MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 f66e5f355ec3477cc1be168b9fec2f85d2c58106460d988dd96855f8c78b3fe8. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


StormKitty


Vendor detections: 8


Intelligence 8 IOCs YARA 2 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: f66e5f355ec3477cc1be168b9fec2f85d2c58106460d988dd96855f8c78b3fe8
SHA3-384 hash: 0d888e72e4996ac593cdfae96755cb96ee6a58fe5ab37f433feac41d12204bada964daf988494e84289929aee9daaecd
SHA1 hash: b4be3ca5db209dd913f9c07fa54578fcd5b45b32
MD5 hash: ebb56a6e94862c64dd204246376819f8
humanhash: glucose-eight-solar-may
File name:ebb56a6e94862c64dd204246376819f8.exe
Download: download sample
Signature StormKitty
Create hunting rule
File size:955'392 bytes
First seen:2021-07-12 14:58:52 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'652 x AgentTesla, 19'463 x Formbook, 12'204 x SnakeKeylogger)
ssdeep 12288:dJ4X0GRJXN5GnTOdU+CHpZszzEicFntWFGpnW8Pgp6UmVl+abLNoEK/ILVXQWdiv:dJK0GRtEhFcwFWyw6nBoP/ILFHi
Threatray 1'806 similar samples on MalwareBazaar
TLSH T19A156C3823BDD609F13BFFB19F64A6449FE675669729D14E3DD0028E1420E80EE76932
Reporter abuse_ch
Tags:exe StormKitty

Intelligence

File Origin
# of uploads :
1
# of downloads :
162
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
7fdb072b859acf022effc3f1033b96b2c7f90faaecac8352c3e39db31c53cdaf.xlsx
Verdict:
Malicious activity
Analysis date:
2021-07-12 15:02:45 UTC
Tags:
encrypted exploit CVE-2017-11882 loader
Link:
https://app.any.run/tasks/c0895eca-c7ba-4bf7-a8aa-ed0d1b4c37ec

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
StormKitty
Create hunting rule
Link:
https://www.capesandbox.com/analysis/171151/
Detection(s):
SecuriteInfo.com.Trojan.PackedNET.925-1.UNOFFICIAL
Create hunting rule

