MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 ab9c917e122563e1c30825d5630c74a667f559112924c9bae5b04456073131ca. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


StormKitty


Vendor detections: 14


Intelligence 14 IOCs YARA 2 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: ab9c917e122563e1c30825d5630c74a667f559112924c9bae5b04456073131ca
SHA3-384 hash: fc79ce6568d7212e17b17113872cb83f4ca411d8995151306cd8df69bb0498f23113939247f0eaed9f7a19349939fe18
SHA1 hash: 8f189fbf88b37f162621a2c9ff9beccbc9ca89dd
MD5 hash: f0488ee0a101d9010d402e60f9ee6488
humanhash: july-massachusetts-one-mike
File name:Shipping Documents.pdf.exe
Download: download sample
Signature StormKitty
Create hunting rule
File size:562'176 bytes
First seen:2023-04-18 11:33:16 UTC
Last seen:2023-04-20 13:53:03 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'740 x AgentTesla, 19'597 x Formbook, 12'241 x SnakeKeylogger)
ssdeep 12288:POnbqjcg9rDzcHeDgOJitLGEqzqqqYT7Yzu0fRCCJ:PJhpfhNidGtzqqqKdu
Threatray 192 similar samples on MalwareBazaar
TLSH T191C4D029D135ADF2E6AD0A76000039DDDF70A2E37473C63C0BA678DA9BAE7552D841C7
TrID 63.0% (.EXE) Generic CIL Executable (.NET, Mono, etc.) (73123/4/13)
11.2% (.SCR) Windows screen saver (13097/50/3)
9.0% (.EXE) Win64 Executable (generic) (10523/12/4)
5.6% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
3.8% (.EXE) Win32 Executable (generic) (4505/5/1)
Reporter abuse_ch
Tags:exe StormKitty

Intelligence

File Origin
# of uploads :
2
# of downloads :
228
Origin country :
NL NL
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
Shipping Documents.pdf.exe
Verdict:
Malicious activity
Analysis date:
2023-04-18 11:33:32 UTC
Tags:
snake keylogger trojan evasion
Link:
https://app.any.run/tasks/8c4bd847-6477-40c4-a9ad-1a366cfa3d4e

