stormkitty

General

Target

Solara.zip
Size

198KB
Sample

240902-ynvp5swclq
MD5

ffe29b3ebc9256701b01e953113ac2c4
SHA1

87921716634e010e783122a531a3c46a59fa0a3f
SHA256

d999208640743aef67eac9544824e1e96176dbb73b17fad5d2f33f73fb8fa87e
SHA512

99d47a9f06c8dff272d52439566b799b1a8718b4c5e0993add2256ca06a9a332f65d8084f3c7234b71e217e9994d4ca42f852a285c84940dccd5d2d79b3742ba
SSDEEP

3072:OEewTb7xmM2+VQiuLsxSII2FluWh4CefBEhdWZb7CjES1TaQQBGzNNCAz146HiMz:nv9pfVPxj0CWBpb7+nIQ9WsrqHkPf9

Score

10^/10

Malware Config

Extracted

Family

xworm

C2

127.0.0.1:13970

accessories-retrieve.gl.at.ply.gg:13970

Attributes

Install_directory
%AppData%
install_file
Loader.exe

Targets

- Target
  
  Solara.exe
- Size
  
  439KB
- MD5
  
  bbc212bd99b3cdbdf9ebea621b2ec078
- SHA1
  
  31b3bd37ea5c37ee034ed92c3643fef177b130e5
- SHA256
  
  def6f4ec76d2069322983c6eca95a313cb9a8d2456447dae67db7cb1dfe3acdd
- SHA512
  
  286e2dbe13d9e3732406bda3d55a1a673deb1c8f81669d8d8dc1d2bc5e30f2e8dbd13fc59bef3d13417afc1427243c51223d754422b2efd45b20600987c11737
- SSDEEP
  
  1536:Y52g9057DKXIvjKqx+bSIijoJLU6Bv0JVOfCTPnlp4Z9l:42V8q+bSIjv07Oq734ZP
Score

10^/10

xworm discovery execution persistence ransomware rat trojan
- Detect Xworm Payload
- Xworm
  Xworm is a remote access trojan written in C#.
  trojan rat xworm
- Command and Scripting Interpreter: PowerShell
  Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.
  execution
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Drops startup file
- Executes dropped EXE
- Adds Run key to start application
  persistence
- Sets desktop wallpaper using registry
  ransomware
behavioral1
- Target
  
  SolaraFixer.bat
- Size
  
  86KB
- MD5
  
  28b71b14a91dc144298ac43e725d27fd
- SHA1
  
  e6b8bd585e2dabc43d2dbbe6352eac60bdf93ac3
- SHA256
  
  c3ea1603378e0bfbf7fcc64643144c0c5c699bcffc8505b68a251d00097a0c63
- SHA512
  
  58446084d1e6365d017a0fac0ba10877b7e96a7dbacfb99dc375a65ce5716611cc341653006c043cd3968556c1d2e0559ebbf161c5c25db18ae23716654218f7
- SSDEEP
  
  1536:0PJQdYi/z5s3d434+UHnaJCt53ZbHDSXtDq1MO6tXlMFjGkOWCK4vOnOS:2JQdhatn1HnaJCtRZbHDekadlMJDOWC
Score

10^/10

stormkitty xworm credential_access discovery execution persistence ransomware rat spyware stealer trojan
- Detect Xworm Payload
- StormKitty
  StormKitty is an open source info stealer written in C#.
  stealer stormkitty
- StormKitty payload
- Xworm
  Xworm is a remote access trojan written in C#.
  trojan rat xworm
- Credentials from Password Stores: Credentials from Web Browsers
  Malicious Access or copy of Web Browser Credential store.
  credential_access stealer
- Command and Scripting Interpreter: PowerShell
  Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.
  execution
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Drops startup file
- Executes dropped EXE
- Reads user/profile data of web browsers
  Infostealers often target stored browser data, which can include saved credentials etc.
  spyware stealer
- Adds Run key to start application
  persistence
- Sets desktop wallpaper using registry
  ransomware
behavioral2