MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 ae66143bb6965a7f1122c8eb776085ce679d038b8dd886f954ecd5e45aff4664. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

StormKitty

Vendor detections: 8

Intelligence 8 IOCs YARA 11 File information Comments

SHA256 hash:	ae66143bb6965a7f1122c8eb776085ce679d038b8dd886f954ecd5e45aff4664
SHA3-384 hash:	f4c7ea7c3c4256d106675073bb6d51e2d1ba5f83696c3cff78435e0488e5f98641e6342c2c741cbfc0d28c1b354bdfb1
SHA1 hash:	9408ef4871be3f46b343216cb0a8ed89ed9fd362
MD5 hash:	e2f4185f3f604fb455eecdc7335ba789
humanhash:	twelve-four-hamper-autumn
File name:	456.exe
Download:	download sample
Signature	StormKitty Create hunting rule
File size:	335'908 bytes
First seen:	2021-05-05 12:55:39 UTC
Last seen:	Never
File type:	exe
MIME type:	application/x-dosexec
imphash	ea4e67a31ace1a72683a99b80cf37830 (70 x Formbook, 63 x GuLoader, 54 x Loki)
ssdeep	6144:APX229SuE7v5dkKXo4UDbwjyG+P4lQs0DlxZL+D5:l291E7xdkGPjUP5ti1
Threatray	5'202 similar samples on MalwareBazaar
TLSH	776412A85616C0E7CB0342B11D7D2613AFAC8A0521D65247B7A0F75D77EB9E78C0FAC2
Reporter	abuse_ch
Tags:	exe StormKitty

Intelligence

File Origin

# of uploads :

# of downloads :

138

Origin country :

n/a

Vendor Threat Intelligence

Detection:

StormKitty

Link:

https://www.capesandbox.com/analysis/150605/

Detection(s):

SecuriteInfo.com.W32.AIDetect.malware2.15528.UNOFFICIAL

Result

Verdict:

Malware

Maliciousness:

Behaviour

Creating a file in the %temp% directory

Creating a file

Sending a UDP request

Creating a file in the %AppData% subdirectories

Creating a window

Setting a keyboard event handler

Launching a process

Reading critical registry keys

Using the Windows Management Instrumentation requests

DNS request

Sending an HTTP GET request

Sending a custom TCP request

Creating a process from a recently created file

Creating a process with a hidden window

Deleting a recently created file

Enabling autorun with the standard Software\Microsoft\Windows\CurrentVersion\Run registry branch

Unauthorized injection to a recently created process

Unauthorized injection to a system process

Result

Verdict:

MALICIOUS

Details

Windows PE Executable

Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.

Detection:

n/a

Link:

https://mwdb.cert.pl/sample/ae66143bb6965a7f1122c8eb776085ce679d038b8dd886f954ecd5e45aff4664/

Threat name:

Win32.Trojan.AgentTesla

Status:

Malicious

First seen:

2021-05-05 12:56:10 UTC

AV detection:

17 of 47 (36.17%)

Threat level:

5/5

Detection(s):

Suspicious file

Link:

https://check.spamhaus.org/check/?searchterm=vztbio5wsznh6ejczdvxoyefzztz2a4lrxmin6ku5tk6iwx7izsa._file

Verdict:

unknown

StormKitty

0f97e6f8d53f551a068c3651d0c684f2813ff870b5cad591d536342aaf46a38f

StormKitty

11db354a5d6b15b2aad9747f275e846283c9024a434d2f288e95abfd3ec7dfd7

StormKitty

222386adc9e4c25fd36319d0ad90f5e9eca14aa8cf3b3f3425dcb60a5fea4b30

StormKitty

3693a93f4ddbfa1eb9207e06cf87041b59b9b1ddfd866e6fbbbb52aaeae7ed83

StormKitty

4a91d67fc60a86db3fca975f88a5323819d92d5421be279751f29c8cf6a3f4d0

StormKitty

77d69fc2f79de7f28dfe67e4cb6b7fa1e994a2a16831fd918d3dca53a523f2c1

StormKitty

ca5c84227de65ec7edf59848ac42f0558f11f9148196814d194570ef1e30dc83

StormKitty

d814af14bc2fb8e5a66fd36a327eaadaea29269967ed6af99dc7c9ff3f7b8f28

StormKitty

ed84be93b1bea6a1d4ed1e30d7d232d2bc6e85c480535f0b3dd94beccb2bf292

StormKitty

+ 5'192 additional samples on MalwareBazaar

Result

Malware family:

stormkitty

Score:

