stormkitty | e2f53b76060c0115efe12f3e6a8c2f0b27caed7a4d471b85d318b21de6cfe0c7 | Triage

Submit
Reports

Overview

overview

Static

static

3

SolaraB/So...er.exe

windows7-x64

3

SolaraB/So...er.exe

windows10-2004-x64

Sharing

General

Target

SolaraB.rar
Size

5KB
Sample

240624-f9v9paycnb
MD5

b0bf490eeffd0865ab8cd515c6481045
SHA1

927fc43e6618c05bd8217d2ce57c48077d41d468
SHA256

e2f53b76060c0115efe12f3e6a8c2f0b27caed7a4d471b85d318b21de6cfe0c7
SHA512

99d985a286fff264e9c01b509d85cba16db8fb039dd0f340db686d62a4b7c31e561d4d8d0e3ee83a676c47665ac009ac027bdf32071bb1080ea4839cdd4ce7b3
SSDEEP

96:rAIVQw/rL3C/bqDiEuUkjRd0BVrKiFAyWgswkJUlilSQgNMesB:rrTYbokY7tlWgshULx+esB

Score

10^/10

stormkitty xworm execution persistence rat stealer themida trojan

Static task

static1

1 signatures

Behavioral task

behavioral1

Sample

SolaraB/SolaraBootstrapper.exe

Resource

win7-20240508-en

windows7-x64

7 signatures

300 seconds

Behavioral task

behavioral2

Sample

SolaraB/SolaraBootstrapper.exe

Resource

win10v2004-20240226-en

stormkitty xworm execution persistence rat stealer themida trojan

windows10-2004-x64

21 signatures

300 seconds

Malware Config

Extracted

Family

xworm

C2

anyone-blogging.gl.at.ply.gg:22284

Attributes

Install_directory
%Userprofile%
install_file
XClient.exe

Targets

- Target
  
  SolaraB/SolaraBootstrapper.exe
- Size
  
  13KB
- MD5
  
  8be476fb431fcf11156417f410acf978
- SHA1
  
  55a19def82358ffc006487e1f49be04277e12bd5
- SHA256
  
  14cf7648123e018dcdfc2aa386135a0510a9f7b12b8bc125ad4e32fd7f16999c
- SHA512
  
  cf747947ff0bedf87230e0fa08ee534f44f08962a52ae3dd0c0d734d6f4131456a0e2dc1ac230fa6500d5b254a64cae9e01161d1a690e26794c38d66e22cb5ed
- SSDEEP
  
  192:IUxOQrGVa/nHU0LgJ2jaVb4+LHdrDXy3pifUJ1hHxrWjd:hIQaVafU0LmqaVb4+xPy5ifU1hRyj
Score

10^/10

stormkitty xworm execution persistence rat stealer themida trojan
- Detect Xworm Payload
- StormKitty
  StormKitty is an open source info stealer written in C#.
  stealer stormkitty
- StormKitty payload
- Xworm
  Xworm is a remote access trojan written in C#.
  trojan rat xworm
- Command and Scripting Interpreter: PowerShell
  Run Powershell and hide display window.
  execution
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Themida packer
  Detects Themida, an advanced Windows software protection system.
  themida
- Adds Run key to start application
  persistence
- Legitimate hosting services abused for malware hosting/C2
behavioral1 behavioral2

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

PowerShell

Scheduled Task/Job

Scheduled Task

Persistence

Boot or Logon Autostart Execution

Registry Run Keys / Startup Folder

Scheduled Task/Job

Scheduled Task

Privilege Escalation

Boot or Logon Autostart Execution

Registry Run Keys / Startup Folder

Scheduled Task/Job

Scheduled Task

Defense Evasion

Modify Registry

Credential Access

Discovery

Query Registry

System Information Discovery

Lateral Movement

Collection

Command and Control

Web Service

Exfiltration

Impact

Tasks

static1

behavioral1

behavioral2

stormkittyxwormexecutionpersistenceratstealerthemidatrojan

© 2018-2025

Terms | Privacy