MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 dda40af7e530bf5744b1ae2219bcf10b8457f18c6a8ef39e9423badaf30beec4. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


StormKitty


Vendor detections: 13


Intelligence 13 IOCs YARA 2 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: dda40af7e530bf5744b1ae2219bcf10b8457f18c6a8ef39e9423badaf30beec4
SHA3-384 hash: 898eef9033ef80da91c02fe7ae1bb686c6b0348edd069cd26d5453dcfa7bb4659e56dec63cda1e3aa9f1a489c8742dfa
SHA1 hash: a078c177c1defb15aabd2a36b13b8894cda439f2
MD5 hash: d11c83b988df04a4c28f9d13f541e62a
humanhash: river-chicken-coffee-angel
File name:hesaphareketi-01.exe
Download: download sample
Signature StormKitty
Create hunting rule
File size:1'206'272 bytes
First seen:2022-09-26 08:27:48 UTC
Last seen:2022-10-04 14:38:28 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'652 x AgentTesla, 19'462 x Formbook, 12'204 x SnakeKeylogger)
ssdeep 12288:mVqvrjjHby/Wuw2YJ5RH/KTuowkP4Ylib+vektHuxqilKlFL4JEgm3FyEgUiGa:1v7aYVCwkQd+xtOxxE6ENFy
Threatray 1'122 similar samples on MalwareBazaar
TLSH T12A45C091068CADC7D0533A705C72DEF1066EEEE46221C10A3BC77F2FF473A662666949
TrID 72.5% (.EXE) Generic CIL Executable (.NET, Mono, etc.) (73123/4/13)
10.4% (.EXE) Win64 Executable (generic) (10523/12/4)
6.5% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
4.4% (.EXE) Win32 Executable (generic) (4505/5/1)
2.0% (.EXE) OS/2 Executable (generic) (2029/13)
File icon (PE):PE icon
dhash icon 95951126d64e0719 (8 x AgentTesla, 6 x StormKitty, 4 x Formbook)
Reporter abuse_ch
Tags:exe geo StormKitty Telegram TUR