10/10

Tags:

family:stormkitty persistence spyware stealer

Link:

https://tria.ge/reports/210505-dag476kqej/

Behaviour

Checks processor information in registry

Suspicious behavior: EnumeratesProcesses

Suspicious behavior: GetForegroundWindowSpam

Suspicious behavior: MapViewOfSection

Suspicious use of AdjustPrivilegeToken

Suspicious use of SetWindowsHookEx

Suspicious use of WriteProcessMemory

Enumerates physical storage devices

Suspicious use of SetThreadContext

Adds Run key to start application

Looks up external IP address via web service

Loads dropped DLL

Reads local data of messenger clients

Reads user/profile data of web browsers

Executes dropped EXE

StormKitty

StormKitty Payload

Unpacked files

SH256 hash:

14b640780d92412c8ad2e3a759dd6535e345086c0b4d81e05da0fef2cea1846b

MD5 hash:

00e0bc958b7dea7ad118b5a8027a6f99

SHA1 hash:

46c09b6fdcbed184a3f78ebc408fbea1a544795e

Link:

https://www.unpac.me/results/16ec6ac2-d0ce-4ead-93e3-78ef496eb8a4/

SH256 hash:

ae66143bb6965a7f1122c8eb776085ce679d038b8dd886f954ecd5e45aff4664

MD5 hash:

e2f4185f3f604fb455eecdc7335ba789

SHA1 hash:

9408ef4871be3f46b343216cb0a8ed89ed9fd362

Link:

https://www.unpac.me/results/16ec6ac2-d0ce-4ead-93e3-78ef496eb8a4/

Please note that we are no longer able to provide a coverage score for Virus Total.

Threat name:

Malicious File

Score:

1.00

Link:

https://yomi.yoroi.company/submissions/ae66143bb6965a7f1122c8eb776085ce679d038b8dd886f954ecd5e45aff4664

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:	Email_stealer_bin_mem Create hunting rule
Author:	James_inthe_box
Description:	Email in files like avemaria

Rule name:	INDICATOR_SUSPICIOUS_Binary_References_Browsers Create hunting rule
Author:	ditekSHen
Description:	Detects binaries (Windows and macOS) referencing many web browsers. Observed in information stealers.

Rule name:	INDICATOR_SUSPICIOUS_EXE_References_Confidential_Data_Store Create hunting rule
Author:	ditekSHen
Description:	Detects executables referencing many confidential data stores found in browsers, mail clients, cryptocurreny wallets, etc. Observed in information stealers

Rule name:	INDICATOR_SUSPICIOUS_EXE_Referenfces_Messaging_Clients Create hunting rule
Author:	ditekSHen
Description:	Detects executables referencing many email and collaboration clients. Observed in information stealers

Rule name:	INDICATOR_SUSPICIOUS_Stomped_PECompilation_Timestamp_InTheFuture Create hunting rule
Author:	ditekSHen
Description:	Detect executables with stomped PE compilation timestamp that is greater than local current time

Rule name:	MALWARE_Win_StormKitty Create hunting rule
Author:	ditekSHen
Description:	Detects StormKitty infostealer

Rule name:	pe_imphash Create hunting rule

Rule name:	Quasar_RAT_1 Create hunting rule
Author:	Florian Roth
Description:	Detects Quasar RAT
Reference:	https://www.pwc.co.uk/cyber-security/pdf/cloud-hopper-annex-b-final.pdf

Rule name:	Select_from_enumeration Create hunting rule
Author:	James_inthe_box
Description:	IP and port combo

Rule name:	Skystars_Malware_Imphash Create hunting rule
Author:	Skystars LightDefender
Description:	imphash

Rule name:	Stealer_word_in_memory Create hunting rule
Author:	James_inthe_box
Description:	The actual word stealer in memory

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape

https://www.capesandbox.com/analysis/150605/

Comments

Login required

You need to login to in order to write a comment. Login with your abuse.ch account.

No comments found for this malware sample