MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 694cc4ed4867a6f50494c7a4228791ff52ba7b086f7b5bbcea3d50032142c8bf. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


StormKitty


Vendor detections: 13


Intelligence 13 IOCs YARA 6 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 694cc4ed4867a6f50494c7a4228791ff52ba7b086f7b5bbcea3d50032142c8bf
SHA3-384 hash: dae256c350010cfe2299f55f028619f3a9a362a409a4f291c9f2bfc79386d53249cc1c6b047f06293456adc8451b99ca
SHA1 hash: d4abb220ce21eaeb27ee63fe5d4d5700fccf4251
MD5 hash: 984508c5af6bd7744bd767ce822be17a
humanhash: kentucky-east-item-mockingbird
File name:984508c5af6bd7744bd767ce822be17a.bin
Download: download sample
Signature StormKitty
Create hunting rule
File size:2'718'208 bytes
First seen:2023-07-28 06:24:18 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'750 x AgentTesla, 19'654 x Formbook, 12'248 x SnakeKeylogger)
ssdeep 49152:Scim4UhQNIQPFQlA7876XreAvS3Zuu+irFak3ZOsXD+c:Sq4kc46aAq3dFaQjD
Threatray 693 similar samples on MalwareBazaar
TLSH T1EDC5AF5577A4CE06D3AE2776906354180BF1E38672A2E71FEEAB10A72C573701E423E7
TrID 61.5% (.CPL) Windows Control Panel Item (generic) (197083/11/60)
22.8% (.EXE) Generic CIL Executable (.NET, Mono, etc.) (73123/4/13)
4.0% (.SCR) Windows screen saver (13097/50/3)
3.2% (.EXE) Win64 Executable (generic) (10523/12/4)
2.0% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
Reporter abuse_ch
Tags:bin exe RAT StormKitty

Intelligence

File Origin
# of uploads :
1
# of downloads :
294
Origin country :
NL NL
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
984508c5af6bd7744bd767ce822be17a.bin
Verdict:
Suspicious activity
Analysis date:
2023-07-28 06:25:13 UTC
Tags:
n/a
Link:
https://app.any.run/tasks/d2bbffc1-4c8f-4ddd-bf38-9fa30d3ab302

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
DLAgent10 Downloader
Create hunting rule
Link:
https://www.capesandbox.com/analysis/435809/
Detection(s):
Win.Packed.Adwarex-9851111-0
Create hunting rule

Win.Packed.Bulz-9891112-0
Create hunting rule

Win.Packed.AsyncRAT-9938103-1
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Launching a process
Adding an access-denied ACE
Creating a file
Сreating synchronization primitives
Using the Windows Management Instrumentation requests
Creating a file in the %AppData% subdirectories
DNS request
Creating a window
Reading critical registry keys
Setting a global event handler for the keyboard
Stealing user critical data
Unauthorized injection to a system process
Verdict:
Likely Malicious
Threat level:
  7.5/10
Confidence:
100%
Tags:
anti-vm crypto evasive explorer lolbin masquerade packed replace
Link:
https://www.filescan.io/uploads/64c35f405154a489a4592ba0/reports/54d16ab8-0373-4fb0-8904-094e9de13463/overview
Verdict:
Malicious
Labled as:
Trojan.MSIL.DLAgent10
Link:
https://www.hybrid-analysis.com/sample/694cc4ed4867a6f50494c7a4228791ff52ba7b086f7b5bbcea3d50032142c8bf
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/c6b31a6e-a270-4ccf-aaeb-451b9a59e556
Result
Threat name:
StormKitty
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
84 / 100
Link:
https://www.joesandbox.com/analysis/1281613
Signature
.NET source code contains method to dynamically call methods (often used by packers)
Injects a PE file into a foreign processes
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for submitted file
Tries to harvest and steal browser information (history, passwords, etc)
Writes to foreign memory regions
Yara detected StormKitty Stealer
Behaviour
Behavior Graph:
Download SVG
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/694cc4ed4867a6f50494c7a4228791ff52ba7b086f7b5bbcea3d50032142c8bf/
Threat name:
Win32.Adware.RedCap
Create hunting rule
Status:
Malicious
First seen:
2023-07-28 06:25:07 UTC
File Type:
PE (.Net Exe)
Extracted files:
24
AV detection:
16 of 24 (66.67%)
Threat level:
  1/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=nfgmj3kim6tpkbeuy6scfb4r75jlu6yin55vxphkhviagikczc7q._file
Verdict:
malicious
Similar samples:
15fedc86e87841c141b113efa635ef5b7d28f7cf906597a60354cd2d3ba85e3b
StormKitty
4b3fd775a80b08650b33e1df27b2dcad6d48740918776c7ff1a8d648927bb226
StormKitty
7cc8ef889a24d8be46158ed9525edb3efe4b872709edfe4c565fb562271969ee
StormKitty
9cab35781360174ec179b142782b298fb5b7b3cf60dda169e5991fb6a86bd3a4
StormKitty
bb90c8c39ba60347b2d5f2a73a11f9c1f9f7e16251ca3098e4c087257bcce09b
StormKitty
bcf3266e8996bcdb7acb686034f264b07c228ce37f1212b663b636cc0317ee1a
StormKitty
bd213bacf745262d609025230b73d653d2ef62875f28860ea1b4d1a65f5c5cca
StormKitty
+ 683 additional samples on MalwareBazaar
Result
Malware family:
stormkitty
Create hunting rule
Score:
  10/10
Tags:
family:stormkitty stealer
Link:
https://tria.ge/reports/230728-g6mc2sce9x/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
Suspicious use of SetThreadContext
StormKitty
StormKitty payload
Unpacked files
SH256 hash:
694cc4ed4867a6f50494c7a4228791ff52ba7b086f7b5bbcea3d50032142c8bf
MD5 hash:
984508c5af6bd7744bd767ce822be17a
SHA1 hash:
d4abb220ce21eaeb27ee63fe5d4d5700fccf4251
Detections:
StormKitty
Create hunting rule
Link:
https://www.unpac.me/results/166324fe-c66d-4cec-b7fa-b7bfc58114c8/
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/_mb/694cc4ed4867/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:INDICATOR_SUSPICIOUS_EXE_CC_Regex
Create hunting rule
Author:ditekSHen
Description:Detects executables referencing credit card regular expressions
Rule name:INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID
Create hunting rule
Author:ditekSHen
Description:Detects executables referencing Windows vault credential objects. Observed in infostealers
Rule name:MALWARE_Win_DLAgent10
Create hunting rule
Author:ditekSHen
Description:Detects known downloader agent
Rule name:pe_imphash
Create hunting rule
Rule name:Skystars_Malware_Imphash
Create hunting rule
Author:Skystars LightDefender
Description:imphash

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape
Cape
https://www.capesandbox.com/analysis/435809/

Comments