Intelligence

File Origin
# of uploads :
2
# of downloads :
231
Origin country :
n/a
Vendor Threat Intelligence
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/313503/
Detection(s):
SecuriteInfo.com.Trojan.PackedNET.389.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a window
Launching a process
Creating a process with a hidden window
Verdict:
Suspicious
Threat level:
  5/10
Confidence:
100%
Tags:
packed
Link:
https://www.filescan.io/uploads/633162e3da5bfff0bb76a28d/reports/d40e65a7-94ba-4817-96b7-01f322c4cfdb/overview
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
Generic Malware
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/56d8ca6c-1eee-4e5c-87d6-b81cc422c29b
Result
Threat name:
BluStealer, SpyEx, StormKitty
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1077300
Signature
.NET source code contains potential unpacker
Adds a directory exclusion to Windows Defender
Machine Learning detection for dropped file
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
May check the online IP address of the machine
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)
Sigma detected: Scheduled temp file as task from temp location
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to harvest and steal browser information (history, passwords, etc)
Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)
Tries to steal Mail credentials (via file / registry access)
Uses schtasks.exe or at.exe to add and modify task schedules
Yara detected AntiVM3
Yara detected BluStealer
Yara detected Generic Downloader
Yara detected SpyEx stealer
Yara detected StormKitty Stealer
Yara detected Telegram RAT
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 709850 Sample: hesaphareketi-01.exe Startdate: 26/09/2022 Architecture: WINDOWS Score: 100 37 Malicious sample detected (through community Yara rule) 2->37 39 Multi AV Scanner detection for dropped file 2->39 41 Sigma detected: Scheduled temp file as task from temp location 2->41 43 11 other signatures 2->43 7 hesaphareketi-01.exe 7 2->7         started        process3 file4 25 C:\Users\user\AppData\Roaming\hWxKhpT.exe, PE32 7->25 dropped 27 C:\Users\user\...\hWxKhpT.exe:Zone.Identifier, ASCII 7->27 dropped 29 C:\Users\user\AppData\Local\...\tmp6AD0.tmp, XML 7->29 dropped 31 C:\Users\user\...\hesaphareketi-01.exe.log, ASCII 7->31 dropped 53 Uses schtasks.exe or at.exe to add and modify task schedules 7->53 55 Adds a directory exclusion to Windows Defender 7->55 11 hesaphareketi-01.exe 1 7->11         started        13 powershell.exe 21 7->13         started        15 schtasks.exe 1 7->15         started        signatures5 process6 process7 17 AppLaunch.exe 15 3 11->17         started        21 conhost.exe 13->21         started        23 conhost.exe 15->23         started        dnsIp8 33 icanhazip.com 104.18.115.97, 49697, 80 CLOUDFLARENETUS United States 17->33 35 53.123.9.0.in-addr.arpa 17->35 45 Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc) 17->45 47 Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines) 17->47 49 May check the online IP address of the machine 17->49 51 2 other signatures 17->51 signatures9
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/dda40af7e530bf5744b1ae2219bcf10b8457f18c6a8ef39e9423badaf30beec4/
Threat name:
ByteCode-MSIL.Trojan.AgentTesla
Create hunting rule
Status:
Malicious
First seen:
2022-09-26 08:28:11 UTC
File Type:
PE (.Net Exe)
Extracted files:
23
AV detection:
