MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 5e0f712886c0970f0ce44e8c0c658c9e2e40a81cb6e6fa065b52a60b4f080952. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


StormKitty


Vendor detections: 8


Intelligence 8 IOCs YARA File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 5e0f712886c0970f0ce44e8c0c658c9e2e40a81cb6e6fa065b52a60b4f080952
SHA3-384 hash: e85417e2c555afd81989468de94edde25c41f29e35b977e81fcfeaee162b706ce75ff6cd6bcc2507a5c4cf75efb2edbe
SHA1 hash: 0e9433f291b912566b91322ed71a9840f4f726f1
MD5 hash: 82a21ec9a94e04a918eb90466bf0e1f4
humanhash: summer-fruit-lamp-red
File name:82a21ec9a94e04a918eb90466bf0e1f4.exe
Download: download sample
Signature StormKitty
Create hunting rule
File size:1'185'280 bytes
First seen:2021-07-20 13:18:35 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'743 x AgentTesla, 19'608 x Formbook, 12'242 x SnakeKeylogger)
ssdeep 24576:7hz7A5ETKrvDBVv1cCyeA9ST9e605F4cBm34cFnKvn:FCjSC5HT9evFTBm342Wn
TLSH T13545E0336717AB88ECB883B9A8156044AFF5F407D30ED25D3ED870ED5862F15DBA1A42
Reporter abuse_ch
Tags:exe StormKitty

Intelligence

File Origin
# of uploads :
1
# of downloads :
175
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
http://198.23.207.48/obi/can.exe
Verdict:
No threats detected
Analysis date:
2021-07-20 07:33:47 UTC
Tags:
loader
Link:
https://app.any.run/tasks/12c76fee-02fd-47ba-9c71-7e6d3a8b5aef

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/172839/
Detection(s):
SecuriteInfo.com.Trojan.PackedNET.935-1.UNOFFICIAL
Create hunting rule

Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
Formbook
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/557aed94-2045-4455-9706-d2a851ca21a1
Result
Threat name:
a310Logger
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/818969
Signature
.NET source code references suspicious native API functions
Allocates memory in foreign processes
Antivirus detection for dropped file
Detected unpacking (creates a PE file in dynamic memory)
Injects a PE file into a foreign processes
Machine Learning detection for dropped file
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)
Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)
Tries to harvest and steal browser information (history, passwords, etc)
Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)
Tries to steal Crypto Currency Wallets
Tries to steal Mail credentials (via file access)
Writes to foreign memory regions
Yara detected a310Logger
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 451381 Sample: oUBEzxc4wD.exe Startdate: 20/07/2021 Architecture: WINDOWS Score: 100 41 Malicious sample detected (through community Yara rule) 2->41 43 Multi AV Scanner detection for submitted file 2->43 45 Yara detected a310Logger 2->45 47 2 other signatures 2->47 8 oUBEzxc4wD.exe 3 2->8         started        process3 file4 29 C:\Users\user\AppData\...\oUBEzxc4wD.exe.log, ASCII 8->29 dropped 55 Detected unpacking (creates a PE file in dynamic memory) 8->55 57 Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines) 8->57 59 Injects a PE file into a foreign processes 8->59 12 oUBEzxc4wD.exe 1 3 8->12         started        signatures5 process6 dnsIp7 31 mail.dm-teh.com 104.248.254.21, 49726, 587 DIGITALOCEAN-ASNUS United States 12->31 61 Writes to foreign memory regions 12->61 63 Allocates memory in foreign processes 12->63 65 Tries to steal Crypto Currency Wallets 12->65 67 Injects a PE file into a foreign processes 12->67 16 InstallUtil.exe 8 12->16         started        20 InstallUtil.exe 12->20         started        signatures8 process9 file10 27 C:\Users\user\AppData\...behaviorgraphGulksLg.exe, PE32 16->27 dropped 33 Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc) 16->33 35 Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines) 16->35 37 Tries to steal Mail credentials (via file access) 16->37 39 Tries to harvest and steal browser information (history, passwords, etc) 16->39 22 GGulksLg.exe 3 16->22         started        25 WerFault.exe 20->25         started        signatures11 process12 signatures13 49 Antivirus detection for dropped file 22->49 51 Multi AV Scanner detection for dropped file 22->51 53 Machine Learning detection for dropped file 22->53
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/5e0f712886c0970f0ce44e8c0c658c9e2e40a81cb6e6fa065b52a60b4f080952/
Threat name:
ByteCode-MSIL.Trojan.AgentTesla
Create hunting rule
Status:
Malicious
First seen:
2021-07-20 06:44:00 UTC
AV detection:
18 of 28 (64.29%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=lyhxckegyclq6dhej2gayzmmtyxebka4w3tpubs3kktawtyibfja._file
Verdict:
malicious
Result
Malware family:
n/a
Score:
  5/10
Tags:
n/a
Link:
https://tria.ge/reports/210720-57fqaxdv8e/
Behaviour
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
Suspicious use of SetThreadContext
Unpacked files
SH256 hash:
11a338d86a42732ee36403a2d0613d14313f7cbc430e054bfdc28a7a1b4364ba
MD5 hash:
80e84b9eab88f2d6f6f411256ecefee7
SHA1 hash:
8ff1a2061e5b5168c4ca83b1029b90e66460d00b
Link:
https://www.unpac.me/results/5b592b29-1c0f-4b26-a5f4-05f103063007/
SH256 hash:
d4171486d7b257c05229a771ade1875ca799a7be4c5cfb949f1471e76347e934
MD5 hash:
fdee60d8f3dbbb6eaf642a8e513e461a
SHA1 hash:
66a7031b3c3c9cd9b4358244d6c895780b2b9aac
Link:
https://www.unpac.me/results/5b592b29-1c0f-4b26-a5f4-05f103063007/
SH256 hash:
83d9e44d9a311ea6fdbcbd09fdc816a2067806dcacf24beb5ee786191b1a3ea1
MD5 hash:
b1a7b752b6638ee03cffe5a1dde9213e
SHA1 hash:
52d215a173d2f293990f8c12fc7f4a86330a29cb
Link:
https://www.unpac.me/results/5b592b29-1c0f-4b26-a5f4-05f103063007/
SH256 hash:
e2700a776b2f52904940245b0162eb859f54208ec5cf79c4b79c8b978a9bea9f
MD5 hash:
0d5613f48601deb64d4e4cc6bec09662
SHA1 hash:
20aa8c22c0912c4653e8b9464b7208978b8be822
Link:
https://www.unpac.me/results/5b592b29-1c0f-4b26-a5f4-05f103063007/
SH256 hash:
5e0f712886c0970f0ce44e8c0c658c9e2e40a81cb6e6fa065b52a60b4f080952
MD5 hash:
82a21ec9a94e04a918eb90466bf0e1f4
SHA1 hash:
0e9433f291b912566b91322ed71a9840f4f726f1
Link:
https://www.unpac.me/results/5b592b29-1c0f-4b26-a5f4-05f103063007/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/5e0f712886c0970f0ce44e8c0c658c9e2e40a81cb6e6fa065b52a60b4f080952

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

StormKitty

Executable exe 5e0f712886c0970f0ce44e8c0c658c9e2e40a81cb6e6fa065b52a60b4f080952

(this sample)

  
URLhaus
https://urlhaus.abuse.ch/url/1447745/
  
Delivery method
Distributed via web download
Cape
Cape
https://www.capesandbox.com/analysis/172839/

Comments