MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 82acc1095843da9a689f138666b41520ccb2bda8be0c8b3cd734adbfa14d6746. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry



StormKitty


Vendor detections: 14



SHA256 hash: 82acc1095843da9a689f138666b41520ccb2bda8be0c8b3cd734adbfa14d6746
SHA3-384 hash: 972e26ec205399733d15b0cd922c6359fe02f13e1dd23a44afdbebc15995fed9307c12e2f55570042fb2ff6650bab8ad
SHA1 hash: 3b479f15645c31c7067c31aede6e1802093ac78b
MD5 hash: c7fbe52e88456eabb4d4a1a1a0670cf4
humanhash: rugby-maryland-jupiter-eighteen
File name: c7fbe52e88456eabb4d4a1a1a0670cf4
Signature StormKitty
File size: 343'552 bytes
First seen: 2023-01-18 22:35:23 UTC
Last seen: 2023-01-19 00:42:51 UTC
File type: Executable exe
MIME type: application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'663 x AgentTesla, 19'478 x Formbook, 12'208 x SnakeKeylogger)
ssdeep 6144:wcjrQ/rcaXeLfKqsmLjCkHhUcuS37N7E+rdR2cFoWIEh89dHHWtjunUU:wcjiuJsmXCkStSLNnRVFopEhAdH2tK
TLSH T1E374BF2A3599CE00C36A15B9C4CF802843E9ED937673DB297E4D33AE49433A7AC557C9
TrID 69.7% (.EXE) Generic CIL Executable (.NET, Mono, etc.) (73123/4/13)
10.0% (.EXE) Win64 Executable (generic) (10523/12/4)
6.2% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
4.2% (.EXE) Win32 Executable (generic) (4505/5/1)
1.9% (.EXE) Win16/32 Executable Delphi generic (2072/23)
Reporter zbetcheckin
Tags: 32 exe StormKitty

Intelligence


File Origin
# of uploads: 2
# of downloads: 234
Origin country: n/a
Vendor Threat Intelligence
Malware family: asyncrat
ID: 1
File name: https://tarjapreta.news/docs/ws.exe
Verdict: Malicious activity
Analysis date: 2023-01-17 12:52:18 UTC
Tags: stealerium evasion stealer asyncrat

Note: ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Result
Verdict: Malware
Maliciousness:
Behaviour
Creating a window
Creating synchronization primitives
Creating a file
Creating a file in the %temp% directory
Creating a process from a recently created file
Searching for the window
Sending a custom TCP request
Using the Windows Management Instrumentation requests
Reading critical registry keys
Running batch commands
Launching a process
Launching the process to change network settings
Enabling autorun with the standard Software\Microsoft\Windows\CurrentVersion\Run registry branch
Unauthorized injection to a recently created process
Stealing user critical data
Verdict: No Threat
Threat level: 2/10
Confidence: 67%
Tags: obfuscated packed
Result
Verdict: MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Result
Threat name: AsyncRAT, StormKitty
Detection: malicious
Classification: rans.troj.spyw.evad
Score: 100 / 100
Signature
.NET source code contains method to dynamically call methods (often used by packers)
.NET source code contains potential unpacker
Antivirus / Scanner detection for submitted sample
Antivirus detection for dropped file
Antivirus detection for URL or domain
Connects to a pastebin service (likely for C&C)
Contains functionality to log keystrokes (.Net Source)
Creates multiple autostart registry keys
Found many strings related to Crypto-Wallets (likely being stolen)
Machine Learning detection for dropped file
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
May check the online IP address of the machine
Modifies existing user documents (likely ransomware behavior)
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Queries sensitive Plug and Play Device Information (via WMI, Win32_PnPEntity, often done to detect virtual machines)
Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)
Sigma detected: Capture Wi-Fi password
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to harvest and steal browser information (history, passwords, etc)
Tries to harvest and steal WLAN passwords
Uses netsh to modify the Windows network and firewall settings
Uses the Telegram API (likely for C&C communication)
Yara detected AsyncRAT
Yara detected Generic Downloader
Yara detected StormKitty Stealer
Yara detected Telegram RAT
Yara detected Telegram Recon
Behaviour
Behavior Graph (ID 786965; sample 3ZCSmfAvnf.exe; start date 18/01/2023; architecture WINDOWS; score 100)
Threat name: Win32.Backdoor.AsyncRAT
Status: Malicious
First seen: 2023-01-16 12:10:24 UTC
File Type: PE (.Net Exe)
Extracted files: 1
AV detection: 27 of 38 (71.05%)
Threat level: 5/5
Verdict: malicious
Result
Malware family: stormkitty
Score: 10/10
Tags: family:asyncrat family:stormkitty botnet:default persistence rat spyware stealer
Behaviour
Checks processor information in registry
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Adds Run key to start application
Drops desktop.ini file(s)
Looks up external IP address via web service
Looks up geolocation information via web service
Checks computer location settings
Reads user/profile data of web browsers
Executes dropped EXE
Async RAT payload
AsyncRat
StormKitty
StormKitty payload
Malware Config
C2 Extraction:
127.0.0.1:6606
127.0.0.1:7707
127.0.0.1:8808
https://api.telegram.org/bot5980420064:AAHGrlOU2WsgF90Pcyz-L7wrGgC_Cj54k4Q/sendMessage?chat_id=806259874
Unpacked files
Please note that we are no longer able to provide a coverage score for Virus Total.

YARA Signatures


MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name: pe_imphash
Rule name: Skystars_Malware_Imphash
Author: Skystars LightDefender
Description: imphash

File information


The table below shows additional information about this malware sample such as delivery method and external references.

Delivery method: Web download
Signature: StormKitty
File: Executable exe 82acc1095843da9a689f138666b41520ccb2bda8be0c8b3cd734adbfa14d6746 (this sample)

Delivery method
Distributed via web download

Comments



zbet commented on 2023-01-18 22:35:30 UTC

url : hxxps://tarjapreta.news/docs/ws.exe