MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 66dbe3b90371fe58caa957e83c1c1f0acce941a36cf140a0f07e64403dd13303. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


StormKitty


Vendor detections: 13


Intelligence 13 IOCs YARA 8 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 66dbe3b90371fe58caa957e83c1c1f0acce941a36cf140a0f07e64403dd13303
SHA3-384 hash: ed1eba95f91957ddf1088bbc6b6fb4bbf98d2ed163cf0825dceb28ba227bd703cd370206d788e24b33dd0f4477373b9e
SHA1 hash: 2f973458531aaa283cdc835af4e24f5f709cbad1
MD5 hash: 776193701a2ed869b5f1b6e71970a0ac
humanhash: diet-utah-robert-lamp
File name:file
Download: download sample
Signature StormKitty
Create hunting rule
File size:1'152'000 bytes
First seen:2024-11-27 14:39:08 UTC
Last seen:Never
File type:DLL dll
MIME type:application/x-dosexec
imphash dae02f32a21e03ce65412f6e56942daa (123 x YellowCockatoo, 60 x CobaltStrike, 44 x JanelaRAT)
ssdeep 12288:LaoFeouLUFNFfcaFeFOFwcGF6cmFWc0FWc8cIcKcUFJFpcNcHc7cbchFFc5cbc1a:pFetLic805jbibGATp/j5T
Threatray 34 similar samples on MalwareBazaar
TLSH T1B2355B507BE8D617E1BF23B2E4B20A551BB9F841B362E74F644821E90C62344AE517FF
TrID 62.3% (.CPL) Windows Control Panel Item (generic) (57583/11/19)
11.3% (.EXE) Win64 Executable (generic) (10522/11/4)
7.1% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
5.4% (.EXE) Win16 NE executable (generic) (5038/12/1)
4.8% (.EXE) Win32 Executable (generic) (4504/4/1)
Magika pebin
Reporter jstrosch
Tags:.NET dll MSIL StormKitty


Avatar
jstrosch
Found at hxxp://68.178.207[.]33:8000/RR/XWorm-5.6/Plugins/Recovery.dll by #subcrawl

Intelligence

File Origin
# of uploads :
1
# of downloads :
415
Origin country :
CA CA
Vendor Threat Intelligence
Detection(s):
Win.Packed.Msilzilla-10005487-0
Create hunting rule