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
Snake
Create hunting rule
Link:
https://www.capesandbox.com/analysis/382995/
Detection(s):
Sanesecurity.Malware.28872.BadIN4.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Searching for the window
Creating a window
Launching a process
Creating a process with a hidden window
Verdict:
Likely Malicious
Threat level:
  7.5/10
Confidence:
100%
Tags:
packed
Link:
https://www.filescan.io/uploads/643e802d48716a65fb204c42/reports/60d75cc0-66a7-4312-9a82-9bfa5c9a34e5/overview
Verdict:
Malicious
Labled as:
Win/malicious_confidence_100%
Link:
https://www.hybrid-analysis.com/sample/ab9c917e122563e1c30825d5630c74a667f559112924c9bae5b04456073131ca
Result
Verdict:
UNKNOWN
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
Snake Keylogger
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/a60fa947-995b-4f25-bac9-0e39d8e12b6c
Result
Threat name:
Snake Keylogger, StormKitty
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1215886
Signature
.NET source code contains potential unpacker
Adds a directory exclusion to Windows Defender
Found malware configuration
Initial sample is a PE file and has a suspicious name
Injects a PE file into a foreign processes
Machine Learning detection for dropped file
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
May check the online IP address of the machine
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Sigma detected: Scheduled temp file as task from temp location
Snort IDS alert for network traffic
Tries to harvest and steal browser information (history, passwords, etc)
Tries to steal Mail credentials (via file / registry access)
Uses an obfuscated file name to hide its real file extension (double extension)
Uses schtasks.exe or at.exe to add and modify task schedules
Uses the Telegram API (likely for C&C communication)
Yara detected Generic Downloader
Yara detected Snake Keylogger
Yara detected StormKitty Stealer
Yara detected Telegram RAT
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 848813 Sample: Shipping_Documents.pdf.exe Startdate: 18/04/2023 Architecture: WINDOWS Score: 100 44 checkip.dyndns.org 2->44 46 checkip.dyndns.com 2->46 58 Snort IDS alert for network traffic 2->58 60 Found malware configuration 2->60 62 Malicious sample detected (through community Yara rule) 2->62 64 12 other signatures 2->64 8 Shipping_Documents.pdf.exe 7 2->8         started        12 iHvQVNENgzR.exe 5 2->12         started        signatures3 process4 file5 36 C:\Users\user\AppData\...\iHvQVNENgzR.exe, PE32 8->36 dropped 38 C:\Users\...\iHvQVNENgzR.exe:Zone.Identifier, ASCII 8->38 dropped 40 C:\Users\user\AppData\Local\...\tmp5024.tmp, XML 8->40 dropped 42 C:\Users\...\Shipping_Documents.pdf.exe.log, ASCII 8->42 dropped 66 May check the online IP address of the machine 8->66 68 Uses schtasks.exe or at.exe to add and modify task schedules 8->68 70 Adds a directory exclusion to Windows Defender 8->70 14 Shipping_Documents.pdf.exe 15 2 8->14         started        18 powershell.exe 21 8->18         started        20 powershell.exe 21 8->20         started        26 2 other processes 8->26 72 Multi AV Scanner detection for dropped file 12->72 74 Machine Learning detection for dropped file 12->74 76 Injects a PE file into a foreign processes 12->76 22 iHvQVNENgzR.exe 12->22         started        24 schtasks.exe 12->24         started        signatures6 process7 dnsIp8 48 checkip.dyndns.com 132.226.8.169, 49700, 80 UTMEMUS United States 14->48 50 checkip.dyndns.org 14->50 56 2 other IPs or domains 14->56 28 conhost.exe 18->28         started        30 conhost.exe 20->30         started        52 132.226.247.73, 49702, 80 UTMEMUS United States 22->52 54 checkip.dyndns.org 22->54 78 Tries to steal Mail credentials (via file / registry access) 22->78 80 Tries to harvest and steal browser information (history, passwords, etc) 22->80 32 conhost.exe 24->32         started        34 conhost.exe 26->34         started        signatures9 process10
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/ab9c917e122563e1c30825d5630c74a667f559112924c9bae5b04456073131ca/
Threat name:
Win32.Trojan.Leonem
Create hunting rule
Status:
Malicious
First seen:
2023-04-18 07:05:16 UTC
File Type:
PE (.Net Exe)
Extracted files:
7
AV detection:
