stormkitty | 9eb51151389425c487c68c0f293d80fe0c8f894aedcf797fbc37e8bdf4cf1ecf | Triage

Submit
Reports

Overview

overview

Static

static

1

tre.bat

windows7-x64

8

tre.bat

windows10-2004-x64

Sharing

General

Target

tre.bat
Size

186KB
Sample

240915-cg5qwazfkp
MD5

49a0a6fd50d78530a1d0165530bbf452
SHA1

d7c0a6fda37c34e19da741946624e33632372f01
SHA256

9eb51151389425c487c68c0f293d80fe0c8f894aedcf797fbc37e8bdf4cf1ecf
SHA512

1e64aa6cc815dbc537164dec8ef885bdee00e6a02836065c0dadbb440737eb9a1ec361aa6cd9c3c6d8e545a817c554b76b132fd81d4c24089208e8b5c7be1dc1
SSDEEP

3072:Y3QUaDntxn+cceixWDdNllmYtUA8HnUe/EEQjnj/2+AZ8E9zl7LWe9hCWANSblHO:IQt+wixAjSYjcEE6j/2+A+2zl7aemM1O

Score

10^/10

stormkitty xworm credential_access discovery execution rat stealer trojan

Static task

static1

Behavioral task

behavioral1

Sample

tre.bat

Resource

win7-20240903-en

windows7-x64

4 signatures

1800 seconds

Behavioral task

behavioral2

Sample

tre.bat

Resource

win10v2004-20240802-en

stormkitty xworm credential_access discovery execution rat stealer trojan

windows10-2004-x64

19 signatures

1800 seconds

Malware Config

Extracted

Family

xworm

C2

147.185.221.16:40164

147.185.221.20:40164

Attributes

install_file
tmp.exe

Targets

- Target
  
  tre.bat
- Size
  
  186KB
- MD5
  
  49a0a6fd50d78530a1d0165530bbf452
- SHA1
  
  d7c0a6fda37c34e19da741946624e33632372f01
- SHA256
  
  9eb51151389425c487c68c0f293d80fe0c8f894aedcf797fbc37e8bdf4cf1ecf
- SHA512
  
  1e64aa6cc815dbc537164dec8ef885bdee00e6a02836065c0dadbb440737eb9a1ec361aa6cd9c3c6d8e545a817c554b76b132fd81d4c24089208e8b5c7be1dc1
- SSDEEP
  
  3072:Y3QUaDntxn+cceixWDdNllmYtUA8HnUe/EEQjnj/2+AZ8E9zl7LWe9hCWANSblHO:IQt+wixAjSYjcEE6j/2+A+2zl7aemM1O
Score

10^/10

execution stormkitty xworm credential_access discovery rat stealer trojan
- Detect Xworm Payload
- StormKitty
  StormKitty is an open source info stealer written in C#.
  stealer stormkitty
- StormKitty payload
- Xworm
  Xworm is a remote access trojan written in C#.
  trojan rat xworm
- Credentials from Password Stores: Credentials from Web Browsers
  Malicious Access or copy of Web Browser Credential store.
  credential_access stealer
- Blocklisted process makes network request
- Command and Scripting Interpreter: PowerShell
  Run Powershell and hide display window.
  execution
- Executes dropped EXE
- Looks up external IP address via web service
  Uses a legitimate IP lookup service to find the infected system's external IP.
behavioral1 behavioral2

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

PowerShell

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Credentials from Password Stores

Credentials from Web Browsers

Discovery

Browser Information Discovery

System Information Discovery

System Location Discovery

System Language Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Tasks

static1

behavioral1

behavioral2

stormkittyxwormcredential_accessdiscoveryexecutionratstealertrojan

© 2018-2025

Terms | Privacy