MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 9d2b93c207ed97cc7b272da9a8d388077d97dc389e2c0e9645e917aa5f0619a8. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


StormKitty


Vendor detections: 14


Intelligence 14 IOCs YARA 3 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 9d2b93c207ed97cc7b272da9a8d388077d97dc389e2c0e9645e917aa5f0619a8
SHA3-384 hash: f83273fcbaebc0e45a18aaeac1a812f4d73a156f8e402087960dd8a68dca9678d07649f1b3d35e3482425d1d015ecf3f
SHA1 hash: 1613953ba8a07e11e89ed77c28afe58d872891bb
MD5 hash: 87e8c813255d7a8768b98765cdcfed67
humanhash: green-connecticut-ceiling-wolfram
File name:9d2b93c207ed97cc7b272da9a8d388077d97dc389e2c0e9645e917aa5f0619a8
Download: download sample
Signature StormKitty
Create hunting rule
File size:591'360 bytes
First seen:2023-08-08 12:25:14 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'750 x AgentTesla, 19'654 x Formbook, 12'248 x SnakeKeylogger)
ssdeep 12288:25LbzIu9+r9GJ+iyhAGkFuT/r2GGjerRWvEF8xLCnysHu:25LA9IvGTqY/XueosF8xoy9
Threatray 6'230 similar samples on MalwareBazaar
TLSH T110C4226457474B13E59747F659202E3943BF5BDAB834E7830C83F3D46A81B922628F1B
TrID 71.1% (.EXE) Generic CIL Executable (.NET, Mono, etc.) (73123/4/13)
10.2% (.EXE) Win64 Executable (generic) (10523/12/4)
6.3% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
4.3% (.EXE) Win32 Executable (generic) (4505/5/1)
2.0% (.ICL) Windows Icons Library (generic) (2059/9)
Reporter adrian__luca
Tags:exe StormKitty

Intelligence

File Origin
# of uploads :
1
# of downloads :
293
Origin country :
HU HU
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
9d2b93c207ed97cc7b272da9a8d388077d97dc389e2c0e9645e917aa5f0619a8
Verdict:
Malicious activity
Analysis date:
2023-08-08 12:26:07 UTC
Tags:
snake
Link:
https://app.any.run/tasks/c0093494-686e-4e9e-8a61-865fae38f492

