Malware Analysis Report

2024-09-22 23:53

Sample ID 240501-bz81ksch5v
Target 6f5e4c2f1acbaa248f7501e931462d3da75e6deba050065538153bfe14a6bdb5.exe
SHA256 6f5e4c2f1acbaa248f7501e931462d3da75e6deba050065538153bfe14a6bdb5
Tags
xworm stormkitty rat spyware stealer trojan
score
10/10

Table of Contents

Analysis Overview
MITRE ATT&CK Matrix
Analysis: static1
    Detonation Overview
    Signatures
Analysis: behavioral1
    Detonation Overview
    Command Line
    Signatures
    Processes
    Network
    Files
Analysis: behavioral2
    Detonation Overview
    Command Line
    Signatures
    Processes
    Network
    Files

Analysis Overview

score
10/10

SHA256

6f5e4c2f1acbaa248f7501e931462d3da75e6deba050065538153bfe14a6bdb5

Threat Level: Known bad

The file 6f5e4c2f1acbaa248f7501e931462d3da75e6deba050065538153bfe14a6bdb5.exe was found to be: Known bad.

Malicious Activity Summary

xworm stormkitty rat spyware stealer trojan

Detects Windows executables referencing non-Windows User-Agents

StormKitty

Xworm

StormKitty payload

Contains code to disable Windows Defender

Xworm family

Detect Xworm Payload

Detects executables referencing credit card regular expressions

Detects executables containing artifacts associated with disabling Windows Defender

Detects executables embedding registry key / value combination indicative of disabling Windows Defender features

Detects executables referencing Windows vault credential objects. Observed in infostealers

Reads user/profile data of web browsers

Unsigned PE

Suspicious use of AdjustPrivilegeToken

MITRE ATT&CK Matrix V13

Analysis: static1

Detonation Overview

Reported

2024-05-01 01:36

Signatures

Detect Xworm Payload

Description Indicator Process Target
N/A N/A N/A N/A

Detects Windows executables referencing non-Windows User-Agents

Description Indicator Process Target
N/A N/A N/A N/A

Xworm family

xworm

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-05-01 01:36

Reported

2024-05-01 01:38

Platform

win7-20240221-en

Max time kernel

121s

Max time network

145s

Command Line

"C:\Users\Admin\AppData\Local\Temp\6f5e4c2f1acbaa248f7501e931462d3da75e6deba050065538153bfe14a6bdb5.exe"

Signatures

Contains code to disable Windows Defender

Description Indicator Process Target
N/A N/A N/A N/A

Detect Xworm Payload

Description Indicator Process Target
N/A N/A N/A N/A

StormKitty

stealer stormkitty

StormKitty payload

Description Indicator Process Target
N/A N/A N/A N/A

Xworm

trojan rat xworm

Detects Windows executables referencing non-Windows User-Agents

Description Indicator Process Target
N/A N/A N/A N/A

Detects executables containing artifacts associated with disabling Windows Defender

Description Indicator Process Target
N/A N/A N/A N/A

Detects executables embedding registry key / value combination indicative of disabling Windows Defender features

Description Indicator Process Target
N/A N/A N/A N/A

Detects executables referencing Windows vault credential objects. Observed in infostealers

Description Indicator Process Target
N/A N/A N/A N/A

Detects executables referencing credit card regular expressions

Description Indicator Process Target
N/A N/A N/A N/A

Reads user/profile data of web browsers

spyware stealer

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\6f5e4c2f1acbaa248f7501e931462d3da75e6deba050065538153bfe14a6bdb5.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\6f5e4c2f1acbaa248f7501e931462d3da75e6deba050065538153bfe14a6bdb5.exe

"C:\Users\Admin\AppData\Local\Temp\6f5e4c2f1acbaa248f7501e931462d3da75e6deba050065538153bfe14a6bdb5.exe"

Network

Country  Destination         Domain  Proto
NL       91.92.242.85:3344   -       tcp
NL       91.92.242.85:3344   -       tcp

Files

memory/2728-0-0x0000000000D30000-0x0000000000D3E000-memory.dmp

memory/2728-1-0x000007FEF5C20000-0x000007FEF660C000-memory.dmp

memory/2728-2-0x000000001AD60000-0x000000001ADE0000-memory.dmp

memory/2728-3-0x0000000000D10000-0x0000000000D1E000-memory.dmp

memory/2728-4-0x000000001C130000-0x000000001C250000-memory.dmp

memory/2728-28-0x000007FEF5C20000-0x000007FEF660C000-memory.dmp

memory/2728-29-0x000000001AD60000-0x000000001ADE0000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted

2024-05-01 01:36

Reported

2024-05-01 01:38

Platform

win10v2004-20240419-en

Max time kernel

147s

Max time network

149s

Command Line

"C:\Users\Admin\AppData\Local\Temp\6f5e4c2f1acbaa248f7501e931462d3da75e6deba050065538153bfe14a6bdb5.exe"

Signatures

Detect Xworm Payload

Description Indicator Process Target
N/A N/A N/A N/A

Xworm

trojan rat xworm

Detects Windows executables referencing non-Windows User-Agents

Description Indicator Process Target
N/A N/A N/A N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\6f5e4c2f1acbaa248f7501e931462d3da75e6deba050065538153bfe14a6bdb5.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\6f5e4c2f1acbaa248f7501e931462d3da75e6deba050065538153bfe14a6bdb5.exe

"C:\Users\Admin\AppData\Local\Temp\6f5e4c2f1acbaa248f7501e931462d3da75e6deba050065538153bfe14a6bdb5.exe"

Network

Country  Destination         Domain                  Proto
US       8.8.8.8:53          g.bing.com              udp
US       8.8.8.8:53          8.8.8.8.in-addr.arpa    udp
NL       91.92.242.85:3344   -                       tcp
US       8.8.8.8:53          g.bing.com              udp
NL       91.92.242.85:3344   -                       tcp
NL       91.92.242.85:3344   -                       tcp
NL       91.92.242.85:3344   -                       tcp
NL       91.92.242.85:3344   -                       tcp
NL       91.92.242.85:3344   -                       tcp

Files

memory/1112-0-0x00000000006C0000-0x00000000006CE000-memory.dmp

memory/1112-1-0x00007FFA57FC0000-0x00007FFA58A81000-memory.dmp

memory/1112-2-0x000000001B2E0000-0x000000001B2F0000-memory.dmp

memory/1112-3-0x00007FFA57FC0000-0x00007FFA58A81000-memory.dmp

memory/1112-4-0x000000001B2E0000-0x000000001B2F0000-memory.dmp