MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 f54692a2ffa5029e44823a4f6b67151477b18cba62d3ea2137452f0b113948c9. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

StormKitty

Vendor detections: 10

Intelligence 10 IOCs YARA 6 File information Comments

SHA256 hash:	f54692a2ffa5029e44823a4f6b67151477b18cba62d3ea2137452f0b113948c9
SHA3-384 hash:	955c0afb2e404eb8dba297b81b12ee5abc1a495e291c83d378f5b17bd510c976de9e1d0415be09f5891f693b1f07004c
SHA1 hash:	223c7bac8e7e5cae5175f9d603b13649c99fa746
MD5 hash:	10f3245bc055a7e6eec1bedd7d12e711
humanhash:	finch-sad-mike-zulu
File name:	3ntp.docx.lnk
Download:	download sample
Signature	StormKitty Create hunting rule
File size:	2'889 bytes
First seen:	2023-09-26 08:52:34 UTC
Last seen:	Never
File type:	lnk
MIME type:	application/octet-stream
ssdeep	24:8w/0IJ3q3c/wT+MacqJM9BGPJ+/p9mlsiiWjECu5CwdRqaq3O0Kap1deOm:8w/z3DzcqJwGnsiiWjECcREb1gO
TLSH	T10751122133F51311E3F2DA7AC4F75357A238BC51E852CE7D0161824D2CA1E029864F3B
Reporter	r3dbU7z
Tags:	lnk stager StormKitty

Intelligence

File Origin

# of uploads :

# of downloads :

223

Origin country :

Vendor Threat Intelligence

Detection(s):

Sanesecurity.Malware.27118.LnkHeur.UNOFFICIAL

MiscreantPunch.INFO.LNK.CMDBITSADMIN.UNOFFICIAL

TwinWave.EvilLNK.HTTPDottedQuadPolicykill.20220908.UNOFFICIAL

Result

Verdict:

Malicious

File Type:

LNK File - Malicious

Link:

https://app.docguard.net/f54692a2ffa5029e44823a4f6b67151477b18cba62d3ea2137452f0b113948c9/results/dashboard

Payload URLs

URL

File name

http://103.38.236.46/ntpvip.exe

LNK File

Behaviour

BlacklistAPI detected

Verdict:

Malicious

Threat level:

10/10

Confidence:

100%

Tags:

anti-debug anti-vm bitsadmin cmd configsecuritypolicy evasive hacktool lolbin masquerade mpcmdrun msconfig msiexec packed regedit schtasks

Link:

https://www.filescan.io/uploads/65129beff1b40cb0d622917e/reports/c7342eb1-d96f-4d69-8c64-2315ad0b3b2f/overview

Verdict:

Malicious

Labled as:

BZC.YAX.Pantera.23.1845C817;BZC.YAX.Pantera.23

Link:

https://www.hybrid-analysis.com/sample/f54692a2ffa5029e44823a4f6b67151477b18cba62d3ea2137452f0b113948c9

Result

Verdict:

MALICIOUS

Details

IPv4 Dotted Quad URL

A URL was detected referencing a direct IP address, as opposed to a domain name.

Result

Threat name:

AsyncRAT, DcRat, VenomRAT

Detection:

malicious

Classification:

rans.troj.spyw.evad

Score:

100 / 100

Link:

https://www.joesandbox.com/analysis/1314381

Signature

Antivirus detection for URL or domain

Found malware configuration

Found URL in windows shortcut file (LNK)

Installs a global keyboard hook

Malicious sample detected (through community Yara rule)

Multi AV Scanner detection for domain / URL

Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)

Tries to download files via bitsadmin

Uses an obfuscated file name to hide its real file extension (double extension)

Windows shortcut file (LNK) contains suspicious command line arguments

Windows shortcut file (LNK) starts blacklisted processes

Yara detected AsyncRAT

Yara detected DcRat

Yara detected VenomRAT

Behaviour

Behavior Graph:

Download SVG

Detection:

n/a

Link:

https://mwdb.cert.pl/sample/f54692a2ffa5029e44823a4f6b67151477b18cba62d3ea2137452f0b113948c9/

Threat name:

Win32.Trojan.AggBITSAbuse

Status:

Malicious

First seen:

2023-09-26 08:53:05 UTC

File Type:

Binary

AV detection:

11 of 23 (47.83%)

Threat level:

5/5

Detection(s):

Suspicious file

Link:

https://check.spamhaus.org/check/?searchterm=6vdjfix7uubj4rechjhwwzyvcr33ddf2mlj6uijxiuxqwejzjdeq._file

Result

Malware family:

stormkitty

Score:

10/10

Tags:

family:asyncrat family:stormkitty botnet:default rat stealer

Link:

https://tria.ge/reports/230926-ktap9shc46/

Behaviour

Download via BitsAdmin

Suspicious behavior: AddClipboardFormatListener

Suspicious behavior: EnumeratesProcesses

Suspicious use of AdjustPrivilegeToken

Suspicious use of SetWindowsHookEx

Suspicious use of WriteProcessMemory

Uses Task Scheduler COM API

Enumerates physical storage devices

Checks computer location settings

Downloads MZ/PE file

Async RAT payload

AsyncRat

StormKitty

StormKitty payload

Malware Config

C2 Extraction:

103.38.236.46:4449

Verdict:

Malicious

Link:

https://www.vmray.com/analyses/_mb/f54692a2ffa5/report/overview.html

Please note that we are no longer able to provide a coverage score for Virus Total.

Threat name:

iSpy Keylogger

Score:

1.00

Link:

https://yomi.yoroi.company/submissions/f54692a2ffa5029e44823a4f6b67151477b18cba62d3ea2137452f0b113948c9

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:	Download_in_LNK Create hunting rule
Author:	@bartblaze
Description:	Identifies download artefacts in shortcut (LNK) files.

Rule name:	Execution_in_LNK Create hunting rule
Author:	@bartblaze
Description:	Identifies execution artefacts in shortcut (LNK) files.

Rule name:	EXE_in_LNK Create hunting rule
Author:	@bartblaze
Description:	Identifies executable artefacts in shortcut (LNK) files.

Rule name:	LNK_Malicious_Nov1 Create hunting rule
Author:	Florian Roth (Nextron Systems)
Description:	Detects a suspicious LNK file
Reference:	https://www.virustotal.com/en/file/ee069edc46a18698fa99b6d2204895e6a516af1a306ea986a798b178f289ecd6/analysis/

Rule name:	LNK_sospechosos Create hunting rule
Author:	Germán Fernández
Description:	Detecta archivos .lnk sospechosos

Rule name:	SUSP_LNK_CMD Create hunting rule
Author:	SECUINFRA Falcon Team
Description:	Detects the reference to cmd.exe inside an lnk file, which is suspicious

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

StormKitty

lnk f54692a2ffa5029e44823a4f6b67151477b18cba62d3ea2137452f0b113948c9

(this sample)

Delivery method

Distributed via web download

Comments

Login required

You need to login to in order to write a comment. Login with your abuse.ch account.

No comments found for this malware sample