MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 7db01b21b6b4c6e977c8f96e204495b11d566c780c51198198195ec7045c7dce. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

StormKitty

Vendor detections: 8

Intelligence 8 IOCs YARA 2 File information Comments

SHA256 hash:	7db01b21b6b4c6e977c8f96e204495b11d566c780c51198198195ec7045c7dce
SHA3-384 hash:	216e3efd5b41b7723633b504b05c08f0bac9b7b3f43d7737eb8eb1b85338e0e25503f9cdb70cf4509cbb8a12a99ff911
SHA1 hash:	9cd0055ad7599440f852329e4ba3f2e6d7b76565
MD5 hash:	1c995e8f4af85982a6bd26019369ef62
humanhash:	ten-item-nevada-whiskey
File name:	1c995e8f_by_Libranalysis
Download:	download sample
Signature	StormKitty Create hunting rule
File size:	888'832 bytes
First seen:	2021-05-25 12:01:04 UTC
Last seen:	Never
File type:	exe
MIME type:	application/x-dosexec
imphash	f34d5f2d4577ed6d9ceec516c1f5a744 (48'652 x AgentTesla, 19'463 x Formbook, 12'204 x SnakeKeylogger)
ssdeep	12288:ArLXExyNhDNORvOl6NLN6ntAhdL6AdTdsVKk+DIHOFfbECdC3bJFO:ArIxyNhD2WwwtADL6GTdk+4oPC3bJ
Threatray	4'785 similar samples on MalwareBazaar
TLSH	F815AD2C106EF622C1A8C2BD0AD4843BF990D7377131BE69ECD31B995719E817D9227E
Reporter	Libranalysis
Tags:	StormKitty

Libranalysis

Uploaded as part of the sample sharing project

Intelligence

File Origin

# of uploads :

# of downloads :

129

Origin country :

n/a

Vendor Threat Intelligence

Detection:

StormKitty

Link:

https://www.capesandbox.com/analysis/161883/

Result

Verdict:

Clean

Maliciousness:

Behaviour

Sending a custom TCP request

Creating a window

Sending a UDP request

Result

Verdict:

MALICIOUS

Details

Windows PE Executable

Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.

Result

Threat name:

StormKitty

Detection:

malicious

Classification:

phis.troj.spyw.evad

Score:

100 / 100

Link:

https://www.joesandbox.com/analysis/791556

Signature

.NET source code contains very large strings

Allocates memory in foreign processes

Antivirus detection for dropped file

Detected unpacking (creates a PE file in dynamic memory)

Found many strings related to Crypto-Wallets (likely being stolen)

Injects a PE file into a foreign processes

Installs a global keyboard hook

Machine Learning detection for dropped file

Machine Learning detection for sample

Malicious sample detected (through community Yara rule)

May check the online IP address of the machine

Multi AV Scanner detection for dropped file

Multi AV Scanner detection for submitted file

Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)

Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)

Tries to harvest and steal browser information (history, passwords, etc)

Tries to steal Crypto Currency Wallets

Tries to steal Instant Messenger accounts or passwords

Tries to steal Mail credentials (via file access)

Writes to foreign memory regions

Yara detected AntiVM3

Yara detected StormKitty Stealer

Behaviour

Behavior Graph:

Download SVG

Detection:

n/a

Link:

https://mwdb.cert.pl/sample/7db01b21b6b4c6e977c8f96e204495b11d566c780c51198198195ec7045c7dce/

Threat name:

Win32.Trojan.AgentTesla

Status:

Malicious

First seen:

2021-05-25 12:01:10 UTC

AV detection:

12 of 47 (25.53%)

Threat level:

5/5

Verdict:

malicious

StormKitty

0f97e6f8d53f551a068c3651d0c684f2813ff870b5cad591d536342aaf46a38f

StormKitty

11db354a5d6b15b2aad9747f275e846283c9024a434d2f288e95abfd3ec7dfd7

StormKitty

77d69fc2f79de7f28dfe67e4cb6b7fa1e994a2a16831fd918d3dca53a523f2c1

StormKitty

8e122a7da836e05e954001c5f6e2209aa5e0835ea7af0e08e324e538a075f364

StormKitty

ae66143bb6965a7f1122c8eb776085ce679d038b8dd886f954ecd5e45aff4664

StormKitty

bb4bee5b46aecada1017a93042b3b0fc926f75e8230d4de29f204c9234c98220

StormKitty

c799f0389a7735f958fc02e23c02b1e15094ea9a478583f607bc72ae2e5433cb

StormKitty

d5d6dcf7e05158c3d2abc10588ab6ca17cb2d4082720d8847b28894cafc0ead6

StormKitty

e6678504db885f9146a19df19cf75d3db24776c247c3eabca6f6160f57f5d68e

StormKitty

+ 4'775 additional samples on MalwareBazaar

Result

Malware family:

stormkitty

Score:

10/10

Tags:

family:stormkitty spyware stealer

Link:

https://tria.ge/reports/210525-tbyjhk6gge/

Behaviour

Checks processor information in registry

Suspicious behavior: EnumeratesProcesses

Suspicious behavior: GetForegroundWindowSpam

Suspicious use of AdjustPrivilegeToken

Suspicious use of FindShellTrayWindow

Suspicious use of SetWindowsHookEx

Suspicious use of WriteProcessMemory

Enumerates physical storage devices

Suspicious use of SetThreadContext

Accesses cryptocurrency files/wallets, possible credential harvesting

Looks up external IP address via web service

Reads local data of messenger clients

Reads user/profile data of web browsers

Executes dropped EXE

StormKitty

StormKitty Payload

Please note that we are no longer able to provide a coverage score for Virus Total.

Threat name:

Malicious File

Score:

1.00

Link:

https://yomi.yoroi.company/submissions/7db01b21b6b4c6e977c8f96e204495b11d566c780c51198198195ec7045c7dce

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:	pe_imphash Create hunting rule

Rule name:	Skystars_Malware_Imphash Create hunting rule
Author:	Skystars LightDefender
Description:	imphash

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape

https://www.capesandbox.com/analysis/161883/

Comments

Login required

You need to login to in order to write a comment. Login with your abuse.ch account.

No comments found for this malware sample