stormkitty | fcadb0f8b3f4d2f62ee32686bc4c9d93493145ae9720a28d0b2afffdf253e66d

Analysis

max time kernel
1328s
max time network
1870s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
16-09-2024 18:00

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

test.exe
Size

71KB
MD5

9175e0d4944a8add7461d6b0f312e321
SHA1

92f40d5e927a96eff9c6916a651bb7e17dd0b31a
SHA256

fcadb0f8b3f4d2f62ee32686bc4c9d93493145ae9720a28d0b2afffdf253e66d
SHA512

4f5716a1353289dc58f2256832cd360fc138f031e5b7d791b4317576108efdf4a7f331382951862505ce4731604a54a32488feef360090db0f7fcac2135a1eb5
SSDEEP

1536:6ZbC2aJTIHzeerbZurGcywF3OKSW0QW0Qe:6ZOTIFbZu6i3OW0QWk

Score

10^/10

stormkitty xworm credential_access discovery rat spyware stealer trojan

Malware Config

Extracted

Family

xworm

147.185.221.16:40164

147.185.221.20:40164

Attributes

install_file
tmp.exe

Signatures

Detect Xworm Payload 1 IoCs

resource	yara_rule
behavioral2/memory/4420-1-0x0000000000D60000-0x0000000000D78000-memory.dmp	family_xworm

StormKitty
StormKitty is an open source info stealer written in C#.
stealer stormkitty

StormKitty payload 1 IoCs

resource	yara_rule
behavioral2/memory/4420-5-0x000000001E250000-0x000000001E36E000-memory.dmp	family_stormkitty

Xworm
Xworm is a remote access trojan written in C#.
trojan rat xworm
Credentials from Password Stores: Credentials from Web Browsers 1 TTPs
Malicious Access or copy of Web Browser Credential store.
credential_access stealer

Credentials from Web Browsers
T1555.003
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Looks up external IP address via web service 1 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

flow	ioc
15	ip-api.com

Browser Information Discovery 1 TTPs
Enumerate browser information.
discovery

Browser Information Discovery
T1217

Delays execution with timeout.exe 1 IoCs

evasion

pid	Process
1584	timeout.exe

Suspicious behavior: EnumeratesProcesses 1 IoCs

pid	Process
4420	test.exe

Suspicious use of AdjustPrivilegeToken 6 IoCs

description	pid	Process
Token: SeDebugPrivilege	4420	test.exe
Token: SeDebugPrivilege	4420	test.exe
Token: SeRestorePrivilege	4328	7zG.exe
Token: 35	4328	7zG.exe
Token: SeSecurityPrivilege	4328	7zG.exe
Token: SeSecurityPrivilege	4328	7zG.exe

Suspicious use of FindShellTrayWindow 1 IoCs

pid	Process
4328	7zG.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
4420	test.exe

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 4420 wrote to memory of 2900	4420	test.exe	95
PID 4420 wrote to memory of 2900	4420	test.exe	95
PID 2900 wrote to memory of 1584	2900	cmd.exe	97
PID 2900 wrote to memory of 1584	2900	cmd.exe	97

C:\Users\Admin\AppData\Local\Temp\test.exe
"C:\Users\Admin\AppData\Local\Temp\test.exe"
1⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:4420
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\tmp5176.tmp.bat""
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2900
- - C:\Windows\system32\timeout.exe
    timeout 3
    3⤵
    - Delays execution with timeout.exe
    PID:1584

C:\Program Files\7-Zip\7zG.exe
"C:\Program Files\7-Zip\7zG.exe" x -o"C:\Users\Admin\Desktop\" -an -ai#7zMap5614:102:7zEvent688
1⤵
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
PID:4328

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Credentials from Password Stores

T1555

Credentials from Web Browsers

T1555.003

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Browser Information Discovery

T1217

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\tmp5176.tmp.bat

Filesize
156B

MD5
af7275adf798b2d4a83c2f31320ca531

SHA1
5088a66bf2f29ba99280e6ef0a43e949acabd6b1

SHA256
a9fb4bb4c75aff14c2498fb8e65c564928dd18ab2bab7a62fa1208874f58aef5

SHA512
c28b5d1abf7a61776e14cb319efdf2eb4a7d5f14d81e5838ae1e8d5ff647f01f61d9edf259423aa39dfc9f2a6005ff3cac91d3b3f48e3b20523f2c28bdc9f955

Download Submit
C:\Users\Admin\Desktop\Builder.Ransomware.Slam.7z

Filesize
30.7MB

MD5
0c0b013c6ddec7c6840fdca388be41a1

SHA1
2f567ff0fe5448bee2cafad4d75fd1a7675191a6

SHA256
6d3629669642caf549b92c3c2ddc11242d5fc191a97a5d77a33192adfcbdc6b5

SHA512
fc80bf12793cbfcb839c1cf35b9ccf405fb8e5c8d2ac319e5ef2024d69cbbc5ba044297ec61336533ce42e6e4320fb529e35fb1d50eac6ae5ebf74f545210577

Download Submit
memory/4420-44-0x000000001E5A0000-0x000000001E5C2000-memory.dmp

Filesize
136KB

Download
memory/4420-3-0x00007FF945253000-0x00007FF945255000-memory.dmp

Filesize
8KB

Download
memory/4420-4-0x00007FF945250000-0x00007FF945D11000-memory.dmp

Filesize
10.8MB

Download
memory/4420-5-0x000000001E250000-0x000000001E36E000-memory.dmp

Filesize
1.1MB

Download
memory/4420-0-0x00007FF945253000-0x00007FF945255000-memory.dmp

Filesize
8KB

Download
memory/4420-45-0x000000001E5D0000-0x000000001E920000-memory.dmp

Filesize
3.3MB

Download
memory/4420-46-0x000000001E050000-0x000000001E100000-memory.dmp

Filesize
704KB

Download
memory/4420-47-0x000000001F3A0000-0x000000001F8C8000-memory.dmp

Filesize
5.2MB

Download
memory/4420-2-0x00007FF945250000-0x00007FF945D11000-memory.dmp

Filesize
10.8MB

Download
memory/4420-1-0x0000000000D60000-0x0000000000D78000-memory.dmp

Filesize
96KB

Download
memory/4420-54-0x00007FF945250000-0x00007FF945D11000-memory.dmp

Filesize
10.8MB

Download