stormkitty | e94a439b85ca5bc7d19dda9a6ea43d921c385f99dedf8b6a6560cb747e43e264 | Triage

Submit
Reports

Overview

overview

Static

static

3

Celestial.exe

windows7-x64

Celestial.exe

windows10-2004-x64

Sharing

General

Target

Celestial.exe
Size

297KB
Sample

240809-zr95nssfqf
MD5

9b650b738d97c0e39717fe86401a6726
SHA1

34f361ab5024ad4390a3906cb3fff5a7b5f7e656
SHA256

e94a439b85ca5bc7d19dda9a6ea43d921c385f99dedf8b6a6560cb747e43e264
SHA512

a6664916c5c1bfd66e58face5c1811f95b6489c3e1d4728d4efee92233192fb145c8f0cca46582d560356b92732a8727794a7d8765d16c4df567eb5eb84b1e30
SSDEEP

6144:Ka4InuJg58BkgqPoDH49n8Bb/cQ/gW/tQtbgk3KlRWvWl/HrrACG7:Kat0EAH49n8BLgSZQKXW+l/HnACs

Score

10^/10

stormkitty xworm credential_access discovery rat spyware stealer trojan

Static task

static1

1 signatures

Behavioral task

behavioral1

Sample

Celestial.exe

Resource

win7-20240729-en

xworm discovery rat trojan

windows7-x64

10 signatures

150 seconds

Behavioral task

behavioral2

Sample

Celestial.exe

Resource

win10v2004-20240802-en

stormkitty xworm credential_access discovery rat spyware stealer trojan

windows10-2004-x64

16 signatures

150 seconds

Malware Config

Extracted

Family

xworm

C2

engineering-thoroughly.gl.at.ply.gg:32901

20.ip.gl.ply.gg:32901

Attributes

install_file
USB.exe

Targets

- Target
  
  Celestial.exe
- Size
  
  297KB
- MD5
  
  9b650b738d97c0e39717fe86401a6726
- SHA1
  
  34f361ab5024ad4390a3906cb3fff5a7b5f7e656
- SHA256
  
  e94a439b85ca5bc7d19dda9a6ea43d921c385f99dedf8b6a6560cb747e43e264
- SHA512
  
  a6664916c5c1bfd66e58face5c1811f95b6489c3e1d4728d4efee92233192fb145c8f0cca46582d560356b92732a8727794a7d8765d16c4df567eb5eb84b1e30
- SSDEEP
  
  6144:Ka4InuJg58BkgqPoDH49n8Bb/cQ/gW/tQtbgk3KlRWvWl/HrrACG7:Kat0EAH49n8BLgSZQKXW+l/HnACs
Score

10^/10

xworm discovery rat trojan stormkitty credential_access spyware stealer
- Detect Xworm Payload
- StormKitty
  StormKitty is an open source info stealer written in C#.
  stealer stormkitty
- StormKitty payload
- Xworm
  Xworm is a remote access trojan written in C#.
  trojan rat xworm
- Credentials from Password Stores: Credentials from Web Browsers
  Malicious Access or copy of Web Browser Credential store.
  credential_access stealer
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Drops startup file
- Executes dropped EXE
- Loads dropped DLL
- Reads user/profile data of web browsers
  Infostealers often target stored browser data, which can include saved credentials etc.
  spyware stealer
- Looks up external IP address via web service
  Uses a legitimate IP lookup service to find the infected system's external IP.
behavioral1 behavioral2

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Credentials from Password Stores

Credentials from Web Browsers

Unsecured Credentials

Credentials In Files

Discovery

Browser Information Discovery

Query Registry

System Information Discovery

System Location Discovery

System Language Discovery

System Time Discovery

Lateral Movement

Collection

Data from Local System

Command and Control

Exfiltration

Impact

Tasks

static1

behavioral1

xwormdiscoveryrattrojan

behavioral2

stormkittyxwormcredential_accessdiscoveryratspywarestealertrojan

© 2018-2025

Terms | Privacy