MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 9e9f338d922f809d4ecac31b1b2c1bc38de325e848782308997d76eef549951f. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

StormKitty

Vendor detections: 9

Intelligence 9 IOCs YARA File information Comments

SHA256 hash:	9e9f338d922f809d4ecac31b1b2c1bc38de325e848782308997d76eef549951f
SHA3-384 hash:	d2af0326dafc8ec8c8d14193395cc6c494710b2b967b74d8be300b9ee85ee299a12b95b0559a28a99962c667bfcda06b
SHA1 hash:	7175df3680987e75f1ebb7430c8246400ebf71f4
MD5 hash:	873bfbea840976bb63f1e7eae546725e
humanhash:	carbon-princess-red-florida
File name:	SecuriteInfo.com.Trojan.PackedNET.1293.27162.15596
Download:	download sample
Signature	StormKitty Create hunting rule
File size:	676'384 bytes
First seen:	2022-12-09 10:30:03 UTC
Last seen:	Never
File type:	exe
MIME type:	application/x-dosexec
ssdeep	6144:k4uIrm6rLfOhXDBkyFhI8OZiLsyJ0If3+Nm3cxgU/ZzU:kv6rLClkyFhI8OZiIyJ1us3cxgU/Zz
Threatray	2'297 similar samples on MalwareBazaar
TLSH	T108E4955F29AA120DB261AD6C5BBCB131D15DFBF129364CB34DF7094A1112AF0CBAD722
TrID	56.5% (.EXE) Win64 Executable (generic) (10523/12/4) 11.0% (.ICL) Windows Icons Library (generic) (2059/9) 10.9% (.EXE) OS/2 Executable (generic) (2029/13) 10.7% (.EXE) Generic Win/DOS Executable (2002/3) 10.7% (.EXE) DOS Executable Generic (2000/1)
File icon (PE):
dhash icon	d2e8ecb2b2a2b282 (106 x AgentTesla, 106 x Formbook, 24 x RedLineStealer)
Reporter	SecuriteInfoCom
Tags:	exe StormKitty

Intelligence

File Origin

# of uploads :

# of downloads :

186

Origin country :

n/a

Vendor Threat Intelligence

Detection:

n/a

Link:

https://www.capesandbox.com/analysis/344667/

Detection(s):

SecuriteInfo.com.Trojan.PackedNET.1293.27162.15596.UNOFFICIAL

Result

Verdict:

Malware

Maliciousness:

Behaviour

Searching for the window

Launching a process

Creating a file

Сreating synchronization primitives

Creating a window

Using the Windows Management Instrumentation requests

DNS request

Sending an HTTP GET request

Reading critical registry keys

Stealing user critical data

Unauthorized injection to a system process

Verdict:

Suspicious

Threat level:

5/10

Confidence:

100%

Tags:

obfuscated overlay packed vbc.exe

Link:

https://www.filescan.io/uploads/63930e2e04e0e79bdf41c566/reports/879b3fb2-69d2-46d1-9128-8e1c40b99e85/overview

Result

Verdict:

UNKNOWN

Details

Windows PE Executable

Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.

Verdict:

Malicious

Link:

https://analyze.intezer.com/analyses/5ba412ac-02e0-4269-b72e-8d2bb128dd17

Result

Threat name:

BluStealer, StormKitty

Detection:

malicious

Classification:

troj.spyw.evad

Score:

100 / 100

Link:

https://www.joesandbox.com/analysis/1131336

Signature

.NET source code contains method to dynamically call methods (often used by packers)

.NET source code contains potential unpacker

.NET source code contains very large strings

Allocates memory in foreign processes

Detected potential unwanted application

Found many strings related to Crypto-Wallets (likely being stolen)

Injects a PE file into a foreign processes

Machine Learning detection for sample

Malicious sample detected (through community Yara rule)

May check the online IP address of the machine

Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)

Tries to harvest and steal browser information (history, passwords, etc)

Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)

Tries to steal Crypto Currency Wallets

Tries to steal Mail credentials (via file / registry access)

Writes to foreign memory regions

Yara detected BluStealer

Yara detected StormKitty Stealer

Yara detected Telegram RAT

Behaviour

Behavior Graph:

Download SVG

Detection:

n/a

Link:

https://mwdb.cert.pl/sample/9e9f338d922f809d4ecac31b1b2c1bc38de325e848782308997d76eef549951f/

Threat name:

ByteCode-MSIL.Infostealer.Stelega

Status:

Malicious

First seen:

2022-12-09 10:31:06 UTC

File Type:

PE+ (.Net Exe)

Extracted files:

AV detection:

15 of 26 (57.69%)

Threat level:

5/5

Detection(s):

Suspicious file

Link:

https://check.spamhaus.org/check/?searchterm=t2pthdmsf6aj2twkymnrwla3yog6gjpijb4cgcezpv3o55kjsupq._file

Verdict:

malicious

StormKitty

1b756d9f63963c6272fa1873b1e5d25e569201c44f09f83b103b8ff2f99eb443

StormKitty

537eefdd89c53025ce3e521a0dde0d2dd99bcf94f6063fd6b0823e259c72a26d

StormKitty

946fa8826403d58c6694d18b89af7bf80c078f792f9aae820ac9ced395450f63

StormKitty

c6deef7825e9fc588ee77c25398896ac695e0c02c44276fc4382218807b01e17

StormKitty

f218fa4276e991739589e3f96b0abc8f53d499b88f2d824beedc01ce49e53bcc

StormKitty

f2ca13bec0a58da06631590d73880cce7dddf5f7b145ede8b63c6727839c14f3

StormKitty

+ 2'287 additional samples on MalwareBazaar

Result

Malware family:

stormkitty

Score:

10/10

Tags:

family:blustealer family:stormkitty collection spyware stealer

Link:

https://tria.ge/reports/221209-mjvnssch93/

Behaviour

Checks processor information in registry

Suspicious behavior: EnumeratesProcesses

Suspicious use of AdjustPrivilegeToken

Suspicious use of SetWindowsHookEx

Suspicious use of WriteProcessMemory

outlook_office_path

outlook_win_path

Suspicious use of SetThreadContext

Accesses Microsoft Outlook profiles

Accesses cryptocurrency files/wallets, possible credential harvesting

Looks up external IP address via web service

Uses the VBS compiler for execution

BluStealer

StormKitty

StormKitty payload

Malware Config

C2 Extraction:

https://api.telegram.org/bot5627356603:AAG-Mx0TbSHRRW6IwndrpX3VLZdhd6C-Zac/sendMessage?chat_id=5472437377

Verdict:

Malicious

Tags:

n/a

YARA:

n/a

Link:

https://app.threat.zone/submission/a4d21967-97fc-4fbe-bb5d-5e6b345ea2c1

Unpacked files

SH256 hash:

9e9f338d922f809d4ecac31b1b2c1bc38de325e848782308997d76eef549951f

MD5 hash:

873bfbea840976bb63f1e7eae546725e

SHA1 hash:

7175df3680987e75f1ebb7430c8246400ebf71f4

Link:

https://www.unpac.me/results/9ef564e7-229e-45d0-8211-a3b768491963/

Verdict:

Malicious

Link:

https://www.vmray.com/analyses/_mb/9e9f338d922f/report/overview.html

Please note that we are no longer able to provide a coverage score for Virus Total.

Threat name:

Legit

Score:

0.00

Link:

https://yomi.yoroi.company/submissions/9e9f338d922f809d4ecac31b1b2c1bc38de325e848782308997d76eef549951f

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape

https://www.capesandbox.com/analysis/344667/

Comments

Login required

You need to login to in order to write a comment. Login with your abuse.ch account.

No comments found for this malware sample