Windows
Analysis Report
Build.exe
Overview
General Information
Detection
StormKitty
Score: | 100 |
Range: | 0 - 100 |
Confidence: | 100% |
Signatures
Antivirus / Scanner detection for submitted sample
Attempt to bypass Chrome Application-Bound Encryption
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for submitted file
Sigma detected: Capture Wi-Fi password
Yara detected Generic Stealer
Yara detected StormKitty Stealer
.NET source code references suspicious native API functions
Contains functionality to capture screen (.Net source)
Found many strings related to Crypto-Wallets (likely being stolen)
Joe Sandbox ML detected suspicious sample
Queries sensitive disk information (via WMI, Win32_DiskDrive, often done to detect virtual machines)
Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)
Tries to harvest and steal WLAN passwords
Tries to harvest and steal browser information (history, passwords, etc)
Tries to steal Crypto Currency Wallets
Uses netsh to modify the Windows network and firewall settings
AV process strings found (often used to terminate AV products)
Allocates memory with a write watch (potentially for evading sandboxes)
Binary contains a suspicious time stamp
Checks if Antivirus/Antispyware/Firewall program is installed (via WMI)
Contains functionality to call native functions
Contains long sleeps (>= 3 min)
Creates a process in suspended mode (likely to inject code)
Detected TCP or UDP traffic on non-standard ports
Detected potential crypto function
Enables debug privileges
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
HTTP GET or POST without a user agent
IP address seen in connection with other malware
JA3 SSL client fingerprint seen in connection with other malware
May sleep (evasive loops) to hinder dynamic analysis
Queries information about the installed CPU (vendor, model number etc)
Queries sensitive Operating System Information (via WMI, Win32_ComputerSystem, often done to detect virtual machines)
Queries sensitive processor information (via WMI, Win32_Processor, often done to detect virtual machines)
Queries the volume information (name, serial number etc) of a device
Sample file is different than original file name gathered from version info
Sigma detected: Browser Started with Remote Debugging
Uses 32bit PE files
Uses Microsoft's Enhanced Cryptographic Provider
Uses code obfuscation techniques (call, push, ret)
Yara detected Credential Stealer
Yara signature match
Classification
- System is w10x64
Build.exe (PID: 6924 cmdline:
"C:\Users\ user\Deskt op\Build.e xe" MD5: 7C77B3C5E87CD408D0565C369A4D9E2F) cmd.exe (PID: 6208 cmdline:
"cmd.exe" /C chcp 65 001 && net sh wlan sh ow profile | findstr All MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B) conhost.exe (PID: 5192 cmdline:
C:\Windows \system32\ conhost.ex e 0xffffff ff -ForceV 1 MD5: 0D698AF330FD17BEE3BF90011D49251D) chcp.com (PID: 6444 cmdline:
chcp 65001 MD5: 20A59FB950D8A191F7D35C4CA7DA9CAF) netsh.exe (PID: 6488 cmdline:
netsh wlan show prof ile MD5: 4E89A1A088BE715D6C946E55AB07C7DF) findstr.exe (PID: 5168 cmdline:
findstr Al l MD5: F1D4BE0E99EC734376FDE474A8D4EA3E) cmd.exe (PID: 5816 cmdline:
"cmd.exe" /C chcp 65 001 && net sh wlan sh ow network s mode=bss id MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B) conhost.exe (PID: 5232 cmdline:
C:\Windows \system32\ conhost.ex e 0xffffff ff -ForceV 1 MD5: 0D698AF330FD17BEE3BF90011D49251D) chcp.com (PID: 4400 cmdline:
chcp 65001 MD5: 20A59FB950D8A191F7D35C4CA7DA9CAF) netsh.exe (PID: 5792 cmdline:
netsh wlan show netw orks mode= bssid MD5: 4E89A1A088BE715D6C946E55AB07C7DF) chrome.exe (PID: 4372 cmdline:
"C:\Progra m Files\Go ogle\Chrom e\Applicat ion\chrome .exe" --wi ndow-posit ion=-2400, -2400 --re mote-debug ging-port= 9222 --pro file-direc tory="Defa ult" MD5: E81F54E6C1129887AEA47E7D092680BF) chrome.exe (PID: 5792 cmdline:
"C:\Progra m Files\Go ogle\Chrom e\Applicat ion\chrome .exe" --ty pe=utility --utility -sub-type= network.mo jom.Networ kService - -lang=en-U S --servic e-sandbox- type=none --no-pre-r ead-main-d ll --field -trial-han dle=1964,i ,112470053 6993852761 2,18363969 1631842598 48,262144 --variatio ns-seed-ve rsion=2025 0306-18300 4.429000 - -mojo-plat form-chann el-handle= 2136 /pref etch:3 MD5: E81F54E6C1129887AEA47E7D092680BF)
- cleanup
Name | Description | Attribution | Blogpost URLs | Link |
---|---|---|---|---|
Cameleon, StormKitty | PWC describes this malware as a backdoor, capable of file management, upload and download of files, and execution of commands. | No Attribution |
⊘No configs have been found
Source | Rule | Description | Author | Strings |
---|---|---|---|---|
JoeSecurity_StormKitty | Yara detected StormKitty Stealer | Joe Security | ||
JoeSecurity_CredentialStealer | Yara detected Credential Stealer | Joe Security | ||
infostealer_win_stormkitty | Finds StormKitty samples (or their variants) based on specific strings | Sekoia.io |
| |
INDICATOR_SUSPICIOUS_EXE_Discord_Regex | Detects executables referencing Discord tokens regular expressions | ditekSHen |
| |
INDICATOR_SUSPICIOUS_EXE_References_VPN | Detects executables referencing many VPN software clients. Observed in infosteslers | ditekSHen |
| |
Click to see the 2 entries |
Source | Rule | Description | Author | Strings |
---|---|---|---|---|
JoeSecurity_GenericStealer_9 | Yara detected Generic Stealer | Joe Security | ||
JoeSecurity_StormKitty | Yara detected StormKitty Stealer | Joe Security | ||
JoeSecurity_CredentialStealer | Yara detected Credential Stealer | Joe Security | ||
INDICATOR_SUSPICIOUS_EXE_Discord_Regex | Detects executables referencing Discord tokens regular expressions | ditekSHen |
| |
JoeSecurity_StormKitty | Yara detected StormKitty Stealer | Joe Security | ||
Click to see the 6 entries |
Source | Rule | Description | Author | Strings |
---|---|---|---|---|
JoeSecurity_StormKitty | Yara detected StormKitty Stealer | Joe Security | ||
JoeSecurity_CredentialStealer | Yara detected Credential Stealer | Joe Security | ||
infostealer_win_stormkitty | Finds StormKitty samples (or their variants) based on specific strings | Sekoia.io |
| |
INDICATOR_SUSPICIOUS_EXE_Discord_Regex | Detects executables referencing Discord tokens regular expressions | ditekSHen |
| |
INDICATOR_SUSPICIOUS_EXE_References_VPN | Detects executables referencing many VPN software clients. Observed in infosteslers | ditekSHen |
| |
Click to see the 2 entries |
System Summary |
---|
Source: | Author: pH-T (Nextron Systems), Nasreddine Bencherchali (Nextron Systems): |
Stealing of Sensitive Information |
---|
Source: | Author: Joe Security: |
⊘No Suricata rule has matched
Click to jump to signature section
Show All Signature Results
AV Detection |
---|
Source: | Avira: |
Source: | Virustotal: | Perma Link | ||
Source: | ReversingLabs: |
Source: | Integrated Neural Analysis Model: |
Source: | Code function: | 0_2_04B05F48 | |
Source: | Code function: | 0_2_04B05F41 |
Source: | Static PE information: |
Source: | HTTPS traffic detected: | ||
Source: | HTTPS traffic detected: |
Source: | Static PE information: |
Source: | Memory has grown: |
Source: | TCP traffic: |
Source: | HTTP traffic detected: | ||
Source: | HTTP traffic detected: |
Source: | IP Address: | ||
Source: | IP Address: | ||
Source: | IP Address: |
Source: | JA3 fingerprint: |
Source: | TCP traffic detected without corresponding DNS query: | ||