16 of 24 (66.67%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=voojc7qsevr6dqyiexkwgdduuzt7kwirfesmtoxfwbcfmbzrghfa._file
Verdict:
malicious
Similar samples:
1e73aae6a487b8bd66f0faf160523ff271831de6039de29b5e93289bab655382
StormKitty
5088e12afee933210f05783a3a9fe64d8491142988107daa84c3628f79af185a
StormKitty
52208dce9b01e32cd33278444f09b15ba8163a919c73d3d5e33401ce6520c7d2
StormKitty
80d1e76ebf4aa4d65e93a673bc3fc94fc6b36d507f4ca0f63c7863282b5e723d
StormKitty
8c3a54283aca092b244c89ebb641bb372808b3e51b752936dfbea95dc32eeb95
StormKitty
cfe9a5c61a337677133e024d05f571e038c970fac99e7a9c4c96a6f13d1d0d84
StormKitty
d298c16cc5f3bc92be81294b9d7b4b23d1be22742956b824dac7dc109dde7e35
StormKitty
ee79d711f50c08fc3f58d643b0974e2030d5f6f0479a5e000eaef3940f099636
StormKitty
f128c12c1f7a5f1d321e716497c03def8bc09e6efb47fa900f134a81559d3ffa
StormKitty
fe67815ee34cf630592fdbbcdc8e18b460b6dcaf6cbfb4bce9c5d7d4c453e491
StormKitty
+ 182 additional samples on MalwareBazaar
Result
Malware family:
stormkitty
Create hunting rule
Score:
  10/10
Tags:
family:snakekeylogger family:stormkitty collection keylogger spyware stealer
Link:
https://tria.ge/reports/230418-npgjssch3t/
Behaviour
Creates scheduled task(s)
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
outlook_office_path
outlook_win_path
Enumerates physical storage devices
Suspicious use of SetThreadContext
Accesses Microsoft Outlook profiles
Looks up external IP address via web service
Checks computer location settings
Reads user/profile data of web browsers
Snake Keylogger
Snake Keylogger payload
StormKitty
StormKitty payload
Malware Config
C2 Extraction:
https://api.telegram.org/bot6029559841:AAEqr8_NCfqapJgAzw8PoPbqoCosnsk1VO0/sendMessage?chat_id=6033043077
Unpacked files
SH256 hash:
98fd9397d874c45f71972e9d2e2fb5aa6994770e82031bf3bdfeaa4413b27811
MD5 hash:
866ca10ba59a4542850df2b41701e1a1
SHA1 hash:
e13b14c173fc685ff607c17129521a13d17860ff
Link:
https://www.unpac.me/results/25a1a7a5-1b7b-4e2d-9ac3-c77ad4a58699/
SH256 hash:
0fd1f00d94aff36ad8f02077efb33ddf269985ea37038aae554ff6202fdc020f
MD5 hash:
8dfd8e44c82066f4aeeff652fa2a33c5
SHA1 hash:
b844952e48ecab0e7ab2e3d5e38a20629399f94c
Link:
https://www.unpac.me/results/25a1a7a5-1b7b-4e2d-9ac3-c77ad4a58699/
SH256 hash:
40c050c20d957d26b932faf690f9c2933a194aa6607220103ec798f46ac03403
MD5 hash:
c768bac25fc6f0551a11310e7caba8d5
SHA1 hash:
95f9195e959fb48277c95d1dd1c97a4edff7cb3a
Link:
https://www.unpac.me/results/25a1a7a5-1b7b-4e2d-9ac3-c77ad4a58699/
SH256 hash:
9715f9c6d52ef05dd9849b8794b1cdb9b01a428d1def4218d3c84428685e5978
MD5 hash:
614f5d65d63e8c11790dd947e5e3fba7
SHA1 hash:
51854a5f8b98b40b6179489d487b0561a019ebb7
Link:
https://www.unpac.me/results/25a1a7a5-1b7b-4e2d-9ac3-c77ad4a58699/
SH256 hash:
b7a96333a6c25856272fe11630d560a2657e17adfe291f3fd0a0124d5b7cfaaf
MD5 hash:
be431dba0ba422997a0e3d2cb30e7f8a
SHA1 hash:
4de5a3f0c52abdf440d80bf6d5faa3f0220209fc
Detections:
snake_keylogger
Create hunting rule
Link:
https://www.unpac.me/results/25a1a7a5-1b7b-4e2d-9ac3-c77ad4a58699/
Parent samples :
ab9c917e122563e1c30825d5630c74a667f559112924c9bae5b04456073131ca
39f277905df11e6a2050a482ecd4f274e4dc8a1fd3e936dd5f3cc4b6b9841dfc
b7a96333a6c25856272fe11630d560a2657e17adfe291f3fd0a0124d5b7cfaaf
21777e7d8c275e5e9fc22a08172bfd5b9872340f46523df83bf2dd7a4b611dd2
ae5276221d11792a6242379a4111aa92c79256724b593408e8a02b585279b94e
a44320330ed902d953b355c6f795742ff5f0c0f0548ded9cb2e5edfd7e255502
fa7d933860e3500a28e659fcdf620b877bc3ddf20b8b99ccadfd261219492d4a
de567e5c1f4968bfb083ffcb111e1d0613780a47c58767af65fbd90c27507b4b
SH256 hash:
ab9c917e122563e1c30825d5630c74a667f559112924c9bae5b04456073131ca
MD5 hash:
f0488ee0a101d9010d402e60f9ee6488
SHA1 hash:
8f189fbf88b37f162621a2c9ff9beccbc9ca89dd
Link:
https://www.unpac.me/results/25a1a7a5-1b7b-4e2d-9ac3-c77ad4a58699/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/ab9c917e122563e1c30825d5630c74a667f559112924c9bae5b04456073131ca

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:pe_imphash
Create hunting rule
Rule name:Skystars_Malware_Imphash
Create hunting rule
Author:Skystars LightDefender
Description:imphash

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

StormKitty

Executable exe ab9c917e122563e1c30825d5630c74a667f559112924c9bae5b04456073131ca

(this sample)

  
Delivery method
Distributed via e-mail attachment
Cape
Cape
https://www.capesandbox.com/analysis/382995/

Comments