MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 cd38bbc0668699fe1761de97d8dd736321a219e5cf99767bb1f0dd81a2c03bcc. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


StormKitty


Vendor detections: 13


Intelligence 13 IOCs YARA 2 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: cd38bbc0668699fe1761de97d8dd736321a219e5cf99767bb1f0dd81a2c03bcc
SHA3-384 hash: 6326d49d66607a04bf51586c6f2f44b05d473f0e411ef014aa618b2faf0c915d3fa83fd7625e803bad75adc3aad80b53
SHA1 hash: e7a80eac4bcc6fbc8e7781d0f62d6807edbf3baf
MD5 hash: da1eb258ebce6a56bb005da137e7ad39
humanhash: arkansas-colorado-ceiling-mexico
File name:41570002689_20220922_05393480_HesapOzeti.exe
Download: download sample
Signature StormKitty
Create hunting rule
File size:888'832 bytes
First seen:2022-09-22 10:31:51 UTC
Last seen:2022-09-25 17:53:53 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'649 x AgentTesla, 19'461 x Formbook, 12'202 x SnakeKeylogger)
ssdeep 12288:klDZQS57JF2fvAcxD9E0QaBNj6iumhTh9GwKuCpcVz+RfwWbjvNYugmv9uE6kfYy:aZt7v2fvdbhBNjthT6WJVQLjz
Threatray 896 similar samples on MalwareBazaar
TLSH T19F159D693695668FC017DD7989E0DDB0A7686C63A217C28352C73C1FF86E6D6CB103A3
TrID 64.2% (.EXE) Generic CIL Executable (.NET, Mono, etc.) (73123/4/13)
11.5% (.SCR) Windows screen saver (13101/52/3)
9.2% (.EXE) Win64 Executable (generic) (10523/12/4)
5.7% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
3.9% (.EXE) Win32 Executable (generic) (4505/5/1)
File icon (PE):PE icon
dhash icon 3431365d4d5a6218 (8 x AgentTesla, 5 x StormKitty, 1 x Formbook)
Reporter abuse_ch
Tags:exe geo StormKitty TUR

Intelligence

File Origin
# of uploads :
2
# of downloads :
283
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
quasar
Create hunting rule
ID:
1
File name:
41570002689_20220922_05393480_HesapOzeti.exe
Verdict:
Malicious activity
Analysis date:
2022-09-22 10:35:18 UTC
Tags:
evasion stealer quasar
Link:
https://app.any.run/tasks/01666263-33c3-4825-a06a-c4aad223c1da

