MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 8c631258f16b062dbbc3c6de1c5d27b727e5c7375fdff993a252fdc98814376a. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


StormKitty


Vendor detections: 14


Intelligence 14 IOCs YARA File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 8c631258f16b062dbbc3c6de1c5d27b727e5c7375fdff993a252fdc98814376a
SHA3-384 hash: 7d89c645c4ac5d9d618dcc9253357d185f74c613eff146d3ee9d1686348c9836cc608699a83ccf9754b18a6207353ffb
SHA1 hash: 46af249ebd3f721b92fa350cf946f16752f208ec
MD5 hash: 21f93cfd5719b49dc5567768d441e190
humanhash: berlin-pluto-table-angel
File name:SecuriteInfo.com.Variant.Strictor.275982.17204.7010
Download: download sample
Signature StormKitty
Create hunting rule
File size:682'420 bytes
First seen:2022-10-26 07:26:04 UTC
Last seen:2022-11-08 14:18:06 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash 29b61e5a552b3a9bc00953de1c93be41 (174 x Formbook, 82 x AgentTesla, 81 x Loki)
ssdeep 12288:8aJcmptCO6D7zkoT+lqp/7Iu/O2ybZx9Y9rl7jjGHb:8aGOCZlT+lQTD/O3BArRCHb
Threatray 258 similar samples on MalwareBazaar
TLSH T127E4DE3629738005FFFDC138BDD17380826879BE9CC95F96DA41BACA35B72C646704A2
TrID 48.8% (.EXE) Win32 Executable MS Visual C++ (generic) (31206/45/13)
16.4% (.EXE) Win64 Executable (generic) (10523/12/4)
10.2% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
7.8% (.EXE) Win16 NE executable (generic) (5038/12/1)
7.0% (.EXE) Win32 Executable (generic) (4505/5/1)
File icon (PE):PE icon
dhash icon 66c29abaaaaaaa86 (20 x AgentTesla, 10 x Formbook, 7 x SnakeKeylogger)
Reporter SecuriteInfoCom
Tags:exe StormKitty

Intelligence

File Origin
# of uploads :
2
# of downloads :
252
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
SecuriteInfo.com.Variant.Strictor.275982.17204.7010
Verdict:
Malicious activity
Analysis date:
2022-10-26 07:29:18 UTC
Tags:
autoit
Link:
https://app.any.run/tasks/99228b99-062c-456d-9d52-87d73f42f021

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/324258/
Detection(s):
SecuriteInfo.com.Variant.Strictor.275982.17204.7010.UNOFFICIAL
Create hunting rule

Result
Verdict:
Suspicious
Maliciousness:

Behaviour
Creating a file in the %temp% directory
Creating a process from a recently created file
Creating a window
Creating a file in the %AppData% subdirectories
Sending a custom TCP request
Enabling autorun with the standard Software\Microsoft\Windows\CurrentVersion\Run registry branch
Result
Malware family:
n/a
Score:
  5/10
Tags:
n/a
Link:
https://dragonfly.certego.net/analysis/45576/overview
Behaviour
MalwareBazaar
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
LockBit Ransomware
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/3c19f6e8-664d-4c09-ab75-ef39600f2a72
Result
Threat name:
BluStealer, MicroClip, StormKitty
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1098141
Signature
Found API chain indicative of sandbox detection
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
Maps a DLL or memory area into another process
May check the online IP address of the machine
Multi AV Scanner detection for submitted file
Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)
Tries to harvest and steal browser information (history, passwords, etc)
Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)
Tries to steal Mail credentials (via file / registry access)
Yara detected BluStealer
Yara detected MicroClip
Yara detected StormKitty Stealer
Yara detected Telegram RAT
Behaviour
Behavior Graph:
Download SVG
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/8c631258f16b062dbbc3c6de1c5d27b727e5c7375fdff993a252fdc98814376a/
Threat name:
Win32.Trojan.Strictor
Create hunting rule
Status:
Malicious
First seen:
2022-10-26 04:48:59 UTC
File Type:
PE (Exe)
Extracted files:
32
AV detection:
21 of 41 (51.22%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=rrrrewhrnmdc3o6dy3pbyxjhw4t6lrzxl7p7te5ckl64tcaug5va._file
Verdict:
malicious
Similar samples:
4ae67a52de5f2bcaea6c9158b4b2dfd3b2953885c34063547b736a4a1096fcb2
StormKitty
51571264ea17f6eb11267797cfd17a462c408580ecbfd10587dd8f848a79e15f
StormKitty
594d61a4bcbcc6503743aae78c47f798557492ba9c0704c3aa188f528b50c5e3
StormKitty
67dfdca1a2d42035d8ef9bde053531051793e2f13e30b8f1fe0a81fdd52e99fb
StormKitty
8fe933e8bf76350e1a991f00cb12b9071ba17f5586a001e17da49e6892ac34f5
StormKitty
a0aac3dc5832026a3d12d50f3c39e988a334d87ea2fc8fbcd1ff33484606d2d3
StormKitty
d5edadd969395a3c5fd2a2cf9832684b11680480b5ca75b464988cff244a6d6d
StormKitty
d6184367b93e40e22f209756274697796820542d46d80ef74d810b2b8785bedd
StormKitty
dc6132f9c63cd966c76790f0761299f92c31684197e40a949c4e1eb9a539bfc8
StormKitty
+ 248 additional samples on MalwareBazaar
Result
Malware family:
stormkitty
Create hunting rule
Score:
  10/10
Tags:
family:blustealer family:stormkitty collection persistence stealer upx
Link:
https://tria.ge/reports/221026-h94beafac7/
Behaviour
Checks processor information in registry
Suspicious behavior: MapViewOfSection
Suspicious use of AdjustPrivilegeToken
Suspicious use of FindShellTrayWindow
Suspicious use of SendNotifyMessage
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
outlook_office_path
outlook_win_path
Enumerates physical storage devices
Suspicious use of SetThreadContext
Accesses Microsoft Outlook profiles
Adds Run key to start application
Looks up external IP address via web service
Loads dropped DLL
Executes dropped EXE
UPX packed file
BluStealer
StormKitty
StormKitty payload
Verdict:
Malicious
Tags:
n/a
YARA:
n/a
Link:
https://app.threat.zone/submission/077c37e0-818d-4932-90bc-cd5b748ab33b
Unpacked files
SH256 hash:
f2d65c7accf19a33302aea7cc6920ff962f72b919d611a09265fe200e6660fa6
MD5 hash:
d2ebc72ca384da22d71969ea7a806328
SHA1 hash:
aae3f8f49cc864b3da1db7323b65a9c959ef3d22
Link:
https://www.unpac.me/results/865a49f3-32df-4145-8bbc-d9294a6dd331/
SH256 hash:
595f8e51fbe326d278c78011343470ce97f5d655ad657023a4ba5edc79006a4d
MD5 hash:
afd61ed83d724ee7e4459b7526109c2f
SHA1 hash:
458f66512e5ba13b3777266528767935fa57028e
Link:
https://www.unpac.me/results/865a49f3-32df-4145-8bbc-d9294a6dd331/
SH256 hash:
2c69fe2898ce412d556be0fae6b669a779f8fd19809e7ec823b2ba6e7e781d04
MD5 hash:
bdb26634ec85b2cac460f13b429f1cea
SHA1 hash:
bdc5e5c4968f270f8d5fbdf7c441a4b598e54a4a
Detections:
win_agent_tesla_g2
Create hunting rule
win_masslogger_w0
Create hunting rule
Link:
https://www.unpac.me/results/865a49f3-32df-4145-8bbc-d9294a6dd331/
SH256 hash:
8c631258f16b062dbbc3c6de1c5d27b727e5c7375fdff993a252fdc98814376a
MD5 hash:
21f93cfd5719b49dc5567768d441e190
SHA1 hash:
46af249ebd3f721b92fa350cf946f16752f208ec
Link:
https://www.unpac.me/results/865a49f3-32df-4145-8bbc-d9294a6dd331/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
0.83
Link:
https://yomi.yoroi.company/submissions/8c631258f16b062dbbc3c6de1c5d27b727e5c7375fdff993a252fdc98814376a

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape
Cape
https://www.capesandbox.com/analysis/324258/

Comments