Malware Analysis Report

2024-09-22 23:55

Sample ID: 240430-gpransea63
Target: 1714456685abe8dacd9647979ca6f07fce954d21483995c56b392e9993fc4dbb806aaf5610733.dat-decoded.exe
SHA256: 6f5e4c2f1acbaa248f7501e931462d3da75e6deba050065538153bfe14a6bdb5
Tags: stormkitty xworm rat spyware stealer trojan
Score: 10/10

Table of Contents

Analysis Overview
MITRE ATT&CK Matrix
Analysis: static1
    Detonation Overview
    Signatures
Analysis: behavioral1
    Detonation Overview
    Command Line
    Signatures
    Processes
    Network
    Files
Analysis: behavioral2
    Detonation Overview
    Command Line
    Signatures
    Processes
    Network
    Files

Analysis Overview

Score: 10/10

SHA256: 6f5e4c2f1acbaa248f7501e931462d3da75e6deba050065538153bfe14a6bdb5

Threat Level: Known bad

The file 1714456685abe8dacd9647979ca6f07fce954d21483995c56b392e9993fc4dbb806aaf5610733.dat-decoded.exe was found to be: Known bad.

Malicious Activity Summary

stormkitty xworm rat spyware stealer trojan

Contains code to disable Windows Defender

StormKitty

StormKitty payload

Detect Xworm Payload

Xworm

Xworm family

Reads user/profile data of web browsers

Unsigned PE

Suspicious use of AdjustPrivilegeToken

Suspicious behavior: EnumeratesProcesses

MITRE ATT&CK Matrix V13

Analysis: static1

Detonation Overview

Reported: 2024-04-30 05:59

Signatures

Detect Xworm Payload

Description Indicator Process Target
N/A N/A N/A N/A

Xworm family

xworm

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted: 2024-04-30 05:59
Reported: 2024-04-30 06:01
Platform: win7-20240221-en
Max time kernel: 118s
Max time network: 144s

Command Line

"C:\Users\Admin\AppData\Local\Temp\1714456685abe8dacd9647979ca6f07fce954d21483995c56b392e9993fc4dbb806aaf5610733.dat-decoded.exe"

Signatures

Contains code to disable Windows Defender

Description Indicator Process Target
N/A N/A N/A N/A

Detect Xworm Payload

Description Indicator Process Target
N/A N/A N/A N/A

StormKitty

stealer stormkitty

StormKitty payload

Description Indicator Process Target
N/A N/A N/A N/A

Xworm

trojan rat xworm

Reads user/profile data of web browsers

spyware stealer

Suspicious use of AdjustPrivilegeToken

Description: Token: SeDebugPrivilege
Indicator: N/A
Process: C:\Users\Admin\AppData\Local\Temp\1714456685abe8dacd9647979ca6f07fce954d21483995c56b392e9993fc4dbb806aaf5610733.dat-decoded.exe
Target: N/A

Processes

C:\Users\Admin\AppData\Local\Temp\1714456685abe8dacd9647979ca6f07fce954d21483995c56b392e9993fc4dbb806aaf5610733.dat-decoded.exe

"C:\Users\Admin\AppData\Local\Temp\1714456685abe8dacd9647979ca6f07fce954d21483995c56b392e9993fc4dbb806aaf5610733.dat-decoded.exe"

Network

Country  Destination          Domain                        Proto
NL       91.92.242.85:3344                                  tcp
NL       91.92.242.85:3344                                  tcp

Files

memory/2904-0-0x0000000000D40000-0x0000000000D4E000-memory.dmp

memory/2904-1-0x000007FEF5660000-0x000007FEF604C000-memory.dmp

memory/2904-2-0x000000001AE50000-0x000000001AED0000-memory.dmp

memory/2904-3-0x000000001C540000-0x000000001C660000-memory.dmp

memory/2904-4-0x0000000000A70000-0x0000000000A7E000-memory.dmp

memory/2904-5-0x000000001CEF0000-0x000000001D1D2000-memory.dmp

memory/2904-6-0x0000000000B90000-0x0000000000BAC000-memory.dmp

memory/2904-7-0x0000000002260000-0x00000000022A8000-memory.dmp

memory/2904-8-0x0000000000A80000-0x0000000000A88000-memory.dmp

memory/2904-20-0x000000001BB70000-0x000000001BC16000-memory.dmp

memory/2904-27-0x000000001ABD0000-0x000000001AC04000-memory.dmp

memory/2904-28-0x000000001B2B0000-0x000000001B2FA000-memory.dmp

memory/2904-35-0x000000001A750000-0x000000001A766000-memory.dmp

memory/2904-36-0x000007FEF5660000-0x000007FEF604C000-memory.dmp

memory/2904-37-0x000000001AE50000-0x000000001AED0000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted: 2024-04-30 05:59
Reported: 2024-04-30 06:01
Platform: win10v2004-20240419-en
Max time kernel: 139s
Max time network: 141s