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/312310/
Detection(s):
SecuriteInfo.com.Win32.PWSX-gen.3126.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Searching for the window
Creating a window
Launching a process
Creating a process with a hidden window
Verdict:
No Threat
Threat level:
  2/10
Confidence:
100%
Tags:
packed
Link:
https://www.filescan.io/uploads/632c39eb39767769653c028c/reports/dfc50278-c49a-4887-a915-e5870b86a479/overview
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Verdict:
Unknown
Link:
https://analyze.intezer.com/analyses/5b16c8ad-86a0-4ab7-945d-0320fccc455b
Result
Threat name:
BluStealer, DarkCloud, SpyEx, StormKitty
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1075187
Signature
Adds a directory exclusion to Windows Defender
Allocates memory in foreign processes
Injects a PE file into a foreign processes
Machine Learning detection for dropped file
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
May check the online IP address of the machine
Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)
Sigma detected: Scheduled temp file as task from temp location
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to harvest and steal browser information (history, passwords, etc)
Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)
Tries to steal Mail credentials (via file / registry access)
Uses schtasks.exe or at.exe to add and modify task schedules
Writes to foreign memory regions
Yara detected AntiVM3
Yara detected BluStealer
Yara detected DarkCloud
Yara detected Generic Downloader
Yara detected SpyEx stealer
Yara detected StormKitty Stealer
Yara detected Telegram RAT
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 707733 Sample: 41570002689_20220922_053934... Startdate: 22/09/2022 Architecture: WINDOWS Score: 100 38 Malicious sample detected (through community Yara rule) 2->38 40 Sigma detected: Scheduled temp file as task from temp location 2->40 42 Yara detected DarkCloud 2->42 44 9 other signatures 2->44 7 41570002689_20220922_05393480_HesapOzeti.exe 7 2->7         started        process3 file4 26 C:\Users\user\AppData\Roaming\kXeGkF.exe, PE32 7->26 dropped 28 C:\Users\user\...\kXeGkF.exe:Zone.Identifier, ASCII 7->28 dropped 30 C:\Users\user\AppData\Local\...\tmpED97.tmp, XML 7->30 dropped 32 41570002689_202209..._HesapOzeti.exe.log, ASCII 7->32 dropped 54 Uses schtasks.exe or at.exe to add and modify task schedules 7->54 56 Adds a directory exclusion to Windows Defender 7->56 11 41570002689_20220922_05393480_HesapOzeti.exe 1 7->11         started        14 powershell.exe 20 7->14         started        16 schtasks.exe 1 7->16         started        signatures5 process6 signatures7 58 Writes to foreign memory regions 11->58 60 Allocates memory in foreign processes 11->60 62 Injects a PE file into a foreign processes 11->62 18 AppLaunch.exe 15 3 11->18         started        22 conhost.exe 14->22         started        24 conhost.exe 16->24         started        process8 dnsIp9 34 icanhazip.com 104.18.115.97, 49702, 80 CLOUDFLARENETUS United States 18->34 36 55.235.10.0.in-addr.arpa 18->36 46 Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc) 18->46 48 Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines) 18->48 50 May check the online IP address of the machine 18->50 52 2 other signatures 18->52 signatures10
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/cd38bbc0668699fe1761de97d8dd736321a219e5cf99767bb1f0dd81a2c03bcc/
Threat name:
ByteCode-MSIL.Trojan.AgentTesla
Create hunting rule
Status:
Malicious
First seen:
2022-09-22 10:32:10 UTC
File Type:
PE (.Net Exe)
Extracted files:
22
AV detection:
20 of 26 (76.92%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=zu4lxqdgq2m74f3b32l5rxltmmq2egpfz6mxm65r6doydiwahpga._file
Verdict:
malicious
Similar samples:
02a1835ea805bb1a6ca8d1706fa5a811279ec3fcb1524eb83cfa60f0314cf0dd
StormKitty
3e1cab8195206e7bf50b34dde56656e54ab25af5fe4136f1f76fc60f7664fd79
StormKitty
3e2842c40ff26c60b69e08934b9b80fefe0cd2d091fbd6fa91a2b97f3487137c
StormKitty
8d2a3a13d533b4814c2717a0cae7c17582130b1fa4451f3d64c1df35e6d69ed9
StormKitty
a29933d22324521ab3f6fccd48df10ae472f62e73ada2f6550d971322594e071
StormKitty
beb46012919018735132f1ca08c31ac870b2be20e97a4b3fac463616c5504fa0
StormKitty
d361d688e58fafb99967afc805bd203c1f743a113b8c76c7e94b2960f40b285d
StormKitty
e1f1f72698aa8762305e8d324a04608fda13f7a416f2a5a7fcbad843cff138cc
StormKitty
+ 886 additional samples on MalwareBazaar
Result
Malware family:
stormkitty
Create hunting rule
Score:
  10/10
Tags:
family:blustealer family:stormkitty collection stealer
Link:
https://tria.ge/reports/220922-mkyf3sehgm/
Behaviour
Checks processor information in registry
Creates scheduled task(s)
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: GetForegroundWindowSpam
Suspicious use of AdjustPrivilegeToken
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
outlook_office_path
outlook_win_path
Enumerates physical storage devices
Suspicious use of SetThreadContext
Accesses Microsoft Outlook profiles
Looks up external IP address via web service
Checks computer location settings
BluStealer
StormKitty
StormKitty payload
Malware Config
C2 Extraction:
https://api.telegram.org/bot5412597166:AAGUaWxuTxxhNb-NRhiURcTMzuW9nhGoEs/sendMessage?chat_id=932962718
Verdict:
Suspicious
Tags:
n/a
YARA:
n/a
Link:
https://app.threat.zone/submission/f585a723-5930-401d-b0ff-8c11aa95439e
Unpacked files
SH256 hash:
2470b39032f6182252039c88199016566b0de30c6aa02163a143427afedd12af
MD5 hash:
c3a1924684ca30ed22234ce1d9111dfc
SHA1 hash:
7347706241422758c06440fd6044ae4e042b456b
Link:
https://www.unpac.me/results/2134d3fc-245b-490b-ac73-457929b95917/
SH256 hash:
80183887dbbfaad672e8fa3c839289952d4babfce6ebe1c2cbecf9a43cd08ef8
MD5 hash:
ae9ed1f4c4d1a28b8f590d5872fb8242
SHA1 hash:
2f4de5eeb68f3037246833f5d102db8fb160e178
Link:
https://www.unpac.me/results/2134d3fc-245b-490b-ac73-457929b95917/
SH256 hash:
edadc813f4440ada276da601d8f31780e5e138b8ee392e3f49a509322a1fb51e
MD5 hash:
574597554c69083c1af2b742a97a92b6
SHA1 hash:
043eea660b8650c5a0042f842fd8db3516d37a2c
Link:
https://www.unpac.me/results/2134d3fc-245b-490b-ac73-457929b95917/
SH256 hash:
cd38bbc0668699fe1761de97d8dd736321a219e5cf99767bb1f0dd81a2c03bcc
MD5 hash:
da1eb258ebce6a56bb005da137e7ad39
SHA1 hash:
e7a80eac4bcc6fbc8e7781d0f62d6807edbf3baf
Link:
https://www.unpac.me/results/2134d3fc-245b-490b-ac73-457929b95917/
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/_mb/cd38bbc06686/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
iSpy Keylogger
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/cd38bbc0668699fe1761de97d8dd736321a219e5cf99767bb1f0dd81a2c03bcc

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:pe_imphash
Create hunting rule
Rule name:Skystars_Malware_Imphash
Create hunting rule
Author:Skystars LightDefender
Description:imphash

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape
Cape
https://www.capesandbox.com/analysis/312310/

Comments