MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 a98672cd9e7ea3c969d9cd5d2dd1f941e8a421fc3b8a8e8cebfa2f418550a2d2. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

StormKitty

Vendor detections: 8

SHA256 hash: a98672cd9e7ea3c969d9cd5d2dd1f941e8a421fc3b8a8e8cebfa2f418550a2d2
SHA3-384 hash: 19b3c0c07170b7ad2119b8c7d152586d5482789c5d4b5ef656dd51c4acfc33b9b05cf7b223c8e71ea9b6efd2a1905a93
SHA1 hash: b12ec5870ed4874724270c9b540b9e1dbfb3e1a7
MD5 hash: 15b5bb40a1bfaa661e6f0222df49d7d5
humanhash: bravo-indigo-carpet-ten
File name: IMG_INVOICE_6628862572.exe
Signature: StormKitty
File size: 1'122'939 bytes
First seen: 2021-05-06 07:19:20 UTC
Last seen: 2021-05-06 08:15:16 UTC
File type: Executable exe
MIME type: application/x-dosexec
imphash: ced282d9b261d1462772017fe2f6972b (shared with 127 x Formbook, 113 x GuLoader, 70 x RemcosRAT samples)
ssdeep: 24576:xFO+6bkSGAULH5A8yc7/cvVT8ZEXwvqEj+xhFBo:xFOUcUD5VH7/1Z6wdjaS
Threatray: 978 similar samples on MalwareBazaar
TLSH: 4B352321E3C284C4C250127055FBDE49267B7E556CA36C57B2A8BB183CF368F652AE37
Reporter: abuse_ch
Tags: exe StormKitty

Intelligence

File Origin
# of uploads: 3
# of downloads: 151
Origin country: n/a

Vendor Threat Intelligence

Result
Verdict: Suspicious
Maliciousness:
Behaviour
Creating a file in the %temp% directory
Creating a file
Sending a UDP request
Forced shutdown of a system process

Result
Verdict: MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.

Result
Threat name: StormKitty
Detection: malicious
Classification: phis.troj.spyw.evad
Score: 100 / 100
Signature
Found many strings related to Crypto-Wallets (likely being stolen)
Initial sample is a PE file and has a suspicious name
Installs a global keyboard hook
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
Maps a DLL or memory area into another process
May check the online IP address of the machine
Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)
Sample uses process hollowing technique
Sigma detected: Dridex Process Pattern
Sigma detected: Suspicious Svchost Process
System process connects to network (likely due to code injection or exploit)
Tries to harvest and steal browser information (history, passwords, etc)
Tries to steal Crypto Currency Wallets
Tries to steal Instant Messenger accounts or passwords
Tries to steal Mail credentials (via file access)
Yara detected Generic Dropper
Yara detected StormKitty Stealer
Behaviour
Behavior Graph (ID 405602, sample IMG_INVOICE_6628862572.exe, start date 06/05/2021, architecture WINDOWS, score 100):
  Sample-level signatures: Malicious sample detected (through community Yara rule); Yara detected StormKitty Stealer; Yara detected Generic Dropper; 5 other signatures
  IMG_INVOICE_6628862572.exe (started)
    dropped: C:\Users\user\AppData\...\l4h8izefa6.dll (PE32)
    signature: Maps a DLL or memory area into another process
    svchost.exe (started)
      network: secure.emailsrvr.com 173.203.187.10:465 (client port 49771, RACKSPACEUS, United States); 192.168.2.1 (unknown)
      signatures: System process connects to network (likely due to code injection or exploit); Sample uses process hollowing technique; Tries to steal Crypto Currency Wallets; Installs a global keyboard hook
      AppLaunch.exe (started)
        network: 146.215.12.0.in-addr.arpa (PTR lookup); icanhazip.com 104.22.19.188:80 (client port 49735, CLOUDFLARENETUS, United States); api.mylnikov.org 172.67.160.130:443 (client port 49737, CLOUDFLARENETUS, United States)
        signatures: Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines); May check the online IP address of the machine; Tries to steal Instant Messenger accounts or passwords; 2 other signatures
      InstallUtil.exe (started)
        network: api.anonfile.com 45.148.16.46:443 (client port 49762, OBE-EUROPEObenetworkEuropeSE, Sweden); anonfiles.com 104.21.60.53:443 (client port 49763, CLOUDFLARENETUS, United States)
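The process tree above is the useful part of the graph: the dropper starts svchost.exe directly (not under services.exe), that svchost.exe opens an SMTPS connection, and the .NET stubs AppLaunch.exe and InstallUtil.exe, which never need their own network traffic, talk to IP-lookup and file-hosting services. The following script is an added example, not part of the MalwareBazaar report or the sandbox's output: it rebuilds that tree from constructed process and connection records, then applies three Sigma-style checks (mis-parented svchost.exe, outbound traffic from a mis-parented system process or a hosted .NET stub, and any connection to an SMTP port). The expected-parent table, the set of hosted-runtime images and the control entries (a legitimate svchost.exe under services.exe talking to a TEST-NET address) are assumptions of this example.

```python
"""Lineage and network checks over a process tree (added example).

PROCESSES and CONNECTIONS are constructed to mirror the sandbox graph above,
plus a benign control svchost.exe; they are not the sandbox's own records.
"""
import ipaddress

# (pid, ppid, image name) -- constructed
PROCESSES = [
    (4, 0, "System"),
    (600, 4, "services.exe"),
    (900, 600, "svchost.exe"),                   # control: legitimate service host
    (3100, 2500, "IMG_INVOICE_6628862572.exe"),  # dropper, parent not in the table
    (3140, 3100, "svchost.exe"),                 # hollowed host
    (3180, 3140, "AppLaunch.exe"),
    (3200, 3140, "InstallUtil.exe"),
]
# (pid, destination host, destination IP, destination port) -- constructed
CONNECTIONS = [
    (900, "ctldl.windowsupdate.com", "203.0.113.10", 80),   # control, TEST-NET address
    (3140, "192.168.2.1", "192.168.2.1", 53),
    (3140, "secure.emailsrvr.com", "173.203.187.10", 465),
    (3180, "icanhazip.com", "104.22.19.188", 80),
    (3200, "anonfiles.com", "104.21.60.53", 443),
]

# Assumption of this example: parents under which svchost.exe is expected.
EXPECTED_PARENT = {"svchost.exe": {"services.exe", "msmpeng.exe"}}
# Assumption: .NET hosting stubs that have no business opening sockets themselves.
HOSTED_RUNTIMES = {"applaunch.exe", "installutil.exe", "regasm.exe", "regsvcs.exe"}
SMTP_PORTS = {25, 465, 587}


def _by_pid(procs):
    return {pid: (ppid, image.lower()) for pid, ppid, image in procs}


def lineage(procs, pid):
    """Image names from the oldest known ancestor down to pid."""
    table = _by_pid(procs)
    chain = []
    while pid in table:
        ppid, image = table[pid]
        chain.append(image)
        pid = ppid
    return list(reversed(chain))


def suspicious_svchost(procs):
    """'Suspicious Svchost Process': svchost.exe whose parent is not an expected host."""
    table = _by_pid(procs)
    hits = []
    for pid, ppid, _ in procs:
        image = table[pid][1]
        expected = EXPECTED_PARENT.get(image)
        if expected is None:
            continue
        parent_image = table.get(ppid, (None, "<unknown>"))[1]
        if parent_image not in expected:
            hits.append(pid)
    return hits


def system_process_network(procs, conns):
    """Non-private destinations reached by a mis-parented system process
    or by a hosted .NET stub; private addresses (the 192.168.2.1 DNS hop) are skipped."""
    table = _by_pid(procs)
    flagged = set(suspicious_svchost(procs))
    hits = []
    for pid, host, ip, port in conns:
        if ipaddress.ip_address(ip).is_private:
            continue
        image = table.get(pid, (None, ""))[1]
        if pid in flagged or image in HOSTED_RUNTIMES:
            hits.append((pid, image, host, port))
    return hits


def smtp_exfil(conns):
    """Any connection to an SMTP port: stealers commonly mail their loot."""
    return [(pid, host) for pid, host, _, port in conns if port in SMTP_PORTS]


if __name__ == "__main__":
    print("lineage of 3180:", " -> ".join(lineage(PROCESSES, 3180)))
    print("suspicious svchost:", suspicious_svchost(PROCESSES))
    print("system/hosted-stub network:", system_process_network(PROCESSES, CONNECTIONS))
    print("SMTP:", smtp_exfil(CONNECTIONS))
```

The lineage check is what turns a generic "svchost.exe connected to port 465" alert into a triage-ready one: the same connection from pid 900 (under services.exe) is deliberately not flagged. On a real endpoint, feed the functions Sysmon event 1 (process creation, with ParentImage) and event 3 (network connection) instead of the constructed lists.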
Result
Threat name: Win32.Trojan.AgentTesla
Status: Malicious
First seen: 2021-05-06 07:20:16 UTC
AV detection: 20 of 47 (42.55%)
Threat level: 5/5

Result
Malware family: stormkitty
Score: 10/10
Tags: family:stormkitty spyware stealer
Behaviour
Checks processor information in registry
Suspicious behavior: GetForegroundWindowSpam
Suspicious behavior: MapViewOfSection
Suspicious use of AdjustPrivilegeToken
Suspicious use of FindShellTrayWindow
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Suspicious use of SetThreadContext
Accesses cryptocurrency files/wallets, possible credential harvesting
Looks up external IP address via web service
Loads dropped DLL
Reads local data of messenger clients
StormKitty
StormKitty Payload
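The behaviour list above is the raw API view of what the first vendor called process hollowing and a global keyboard hook: WriteProcessMemory and SetThreadContext against a child that was started suspended, and SetWindowsHookEx with a keyboard hook type and thread id 0. The script below is an added example, not the sandbox's own detection logic; it parses a constructed API trace (format "<pid> <api> key=value ...", an assumption of this example) and flags both patterns, keeping a non-suspended CreateProcess plus a small WriteProcessMemory as a control that must not fire.

```python
"""Detect process hollowing and global keyboard hooks in a sandbox API trace (added example).

SAMPLE_TRACE is constructed for this example; it is not the sandbox output above.
"""
from collections import defaultdict

SAMPLE_TRACE = """\
1001 CreateProcessW image=C:\\Windows\\System32\\svchost.exe flags=0x4 child=1044
1001 NtUnmapViewOfSection target=1044
1001 WriteProcessMemory target=1044 size=237568
1001 SetThreadContext target=1044
1001 ResumeThread target=1044
1044 SetWindowsHookExW hook=WH_KEYBOARD_LL thread=0
1044 connect host=secure.emailsrvr.com port=465
2002 CreateProcessW image=C:\\Windows\\System32\\notepad.exe flags=0x0 child=2010
2002 WriteProcessMemory target=2010 size=16
"""

CREATE_SUSPENDED = 0x00000004          # dwCreationFlags bit
HOLLOW_STEPS = ("WriteProcessMemory", "SetThreadContext", "ResumeThread")
KEYBOARD_HOOKS = {"WH_KEYBOARD", "WH_KEYBOARD_LL"}


def parse_trace(text):
    """Return [(pid, api, {arg: value})] for each non-empty trace line."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        pid, api, *pairs = line.split()
        args = dict(p.split("=", 1) for p in pairs)
        events.append((int(pid), api, args))
    return events


def detect_hollowing(events):
    """Map (creator pid, child pid) -> APIs the creator used on a child it
    started suspended; kept only when write + SetThreadContext + ResumeThread
    all appear, which is the classic hollowing sequence."""
    suspended = {}                      # child pid -> creator pid
    touched = defaultdict(list)
    for pid, api, args in events:
        if api.startswith("CreateProcess"):
            if int(args.get("flags", "0"), 16) & CREATE_SUSPENDED:
                suspended[int(args["child"])] = pid
        elif "target" in args:
            target = int(args["target"])
            if suspended.get(target) == pid:
                touched[(pid, target)].append(api)
    return {k: v for k, v in touched.items() if all(s in v for s in HOLLOW_STEPS)}


def detect_global_keyboard_hook(events):
    """PIDs installing a keyboard hook with dwThreadId == 0 (all threads, i.e. system-wide)."""
    return [pid for pid, api, args in events
            if api.startswith("SetWindowsHookEx")
            and args.get("hook") in KEYBOARD_HOOKS
            and args.get("thread") == "0"]


if __name__ == "__main__":
    ev = parse_trace(SAMPLE_TRACE)
    print("hollowing:", detect_hollowing(ev))
    print("global keyboard hook by:", detect_global_keyboard_hook(ev))
```

Two caveats a practitioner will hit: a loader that injects via NtCreateSection/NtMapViewOfSection (the "MapViewOfSection" and "Maps a DLL or memory area into another process" findings above) never calls WriteProcessMemory, so a section-mapping variant needs its own check; and WH_KEYBOARD_LL with thread id 0 is also installed by input-method editors, accessibility tools and hotkey utilities, so the hook alone is a weak signal and gains weight only together with the injection and the credential-store reads.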
Unpacked files
SHA256 hash: 5781e8faaf89a54a859e346060b836bf0b4ee79d6af2d1d09a239bd6d5803cc6
MD5 hash: d9912a643a04b4665d01f4dbf631be56
SHA1 hash: d5f9fe1bfcd275e304cf13616e0b6f3ff7a09300

SHA256 hash: a98672cd9e7ea3c969d9cd5d2dd1f941e8a421fc3b8a8e8cebfa2f418550a2d2
MD5 hash: 15b5bb40a1bfaa661e6f0222df49d7d5
SHA1 hash: b12ec5870ed4874724270c9b540b9e1dbfb3e1a7

Please note that we are no longer able to provide a coverage score for Virus Total.

YARA Signatures


MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name: Email_stealer_bin_mem
Author: James_inthe_box
Description: Email in files like avemaria

Rule name: INDICATOR_SUSPICIOUS_Binary_References_Browsers
Author: ditekSHen
Description: Detects binaries (Windows and macOS) referencing many web browsers. Observed in information stealers.

Rule name: INDICATOR_SUSPICIOUS_EXE_References_Confidential_Data_Store
Author: ditekSHen
Description: Detects executables referencing many confidential data stores found in browsers, mail clients, cryptocurrency wallets, etc. Observed in information stealers.

Rule name: INDICATOR_SUSPICIOUS_EXE_References_CryptoWallets
Author: ditekSHen
Description: Detects executables referencing many cryptocurrency mining wallets or apps. Observed in information stealers.

Rule name: INDICATOR_SUSPICIOUS_EXE_Referenfces_Messaging_Clients
Author: ditekSHen
Description: Detects executables referencing many email and collaboration clients. Observed in information stealers.

Rule name: INDICATOR_SUSPICIOUS_Stomped_PECompilation_Timestamp_InTheFuture
Author: ditekSHen
Description: Detects executables with a stomped PE compilation timestamp that is greater than the local current time.

Rule name: INDICATOR_TOOL_PWS_SharpWeb
Author: ditekSHen
Description: Detects all versions of the browser password dumping .NET tool, SharpWeb.

Rule name: MALWARE_Win_StormKitty
Author: ditekSHen
Description: Detects StormKitty infostealer

Rule name: pe_imphash

Rule name: Quasar_RAT_1
Author: Florian Roth
Description: Detects Quasar RAT
Reference: https://www.pwc.co.uk/cyber-security/pdf/cloud-hopper-annex-b-final.pdf

Rule name: Select_from_enumeration
Author: James_inthe_box
Description: IP and port combo

Rule name: Skystars_Malware_Imphash
Author: Skystars LightDefender
Description: imphash

Rule name: Stealer_word_in_memory
Author: James_inthe_box
Description: The actual word stealer in memory
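Most of the rules above key on strings (browser, wallet and messenger names). The timestamp rule is different: it reads the COFF header's TimeDateStamp and compares it with the clock. The script below is an added example of that check in plain Python, not ditekSHen's rule: it locates the PE header through e_lfanew, reads the stamp with struct, and treats anything later than now plus a day of slack as stomped (the slack is an assumption of this example; the YARA rule compares against the bare current time). build_stub_pe() fabricates a header-only image so the check runs offline; it is not a loadable executable.

```python
"""Check a PE's COFF TimeDateStamp against the current clock (added example).

build_stub_pe() constructs a DOS header + PE signature + COFF header only,
enough for the check and nothing more.
"""
import struct
import time


def build_stub_pe(timestamp, machine=0x014C):
    """Constructed image: DOS header with e_lfanew = 0x80, then 'PE\\0\\0' + 20-byte COFF header."""
    dos = bytearray(0x80)
    dos[0:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, 0x80)   # e_lfanew -> PE signature offset
    coff = struct.pack(
        "<HHIIIHH",
        machine,     # Machine (0x14C = i386)
        1,           # NumberOfSections
        timestamp,   # TimeDateStamp, seconds since 1970-01-01 UTC
        0, 0,        # PointerToSymbolTable, NumberOfSymbols
        0xE0,        # SizeOfOptionalHeader (PE32)
        0x0102,      # Characteristics: EXECUTABLE_IMAGE | 32BIT_MACHINE
    )
    return bytes(dos) + b"PE\0\0" + coff


def pe_compile_timestamp(data):
    """Return the COFF TimeDateStamp after validating the MZ and PE signatures."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        raise ValueError("not an MZ image")
    (e_lfanew,) = struct.unpack_from("<I", data, 0x3C)
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("PE signature not found at e_lfanew")
    # signature(4) + Machine(2) + NumberOfSections(2) = 8 bytes before the stamp
    (ts,) = struct.unpack_from("<I", data, e_lfanew + 8)
    return ts


def timestamp_in_future(data, now=None, slack=24 * 3600):
    """True when the stamp is later than now + slack (slack absorbs clock skew)."""
    now = int(time.time()) if now is None else now
    return pe_compile_timestamp(data) > now + slack


if __name__ == "__main__":
    for stamp in (1620000000, 4000000000):
        img = build_stub_pe(stamp)
        print(hex(stamp), time.strftime("%Y-%m-%d", time.gmtime(stamp)),
              "future" if timestamp_in_future(img) else "ok")
```

Read the result with one caveat in mind: StormKitty is a C#/.NET stealer, and .NET compilers building deterministically fill TimeDateStamp with a content hash rather than a real time, which routinely looks like a date decades away. A future stamp on a managed binary is therefore corroborating, not conclusive; on a native PE it is a much stronger hint that the header was edited.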

File information


The table below shows additional information about this malware sample such as delivery method and external references.

Comments



a̵c̵c̸i̵d̷e̵n̷t̴a̷l̴r̵e̷b̸e̴l̸ commented on 2021-05-06 08:07:27 UTC

============================================================
MBC behaviors list (github.com/accidentalrebel/mbcscan):
============================================================
0) [B0001.032] Anti-Behavioral Analysis::Timing/Delay Check GetTickCount
1) [C0032.001] Data Micro-objective::CRC32::Checksum
2) [C0026.002] Data Micro-objective::XOR::Encode Data
5) [C0045] File System Micro-objective::Copy File
6) [C0046] File System Micro-objective::Create Directory
7) [C0048] File System Micro-objective::Delete Directory
8) [C0047] File System Micro-objective::Delete File
9) [C0049] File System Micro-objective::Get File Attributes
10) [C0051] File System Micro-objective::Read File
11) [C0050] File System Micro-objective::Set File Attributes
12) [C0052] File System Micro-objective::Writes File
13) [E1510] Impact::Clipboard Modification
14) [C0034.001] Operating System Micro-objective::Set Variable::Environment Variable
15) [C0036.004] Operating System Micro-objective::Create Registry Key::Registry
16) [C0036.002] Operating System Micro-objective::Delete Registry Key::Registry
17) [C0036.007] Operating System Micro-objective::Delete Registry Value::Registry
18) [C0036.003] Operating System Micro-objective::Open Registry Key::Registry
19) [C0036.005] Operating System Micro-objective::Query Registry Key::Registry
20) [C0036.006] Operating System Micro-objective::Query Registry Value::Registry
21) [C0036.001] Operating System Micro-objective::Set Registry Key::Registry
22) [C0017] Process Micro-objective::Create Process
23) [C0038] Process Micro-objective::Create Thread
24) [C0018] Process Micro-objective::Terminate Process