Result
Verdict:
UNKNOWN
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/a79c7d67-06ea-4b0c-873d-ce3b9b666a82
Result
Threat name:
a310Logger
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
92 / 100
Link:
https://www.joesandbox.com/analysis/814981
Signature
Injects a PE file into a foreign processes
Machine Learning detection for dropped file
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for dropped file
Tries to harvest and steal browser information (history, passwords, etc)
Tries to steal Crypto Currency Wallets
Tries to steal Mail credentials (via file access)
Writes or reads registry keys via WMI
Yara detected a310Logger
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 447390 Sample: XEOOTN7xTS.exe Startdate: 12/07/2021 Architecture: WINDOWS Score: 92 47 Malicious sample detected (through community Yara rule) 2->47 49 Multi AV Scanner detection for dropped file 2->49 51 Yara detected a310Logger 2->51 53 Machine Learning detection for sample 2->53 7 XEOOTN7xTS.exe 3 2->7         started        process3 file4 23 C:\Users\user\AppData\...\XEOOTN7xTS.exe.log, ASCII 7->23 dropped 55 Writes or reads registry keys via WMI 7->55 57 Injects a PE file into a foreign processes 7->57 11 XEOOTN7xTS.exe 8 7->11         started        signatures5 process6 dnsIp7 33 brightonmax.com.my 110.74.174.216, 49770, 49776, 49777 AIMS-MY-NETAIMSDataCentreSdnBhdMY Malaysia 11->33 35 192.168.2.1 unknown unknown 11->35 37 mail.brightonmax.com.my 11->37 25 C:\Users\user\AppData\...\PASSWORDSNET4.exe, PE32 11->25 dropped 27 C:\Users\user\AppData\...\CREDITCARDNET4.exe, PE32 11->27 dropped 29 C:\Users\user\AppData\...\COOKIESNET4.exe, PE32 11->29 dropped 31 C:\Users\user\AppData\...\CONTACTSNET4.exe, PE32 11->31 dropped 59 Tries to steal Crypto Currency Wallets 11->59 16 PASSWORDSNET4.exe 4 11->16         started        19 CREDITCARDNET4.exe 3 11->19         started        21 CONTACTSNET4.exe 1 11->21         started        file8 signatures9 process10 signatures11 39 Multi AV Scanner detection for dropped file 16->39 41 Tries to steal Mail credentials (via file access) 16->41 43 Tries to harvest and steal browser information (history, passwords, etc) 16->43 45 Machine Learning detection for dropped file 21->45
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/f66e5f355ec3477cc1be168b9fec2f85d2c58106460d988dd96855f8c78b3fe8/
Threat name:
ByteCode-MSIL.Trojan.AgentTesla
Create hunting rule
Status:
Malicious
First seen:
2021-07-12 14:59:08 UTC
File Type:
PE (.Net Exe)
Extracted files:
17
AV detection:
15 of 29 (51.72%)
Threat level:
  5/5
Verdict:
malicious
Similar samples:
0db3bd35b25826c66d2ebc8f3d009b44dcffbf66e7998b19be0cf4c0d8fec258
StormKitty
11406af8229633b2b317bbe62d1d8e9f95ccc216e821f566e9bf38029b9d8e10
StormKitty
311c2667d094e51f0ad2596333a243ca6296d25c07223abf95af0256ed7aeb97
StormKitty
4d7f5d6322935ee744ab4a0db255ca4720c2a64aa6760bb987349399165bb010
StormKitty
8021c889d10d4c4f3b8f6f57c133a0555dac514a5b9e280c3b9ab34c2e2ecb50
StormKitty
8cafbdf8e6cad776ad993ca3bdd470f5fc7d7fa1e2853df483f951204022943e
StormKitty
8cf4d9a55d80942fbdf18648f7fa01768efc4783b439503d39d9ef98a85fb193
StormKitty
9cf2a057f02576f4223e7c2f8ef4c217944385df4cd3180029ff96b80122d752
StormKitty
a3e84da58dbdc9813c1a8bd17a5b07e39f8d1322b8ee7d70bd5fe61b481ac492
StormKitty
f7354cf388d41e31f397e2aa0f40546ddd0b929a8aaf5ced7af3288aec34f236
StormKitty
+ 1'796 additional samples on MalwareBazaar
Result
Malware family:
stormkitty
Create hunting rule
Score:
  10/10
Tags:
family:a310logger family:stormkitty spyware stealer
Link:
https://tria.ge/reports/210712-z2kzsf3386/
Behaviour
Checks processor information in registry
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: GetForegroundWindowSpam
Suspicious use of AdjustPrivilegeToken
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Suspicious use of SetThreadContext
Accesses cryptocurrency files/wallets, possible credential harvesting
Loads dropped DLL
Reads user/profile data of web browsers
Executes dropped EXE
A310logger Executable
A310logger
StormKitty
StormKitty Payload
Unpacked files
SH256 hash:
f1cc24165812aa36c6e28a249f0de7f5ab8aeecb9745ef240baa7d66face1705
MD5 hash:
1e6788cea39e25621e68e9337b4def66
SHA1 hash:
32177e2af9a4e78f76625733c279ba750a15bede
Link:
https://www.unpac.me/results/7219bf5e-a45e-473f-9454-e4ef2fffc1b7/
SH256 hash:
606fe8340375ec5294621d0c90b939c5b20d5dd1e2bab82118b16897fc26140f
MD5 hash:
149b4b022c7b3a37945df8519db04b74
SHA1 hash:
51472c884288b253b8772b98c24473ac4950f074
Link:
https://www.unpac.me/results/7219bf5e-a45e-473f-9454-e4ef2fffc1b7/
SH256 hash:
5f5257e30cfc2caab058013ffc60f90fb8a5d780a14834e1371054290b7658e4
MD5 hash:
b0e14c3526d6623ae9b7b5f5e0efde76
SHA1 hash:
f7d127bff2dfb1100ebd55fdd12dfb7a2b382fdc
Link:
https://www.unpac.me/results/7219bf5e-a45e-473f-9454-e4ef2fffc1b7/
SH256 hash:
eba9d35bf6886b712e5e5a8eb81cb065204697e2f4be3e3dcd13eb3b6f7b36e3
MD5 hash:
9b3fa10872c54dfebd2df94e6aaf5c66
SHA1 hash:
b34f341f87ef6c4cdb1c1264917cbcc3047c218a
Link:
https://www.unpac.me/results/7219bf5e-a45e-473f-9454-e4ef2fffc1b7/
SH256 hash:
f66e5f355ec3477cc1be168b9fec2f85d2c58106460d988dd96855f8c78b3fe8
MD5 hash:
ebb56a6e94862c64dd204246376819f8
SHA1 hash:
b4be3ca5db209dd913f9c07fa54578fcd5b45b32
Link:
https://www.unpac.me/results/7219bf5e-a45e-473f-9454-e4ef2fffc1b7/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Suspicious File
Score:
0.51
Link:
https://yomi.yoroi.company/submissions/f66e5f355ec3477cc1be168b9fec2f85d2c58106460d988dd96855f8c78b3fe8

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:pe_imphash
Create hunting rule
Rule name:Skystars_Malware_Imphash
Create hunting rule
Author:Skystars LightDefender
Description:imphash

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

StormKitty

Executable exe f66e5f355ec3477cc1be168b9fec2f85d2c58106460d988dd96855f8c78b3fe8

(this sample)

  
URLhaus
https://urlhaus.abuse.ch/url/1447745/
  
Delivery method
Distributed via web download
Cape
Cape
https://www.capesandbox.com/analysis/171151/

Comments