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
Snake
Create hunting rule
Link:
https://www.capesandbox.com/analysis/441360/
Detection(s):
SecuriteInfo.com.Trojan.Siggen20.63718.19562.25296.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a window
Sending a custom TCP request
Verdict:
Malicious
Threat level:
  10/10
Confidence:
100%
Tags:
comodo jigsaw packed
Link:
https://www.filescan.io/uploads/64d2345b4154db2bd521d773/reports/bba77d50-5fe8-416b-a932-774bab369998/overview
Verdict:
Malicious
Labled as:
Trojan.Generic
Link:
https://www.hybrid-analysis.com/sample/9d2b93c207ed97cc7b272da9a8d388077d97dc389e2c0e9645e917aa5f0619a8
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Verdict:
Unknown
Link:
https://analyze.intezer.com/analyses/c53e2a99-867f-47f1-a1dc-afe8d327ac7f
Result
Threat name:
Snake Keylogger, StormKitty
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1287755
Signature
.NET source code contains potential unpacker
Antivirus / Scanner detection for submitted sample
Found malware configuration
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
May check the online IP address of the machine
Multi AV Scanner detection for submitted file
Tries to harvest and steal browser information (history, passwords, etc)
Tries to steal Mail credentials (via file / registry access)
Uses the Telegram API (likely for C&C communication)
Yara detected Generic Downloader
Yara detected Snake Keylogger
Yara detected StormKitty Stealer
Yara detected Telegram RAT
Behaviour
Behavior Graph:
Download SVG
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/9d2b93c207ed97cc7b272da9a8d388077d97dc389e2c0e9645e917aa5f0619a8/
Threat name:
ByteCode-MSIL.Trojan.AgentTesla
Create hunting rule
Status:
Malicious
First seen:
2023-07-31 02:44:00 UTC
File Type:
PE (.Net Exe)
Extracted files:
7
AV detection:
25 of 38 (65.79%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=tuvzhqqh5wl4y6zhfwu2ru4ia56zpxbytywa5fsf5el2uxygdgua._file
Verdict:
malicious
Similar samples:
24c43375fb726dbf16803dd6289d64984d9de0ed10f6bcc84e3f67b8a52c6904
StormKitty
2c6ab4d6d51bf64c0f95e9f3aba44d33886281974d9c594531be707ed9743cf0
StormKitty
45e9234add22c91058024b82e30c0b63571122e9c107b6e1d760c3cfaa4d7cbd
StormKitty
4e62540930b121dc5eb404032401ac2b37cd86b591e14c4404610a2e59f06b6d
StormKitty
64cfb742accf0ccd0d20225f5c16688dda0aa93aa005157f02f0249bf3fe298e
StormKitty
76a18e031d38dfddde065048a4371e0cb24d09d4a74d266b8e83af944833171a
StormKitty
9925d40e552d694f23587880808c8f53cb41ff2ef2fc5112f37aeaab7d1c6241
StormKitty
bf15bf7ad5e678a40cca28a50fbe8a4f4aa8b86f3480820d8c0178db3107cb15
StormKitty
bf36b9ac0998d56e00d4fa60997ba6105f5d9ace84c3e5949fe036d0315d9019
StormKitty
e51a6391514210d971a76cec2a5b8773344c36a57a2a850a678f3974abd5dc81
StormKitty
+ 6'220 additional samples on MalwareBazaar
Result
Malware family:
stormkitty
Create hunting rule
Score:
  10/10
Tags:
family:snakekeylogger family:stormkitty keylogger spyware stealer
Link:
https://tria.ge/reports/230808-pl6vyscd87/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Suspicious use of SetThreadContext
Looks up external IP address via web service
Reads user/profile data of web browsers
Snake Keylogger
Snake Keylogger payload
StormKitty
StormKitty payload
Malware Config
C2 Extraction:
https://api.telegram.org/bot5830566856:AAGWFy9uABhntGSW37Ll1sdhis_3Sq_arBM/sendMessage?chat_id=1467583453
Unpacked files
SH256 hash:
52f358d201e81d3a0391cedd3042e2f957555b77aa49559f7fb810bbb7673ba1
MD5 hash:
c785ddc46141af772c75101d17c46a41
SHA1 hash:
e248723b6f60cc7607980d07172b64c33b2b2f15
Link:
https://www.unpac.me/results/99d18412-160e-4722-8f5b-81ae8e127a1d/
SH256 hash:
90b69bb62921ddeef8f4077bfcafdd2ac44c1114d12795a0b52798e371f5658f
MD5 hash:
61fc81522d7056c01aafd4007b20c7eb
SHA1 hash:
9d7e23d0d151f1b292d77e2cc611fcb3167f5bb1
Link:
https://www.unpac.me/results/99d18412-160e-4722-8f5b-81ae8e127a1d/
SH256 hash:
0c95a7d95e8d54553429006d59db23e1aefc7eb0aa811a438173168f2d445b31
MD5 hash:
7b24d053f3737c59f523f979a77a2930
SHA1 hash:
1013c577f40182cdc6a018d9f72e68e1ecb3c724
Link:
https://www.unpac.me/results/99d18412-160e-4722-8f5b-81ae8e127a1d/
SH256 hash:
9d2b93c207ed97cc7b272da9a8d388077d97dc389e2c0e9645e917aa5f0619a8
MD5 hash:
87e8c813255d7a8768b98765cdcfed67
SHA1 hash:
1613953ba8a07e11e89ed77c28afe58d872891bb
Link:
https://www.unpac.me/results/99d18412-160e-4722-8f5b-81ae8e127a1d/
Malware family:
SnakeKeylogger
Create hunting rule
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/_mb/9d2b93c207ed/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/9d2b93c207ed97cc7b272da9a8d388077d97dc389e2c0e9645e917aa5f0619a8

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:NET
Create hunting rule
Author:malware-lu
Rule name:pe_imphash
Create hunting rule
Rule name:Skystars_Malware_Imphash
Create hunting rule
Author:Skystars LightDefender
Description:imphash

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape
Cape
https://www.capesandbox.com/analysis/441360/

Comments