Malware Analysis Report

2024-09-22 23:53

Sample ID 240507-awkyxadc83
Target 3d22b8ae19ff1a0ff76edfed0a30c480_NEAS
SHA256 d0d8cabf89f4fcb086977a8d2b269db8ba7999b7a833ec41ac772b67e474fc77
Tags
xworm stormkitty rat spyware stealer trojan
score
10/10


Analysis Overview

score
10/10

SHA256

d0d8cabf89f4fcb086977a8d2b269db8ba7999b7a833ec41ac772b67e474fc77

Threat Level: Known bad

The file 3d22b8ae19ff1a0ff76edfed0a30c480_NEAS was found to be: Known bad.

Malicious Activity Summary

xworm stormkitty rat spyware stealer trojan

StormKitty

Xworm family

StormKitty payload

Xworm

Detect Xworm Payload

Reads user/profile data of web browsers

Unsigned PE

Suspicious use of AdjustPrivilegeToken

Suspicious behavior: EnumeratesProcesses

MITRE ATT&CK Matrix V13

Analysis: static1

Detonation Overview

Reported

2024-05-07 00:33

Signatures

Detect Xworm Payload

Description Indicator Process Target
N/A N/A N/A N/A

Xworm family

xworm

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-05-07 00:33

Reported

2024-05-07 00:36

Platform

win7-20240220-en

Max time kernel

122s

Max time network

137s

Command Line

"C:\Users\Admin\AppData\Local\Temp\3d22b8ae19ff1a0ff76edfed0a30c480_NEAS.exe"

Signatures

Detect Xworm Payload

Description Indicator Process Target
N/A N/A N/A N/A

StormKitty

stealer stormkitty

StormKitty payload

Description Indicator Process Target
N/A N/A N/A N/A

Xworm

trojan rat xworm

Reads user/profile data of web browsers

spyware stealer

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\3d22b8ae19ff1a0ff76edfed0a30c480_NEAS.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\3d22b8ae19ff1a0ff76edfed0a30c480_NEAS.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\3d22b8ae19ff1a0ff76edfed0a30c480_NEAS.exe

"C:\Users\Admin\AppData\Local\Temp\3d22b8ae19ff1a0ff76edfed0a30c480_NEAS.exe"

Network

Country  Destination         Domain                         Proto
TR       94.156.79.142:8080                                 tcp
TR       94.156.79.142:8080                                 tcp
TR       94.156.79.142:8080                                 tcp

Files


Analysis: behavioral2

Detonation Overview

Submitted

2024-05-07 00:33

Reported

2024-05-07 00:36

Platform

win10v2004-20240419-en

Max time kernel

130s

Max time network

152s

Command Line

"C:\Users\Admin\AppData\Local\Temp\3d22b8ae19ff1a0ff76edfed0a30c480_NEAS.exe"

Signatures

Detect Xworm Payload

Description Indicator Process Target
N/A N/A N/A N/A

StormKitty

stealer stormkitty

StormKitty payload

Description Indicator Process Target
N/A N/A N/A N/A

Xworm

trojan rat xworm

Reads user/profile data of web browsers

spyware stealer

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\3d22b8ae19ff1a0ff76edfed0a30c480_NEAS.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\3d22b8ae19ff1a0ff76edfed0a30c480_NEAS.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\3d22b8ae19ff1a0ff76edfed0a30c480_NEAS.exe

"C:\Users\Admin\AppData\Local\Temp\3d22b8ae19ff1a0ff76edfed0a30c480_NEAS.exe"

Network

Country  Destination         Domain                         Proto
US       8.8.8.8:53          8.8.8.8.in-addr.arpa           udp
US       8.8.8.8:53          104.219.191.52.in-addr.arpa    udp
US       8.8.8.8:53          77.190.18.2.in-addr.arpa       udp
US       8.8.8.8:53          22.160.190.20.in-addr.arpa     udp
NL       23.62.61.194:443    www.bing.com                   tcp
US       8.8.8.8:53          194.61.62.23.in-addr.arpa      udp
US       8.8.8.8:53          196.249.167.52.in-addr.arpa    udp
TR       94.156.79.142:8080                                 tcp
US       8.8.8.8:53          142.79.156.94.in-addr.arpa     udp
TR       94.156.79.142:8080                                 tcp
US       8.8.8.8:53          228.249.119.40.in-addr.arpa    udp
TR       94.156.79.142:8080                                 tcp
US       8.8.8.8:53          103.169.127.40.in-addr.arpa    udp
US       8.8.8.8:53          206.23.85.13.in-addr.arpa      udp
US       8.8.8.8:53          31.121.18.2.in-addr.arpa       udp
US       8.8.8.8:53          79.190.18.2.in-addr.arpa       udp
US       8.8.8.8:53          88.156.103.20.in-addr.arpa     udp
US       8.8.8.8:53          51.15.97.104.in-addr.arpa      udp
US       8.8.8.8:53          14.227.111.52.in-addr.arpa     udp
US       8.8.8.8:53          tse1.mm.bing.net               udp
US       204.79.197.200:443  tse1.mm.bing.net               tcp
US       204.79.197.200:443  tse1.mm.bing.net               tcp
US       204.79.197.200:443  tse1.mm.bing.net               tcp
US       204.79.197.200:443  tse1.mm.bing.net               tcp
US       8.8.8.8:53          200.197.79.204.in-addr.arpa    udp

Files
