stormkitty | 375d690a75254f5b58018e443205c6800270e553234845d92378b90023c9dc13 | Triage

Sharing

General

Target

375d690a75254f5b58018e443205c6800270e553234845d92378b90023c9dc13.js
Size

47.0MB
Sample

240808-blcp8a1dpf
MD5

e633eaeb161017eec584bd3f042cde07
SHA1

6c0181476a703f2cc7232d62213dbcca8d6d2cf3
SHA256

375d690a75254f5b58018e443205c6800270e553234845d92378b90023c9dc13
SHA512

605fd043c9978d8f8834bef3a65f07e3513e53c5b2dd15f4a3853fba87e93ae05df4987921e40c9e29c1d8850f3ce090ffce48714601c55bf85eb00c7de5234d
SSDEEP

3072:g0SaHey6uGxBKa+OKaGWvPa6Oua6W21lq6+Oq6GWPv6aOu6aW2J5Ka+OKaGWvPak:j

Score

10^/10

stormkitty xworm credential_access discovery execution persistence rat stealer trojan

Malware Config

Extracted

Language

ps1

Deobfuscated

URLs

ps1.dropper

https://ia601606.us.archive.org/10/items/deathnote_202407/deathnote.jpg

exe.dropper

https://ia601606.us.archive.org/10/items/deathnote_202407/deathnote.jpg

Extracted

Family

xworm

Version

5.0

C2

christyrusike21.duckdns.org:7000

Mutex

znkTtudE0WUuGVBW

Attributes

install_file
USB.exe

aes.plain

Targets

- Target
  
  375d690a75254f5b58018e443205c6800270e553234845d92378b90023c9dc13.js
- Size
  
  47.0MB
- MD5
  
  e633eaeb161017eec584bd3f042cde07
- SHA1
  
  6c0181476a703f2cc7232d62213dbcca8d6d2cf3
- SHA256
  
  375d690a75254f5b58018e443205c6800270e553234845d92378b90023c9dc13
- SHA512
  
  605fd043c9978d8f8834bef3a65f07e3513e53c5b2dd15f4a3853fba87e93ae05df4987921e40c9e29c1d8850f3ce090ffce48714601c55bf85eb00c7de5234d
- SSDEEP
  
  3072:g0SaHey6uGxBKa+OKaGWvPa6Oua6W21lq6+Oq6GWPv6aOu6aW2J5Ka+OKaGWvPak:j
Score

10^/10

execution stormkitty xworm credential_access discovery persistence rat stealer trojan
- Detect Xworm Payload
- StormKitty
  StormKitty is an open source info stealer written in C#.
  stealer stormkitty
- StormKitty payload
- Xworm
  Xworm is a remote access trojan written in C#.
  trojan rat xworm
- Credentials from Password Stores: Credentials from Web Browsers
  Malicious Access or copy of Web Browser Credential store.
  credential_access stealer
- Blocklisted process makes network request
- Command and Scripting Interpreter: PowerShell
  Run Powershell and hide display window.
  execution
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Adds Run key to start application
  persistence
- Suspicious use of SetThreadContext
behavioral1 behavioral2

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

JavaScript

PowerShell

Persistence

Boot or Logon Autostart Execution

Registry Run Keys / Startup Folder

Privilege Escalation

Boot or Logon Autostart Execution

Registry Run Keys / Startup Folder

Defense Evasion

Modify Registry

Credential Access

Credentials from Password Stores

Credentials from Web Browsers

Discovery

Browser Information Discovery

Query Registry

System Information Discovery

System Location Discovery

System Language Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Tasks

static1

behavioral1

behavioral2

stormkittyxwormcredential_accessdiscoveryexecutionpersistenceratstealertrojan