General

  • Target

    adb457a925a23c0051ac0f18ad7fdb8e2c64302d15d0077cc3182c7f74257994N

  • Size

    67KB

  • Sample

    240922-xvhhqatgnr

  • MD5

    cc64308d86b707f3fc9eda4630eb85f0

  • SHA1

    783f4cd9bfadb5c561b177f30b1cd18211a08c04

  • SHA256

    adb457a925a23c0051ac0f18ad7fdb8e2c64302d15d0077cc3182c7f74257994

  • SHA512

    0da4a99489c61a2d4ae1bd098f7c3039111b36d26f24ed66e514691b1f2cd1905f71cdbb1437cc39d9d7e55820a12fa082e2dc6bc088a8dbcb9d0bc3d3e77c76

  • SSDEEP

    768:ZyH6ce2zT+BEEm/Dm4zO7iYoCGSbc+hTYGEQKQbjA7kkHi3e6VRA6+ZgIYOShWZ/:Iac/Ji7noCGutRbjA7kkSq6+6IYOSX+

Malware Config

Extracted

Family

xworm

C2

91.92.241.132:7000

Attributes
  • Install_directory

    %AppData%

  • install_file

    USDT20.exe

  • telegram

    https://api.telegram.org/bot7206931180:AAEOX3tXBGQztAH7K_TaFzjXLXP1KedKPeA

Targets

    • Target

      adb457a925a23c0051ac0f18ad7fdb8e2c64302d15d0077cc3182c7f74257994N

    • Contains code to disable Windows Defender

      A .NET executable tasked with disabling Windows Defender capabilities such as real-time monitoring and block-at-first-sight.

    • Detect Xworm Payload

    • StormKitty

      StormKitty is an open source info stealer written in C#.

    • StormKitty payload

    • Xworm

      Xworm is a remote access trojan written in C#.

    • Credentials from Password Stores: Credentials from Web Browsers

      Malicious access to, or copying of, the web browser credential store.

    • Command and Scripting Interpreter: PowerShell

      Runs PowerShell to modify Windows Defender settings, adding exclusions for file extensions, paths, and processes.

    • Checks computer location settings

      Looks up the country code configured in the registry, likely for geofencing.

    • Drops startup file

    • Executes dropped EXE

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials and similar sensitive data.

    • Adds Run key to start application

    • Looks up external IP address via web service

      Uses a legitimate IP lookup service to find the infected system's external IP.

MITRE ATT&CK Enterprise v15