23 of 26 (88.46%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=3wsav57fgc7vorfrvyrbtphrbocfp4mmnkhphhuueo5nv4yl53ca._file
Verdict:
malicious
Similar samples:
52431707738f4962e6d465b66c5a8d56d36b0edbcbc268002bc56c6f4b40a4d2
StormKitty
835895ee89c69f1fd6b85b8b755d4ec1ae178bfa90a2a056b684b7dd43131f05
StormKitty
9fd17bb86920c52db8ddcbd18efb3725f5570db182676fa678756cc3d3e11c9d
StormKitty
aa42f20183026e8912e487dc655d4459e8e37e3743cdc7753dc60fa712d8117f
StormKitty
b1e886e95c76a7a0dccc3d15bc383bc4e87ec8b8d37e83d77c12b139d57e6d9f
StormKitty
c1b1bb430d273c5d98ee403072a3eb65ea39a0d0328e495d5cc5963d29e236d5
StormKitty
cd38bbc0668699fe1761de97d8dd736321a219e5cf99767bb1f0dd81a2c03bcc
StormKitty
db1446aa0758623a0dcebe15dd6742166f391ed938914b3e8339188b21513ebc
StormKitty
de0e6d11cb1128871933d5d7151b0b8d2a26e642e0eb5dfd3680fc710f4c0629
StormKitty
e8911ed914364aaa1dbffcfe55c53e2932e9f38ea490523a8bcaf8e13633187a
StormKitty
+ 1'112 additional samples on MalwareBazaar
Result
Malware family:
stormkitty
Create hunting rule
Score:
  10/10
Tags:
family:blustealer family:stormkitty collection stealer
Link:
https://tria.ge/reports/220926-kcz9laaag8/
Behaviour
Checks processor information in registry
Creates scheduled task(s)
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: GetForegroundWindowSpam
Suspicious use of AdjustPrivilegeToken
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
outlook_office_path
outlook_win_path
Enumerates physical storage devices
Suspicious use of SetThreadContext
Accesses Microsoft Outlook profiles
Looks up external IP address via web service
Checks computer location settings
BluStealer
StormKitty
StormKitty payload
Malware Config
C2 Extraction:
https://api.telegram.org/bot5412597166:AAGUaWxuTxxhNb-NRhiURcTMzuW9nhGoEs/sendMessage?chat_id=932962718
Verdict:
Suspicious
Tags:
n/a
YARA:
n/a
Link:
https://app.threat.zone/submission/7f40f1cb-7f4b-41fc-b070-ddef409e9354
Unpacked files
SH256 hash:
6c2aced69d26d8f68c91cf25ff69c2a7971a15ed099a31384f473ed53b85ef2f
MD5 hash:
3808f2a297cdac1e23f9d33091b3ca9a
SHA1 hash:
c72f8d288ad8f2505d20a0314cd027cdbfda2e8b
Link:
https://www.unpac.me/results/fcd06af4-4bce-4452-955d-eece8ffa6eb0/
SH256 hash:
e88a5e6bdede20e8874eb9570e626dd84181349050da2d2108213cbe10f22356
MD5 hash:
0a9715a586d2269fa1c5886a81619e12
SHA1 hash:
3fe6173dfb1f5ba7cf7a9f6637387662fad0809a
Link:
https://www.unpac.me/results/fcd06af4-4bce-4452-955d-eece8ffa6eb0/
SH256 hash:
8ee239033b224376b182195f8b6576409655a2634d5927bd8c421838dfd01d40
MD5 hash:
5ff6db913929226918a69c27145c55a0
SHA1 hash:
ea1f5a9d604bc79c55de468deb4adfa384a6793e
Link:
https://www.unpac.me/results/fcd06af4-4bce-4452-955d-eece8ffa6eb0/
SH256 hash:
2470b39032f6182252039c88199016566b0de30c6aa02163a143427afedd12af
MD5 hash:
c3a1924684ca30ed22234ce1d9111dfc
SHA1 hash:
7347706241422758c06440fd6044ae4e042b456b
Link:
https://www.unpac.me/results/fcd06af4-4bce-4452-955d-eece8ffa6eb0/
SH256 hash:
edadc813f4440ada276da601d8f31780e5e138b8ee392e3f49a509322a1fb51e
MD5 hash:
574597554c69083c1af2b742a97a92b6
SHA1 hash:
043eea660b8650c5a0042f842fd8db3516d37a2c
Link:
https://www.unpac.me/results/fcd06af4-4bce-4452-955d-eece8ffa6eb0/
SH256 hash:
c09affd5fddb9ca441374ffb348376e6f25b9fc4ffa7e4da29fbbdca4c32c043
MD5 hash:
f77ab6497bbf34bc635dc4f790c02ead
SHA1 hash:
416e499335a6dda176d50f532a4c7f067d1d178f
Detections:
win_agent_tesla_g2
Create hunting rule
win_masslogger_w0
Create hunting rule
Link:
https://www.unpac.me/results/fcd06af4-4bce-4452-955d-eece8ffa6eb0/
Parent samples :
