Overview

overview

10

Static

static

1

BlueStacks...==.exe

windows11-21h2-x64

10

Sharing

Copy URL
Twitter E-mail

General

  • Target

    BlueStacksInstaller_5.21.550.1031_native_a84df0a742c64361a047a75521553ed5_MDs1LDM7MTUsMTsxNSw0OzE1LA==.exe

  • Size

    913KB

  • Sample

    240911-mqpq5awfpd

  • MD5

    f88ed174d2848207ff096424f705257b

  • SHA1

    2186f6b58eb9cb2b7434071f2719426c43cc004b

  • SHA256

    96bd9c9e7ff547805dce20e583aa95e3a047db2d01c1984549a825fa5f04f7c0

  • SHA512

    4307f8ce28c62758f80bc3f38c096da68ceb0cb444c3b055159eabf408f2ac8ac0dd9bac156d77a454c6c48a7c00cff94c63fb594c0ce5106fbb8df32b379e17

  • SSDEEP

    24576:vivtCXWeGKj8f7bi7iruGKW2loYW+wTZvlfk:KtCXWP/nieolonlN9fk

Score
10/10
stormkittyxwormcredential_accessdefense_evasiondiscoveryevasionexecutionratstealertrojan

Malware Config

Extracted

Family

xworm

C2

193.161.193.99:24469

Attributes
  • Install_directory

    %Temp%

  • install_file

    USB.exe

Targets

    • Target

      BlueStacksInstaller_5.21.550.1031_native_a84df0a742c64361a047a75521553ed5_MDs1LDM7MTUsMTsxNSw0OzE1LA==.exe

    • Size

      913KB

    • MD5

      f88ed174d2848207ff096424f705257b

    • SHA1

      2186f6b58eb9cb2b7434071f2719426c43cc004b

    • SHA256

      96bd9c9e7ff547805dce20e583aa95e3a047db2d01c1984549a825fa5f04f7c0

    • SHA512

      4307f8ce28c62758f80bc3f38c096da68ceb0cb444c3b055159eabf408f2ac8ac0dd9bac156d77a454c6c48a7c00cff94c63fb594c0ce5106fbb8df32b379e17

    • SSDEEP

      24576:vivtCXWeGKj8f7bi7iruGKW2loYW+wTZvlfk:KtCXWP/nieolonlN9fk

    Score
    10/10
    stormkittyxwormcredential_accessdefense_evasiondiscoveryevasionexecutionratstealertrojan

    • Contains code to disable Windows Defender

      A .NET executable tasked with disabling Windows Defender capabilities such as realtime monitoring, blocking at first seen, etc.

    • Detect Xworm Payload

    • Modifies Windows Defender Real-time Protection settings

      evasiontrojan

    • StormKitty

      StormKitty is an open source info stealer written in C#.

      stealerstormkitty

    • StormKitty payload

    • Suspicious use of NtCreateUserProcessOtherParentProcess

    • Xworm

      Xworm is a remote access trojan written in C#.

      trojanratxworm

    • Credentials from Password Stores: Credentials from Web Browsers

      Malicious Access or copy of Web Browser Credential store.

      credential_accessstealer

    • Blocklisted process makes network request

    • Command and Scripting Interpreter: PowerShell

      Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

      execution

    • Drops startup file

    • Downloads MZ/PE file

    • Legitimate hosting services abused for malware hosting/C2

    • Looks up external IP address via web service

      Uses a legitimate IP lookup service to find the infected system's external IP.

    behavioral1

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

1
T1059

PowerShell

1
T1059.001

Persistence

Create or Modify System Process

1
T1543

Windows Service

1
T1543.003

Privilege Escalation

Create or Modify System Process

1
T1543

Windows Service

1
T1543.003

Defense Evasion

Impair Defenses

1
T1562

Disable or Modify Tools

1
T1562.001

Modify Registry

1
T1112

Subvert Trust Controls

1
T1553

SIP and Trust Provider Hijacking

1
T1553.003

Credential Access

Credentials from Password Stores

1
T1555

Credentials from Web Browsers

1
T1555.003

Discovery

Browser Information Discovery

1
T1217

Query Registry

2
T1012

System Information Discovery

2
T1082

System Location Discovery

1
T1614

System Language Discovery

1
T1614.001

Lateral Movement

Collection

Command and Control

Web Service

1
T1102

Exfiltration

Impact

Tasks