Command Line

"C:\Users\Admin\AppData\Local\Temp\1714456685abe8dacd9647979ca6f07fce954d21483995c56b392e9993fc4dbb806aaf5610733.dat-decoded.exe"

Signatures

Contains code to disable Windows Defender

Description Indicator Process Target
N/A N/A N/A N/A

Detect Xworm Payload

Description Indicator Process Target
N/A N/A N/A N/A

StormKitty

stealer stormkitty

StormKitty payload

Description Indicator Process Target
N/A N/A N/A N/A

Xworm

trojan rat xworm

Reads user/profile data of web browsers

spyware stealer

Suspicious behavior: EnumeratesProcesses

Description: N/A
Indicator: N/A
Process: C:\Users\Admin\AppData\Local\Temp\1714456685abe8dacd9647979ca6f07fce954d21483995c56b392e9993fc4dbb806aaf5610733.dat-decoded.exe
Target: N/A

Suspicious use of AdjustPrivilegeToken

Description: Token: SeDebugPrivilege
Indicator: N/A
Process: C:\Users\Admin\AppData\Local\Temp\1714456685abe8dacd9647979ca6f07fce954d21483995c56b392e9993fc4dbb806aaf5610733.dat-decoded.exe
Target: N/A

Processes

C:\Users\Admin\AppData\Local\Temp\1714456685abe8dacd9647979ca6f07fce954d21483995c56b392e9993fc4dbb806aaf5610733.dat-decoded.exe

"C:\Users\Admin\AppData\Local\Temp\1714456685abe8dacd9647979ca6f07fce954d21483995c56b392e9993fc4dbb806aaf5610733.dat-decoded.exe"

Network

Country  Destination          Domain                        Proto
US       8.8.8.8:53           28.118.140.52.in-addr.arpa    udp
US       8.8.8.8:53           73.159.190.20.in-addr.arpa    udp
US       8.8.8.8:53           134.190.18.2.in-addr.arpa     udp
NL       23.62.61.155:443     www.bing.com                  tcp
US       8.8.8.8:53           43.58.199.20.in-addr.arpa     udp
US       8.8.8.8:53           155.61.62.23.in-addr.arpa     udp
NL       91.92.242.85:3344                                  tcp
US       8.8.8.8:53           85.242.92.91.in-addr.arpa     udp
NL       91.92.242.85:3344                                  tcp
US       8.8.8.8:53           241.150.49.20.in-addr.arpa    udp
US       8.8.8.8:53           86.23.85.13.in-addr.arpa      udp
US       8.8.8.8:53           18.31.95.13.in-addr.arpa      udp
US       8.8.8.8:53           48.251.17.2.in-addr.arpa      udp
US       8.8.8.8:53           48.229.111.52.in-addr.arpa    udp
US       8.8.8.8:53           tse1.mm.bing.net              udp
US       204.79.197.200:443   tse1.mm.bing.net              tcp
US       204.79.197.200:443   tse1.mm.bing.net              tcp
US       204.79.197.200:443   tse1.mm.bing.net              tcp
US       204.79.197.200:443   tse1.mm.bing.net              tcp
US       8.8.8.8:53           88.156.103.20.in-addr.arpa    udp

Files

memory/368-0-0x00000000000A0000-0x00000000000AE000-memory.dmp

memory/368-1-0x00007FFE05150000-0x00007FFE05C11000-memory.dmp

memory/368-2-0x000000001AD50000-0x000000001AD60000-memory.dmp

memory/368-3-0x000000001CA10000-0x000000001CB30000-memory.dmp

memory/368-4-0x000000001B950000-0x000000001B95E000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_hi55yuc4.vei.ps1

MD5: d17fe0a3f47be24a6453e9ef58c94641
SHA1: 6ab83620379fc69f80c0242105ddffd7d98d5d9d
SHA256: 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
SHA512: 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

memory/368-14-0x000000001D600000-0x000000001D622000-memory.dmp

memory/368-53-0x00007FFE05150000-0x00007FFE05C11000-memory.dmp

memory/368-54-0x000000001AD50000-0x000000001AD60000-memory.dmp