stormkitty | 2d2e27dc029c468d7a019fcde90fb2ffddd0bf02cafa0357cd86310645bb7473 | Triage

Submit
Reports

Overview

overview

Static

static

XClient.exe

windows11-21h2-x64

Sharing

General

Target

XClient.exe
Size

79KB
Sample

240528-pphbrsde6v
MD5

81630e94eabda4e1a57ac4f1952db556
SHA1

9d7276205d8cedba924859bbbbef305890baff23
SHA256

2d2e27dc029c468d7a019fcde90fb2ffddd0bf02cafa0357cd86310645bb7473
SHA512

f9dca5f30cc1908d47a806c5b2b3a1c1b8c3c3b75bbdac9811307f83f4ac2fabcb6f2ae7630c9f25e7be5f710c525b63f49fa814c1d498d1d0872b5d9a7d3bec
SSDEEP

1536:ZG0+RNQYxXBpLLLoypsKCJJ5Ybimcg6cbD8K3QG6VG6xqhGpOggM3xZRw:Zb+RN5bLGFYbi7cDVg9A+OggM5w

Score

10^/10

stormkitty xworm execution persistence rat spyware stealer trojan

Static task

static1

3 signatures

Behavioral task

behavioral1

Sample

XClient.exe

Resource

win11-20240419-en

stormkitty xworm execution persistence rat spyware stealer trojan

windows11-21h2-x64

19 signatures

300 seconds

Malware Config

Extracted

Family

xworm

C2

https://pastebin.com/raw/qaWffTar:5

Attributes

Install_directory
%AppData%
install_file
svchost.exe
pastebin_url
https://pastebin.com/raw/qaWffTar

Targets

- Target
  
  XClient.exe
- Size
  
  79KB
- MD5
  
  81630e94eabda4e1a57ac4f1952db556
- SHA1
  
  9d7276205d8cedba924859bbbbef305890baff23
- SHA256
  
  2d2e27dc029c468d7a019fcde90fb2ffddd0bf02cafa0357cd86310645bb7473
- SHA512
  
  f9dca5f30cc1908d47a806c5b2b3a1c1b8c3c3b75bbdac9811307f83f4ac2fabcb6f2ae7630c9f25e7be5f710c525b63f49fa814c1d498d1d0872b5d9a7d3bec
- SSDEEP
  
  1536:ZG0+RNQYxXBpLLLoypsKCJJ5Ybimcg6cbD8K3QG6VG6xqhGpOggM3xZRw:Zb+RN5bLGFYbi7cDVg9A+OggM5w
Score

10^/10

stormkitty xworm execution persistence rat spyware stealer trojan
- Detect Xworm Payload
- StormKitty
  StormKitty is an open source info stealer written in C#.
  stealer stormkitty
- StormKitty payload
- Xworm
  Xworm is a remote access trojan written in C#.
  trojan rat xworm
- Command and Scripting Interpreter: PowerShell
  Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.
  execution
- Drops startup file
- Executes dropped EXE
- Reads user/profile data of web browsers
  Infostealers often target stored browser data, which can include saved credentials etc.
  spyware stealer
- Adds Run key to start application
  persistence
- Legitimate hosting services abused for malware hosting/C2
- Looks up external IP address via web service
  Uses a legitimate IP lookup service to find the infected system's external IP.
behavioral1

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

PowerShell

Scheduled Task/Job

Persistence

Boot or Logon Autostart Execution

Registry Run Keys / Startup Folder

Scheduled Task/Job

Privilege Escalation

Boot or Logon Autostart Execution

Registry Run Keys / Startup Folder

Scheduled Task/Job

Defense Evasion

Modify Registry

Credential Access

Unsecured Credentials

Credentials In Files

Discovery

Query Registry

System Information Discovery

Lateral Movement

Collection

Data from Local System

Command and Control

Web Service

Exfiltration

Impact

Tasks

static1

behavioral1

stormkittyxwormexecutionpersistenceratspywarestealertrojan

© 2018-2025

Terms | Privacy