Source: | TCP traffic detected without corresponding DNS query: | ||
Source: | TCP traffic detected without corresponding DNS query: | ||
Source: | TCP traffic detected without corresponding DNS query: | ||
Source: | TCP traffic detected without corresponding DNS query: | ||
Source: | TCP traffic detected without corresponding DNS query: | ||
Source: | TCP traffic detected without corresponding DNS query: | ||
Source: | TCP traffic detected without corresponding DNS query: | ||
Source: | TCP traffic detected without corresponding DNS query: | ||
Source: | TCP traffic detected without corresponding DNS query: | ||
Source: | TCP traffic detected without corresponding DNS query: | ||
Source: | TCP traffic detected without corresponding DNS query: | ||
Source: | TCP traffic detected without corresponding DNS query: | ||
Source: | TCP traffic detected without corresponding DNS query: | ||
Source: | TCP traffic detected without corresponding DNS query: | ||
Source: | TCP traffic detected without corresponding DNS query: | ||
Source: | TCP traffic detected without corresponding DNS query: | ||
Source: | TCP traffic detected without corresponding DNS query: | ||
Source: | TCP traffic detected without corresponding DNS query: | ||
Source: | TCP traffic detected without corresponding DNS query: | ||
Source: | TCP traffic detected without corresponding DNS query: | ||
Source: | TCP traffic detected without corresponding DNS query: | ||
Source: | TCP traffic detected without corresponding DNS query: | ||
Source: | TCP traffic detected without corresponding DNS query: | ||
Source: | TCP traffic detected without corresponding DNS query: | ||
Source: | TCP traffic detected without corresponding DNS query: | ||
Source: | TCP traffic detected without corresponding DNS query: | ||
Source: | TCP traffic detected without corresponding DNS query: | ||
Source: | TCP traffic detected without corresponding DNS query: | ||
Source: | TCP traffic detected without corresponding DNS query: | ||
Source: | TCP traffic detected without corresponding DNS query: | ||
Source: | TCP traffic detected without corresponding DNS query: | ||
Source: | TCP traffic detected without corresponding DNS query: | ||
Source: | TCP traffic detected without corresponding DNS query: | ||
Source: | TCP traffic detected without corresponding DNS query: | ||
Source: | TCP traffic detected without corresponding DNS query: | ||
Source: | TCP traffic detected without corresponding DNS query: | ||
Source: | TCP traffic detected without corresponding DNS query: | ||
Source: | TCP traffic detected without corresponding DNS query: | ||
Source: | TCP traffic detected without corresponding DNS query: | ||
Source: | TCP traffic detected without corresponding DNS query: | ||
Source: | TCP traffic detected without corresponding DNS query: | ||
Source: | TCP traffic detected without corresponding DNS query: | ||
Source: | TCP traffic detected without corresponding DNS query: | ||
Source: | TCP traffic detected without corresponding DNS query: | ||
Source: | TCP traffic detected without corresponding DNS query: | ||
Source: | TCP traffic detected without corresponding DNS query: | ||
Source: | TCP traffic detected without corresponding DNS query: | ||
Source: | TCP traffic detected without corresponding DNS query: | ||
Source: | TCP traffic detected without corresponding DNS query: |
Source: | HTTP traffic detected: | ||
Source: | HTTP traffic detected: | ||
Source: | HTTP traffic detected: | ||
Source: | HTTP traffic detected: | ||
Source: | HTTP traffic detected: |
Source: | String found in binary or memory: | ||
Source: | String found in binary or memory: |