MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 8c49ad1ac17dcca46bbd85d54290e92ab45562fabf518e69f14efa6a814f650b. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


StormKitty


Vendor detections: 16


Intelligence 16 IOCs YARA 6 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 8c49ad1ac17dcca46bbd85d54290e92ab45562fabf518e69f14efa6a814f650b
SHA3-384 hash: 317d9a864e6406ac84e07c368e93f05ca817cc027d7208bcfd36bcb3d67abe44fca9f9a2b227b971db653c8a1f371ffd
SHA1 hash: 8cb3a7e1feb699ffbc168c31f39f17e60b567cd6
MD5 hash: 79caafc8894b767c5553379e4aacc563
humanhash: oranges-nebraska-kentucky-mobile
File name:StormKittyBuild (3).exe
Download: download sample
Signature StormKitty
Create hunting rule
File size:317'440 bytes
First seen:2025-03-04 05:33:02 UTC
Last seen:2025-03-04 05:33:47 UTC
File type:Executable exe
MIME type:application/x-dosexec
ssdeep 6144:GnxWaRYPKWH9u9A5NsYrmN3z/AIKiqojhof04NuCi3t9I/B+TlN:GxWW0K69wAIYS78fs4eD
Threatray 303 similar samples on MalwareBazaar
TLSH T10E641278389AA65FCAC573FE988CDF6C56F139228926D31FD04E27610D4E7B502421BE
TrID 56.5% (.EXE) Win64 Executable (generic) (10522/11/4)
11.0% (.ICL) Windows Icons Library (generic) (2059/9)
10.9% (.EXE) OS/2 Executable (generic) (2029/13)
10.7% (.EXE) Generic Win/DOS Executable (2002/3)
10.7% (.EXE) DOS Executable Generic (2000/1)
Magika pebin
dhash icon 70e8f0f0f0f0f030 (4 x Formbook, 4 x StormKitty)
Reporter skocherhan
Tags:exe github-shram88 StormKitty


Avatar
skocherhan
https://github.com/shram88/test1/raw/refs/heads/main/StormKittyBuild%20(3).exe

Intelligence

File Origin
# of uploads :
2
# of downloads :
452
Origin country :
GB GB
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
StormKittyBuild (3).exe
Verdict:
Malicious activity
Analysis date:
2025-03-04 05:40:17 UTC
Tags:
evasion github confuser discordgrabber generic stealer xor-url
Link:
https://app.any.run/tasks/9d5c0f40-68ec-4358-ad4f-dd8fe6a243b2

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection(s):
Win.Packed.Bulz-9769773-0
Create hunting rule

Win.Packed.Bulz-9769834-0
Create hunting rule

Win.Malware.Bulz-9778250-0
Create hunting rule

PUA.Win.Packed.ConfuserEx-6582917-0
Create hunting rule

Verdict:
Malicious
Score:
93.3%
Link:
https://cyber-fortress.com/docs/result/index.php?id=67c6913ac668b65489bede59
Tags:
infosteal packed kitty sage
Result
Verdict:
Malware
Maliciousness:

Behaviour
Searching for the window
Using the Windows Management Instrumentation requests
Creating a file in the %temp% directory
Сreating synchronization primitives
Enabling the 'hidden' option for analyzed file
DNS request
Connection attempt
Sending an HTTP GET request
Sending a custom TCP request
Creating a window
Verdict:
Malicious
Threat level:
  10/10
Confidence:
100%
Tags:
confuser confuserex net obfuscated obfuscated packed packed packer_detected stormkitty
Link:
https://www.filescan.io/uploads/67c690b03c5f644bd941abfb/reports/cf0b60da-7ed0-4354-bdd2-a7e94a34a9f3/overview
Verdict:
Malicious
Labled as:
Win/malicious_confidence_90%
Link:
https://www.hybrid-analysis.com/sample/8c49ad1ac17dcca46bbd85d54290e92ab45562fabf518e69f14efa6a814f650b
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Verdict:
Suspicious
Link:
https://analyze.intezer.com/analyses/ad62fced-0d7f-4e65-9f66-a23b0d6407bd
Result
Threat name:
AveMaria, Clipboard Hijacker, StormKitty
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1628817
Signature
Antivirus / Scanner detection for submitted sample
Check if machine is in data center or colocation facility
Found many strings related to Crypto-Wallets (likely being stolen)
Joe Sandbox ML detected suspicious sample
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for submitted file
Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)
Suricata IDS alerts for network traffic
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Yara detected AveMaria stealer
Yara detected Clipboard Hijacker
Yara detected StormKitty Stealer
Behaviour
Behavior Graph:
Download SVG
Score:
96%
Verdict:
Malware
File Type:
PE
Link:
https://malprob.io/report/8c49ad1ac17dcca46bbd85d54290e92ab45562fabf518e69f14efa6a814f650b
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/8c49ad1ac17dcca46bbd85d54290e92ab45562fabf518e69f14efa6a814f650b/
Threat name:
ByteCode-MSIL.Backdoor.FormBook
Create hunting rule
Status:
Malicious
First seen:
2025-03-04 05:33:39 UTC
File Type:
PE+ (.Net Exe)
Extracted files:
10
AV detection:
25 of 38 (65.79%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=rre22gwbpxgki255qxkufehjfk2fkyx2x5iy42prj35gvakpmufq._file
Verdict:
malicious
Label(s):
stormkitty
Create hunting rule
Similar samples:
21c6dd94577eb8a7f102656f638e4bdbac0fdb457c6dbd902a474b9c8b42a201
StormKitty
88980f12a43d1ecbd3ba92bc34ecda751e668d0fc3b5bd2e6d1546a6a1124233
StormKitty
8c49ad1ac17dcca46bbd85d54290e92ab45562fabf518e69f14efa6a814f650b
StormKitty
a3c7eabd9cfb545adb2731670d97fe9ec7d8afe29db7f7a31827bdc13e0e4a85
StormKitty
c1aa2ba105b38478e089d1cd18c4f7bc91249fd98483a08a80fd84e14af9d811
StormKitty
e8f17b452f74021b5251a084646034f48d2366a74ae2b62f5173b70005b8a716
StormKitty
error
StormKitty
+ 293 additional samples on MalwareBazaar
Result
Malware family:
stormkitty
Create hunting rule
Score:
  10/10
Tags:
family:stormkitty stealer
Link:
https://tria.ge/reports/250304-f87lbsslx6/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Legitimate hosting services abused for malware hosting/C2
Looks up external IP address via web service
Executes dropped EXE
StormKitty
StormKitty payload
Stormkitty family
Verdict:
Malicious
Tags:
red_team_tool stormkitty stealer Win.Packed.Bulz-9769773-0 external_ip_lookup
YARA:
HKTL_NET_GUID_StormKitty SUSP_NET_NAME_ConfuserEx MALWARE_Win_StormKitty
Link:
https://app.threat.zone/submission/8b6cd1f6-9cf9-4cc7-a9fd-143620dcfbda
Unpacked files
SH256 hash:
8c49ad1ac17dcca46bbd85d54290e92ab45562fabf518e69f14efa6a814f650b
MD5 hash:
79caafc8894b767c5553379e4aacc563
SHA1 hash:
8cb3a7e1feb699ffbc168c31f39f17e60b567cd6
Detections:
StormKitty
Create hunting rule
Link:
https://www.unpac.me/results/c8a331b7-2387-476a-9efb-d06140f37d51/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/8c49ad1ac17dcca46bbd85d54290e92ab45562fabf518e69f14efa6a814f650b

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:HKTL_NET_GUID_StormKitty
Create hunting rule
Author:Arnim Rupp (https://github.com/ruppde)
Description:Detects c# red/black-team tools via typelibguid
Reference:https://github.com/LimerBoy/StormKitty
Rule name:INDICATOR_EXE_Packed_ConfuserEx
Create hunting rule
Author:ditekSHen
Description:Detects executables packed with ConfuserEx Mod
Rule name:MALWARE_Win_StormKitty
Create hunting rule
Author:ditekSHen
Description:Detects StormKitty infostealer
Rule name:NET
Create hunting rule
Author:malware-lu
Rule name:pe_no_import_table
Create hunting rule
Description:Detect pe file that no import table
Rule name:Sus_Obf_Enc_Spoof_Hide_PE
Create hunting rule
Author:XiAnzheng
Description:Check for Overlay, Obfuscating, Encrypting, Spoofing, Hiding, or Entropy Technique(can create FP)

File information

The table below shows additional information about this malware sample such as delivery method and external references.

BLint

The following table provides more information about this file using BLint. BLint is a Binary Linter to check the security properties, and capabilities in executables.

Findings
IDTitleSeverity
CHECK_AUTHENTICODEMissing Authenticodehigh
CHECK_DLL_CHARACTERISTICSMissing dll Security Characteristics (HIGH_ENTROPY_VA)high

Comments