Verdict:
Malicious
Score:
97.4%
Link:
https://cyber-fortress.com/docs/result/index.php?id=67472f46b31374f098352b38
Tags:
virus gates msil
Result
Verdict:
Malware
Maliciousness:
Verdict:
Malicious
Threat level:
  10/10
Confidence:
100%
Tags:
coinminer crypto hacktool obfuscated stealer vbnet venomrat
Link:
https://www.filescan.io/uploads/67472f44059227a3db0d0619/reports/35e1cbc4-62f8-4afe-8510-861a2fc2cfc5/overview
Verdict:
Malicious
Labled as:
Bulz.Generic
Link:
https://www.hybrid-analysis.com/sample/66dbe3b90371fe58caa957e83c1c1f0acce941a36cf140a0f07e64403dd13303
Verdict:
Unknown
Link:
https://analyze.intezer.com/analyses/c3bc3647-b966-40bc-b7e7-20869c28baa6
Result
Threat name:
StormKitty
Create hunting rule
Detection:
malicious
Classification:
troj.evad
Score:
92 / 100
Link:
https://www.joesandbox.com/analysis/1563889
Signature
.NET source code contains potential unpacker
AI detected suspicious sample
Antivirus / Scanner detection for submitted sample
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for submitted file
Yara detected BrowserPasswordDump
Yara detected StormKitty Stealer
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 1563889 Sample: file.dll Startdate: 27/11/2024 Architecture: WINDOWS Score: 92 15 Malicious sample detected (through community Yara rule) 2->15 17 Antivirus / Scanner detection for submitted sample 2->17 19 Multi AV Scanner detection for submitted file 2->19 21 5 other signatures 2->21 7 loaddll32.exe 1 2->7         started        process3 process4 9 cmd.exe 1 7->9         started        11 conhost.exe 7->11         started        process5 13 rundll32.exe 9->13         started       
Score:
33%
Verdict:
Susipicious
File Type:
PE
Link:
https://malprob.io/report/66dbe3b90371fe58caa957e83c1c1f0acce941a36cf140a0f07e64403dd13303
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/66dbe3b90371fe58caa957e83c1c1f0acce941a36cf140a0f07e64403dd13303/
Threat name:
ByteCode-MSIL.Backdoor.VenomRAT
Create hunting rule
Status:
Malicious
First seen:
2024-03-13 10:14:03 UTC
File Type:
PE (.Net Dll)
Extracted files:
4
AV detection:
22 of 38 (57.89%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=m3n6hoidoh7frsvjk7udyha7blgosqndntyubihqpzseaporgmbq._file
Verdict:
malicious
Label(s):
stormkitty
Create hunting rule
Similar samples:
522d14faeaa7b2b8886bcd75304ae4db1a9392477e9b465a458f9bfd8cfdd6a3
StormKitty
66dbe3b90371fe58caa957e83c1c1f0acce941a36cf140a0f07e64403dd13303
StormKitty
6f5e4c2f1acbaa248f7501e931462d3da75e6deba050065538153bfe14a6bdb5
StormKitty
72db350204141827d99c4938c7e38d101e1a2d74250463070a1edbf4e49350bd
StormKitty
96dea95151b45309d8bda1112f842802e852a15ac2173b0023b1ba35deae5ec1
StormKitty
a8602f61da135d8dd308b6acb0338f9b9da4024f9ff302490800af85b242eeed
StormKitty
b6f14127cfa1cdd9fa4e8827ea094235a8328bdbb00d6b934d6832dd61401c7a
StormKitty
e39efc1e1e00404b9ddc7659941af58f417a6383baf12b5878b1da36e46ae55f
StormKitty
error
StormKitty
f7a08ebdae40fcb8cdc61a569fdf42b9e65d2dd8f88a4cca9cae0e632a3d8f53
StormKitty
+ 24 additional samples on MalwareBazaar
Result
Malware family:
stormkitty
Create hunting rule
Score:
  10/10
Tags:
family:stormkitty
Link:
https://tria.ge/reports/241127-r1w1eatpbr/
Unpacked files
SH256 hash:
66dbe3b90371fe58caa957e83c1c1f0acce941a36cf140a0f07e64403dd13303
MD5 hash:
776193701a2ed869b5f1b6e71970a0ac
SHA1 hash:
2f973458531aaa283cdc835af4e24f5f709cbad1
Detections:
StormKitty
Create hunting rule
Link:
https://www.unpac.me/results/dbced699-3c36-4867-a97b-55e7a2c440d1/
Parent samples :
66dbe3b90371fe58caa957e83c1c1f0acce941a36cf140a0f07e64403dd13303
f08f77c93c18f55c22c54418b22c4e658d1272f838572a2063796545be6d2015
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/66dbe3b90371fe58caa957e83c1c1f0acce941a36cf140a0f07e64403dd13303

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:grakate_stealer_nov_2021
Create hunting rule
Rule name:INDICATOR_SUSPICIOUS_EXE_CC_Regex
Create hunting rule
Author:ditekSHen
Description:Detects executables referencing credit card regular expressions
Rule name:INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID
Create hunting rule
Author:ditekSHen
Description:Detects executables referencing Windows vault credential objects. Observed in infostealers
Rule name:NET
Create hunting rule
Author:malware-lu
Rule name:RansomPyShield_Antiransomware
Create hunting rule
Author:XiAnzheng
Description:Check for Suspicious String and Import combination that Ransomware mostly abuse(can create FP)
Rule name:RANSOMWARE
Create hunting rule
Author:ToroGuitar
Rule name:Windows_Generic_Threat_2bb6f41d
Create hunting rule
Author:Elastic Security

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

StormKitty

DLL dll 66dbe3b90371fe58caa957e83c1c1f0acce941a36cf140a0f07e64403dd13303

(this sample)

  
Delivery method
Distributed via web download
  
URLhaus
https://urlhaus.abuse.ch/url/3305452/

BLint

The following table provides more information about this file using BLint. BLint is a Binary Linter to check the security properties, and capabilities in executables.

Findings
IDTitleSeverity
CHECK_AUTHENTICODEMissing Authenticodehigh
CHECK_DLL_CHARACTERISTICSMissing dll Security Characteristics (HIGH_ENTROPY_VA)high

Comments