a4d4f86889b389430e83bf9d7829e1c9488ac55bd4f9d226e1cc739fe43e54ec
2b661a8e53810cefbc9c2bb09e3aeea5607e6195160f3902bbf2ea7581ec82b5
836cd10659a3fca29d754c77b76c305f6a829e3f44efd9672b82c217628c49eb
66c646381997538bca27a7468229257a02527852ac897ca04d6ea52c3cad82ac
8a1902d9c0dbe388b28ef5a9c8ec4c0f1802fc6ccd43471ea337dcb3d71c81d4
308f40c19bcd4f58f5dc1e83713d91a80a2ac8f78b5e03501db556f94c946149
284ce975050009d5c7bce4ad0c02f03a4cf70bad620e10822a4f4ad65e567127
29dbbf1bffa1c271158334e05721f8a7fb76513d5ba0d8c5a5abe267cccdbe4b
e68526e8ebc0cb1342ed01317aa6966d83bea1b71b1285b55b653a512200304c
d178525a986175d484866facf95baa1573a63a1060e5a06346ee4da4932df656
d5adba5715cd10a3c9dcf11d7ab1e30834050eef7513bda558bfe39a53a364ac
6731f235ff78e22e5a0f1503542926bb707a95251b8cbd22c56fbd7fc5a8cbbf
b5141a3c6323449bc7fc031d6eb2073fcbe97754c46eef0d0d8f937b9c2fb5cb
2d127dea1f6345c2027dbf93c109f7d7758f5bb396c9d47caa593a5039c05778
2bf197104a6418c886f206755e3f599ae9b1f90cf9771be981c30f427ecb228c
3704c9065de2c596066dbca893c63b1d12b9264d62cffd92ffc49aaf919b49a5
98d37790e570afd49b7a00192019f6c9e7c84e96069da4daa1b64a6cc88695a8
4a4d5455c9e941082c8c08a96102afc9d33abc40985bfcc00b6bee8c098066fd
0aa8c16926f65f1882953c640bcd56c9ca2ed25b1d35461d07d79d47cbdc60af
04ed81e966c2ed610dea41efe3251e15ad3a9a899ae27a81c02e9950e4367306
3e1cab8195206e7bf50b34dde56656e54ab25af5fe4136f1f76fc60f7664fd79
2c38354b88fee401ab4d9ca00979e23b39237bd81f19f7c668161da5cdda6be5
3cc67ef9b1c9978bc823e77db86d092e9f1df3062c4d98fc668920b7d7534122
db8326300154e132bca39bb24e89949dbe41c9af90d9f10242dce3f9423ab094
8ae01f38de83a0fa5f9c1dfe88fbcc594b779a8e4457bbe7ec046d541696a11a
430a9487d85e5998d134ca3a890e0c6ff86101264d1fc4ae869953fac0755c3e
da67541015af6ddee5bad1432ecc3efbf85cde69c494fd1635edbae606c4a628
dda40af7e530bf5744b1ae2219bcf10b8457f18c6a8ef39e9423badaf30beec4
25c4ee0823873ad0e9fed128dcfb45ebb821fe7a17c396026b8d8be1c2400557
077c6dc697fe099f49f24e345aa6dff6ede9be899e28906f856111b5ce364b14
1488d2bb17e28439602d2b7e015761b040a36cc2951f01ec2afd6a9cb4e788e7
2165ab6a605c5ba4e532f63ceed296bafd826ba122cbc8f6422b01d737e1a126
3bb532a1c042b56a70ab6bdfc4d7ac5daf8637a34455b84f2b1e910534a8e026
fd10d0c124ace345aaace7bab115d0cd3771c61919912e141924991146fc6b37
16f2160476b2c78ec35b8fd9a4430b865cf3597c0da23795181196ea682f3df0
9ba020588bb1e8787177acbe57fd14f643519cf3b58532111015f7402d12bfdc
0cd6df14b5d34f847a65f9f9ba0137472f684ff494084283f21bbd1e27bce4f2
1ad0802a8ec7e2b02a912133947517e4b4b610426c5e278736e9de706956a97c
81d63eb754d5bf8897acfeb9762031fbe00d197c45aed84f2fe069dcd78109a1
98c1d9168df53dd9c2da28bfafb7af7a417719ab2fed404a3bacc7aeea3d5872
5d81fbfb555468e8dbcaf4eb11db5eb50a0bef70df7e8322a84fac5d6cb88977
1957dd6825a26dea37818afdad0143a9b12c2c2ec68ed0058d89b15d55c762f1
SH256 hash:
dda40af7e530bf5744b1ae2219bcf10b8457f18c6a8ef39e9423badaf30beec4
MD5 hash:
d11c83b988df04a4c28f9d13f541e62a
SHA1 hash:
a078c177c1defb15aabd2a36b13b8894cda439f2
Link:
https://www.unpac.me/results/fcd06af4-4bce-4452-955d-eece8ffa6eb0/
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/_mb/dda40af7e530/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/dda40af7e530bf5744b1ae2219bcf10b8457f18c6a8ef39e9423badaf30beec4

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:pe_imphash
Create hunting rule
Rule name:Skystars_Malware_Imphash
Create hunting rule
Author:Skystars LightDefender
Description:imphash

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape
Cape
https://www.capesandbox.com/analysis/313503/

Comments