Extracted

• • Target

    XClient.scr

  • Size

    71KB

  • MD5

    5513183baf417b3a7190752a82b208b8

  • SHA1

    f8b8462561ee345d02ce68b0faa279ffabb8a4b0

  • SHA256

    799a78dff2f087686b22635366263dcc9bf4d1daf620ae0118bf90088e87a6f2

  • SHA512

    cdea1aff72f627e22fd2b135ae9de4108caa35b49ff88b57a9ca9204f31e16fa05b69651d3953ebc054d8bca4c84db6fadccdc80b3a4e19aa1d600ab360178b1

  • SSDEEP

    768:bMa8JQRkmIoU8LFwukRtg5JU2mB4UQV99gFaBPB9vq2TnbE5nX+bvB7Pn+jdUeML:MuRnIApwUoun9bER+bvp+Fm6K1OLPSF

  Score

  10^/10

  xwormpersistencerattrojanstormkittycredential_accessdiscoveryprivilege_escalationransomwarespywarestealer

  • Detect Xworm Payload

  • StormKitty

    StormKitty is an open source info stealer written in C#.

    stealerstormkitty

  • StormKitty payload

  • Xworm

    Xworm is a remote access trojan written in C#.

    trojanratxworm

  • Credentials from Password Stores: Credentials from Web Browsers

    Malicious Access or copy of Web Browser Credential store.

    credential_accessstealer

  • Blocklisted process makes network request

  • Boot or Logon Autostart Execution: Active Setup

    Adversaries may achieve persistence by adding a Registry key to the Active Setup of the local machine.

    persistence

  • Checks computer location settings

    Looks up country code configured in the registry, likely geofence.

  • Drops startup file

  • Executes dropped EXE

  • Reads user/profile data of web browsers

    Infostealers often target stored browser data, which can include saved credentials etc.

    spywarestealer

  • Adds Run key to start application

    persistence

  • Drops desktop.ini file(s)

  • Enumerates connected drives

    Attempts to read the root path of hard drives other than the default C: drive.

  • Sets desktop wallpaper using registry

    ransomware

  • Suspicious use of SetThreadContext

  behavioral1behavioral2