MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 d50091f2f374614a00ae73f14dabf529e887e1729da0903f59a09739f4c37e8d. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


StormKitty


Vendor detections: 9


Intelligence 9 IOCs YARA 4 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: d50091f2f374614a00ae73f14dabf529e887e1729da0903f59a09739f4c37e8d
SHA3-384 hash: f65a540ae20466f17a1437bf153a0e8d59578d8c387e92aca885541d395569edeacc4e97b44304d6f992ecf5a7469eaf
SHA1 hash: 68c6df8e09222ae9d6df0e276bbc67389ce51e7a
MD5 hash: 9c352057471512025b97b4b824bdd553
humanhash: bravo-black-jupiter-moon
File name:TRANSFERIR COPIA.exe
Download: download sample
Signature StormKitty
Create hunting rule
File size:345'584 bytes
First seen:2022-10-04 12:50:00 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'740 x AgentTesla, 19'602 x Formbook, 12'241 x SnakeKeylogger)
ssdeep 3072:MKfM3NUHb17PyUN25RVvoyGDDcbly+shCHHS/eOPkNa971hEbaFSkjiRrP9Nq:MJUHb17KH5TQwXsoHyeGYa+
Threatray 52 similar samples on MalwareBazaar
TLSH T195749334A1F16AC9EA96CEB78E60E649FFE78C829941821ED17039F201337C4D5495FE
TrID 69.1% (.EXE) Generic CIL Executable (.NET, Mono, etc.) (73123/4/13)
9.9% (.EXE) Win64 Executable (generic) (10523/12/4)
6.2% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
4.7% (.EXE) Win16 NE executable (generic) (5038/12/1)
4.2% (.EXE) Win32 Executable (generic) (4505/5/1)
File icon (PE):PE icon
dhash icon 10808a8c8c8a8010 (77 x Formbook, 51 x AgentTesla, 44 x RemcosRAT)
Reporter malwarelabnet
Tags:BluStealer exe StormKitty

