
Windows Analysis Report
StormKittyBuild (3).exe

Overview

General Information

Sample name: StormKittyBuild (3).exe
Analysis ID: 1628817
MD5: 79caafc8894b767c5553379e4aacc563
SHA1: 8cb3a7e1feb699ffbc168c31f39f17e60b567cd6
SHA256: 8c49ad1ac17dcca46bbd85d54290e92ab45562fabf518e69f14efa6a814f650b
Tags: exe, github, StormKitty, user-skocherhan

Detection

AveMaria, Clipboard Hijacker, StormKitty
Score: 100
Range: 0 - 100
Confidence: 100%

Signatures

Antivirus / Scanner detection for submitted sample
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for submitted file
Suricata IDS alerts for network traffic
Yara detected AveMaria stealer
Yara detected Clipboard Hijacker
Yara detected StormKitty Stealer
Check if machine is in data center or colocation facility
Found many strings related to Crypto-Wallets (likely being stolen)
Joe Sandbox ML detected suspicious sample
Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Abnormal high CPU Usage
Allocates memory with a write watch (potentially for evading sandboxes)
Checks if the current process is being debugged
Contains long sleeps (>= 3 min)
Detected potential crypto function
Enables debug privileges
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
HTTP GET or POST without a user agent
IP address seen in connection with other malware
JA3 SSL client fingerprint seen in connection with other malware
May check the online IP address of the machine
May sleep (evasive loops) to hinder dynamic analysis
Monitors certain registry keys / values for changes (often done to protect autostart functionality)
PE file does not import any functions
Queries sensitive Operating System Information (via WMI, Win32_ComputerSystem, often done to detect virtual machines)
Queries sensitive processor information (via WMI, Win32_Processor, often done to detect virtual machines)
Queries the volume information (name, serial number etc) of a device
Sample file is different than original file name gathered from version info
Suricata IDS alerts with low severity for network traffic
Uses code obfuscation techniques (call, push, ret)
Yara detected Credential Stealer
Yara signature match

Classification

  • System is w10x64
  • StormKittyBuild (3).exe (PID: 5768 cmdline: "C:\Users\user\Desktop\StormKittyBuild (3).exe" MD5: 79CAAFC8894B767C5553379E4AACC563)
  • cleanup
No configs have been found
Source | Rule | Description | Author | Strings
StormKittyBuild (3).exe | MALWARE_Win_StormKitty | Detects StormKitty infostealer | ditekSHen
  • 0x45934:$x2: https://github.com/LimerBoy/StormKitty
  • 0x4477d:$x3: StormKitty
  • 0x452cc:$x3: StormKitty
  • 0x45924:$x3: StormKitty
  • 0x45950:$x3: StormKitty
Source | Rule | Description | Author | Strings
00000000.00000002.4596183518.0000000000EF0000.00000004.08000000.00040000.00000000.sdmp | MALWARE_Win_StormKitty | Detects StormKitty infostealer | ditekSHen
  • 0x67225:$x2: https://github.com/LimerBoy/StormKitty
  • 0x24ac:$x3: StormKitty
  • 0x65364:$x3: StormKitty
  • 0x67215:$x3: StormKitty
  • 0x67241:$x3: StormKitty
00000000.00000002.4596446701.0000000003511000.00000004.00000800.00020000.00000000.sdmp | JoeSecurity_StormKitty | Yara detected StormKitty Stealer | Joe Security
00000000.00000002.4596446701.0000000003511000.00000004.00000800.00020000.00000000.sdmp | JoeSecurity_CredentialStealer | Yara detected Credential Stealer | Joe Security
00000000.00000002.4596446701.0000000003511000.00000004.00000800.00020000.00000000.sdmp | JoeSecurity_Clipboard_Hijacker_4 | Yara detected Clipboard Hijacker | Joe Security
00000000.00000002.4596446701.0000000003511000.00000004.00000800.00020000.00000000.sdmp | JoeSecurity_AveMaria | Yara detected AveMaria stealer | Joe Security
Source | Rule | Description | Author | Strings
0.2.StormKittyBuild (3).exe.ef0000.0.raw.unpack | MALWARE_Win_StormKitty | Detects StormKitty infostealer | ditekSHen
  • 0x67225:$x2: https://github.com/LimerBoy/StormKitty
  • 0x24ac:$x3: StormKitty
  • 0x65364:$x3: StormKitty
  • 0x67215:$x3: StormKitty
  • 0x67241:$x3: StormKitty
0.2.StormKittyBuild (3).exe.ef0000.0.unpack | MALWARE_Win_StormKitty | Detects StormKitty infostealer | ditekSHen
  • 0x64425:$x2: https://github.com/LimerBoy/StormKitty
  • 0x6ac:$x3: StormKitty
  • 0x62564:$x3: StormKitty
  • 0x64415:$x3: StormKitty
  • 0x64441:$x3: StormKitty
0.0.StormKittyBuild (3).exe.540000.0.unpack | MALWARE_Win_StormKitty | Detects StormKitty infostealer | ditekSHen
  • 0x45934:$x2: https://github.com/LimerBoy/StormKitty
  • 0x4477d:$x3: StormKitty
  • 0x452cc:$x3: StormKitty
  • 0x45924:$x3: StormKitty
  • 0x45950:$x3: StormKitty
No Sigma rule has matched
Timestamp | SID | Severity | Classtype | Source IP | Source Port | Destination IP | Destination Port | Protocol
2025-03-04T06:34:41.144000+0100 | 2044965 | 1 | A Network Trojan was detected | 192.168.2.6 | 49713 | 185.199.111.133 | 443 | TCP
Timestamp | SID | Severity | Classtype | Source IP | Source Port | Destination IP | Destination Port | Protocol
2025-03-04T06:34:41.144000+0100 | 2803305 | 3 | Unknown Traffic | 192.168.2.6 | 49713 | 185.199.111.133 | 443 | TCP

AV Detection

Source: StormKittyBuild (3).exe | Avira: detected
Source: StormKittyBuild (3).exe | Virustotal: Detection: 59%
Source: StormKittyBuild (3).exe | ReversingLabs: Detection: 65%
Source: Yara match | File source: 00000000.00000002.4596446701.0000000003511000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: Process Memory Space: StormKittyBuild (3).exe PID: 5768, type: MEMORYSTR
Source: Submitted Sample | Integrated Neural Analysis Model: Matched 99.7% probability
Source: unknown | HTTPS traffic detected: 185.199.111.133:443 -> 192.168.2.6:49711 version: TLS 1.2
Source: StormKittyBuild (3).exe | Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE

Networking

Source: Network traffic | Suricata IDS: 2044965 - Severity 1 - ET MALWARE StormKitty Download Request With Minimal Headers : 192.168.2.6:49713 -> 185.199.111.133:443
Source: global traffic | HTTP traffic detected: GET /LimerBoy/StormKitty/master/StormKitty/stub/packages/DotNetZip.1.13.8/lib/net40/DotNetZip.dll HTTP/1.1
  Host: raw.githubusercontent.com
  Connection: Keep-Alive
Source: global traffic | HTTP traffic detected: GET /LimerBoy/StormKitty/master/StormKitty/stub/packages/DotNetZip.1.13.8/lib/net40/DotNetZip.dll HTTP/1.1
  Host: raw.githubusercontent.com
Source: global traffic | HTTP traffic detected: GET /LimerBoy/StormKitty/master/StormKitty/stub/packages/DotNetZip.1.13.8/lib/net40/DotNetZip.dll HTTP/1.1
  Host: raw.githubusercontent.com
  Connection: Keep-Alive
Source: global traffic | HTTP traffic detected: GET /line/?fields=hosting HTTP/1.1
  Host: ip-api.com
  Connection: Keep-Alive
Source: Joe Sandbox View | IP Address: 208.95.112.1 208.95.112.1
Source: Joe Sandbox View | IP Address: 185.199.111.133 185.199.111.133
Source: Joe Sandbox View | JA3 fingerprint: 3b5074b1b5d032e5620f69f9f700ff0e
Source: unknown | DNS query: name: ip-api.com
Source: Network traffic | Suricata IDS: 2803305 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern H : 192.168.2.6:49713 -> 185.199.111.133:443
Source: unknown | UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown | UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: global traffic | HTTP traffic detected: GET /LimerBoy/StormKitty/master/StormKitty/stub/packages/DotNetZip.1.13.8/lib/net40/DotNetZip.dll HTTP/1.1
  Host: raw.githubusercontent.com
  Connection: Keep-Alive
Source: global traffic | HTTP traffic detected: GET /LimerBoy/StormKitty/master/StormKitty/stub/packages/DotNetZip.1.13.8/lib/net40/DotNetZip.dll HTTP/1.1
  Host: raw.githubusercontent.com
Source: global traffic | HTTP traffic detected: GET /LimerBoy/StormKitty/master/StormKitty/stub/packages/DotNetZip.1.13.8/lib/net40/DotNetZip.dll HTTP/1.1
  Host: raw.githubusercontent.com
  Connection: Keep-Alive
Source: global traffic | HTTP traffic detected: GET /line/?fields=hosting HTTP/1.1
  Host: ip-api.com
  Connection: Keep-Alive
Source: global traffic | DNS traffic detected: DNS query: ip-api.com
Source: global traffic | DNS traffic detected: DNS query: raw.githubusercontent.com
Source: global traffic | HTTP traffic detected: HTTP/1.1 404 Not Found
  Connection: close
  Content-Length: 14
  Content-Security-Policy: default-src 'none'; style-src 'unsafe-inline'; sandbox
  Strict-Transport-Security: max-age=31536000
  X-Content-Type-Options: nosniff
  X-Frame-Options: deny
  X-XSS-Protection: 1; mode=block
  Content-Type: text/plain; charset=utf-8
  X-GitHub-Request-Id: 28E5:3EAF79:B9F25D:EDF52E:67C690EC
  Accept-Ranges: bytes
  Date: Tue, 04 Mar 2025 05:34:38 GMT
  Via: 1.1 varnish
  X-Served-By: cache-nyc-kteb1890072-NYC
  X-Cache: MISS
  X-Cache-Hits: 0
  X-Timer: S1741066478.424978,VS0,VE38
  Vary: Authorization,Accept-Encoding,Origin
  Access-Control-Allow-Origin: *
  Cross-Origin-Resource-Policy: cross-origin
  X-Fastly-Request-ID: 739fb42c0f9cb0f77b67d436f21194d55146b407
  Expires: Tue, 04 Mar 2025 05:39:38 GMT
  Source-Age: 0
Source: global traffic | HTTP traffic detected: HTTP/1.1 404 Not Found
  Connection: close
  Content-Length: 14
  Content-Security-Policy: default-src 'none'; style-src 'unsafe-inline'; sandbox
  Strict-Transport-Security: max-age=31536000
  X-Content-Type-Options: nosniff
  X-Frame-Options: deny
  X-XSS-Protection: 1; mode=block
  Content-Type: text/plain; charset=utf-8
  X-GitHub-Request-Id: DFF4:26D83:1491C4:1B5EC8:67C690F0
  Accept-Ranges: bytes
  Date: Tue, 04 Mar 2025 05:34:41 GMT
  Via: 1.1 varnish
  X-Served-By: cache-ewr-kewr1740045-EWR
  X-Cache: MISS
  X-Cache-Hits: 0
  X-Timer: S1741066481.088429,VS0,VE10
  Vary: Authorization,Accept-Encoding,Origin
  Access-Control-Allow-Origin: *
  Cross-Origin-Resource-Policy: cross-origin
  X-Fastly-Request-ID: 758b935c4a76e655d4aac35c581c74615ee9e704
  Expires: Tue, 04 Mar 2025 05:39:41 GMT
  Source-Age: 0
Source: global traffic | HTTP traffic detected: HTTP/1.1 404 Not Found
  Connection: close
  Content-Length: 14
  Content-Security-Policy: default-src 'none'; style-src 'unsafe-inline'; sandbox
  Strict-Transport-Security: max-age=31536000
  X-Content-Type-Options: nosniff
  X-Frame-Options: deny
  X-XSS-Protection: 1; mode=block
  Content-Type: text/plain; charset=utf-8
  X-GitHub-Request-Id: DFF4:26D83:1491C4:1B5EC8:67C690F0
  Accept-Ranges: bytes
  Date: Tue, 04 Mar 2025 05:34:43 GMT
  Via: 1.1 varnish
  X-Served-By: cache-ewr-kewr1740070-EWR
  X-Cache: HIT
  X-Cache-Hits: 1
  X-Timer: S1741066484.665054,VS0,VE1
  Vary: Authorization,Accept-Encoding,Origin
  Access-Control-Allow-Origin: *
  Cross-Origin-Resource-Policy: cross-origin
  X-Fastly-Request-ID: a1fecd2b87571823a5b8dfe69acaa27c3a0d4251
  Expires: Tue, 04 Mar 2025 05:39:43 GMT
  Source-Age: 3
Source: StormKittyBuild (3).exe, 00000000.00000002.4596446701.000000000388F000.00000004.00000800.00020000.00000000.sdmp, StormKittyBuild (3).exe, 00000000.00000002.4596446701.000000000391E000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://ip-api.com
Source: StormKittyBuild (3).exe, 00000000.00000002.4596446701.000000000388F000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://ip-api.com/line/?fields=h
Source: StormKittyBuild (3).exe, 00000000.00000002.4596446701.000000000388F000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://ip-api.com/line/?fields=hosting
Source: StormKittyBuild (3).exe, 00000000.00000002.4596446701.00000000039B3000.00000004.00000800.00020000.00000000.sdmp, StormKittyBuild (3).exe, 00000000.00000002.4596446701.0000000003A25000.00000004.00000800.00020000.00000000.sdmp, StormKittyBuild (3).exe, 00000000.00000002.4596446701.00000000039D4000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://raw.githubusercontent.com
Source: StormKittyBuild (3).exe, 00000000.00000002.4596446701.000000000388F000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
Source: StormKittyBuild (3).exe | String found in binary or memory: https://github.com/LimerBoy/StormKitty
Source: StormKittyBuild (3).exe, 00000000.00000002.4596446701.0000000003511000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://github.com/LimerBoy/StormKittyP~
Source: StormKittyBuild (3).exe, 00000000.00000002.4596446701.00000000039A0000.00000004.00000800.00020000.00000000.sdmp, StormKittyBuild (3).exe, 00000000.00000002.4596446701.0000000003A25000.00000004.00000800.00020000.00000000.sdmp, StormKittyBuild (3).exe, 00000000.00000002.4596446701.00000000039D4000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://raw.githubusercontent.com
Source: StormKittyBuild (3).exe, 00000000.00000002.4596446701.0000000003511000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://raw.githubusercontent.com/LimerBoy/StormKitty/master/StormKitty/stub/packages/AnonFileApi.1.
Source: StormKittyBuild (3).exe, 00000000.00000002.4596446701.0000000003511000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://raw.githubusercontent.com/LimerBoy/StormKitty/master/StormKitty/stub/packages/DotNetZip.1.13
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49711
Source: unknown | Network traffic detected: HTTP traffic on port 49711 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 49729 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49729
Source: unknown | Network traffic detected: HTTP traffic on port 49713 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49713
Source: unknown | HTTPS traffic detected: 185.199.111.133:443 -> 192.168.2.6:49711 version: TLS 1.2

E-Banking Fraud

Source: Yara match | File source: 00000000.00000002.4596446701.0000000003511000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: Process Memory Space: StormKittyBuild (3).exe PID: 5768, type: MEMORYSTR

System Summary

Source: StormKittyBuild (3).exe, type: SAMPLE | Matched rule: Detects StormKitty infostealer Author: ditekSHen
Source: 0.2.StormKittyBuild (3).exe.ef0000.0.raw.unpack, type: UNPACKEDPE | Matched rule: Detects StormKitty infostealer Author: ditekSHen
Source: 0.2.StormKittyBuild (3).exe.ef0000.0.unpack, type: UNPACKEDPE | Matched rule: Detects StormKitty infostealer Author: ditekSHen
Source: 0.0.StormKittyBuild (3).exe.540000.0.unpack, type: UNPACKEDPE | Matched rule: Detects StormKitty infostealer Author: ditekSHen
Source: 00000000.00000002.4596183518.0000000000EF0000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY | Matched rule: Detects StormKitty infostealer Author: ditekSHen
Source: 00000000.00000002.4596446701.0000000003511000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY | Matched rule: Detects executables referencing Discord tokens regular expressions Author: ditekSHen
Source: Process Memory Space: StormKittyBuild (3).exe PID: 5768, type: MEMORYSTR | Matched rule: Detects executables referencing Discord tokens regular expressions Author: ditekSHen
Source: C:\Users\user\Desktop\StormKittyBuild (3).exe | Process Stats: CPU usage > 49%
Source: C:\Users\user\Desktop\StormKittyBuild (3).exe | Code function: 0_2_00007FFD3454089D | 0_2_00007FFD3454089D
Source: C:\Users\user\Desktop\StormKittyBuild (3).exe | Code function: 0_2_00007FFD345465C8 | 0_2_00007FFD345465C8
Source: C:\Users\user\Desktop\StormKittyBuild (3).exe | Code function: 0_2_00007FFD34540568 | 0_2_00007FFD34540568
Source: C:\Users\user\Desktop\StormKittyBuild (3).exe | Code function: 0_2_00007FFD34545E82 | 0_2_00007FFD34545E82
Source: C:\Users\user\Desktop\StormKittyBuild (3).exe | Code function: 0_2_00007FFD345463E5 | 0_2_00007FFD345463E5
Source: C:\Users\user\Desktop\StormKittyBuild (3).exe | Code function: 0_2_00007FFD3454B4CC | 0_2_00007FFD3454B4CC
Source: C:\Users\user\Desktop\StormKittyBuild (3).exe | Code function: 0_2_00007FFD3454B52F | 0_2_00007FFD3454B52F
Source: C:\Users\user\Desktop\StormKittyBuild (3).exe | Code function: 0_2_00007FFD3454BD38 | 0_2_00007FFD3454BD38
Source: C:\Users\user\Desktop\StormKittyBuild (3).exe | Code function: 0_2_00007FFD34540500 | 0_2_00007FFD34540500
Source: C:\Users\user\Desktop\StormKittyBuild (3).exe | Code function: 0_2_00007FFD34544DFB | 0_2_00007FFD34544DFB
Source: C:\Users\user\Desktop\StormKittyBuild (3).exe | Code function: 0_2_00007FFD34547684 | 0_2_00007FFD34547684
Source: C:\Users\user\Desktop\StormKittyBuild (3).exe | Code function: 0_2_00007FFD3454B34F | 0_2_00007FFD3454B34F
Source: C:\Users\user\Desktop\StormKittyBuild (3).exe | Code function: 0_2_00007FFD345436FA | 0_2_00007FFD345436FA
Source: C:\Users\user\Desktop\StormKittyBuild (3).exe | Code function: 0_2_00007FFD345407C0 | 0_2_00007FFD345407C0
Source: C:\Users\user\Desktop\StormKittyBuild (3).exe | Code function: 0_2_00007FFD34548BBB | 0_2_00007FFD34548BBB
Source: StormKittyBuild (3).exe | Static PE information: No import functions for PE file found
Source: StormKittyBuild (3).exe, 00000000.00000002.4596183518.0000000000EF0000.00000004.08000000.00040000.00000000.sdmp | Binary or memory string: OriginalFilenameStormKitty.exe* vs StormKittyBuild (3).exe
Source: StormKittyBuild (3).exe | Binary or memory string: OriginalFilenameStormKitty.exe* vs StormKittyBuild (3).exe
Source: StormKittyBuild (3).exe, type: SAMPLE | Matched rule: MALWARE_Win_StormKitty author = ditekSHen, description = Detects StormKitty infostealer, clamav_sig = MALWARE.Win.Trojan.StormKitty
Source: 0.2.StormKittyBuild (3).exe.ef0000.0.raw.unpack, type: UNPACKEDPE | Matched rule: MALWARE_Win_StormKitty author = ditekSHen, description = Detects StormKitty infostealer, clamav_sig = MALWARE.Win.Trojan.StormKitty
Source: 0.2.StormKittyBuild (3).exe.ef0000.0.unpack, type: UNPACKEDPE | Matched rule: MALWARE_Win_StormKitty author = ditekSHen, description = Detects StormKitty infostealer, clamav_sig = MALWARE.Win.Trojan.StormKitty
Source: 0.0.StormKittyBuild (3).exe.540000.0.unpack, type: UNPACKEDPE | Matched rule: MALWARE_Win_StormKitty author = ditekSHen, description = Detects StormKitty infostealer, clamav_sig = MALWARE.Win.Trojan.StormKitty
Source: 00000000.00000002.4596183518.0000000000EF0000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY | Matched rule: MALWARE_Win_StormKitty author = ditekSHen, description = Detects StormKitty infostealer, clamav_sig = MALWARE.Win.Trojan.StormKitty
Source: 00000000.00000002.4596446701.0000000003511000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY | Matched rule: INDICATOR_SUSPICIOUS_EXE_Discord_Regex author = ditekSHen, description = Detects executables referencing Discord tokens regular expressions
Source: Process Memory Space: StormKittyBuild (3).exe PID: 5768, type: MEMORYSTR | Matched rule: INDICATOR_SUSPICIOUS_EXE_Discord_Regex author = ditekSHen, description = Detects executables referencing Discord tokens regular expressions
Source: StormKittyBuild (3).exe | Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Source: classification engine | Classification label: mal100.troj.spyw.evad.winEXE@1/1@2/2
Source: C:\Users\user\Desktop\StormKittyBuild (3).exe | File created: C:\Users\user\AppData\Local\4c454dcb090ff6c501f087ff9adf7e5e
Source: C:\Users\user\Desktop\StormKittyBuild (3).exe | Mutant created: \Sessions\1\BaseNamedObjects\D050C29EE7B113DCFC2A93B1760766AB
Source: C:\Users\user\Desktop\StormKittyBuild (3).exe | Mutant created: NULL
Source: C:\Users\user\Desktop\StormKittyBuild (3).exe | File created: C:\Users\user\AppData\Local\Temp\StormKitty-Latest.log
Source: StormKittyBuild (3).exe | Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Source: StormKittyBuild (3).exe | Static file information: TRID: Win64 Executable GUI Net Framework (217006/5) 49.88%
Source: C:\Users\user\Desktop\StormKittyBuild (3).exe | WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_Processor
Source: C:\Users\user\Desktop\StormKittyBuild (3).exe | WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_Processor
Source: C:\Users\user\Desktop\StormKittyBuild (3).exe | WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_Processor
Source: C:\Users\user\Desktop\StormKittyBuild (3).exe | WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_Processor
Source: C:\Users\user\Desktop\StormKittyBuild (3).exe | Key opened: HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: StormKittyBuild (3).exe | Virustotal: Detection: 59%
Source: StormKittyBuild (3).exe | ReversingLabs: Detection: 65%
Source: C:\Users\user\Desktop\StormKittyBuild (3).exe | Section loaded: mscoree.dll
Source: C:\Users\user\Desktop\StormKittyBuild (3).exe | Section loaded: apphelp.dll
Source: C:\Users\user\Desktop\StormKittyBuild (3).exe | Section loaded: kernel.appcore.dll
Source: C:\Users\user\Desktop\StormKittyBuild (3).exe | Section loaded: version.dll
Source: C:\Users\user\Desktop\StormKittyBuild (3).exe | Section loaded: vcruntime140_clr0400.dll
Source: C:\Users\user\Desktop\StormKittyBuild (3).exe | Section loaded: ucrtbase_clr0400.dll
Source: C:\Users\user\Desktop\StormKittyBuild (3).exe | Section loaded: uxtheme.dll
Source: C:\Users\user\Desktop\StormKittyBuild (3).exe | Section loaded: wldp.dll
Source: C:\Users\user\Desktop\StormKittyBuild (3).exe | Section loaded: amsi.dll
Source: C:\Users\user\Desktop\StormKittyBuild (3).exe | Section loaded: userenv.dll
Source: C:\Users\user\Desktop\StormKittyBuild (3).exe | Section loaded: profapi.dll
Source: C:\Users\user\Desktop\StormKittyBuild (3).exe | Section loaded: sspicli.dll
Source: C:\Users\user\Desktop\StormKittyBuild (3).exe | Section loaded: windows.storage.dll
Source: C:\Users\user\Desktop\StormKittyBuild (3).exe | Section loaded: wbemcomn.dll
Source: C:\Users\user\Desktop\StormKittyBuild (3).exe | Section loaded: cryptsp.dll
Source: C:\Users\user\Desktop\StormKittyBuild (3).exe | Section loaded: rsaenh.dll
Source: C:\Users\user\Desktop\StormKittyBuild (3).exe | Section loaded: cryptbase.dll
Source: C:\Users\user\Desktop\StormKittyBuild (3).exe | Section loaded: rasapi32.dll
Source: C:\Users\user\Desktop\StormKittyBuild (3).exe | Section loaded: rasman.dll
Source: C:\Users\user\Desktop\StormKittyBuild (3).exe | Section loaded: rtutils.dll
Source: C:\Users\user\Desktop\StormKittyBuild (3).exe | Section loaded: mswsock.dll
Source: C:\Users\user\Desktop\StormKittyBuild (3).exe | Section loaded: winhttp.dll
Source: C:\Users\user\Desktop\StormKittyBuild (3).exe | Section loaded: ondemandconnroutehelper.dll
Source: C:\Users\user\Desktop\StormKittyBuild (3).exe | Section loaded: iphlpapi.dll
Source: C:\Users\user\Desktop\StormKittyBuild (3).exe | Section loaded: dhcpcsvc6.dll
Source: C:\Users\user\Desktop\StormKittyBuild (3).exe | Section loaded: dhcpcsvc.dll
Source: C:\Users\user\Desktop\StormKittyBuild (3).exe | Section loaded: dnsapi.dll
Source: C:\Users\user\Desktop\StormKittyBuild (3).exe | Section loaded: rasadhlp.dll
Source: C:\Users\user\Desktop\StormKittyBuild (3).exe | Section loaded: fwpuclnt.dll
Source: C:\Users\user\Desktop\StormKittyBuild (3).exe | Section loaded: secur32.dll
Source: C:\Users\user\Desktop\StormKittyBuild (3).exe | Section loaded: schannel.dll
Source: C:\Users\user\Desktop\StormKittyBuild (3).exe | Section loaded: mskeyprotect.dll
Source: C:\Users\user\Desktop\StormKittyBuild (3).exe | Section loaded: ntasn1.dll
Source: C:\Users\user\Desktop\StormKittyBuild (3).exe | Section loaded: ncrypt.dll
Source: C:\Users\user\Desktop\StormKittyBuild (3).exe | Section loaded: ncryptsslp.dll
Source: C:\Users\user\Desktop\StormKittyBuild (3).exe | Section loaded: msasn1.dll
Source: C:\Users\user\Desktop\StormKittyBuild (3).exe | Section loaded: gpapi.dll
Source: C:\Users\user\Desktop\StormKittyBuild (3).exe | Section loaded: textshaping.dll
Source: C:\Users\user\Desktop\StormKittyBuild (3).exe | Section loaded: textinputframework.dll
Source: C:\Users\user\Desktop\StormKittyBuild (3).exe | Section loaded: coreuicomponents.dll
Source: C:\Users\user\Desktop\StormKittyBuild (3).exe | Section loaded: coremessaging.dll
Source: C:\Users\user\Desktop\StormKittyBuild (3).exe | Section loaded: ntmarta.dll
Source: C:\Users\user\Desktop\StormKittyBuild (3).exe | Section loaded: wintypes.dll
Source: C:\Users\user\Desktop\StormKittyBuild (3).exe | Section loaded: wintypes.dll
Source: C:\Users\user\Desktop\StormKittyBuild (3).exe | Section loaded: wintypes.dll
Source: C:\Users\user\Desktop\StormKittyBuild (3).exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{0EE7644B-1BAD-48B1-9889-0281C206EB85}\InprocServer32
Source: C:\Users\user\Desktop\StormKittyBuild (3).exe | File opened: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorrc.dll
Source: StormKittyBuild (3).exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR
Source: StormKittyBuild (3).exe | Static PE information: Image base 0x140000000 > 0x60000000
Source: StormKittyBuild (3).exe | Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
Source: C:\Users\user\Desktop\StormKittyBuild (3).exe | Code function: 0_2_00007FFD345400BD pushad ; iretd | 0_2_00007FFD345400C1
Source: StormKittyBuild (3).exe | Static PE information: section name: .text entropy: 7.9848447356305465
Source: C:\Users\user\Desktop\StormKittyBuild (3).exe | Registry key monitored for changes: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\AutoUpdate
Source: C:\Users\user\Desktop\StormKittyBuild (3).exe | Registry key monitored for changes: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot
Source: C:\Users\user\Desktop\StormKittyBuild (3).exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\StormKittyBuild (3).exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\StormKittyBuild (3).exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\StormKittyBuild (3).exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\StormKittyBuild (3).exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\StormKittyBuild (3).exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\StormKittyBuild (3).exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\StormKittyBuild (3).exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\StormKittyBuild (3).exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\StormKittyBuild (3).exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\StormKittyBuild (3).exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\StormKittyBuild (3).exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\StormKittyBuild (3).exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\StormKittyBuild (3).exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\StormKittyBuild (3).exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\StormKittyBuild (3).exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\StormKittyBuild (3).exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\StormKittyBuild (3).exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\StormKittyBuild (3).exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\StormKittyBuild (3).exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\StormKittyBuild (3).exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\StormKittyBuild (3).exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\StormKittyBuild (3).exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\StormKittyBuild (3).exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\StormKittyBuild (3).exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\StormKittyBuild (3).exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\StormKittyBuild (3).exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\StormKittyBuild (3).exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\StormKittyBuild (3).exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\StormKittyBuild (3).exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\StormKittyBuild (3).exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\StormKittyBuild (3).exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\StormKittyBuild (3).exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\StormKittyBuild (3).exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\StormKittyBuild (3).exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\StormKittyBuild (3).exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\StormKittyBuild (3).exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\StormKittyBuild (3).exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\StormKittyBuild (3).exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\StormKittyBuild (3).exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\StormKittyBuild (3).exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\StormKittyBuild (3).exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\StormKittyBuild (3).exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\StormKittyBuild (3).exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\StormKittyBuild (3).exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\StormKittyBuild (3).exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\StormKittyBuild (3).exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\StormKittyBuild (3).exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\StormKittyBuild (3).exe | Process information set: NOOPENFILEERRORBOX
          Source: C:\Users\user\Desktop\StormKittyBuild (3).exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Users\user\Desktop\StormKittyBuild (3).exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Users\user\Desktop\StormKittyBuild (3).exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Users\user\Desktop\StormKittyBuild (3).exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Users\user\Desktop\StormKittyBuild (3).exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Users\user\Desktop\StormKittyBuild (3).exeProcess information set: NOOPENFILEERRORBOXJump to behavior

          Malware Analysis System Evasion

          Source: global traffic HTTP traffic detected: GET /line/?fields=hosting HTTP/1.1, Host: ip-api.com, Connection: Keep-Alive
          Source: C:\Users\user\Desktop\StormKittyBuild (3).exe WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_VideoController (repeated 5 times in the report)
          Source: StormKittyBuild (3).exe, 00000000.00000002.4596446701.0000000003998000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: SBIEDLL.DLL
          Source: C:\Users\user\Desktop\StormKittyBuild (3).exe Memory allocated: EC0000 memory reserve | memory write watch
          Source: C:\Users\user\Desktop\StormKittyBuild (3).exe Memory allocated: 1B510000 memory reserve | memory write watch
          Source: C:\Users\user\Desktop\StormKittyBuild (3).exe Thread delayed: delay time (ms): 922337203685477, 600000, 599890, 599781, 599672, 599527, 599422, 599312, 599181, 599075, 598968, 598855, 598741, 598628, 598441, 598313, 598158, 598032, 597921, 597812, 597703, 597593, 597484, 597375, 597265, 597156, 597047, 596937, 596826, 596718, 596609, 596500, 596390, 596281, 596170, 596062, 595953, 595843, 595734, 595583, 595294, 595134, 595004, 594875, 594765, 594656, 594546, 594437, 594328, 594218, 594109, 594000, 593890
          Source: C:\Users\user\Desktop\StormKittyBuild (3).exe Window / User API: threadDelayed 6730
          Source: C:\Users\user\Desktop\StormKittyBuild (3).exe Window / User API: threadDelayed 3104
          Source: C:\Users\user\Desktop\StormKittyBuild (3).exe TID: 2836 Thread sleep time (each compared against the -30000s threshold): -30437127721620741s, -600000s, -599890s, -599781s, -599672s, -599527s, -599422s, -599312s, -599181s, -599075s, -598968s, -598855s, -598741s, -598628s, -598441s, -598313s, -598158s, -598032s, -597921s, -597812s, -597703s, -597593s, -597484s, -597375s, -597265s, -597156s, -597047s, -596937s, -596826s, -596718s, -596609s, -596500s, -596390s, -596281s, -596170s, -596062s, -595953s, -595843s, -595734s, -595583s, -595294s, -595134s, -595004s, -594875s, -594765s, -594656s, -594546s, -594437s, -594328s, -594218s, -594109s, -594000s, -593890s
          Source: C:\Users\user\Desktop\StormKittyBuild (3).exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : Select * from Win32_ComputerSystem
          Source: C:\Users\user\Desktop\StormKittyBuild (3).exe WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_Processor (repeated 4 times in the report)
          Source: StormKittyBuild (3).exe, 00000000.00000002.4596446701.0000000003511000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: VMware
          Source: StormKittyBuild (3).exe, 00000000.00000002.4596446701.0000000003992000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: vmware
          Source: StormKittyBuild (3).exe Binary or memory string: qeMu0G
          Source: StormKittyBuild (3).exe, 00000000.00000002.4596446701.0000000003511000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: VirtualMachine:
          Source: StormKittyBuild (3).exe, 00000000.00000002.4599700046.000000001E160000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dllc
          Source: C:\Users\user\Desktop\StormKittyBuild (3).exe Process information queried: ProcessInformation
          Source: C:\Users\user\Desktop\StormKittyBuild (3).exe Process queried: DebugPort
          Source: C:\Users\user\Desktop\StormKittyBuild (3).exe Process token adjusted: Debug
          Source: C:\Users\user\Desktop\StormKittyBuild (3).exe Memory allocated: page read and write | page guard
          Source: C:\Users\user\Desktop\StormKittyBuild (3).exe Queries volume information: C:\Users\user\Desktop\StormKittyBuild (3).exe VolumeInformation
          Source: C:\Users\user\Desktop\StormKittyBuild (3).exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

          Stealing of Sensitive Information

          Source: Yara match (listed 3 times in the report), File source: 00000000.00000002.4596446701.0000000003511000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
          Source: Yara match (listed 3 times in the report), File source: Process Memory Space: StormKittyBuild (3).exe PID: 5768, type: MEMORYSTR
          Source: StormKittyBuild (3).exe, 00000000.00000002.4596446701.0000000003511000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: Electrum
          Source: StormKittyBuild (3).exe, 00000000.00000002.4596446701.0000000003511000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: Jaxx5
          Source: StormKittyBuild (3).exe, 00000000.00000002.4596446701.0000000003511000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: \Exodus\exodus.wallet
          Source: StormKittyBuild (3).exe, 00000000.00000002.4596446701.0000000003511000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: \Ethereum\keystore
          Source: StormKittyBuild (3).exe, 00000000.00000002.4596446701.0000000003511000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: Exodus
          Source: StormKittyBuild (3).exe, 00000000.00000002.4596446701.0000000003511000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: Ethereum
          Source: StormKittyBuild (3).exe, 00000000.00000002.4596446701.0000000003511000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: \Coinomi\Coinomi\wallets
          Source: Yara match, File source: 00000000.00000002.4596446701.0000000003511000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
          Source: Yara match, File source: Process Memory Space: StormKittyBuild (3).exe PID: 5768, type: MEMORYSTR
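The evasion indicators listed above (the ip-api.com hosting lookup, the WMI hardware queries, the SbieDll.dll and hypervisor vendor strings, the 600000 ms delay series, the DebugPort query) and the wallet paths in this section are spread over hundreds of near-identical behaviour lines. The Python script below is an added example, not part of the Joe Sandbox report and not StormKitty code: it classifies behaviour lines of this shape into indicator categories and counts them. The category names, the 3-minute threshold (taken from the report's "Contains long sleeps (>= 3 min)" signature) and the extra sandbox DLL names beyond SbieDll.dll are this example's own assumptions; the sample lines are excerpted from the report with the table-cell prefixes stripped.

```python
"""Triage helper for Joe Sandbox style behaviour lines.

Added example, not part of the Joe Sandbox report and not StormKitty code.
It maps each behaviour line to an indicator category so the evasion and
stealer evidence can be counted instead of read line by line.
"""
import re
from collections import Counter
from typing import Iterable, Optional

# Constructed sample: one line per distinct observation excerpted from the
# report above, with table-cell prefixes and link text stripped. The report
# itself repeats most of these many times.
SAMPLE_LINES = [
    "HTTP traffic detected: GET /line/?fields=hosting HTTP/1.1 Host: ip-api.com",
    "WMI Queries: IWbemServices::ExecQuery - root\\CIMV2 : SELECT * FROM Win32_VideoController",
    "WMI Queries: IWbemServices::ExecQuery - root\\cimv2 : Select * from Win32_ComputerSystem",
    "WMI Queries: IWbemServices::ExecQuery - root\\CIMV2 : SELECT * FROM Win32_Processor",
    "Binary or memory string: SBIEDLL.DLL",
    "Memory allocated: EC0000 memory reserve | memory write watch",
    "Thread delayed: delay time: 922337203685477",
    "Thread delayed: delay time: 600000",
    "TID: 2836 Thread sleep time: -593890s >= -30000s",
    "Binary or memory string: VMware",
    "Binary or memory string: qeMu0G",
    "Binary or memory string: Hyper-V RAW%SystemRoot%\\system32\\mswsock.dllc",
    "Process queried: DebugPort",
    "Key value queried: HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Cryptography MachineGuid",
    "String found in binary or memory: \\Exodus\\exodus.wallet",
    "String found in binary or memory: \\Ethereum\\keystore",
    "String found in binary or memory: \\Coinomi\\Coinomi\\wallets",
]

LONG_SLEEP_MS = 3 * 60 * 1000  # threshold of the report's ">= 3 min" signature

# The report prints the same calls both as "delay time: <ms>" and as the
# relative form "sleep time: -<ms>s"; the magnitudes are identical.
DELAY_RE = re.compile(r"(?:delay time|sleep time):\s*-?(\d+)")

# WMI classes whose Name/Manufacturer fields expose hypervisor vendors.
VM_WMI_CLASSES = ("win32_videocontroller", "win32_processor", "win32_computersystem")

# Modules whose presence reveals a sandbox. SbieDll.dll (Sandboxie) is the
# one the report shows; the others are assumed extras that evasive samples
# commonly probe for, added for generality.
SANDBOX_DLLS = ("sbiedll.dll", "cuckoomon.dll", "snxhk.dll", "cmdvrt32.dll")

# Hypervisor vendor tokens. Short ones such as "qemu" match case-insensitively
# and therefore also hit the report's "qeMu0G", which is probably incidental
# data, so this category is weak evidence on its own.
VM_STRINGS = ("vmware", "virtualbox", "vbox", "qemu", "hyper-v", "virtualmachine", "xen")

WALLET_STRINGS = ("wallet", "keystore", "electrum", "exodus", "coinomi", "jaxx")


def parse_delay_ms(line: str) -> Optional[int]:
    """Return the sleep/delay length in milliseconds, or None if the line has none."""
    m = DELAY_RE.search(line)
    return int(m.group(1)) if m else None


def classify(line: str) -> Optional[str]:
    """Map one behaviour line to an indicator category (None = not interesting)."""
    low = line.lower()
    delay = parse_delay_ms(line)
    if delay is not None:
        # 922337203685477 ms equals TimeSpan.MaxValue, i.e. an indefinite wait.
        return "long_sleep" if delay >= LONG_SLEEP_MS else None
    if "execquery" in low and any(c in low for c in VM_WMI_CLASSES):
        return "vm_wmi_query"
    if any(d in low for d in SANDBOX_DLLS):
        return "sandbox_dll"
    if "memory write watch" in low:
        return "write_watch_alloc"
    if "debugport" in low:
        return "debugger_check"
    if "machineguid" in low:
        return "host_fingerprint"
    if "ip-api.com" in low and "fields=hosting" in low:
        return "hosting_ip_check"
    if any(v in low for v in VM_STRINGS):
        return "vm_vendor_string"
    if any(w in low for w in WALLET_STRINGS):
        return "wallet_path"
    return None


def triage(lines: Iterable[str]) -> Counter:
    """Count indicator categories over a behaviour log."""
    return Counter(c for c in map(classify, lines) if c is not None)


if __name__ == "__main__":
    for category, n in sorted(triage(SAMPLE_LINES).items()):
        print(f"{category:20s} {n}")
```

Run it over an exported behaviour log instead of SAMPLE_LINES to get the per-category counts. The vendor-string check is deliberately the last one: a short token such as qemu also matches incidental data (the report's qeMu0G), so that category should corroborate the WMI queries and the SbieDll.dll probe rather than stand alone.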

          Remote Access Functionality

          Source: Yara match (listed 2 times in the report), File source: 00000000.00000002.4596446701.0000000003511000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
          Source: Yara match (listed 2 times in the report), File source: Process Memory Space: StormKittyBuild (3).exe PID: 5768, type: MEMORYSTR
          MITRE ATT&CK Matrix

          Techniques matched by this analysis, with the count shown next to each in the report's matrix. The remaining cells of the matrix are unmatched template entries and are omitted here.

          Tactic                  Technique                                   Count
          Execution               Windows Management Instrumentation          121
          Persistence             DLL Side-Loading                            1
          Privilege Escalation    DLL Side-Loading                            1
          Defense Evasion         Masquerading                                1
          Defense Evasion         Disable or Modify Tools                     1
          Defense Evasion         Virtualization/Sandbox Evasion              161
          Defense Evasion         Obfuscated Files or Information             2
          Defense Evasion         Software Packing                            2
          Defense Evasion         DLL Side-Loading                            1
          Discovery               Query Registry                              1
          Discovery               Security Software Discovery                 331
          Discovery               Process Discovery                           1
          Discovery               Virtualization/Sandbox Evasion              161
          Discovery               Application Window Discovery                1
          Discovery               System Network Configuration Discovery      1
          Discovery               System Information Discovery                23
          Collection              Archive Collected Data                      1
          Collection              Data from Local System                      1
          Command and Control     Encrypted Channel                           11
          Command and Control     Ingress Tool Transfer                       3
          Command and Control     Non-Application Layer Protocol              3
          Command and Control     Application Layer Protocol                  4
