stormkitty | d4edd94a065d71ae37cb48c64a09e3dab0996096f8a98a378185b26816655e42

Analysis

max time kernel
122s
max time network
145s
platform
windows7_x64
resource
win7-20240220-en
resource tags

arch:x64arch:x86image:win7-20240220-enlocale:en-usos:windows7-x64system
submitted
03-07-2024 17:56

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

OC 13065.exe
Size

1.8MB
MD5

26a81e6b9da7801ca3bd29c4b4d6b76c
SHA1

50e5cb8380bbc9f11f3b5bcd477c86f3b4ac6263
SHA256

f8850f3a39201ecea1e5bc30c07dad691e1b8db1a1eaeada7ed3d859e69a630e
SHA512

1a671f454bc48e108a831e9e1a2231a56cfcc0ee5c73c6f523d9764c75d256e32c070492a5d562250d64439422cd5658503afa00f69fc75e317e4193103854a8
SSDEEP

6144:Rx1iwfMPTymGeIHp58TY4adHganYLP3GAr0fSTSZlzOtvw9rI6HDCFixI+JAn3wk:b1Xd6T6qWArcSGZlgvw9rImCF+I93wk

Score

10^/10

stormkitty xworm rat stealer trojan

Malware Config

Extracted

Family

xworm

Version

5.0

185.29.11.111:7000

Mutex

B3bYPcOfuxE4gqjQ

Attributes

install_file
USB.exe

aes.plain

Signatures

Detect Xworm Payload 5 IoCs

resource	yara_rule
behavioral1/memory/2476-9-0x0000000000400000-0x000000000040E000-memory.dmp	family_xworm
behavioral1/memory/2476-8-0x0000000000400000-0x000000000040E000-memory.dmp	family_xworm
behavioral1/memory/2476-11-0x0000000000400000-0x000000000040E000-memory.dmp	family_xworm
behavioral1/memory/2476-13-0x0000000000400000-0x000000000040E000-memory.dmp	family_xworm
behavioral1/memory/2476-15-0x0000000000400000-0x000000000040E000-memory.dmp	family_xworm

StormKitty
StormKitty is an open source info stealer written in C#.
stealer stormkitty

StormKitty payload 1 IoCs

resource	yara_rule
behavioral1/memory/2476-22-0x0000000006340000-0x0000000006460000-memory.dmp	family_stormkitty

Xworm
Xworm is a remote access trojan written in C#.
trojan rat xworm

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 2036 set thread context of 2476	2036	OC 13065.exe	29

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	2036	OC 13065.exe
Token: SeDebugPrivilege	2476	CasPol.exe

Suspicious use of WriteProcessMemory 12 IoCs

description	pid	Process	procid_target
PID 2036 wrote to memory of 2476	2036	OC 13065.exe	29
PID 2036 wrote to memory of 2476	2036	OC 13065.exe	29
PID 2036 wrote to memory of 2476	2036	OC 13065.exe	29
PID 2036 wrote to memory of 2476	2036	OC 13065.exe	29
PID 2036 wrote to memory of 2476	2036	OC 13065.exe	29
PID 2036 wrote to memory of 2476	2036	OC 13065.exe	29
PID 2036 wrote to memory of 2476	2036	OC 13065.exe	29
PID 2036 wrote to memory of 2476	2036	OC 13065.exe	29
PID 2036 wrote to memory of 2476	2036	OC 13065.exe	29
PID 2036 wrote to memory of 2580	2036	OC 13065.exe	30
PID 2036 wrote to memory of 2580	2036	OC 13065.exe	30
PID 2036 wrote to memory of 2580	2036	OC 13065.exe	30

C:\Users\Admin\AppData\Local\Temp\OC 13065.exe
"C:\Users\Admin\AppData\Local\Temp\OC 13065.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2036
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe
  "C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe"
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:2476
- C:\Windows\system32\WerFault.exe
  C:\Windows\system32\WerFault.exe -u -p 2036 -s 616
  2⤵
  PID:2580

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

memory/2036-18-0x000007FEF5BB3000-0x000007FEF5BB4000-memory.dmp

Filesize
4KB

Download
memory/2036-1-0x0000000000820000-0x000000000082E000-memory.dmp

Filesize
56KB

Download
memory/2036-2-0x000000001B010000-0x000000001B01E000-memory.dmp

Filesize
56KB

Download
memory/2036-3-0x0000000000770000-0x00000000007D2000-memory.dmp

Filesize
392KB

Download
memory/2036-4-0x000007FEF5BB0000-0x000007FEF659C000-memory.dmp

Filesize
9.9MB

Download
memory/2036-0-0x000007FEF5BB3000-0x000007FEF5BB4000-memory.dmp

Filesize
4KB

Download
memory/2036-19-0x000007FEF5BB0000-0x000007FEF659C000-memory.dmp

Filesize
9.9MB

Download
memory/2476-9-0x0000000000400000-0x000000000040E000-memory.dmp

Filesize
56KB

Download
memory/2476-5-0x0000000000400000-0x000000000040E000-memory.dmp

Filesize
56KB

Download
memory/2476-11-0x0000000000400000-0x000000000040E000-memory.dmp

Filesize
56KB

Download
memory/2476-10-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

Filesize
4KB

Download
memory/2476-13-0x0000000000400000-0x000000000040E000-memory.dmp

Filesize
56KB

Download
memory/2476-15-0x0000000000400000-0x000000000040E000-memory.dmp

Filesize
56KB

Download
memory/2476-16-0x00000000747CE000-0x00000000747CF000-memory.dmp

Filesize
4KB

Download
memory/2476-17-0x00000000747C0000-0x0000000074EAE000-memory.dmp

Filesize
6.9MB

Download
memory/2476-7-0x0000000000400000-0x000000000040E000-memory.dmp

Filesize
56KB

Download
memory/2476-8-0x0000000000400000-0x000000000040E000-memory.dmp

Filesize
56KB

Download
memory/2476-20-0x00000000747CE000-0x00000000747CF000-memory.dmp

Filesize
4KB

Download
memory/2476-21-0x00000000747C0000-0x0000000074EAE000-memory.dmp

Filesize
6.9MB

Download
memory/2476-22-0x0000000006340000-0x0000000006460000-memory.dmp

Filesize
1.1MB

Download