Intelligence

File Origin
# of uploads :
1
# of downloads :
279
Origin country :
n/a
Vendor Threat Intelligence
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/316520/
Detection(s):
Win.Dropper.LokiBot-9969312-0
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Searching for the window
Searching for synchronization primitives
Launching a process
Creating a file
Сreating synchronization primitives
Creating a window
Using the Windows Management Instrumentation requests
Reading critical registry keys
Query of malicious DNS domain
Stealing user critical data
Unauthorized injection to a system process
Sending an HTTP GET request to an infection source
Verdict:
Suspicious
Threat level:
  5/10
Confidence:
100%
Tags:
obfuscated overlay packed
Link:
https://www.filescan.io/uploads/633c2c011225171535537885/reports/ed4755a0-5cfe-4856-b83a-77b74c4d9221/overview
Result
Verdict:
UNKNOWN
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/aa879333-52e1-4398-97ee-fc8bc13654cf
Result
Threat name:
BluStealer, StormKitty
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1083772
Signature
.NET source code contains potential unpacker
.NET source code references suspicious native API functions
Allocates memory in foreign processes
Antivirus / Scanner detection for submitted sample
Found many strings related to Crypto-Wallets (likely being stolen)
Injects a PE file into a foreign processes
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
May check the online IP address of the machine
Multi AV Scanner detection for submitted file
Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)
Tries to harvest and steal browser information (history, passwords, etc)
Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)
Tries to steal Crypto Currency Wallets
Tries to steal Mail credentials (via file / registry access)
Writes to foreign memory regions
Yara detected BluStealer
Yara detected Generic Downloader
Yara detected StormKitty Stealer
Yara detected Telegram RAT
Behaviour
Behavior Graph:
Download SVG
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/d50091f2f374614a00ae73f14dabf529e887e1729da0903f59a09739f4c37e8d/
Threat name:
ByteCode-MSIL.Trojan.Pwsx
Create hunting rule
Status:
Malicious
First seen:
2022-10-04 12:50:19 UTC
File Type:
PE (.Net Exe)
Extracted files:
17
AV detection:
22 of 26 (84.62%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=2uajd4xtorquuafoopyu3k7vfhuipylstwqjap2zucltt5gdp2gq._file
Verdict:
malicious
Similar samples:
3aa7626c625be28b83463afd05ea7d530d1f88bda8eec08c457b39ab28d68965
StormKitty
3d70466e2cb7b2b051feb16750acb3b40af81f4595a0c0ffa865c13907820ca2
StormKitty
3de38766f1cab6abd8dc3927626542554e9b37f91ec16f6341e315a73a0aebf9
StormKitty
58bd321dd55e8d0d95a1dc5147329a08c64d91a6567d1ac8b4b7e2f1d5ee8803
StormKitty
6bbfa5ab7aa24cf9fe44b50930dc21142387d590c988004fdb0d3b40df3ed1fa
StormKitty
8c575aa5e93a77f506411780e84f57617a784605557c36053bc3535306509f03
StormKitty
a5e3197260ba1af2869c876321feddcaff9840446e5094d8e881e06732b27454
StormKitty
c4d1c39814d1e2d2aff5e0bd608585c6ff9c932c3480d73eb30310cf3c4be029
StormKitty
fad6952d13fe03d8e9a8f04e8168be03ce0b8deb45de91123fa82ff890aafc5f
StormKitty
+ 42 additional samples on MalwareBazaar
Result
Malware family:
stormkitty
Create hunting rule
Score:
  10/10
Tags:
family:blustealer family:stormkitty collection spyware stealer
Link:
https://tria.ge/reports/221004-p2xxzsahh5/
Behaviour
Checks processor information in registry
Suspicious use of AdjustPrivilegeToken
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
outlook_office_path
outlook_win_path
Suspicious use of SetThreadContext
Accesses Microsoft Outlook profiles
Accesses cryptocurrency files/wallets, possible credential harvesting
Looks up external IP address via web service
BluStealer
StormKitty
StormKitty payload
Malware Config
C2 Extraction:
https://api.telegram.org/bot5627356603:AAG-Mx0TbSHRRW6IwndrpX3VLZdhd6C-Zac/sendMessage?chat_id=5472437377
Verdict:
Malicious
Tags:
n/a
YARA:
n/a
Link:
https://app.threat.zone/submission/45c4fbd7-13b2-470e-82bc-1e7189847dab
Unpacked files
SH256 hash:
0e5227195e9d1a05ab468921089e31abce24707218d60b537632588a08180e8c
MD5 hash:
403fdf429b73646cf93564e9ba54a87f
SHA1 hash:
831dbea51781358d0e5cd4701bffbe7a08b18a34
Link:
https://www.unpac.me/results/112e3ea7-3d18-4573-9fba-077030205d08/
SH256 hash:
5fcd4e3a9fcbd19f89d73919311d52abdcf95994123942ac533e60a9f198e1d6
MD5 hash:
21080c64225c8f730626c293703cc378
SHA1 hash:
574eb72eefc0264c2149daae53fd26c5494b6071
Link:
https://www.unpac.me/results/112e3ea7-3d18-4573-9fba-077030205d08/
SH256 hash:
badbd1493abe1893c97defd839ed9c2fd40c742c9e6793b96b8c05ce6457a351
MD5 hash:
5fb2b1faf972f64390b86149569a9fcf
SHA1 hash:
43c6b0cf199f0bba2d6792d9a36b49ccdc5848f7
Link:
https://www.unpac.me/results/112e3ea7-3d18-4573-9fba-077030205d08/
SH256 hash:
d50091f2f374614a00ae73f14dabf529e887e1729da0903f59a09739f4c37e8d
MD5 hash:
9c352057471512025b97b4b824bdd553
SHA1 hash:
68c6df8e09222ae9d6df0e276bbc67389ce51e7a
Link:
https://www.unpac.me/results/112e3ea7-3d18-4573-9fba-077030205d08/
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/_mb/d50091f2f374/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Legit
Score:
0.00
Link:
https://yomi.yoroi.company/submissions/d50091f2f374614a00ae73f14dabf529e887e1729da0903f59a09739f4c37e8d

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:INDICATOR_EXE_Packed_ConfuserEx
Create hunting rule
Author:ditekSHen
Description:Detects executables packed with ConfuserEx Mod
Rule name:pdb_YARAify
Create hunting rule
Author:@wowabiy314
Description:PDB
Rule name:pe_imphash
Create hunting rule
Rule name:Skystars_Malware_Imphash
Create hunting rule
Author:Skystars LightDefender
Description:imphash

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape
Cape
https://www.capesandbox.com/analysis/316520/

Comments