Overview

overview

10

Static

static

3

Launcher.exe

windows11-21h2-x64

10

Resubmissions

25-09-2024 14:52

240925-r8vsba1elp 10

25-09-2024 14:49

240925-r631xavbmf 10

Sharing

Copy URL
Twitter E-mail

General

  • Target

    Launcher.exe

  • Size

    7.4MB

  • Sample

    240925-r8vsba1elp

  • MD5

    86e47632419e01d5a5a102ca0b9273e1

  • SHA1

    1819b64f21b0290b0610899f4d4c64f6152a3cfc

  • SHA256

    36caf389f8c2d1898c6a5b2df76b44dc5953852141b10c21ce4e8ea2db55b2b9

  • SHA512

    f4d1901dedd42716a9343168afe013c19bb983f7c3e473b1216979aef54f882214013a66b8722e79ef94ff0d50e829372c47bbd27fbf2b0f43fefc0692c8052f

  • SSDEEP

    98304:wTwedwe0xX21lEsTv9gubxzuVEXjqjvnvSboSM:wtwe0xXCWxubxzujvS8SM

Score
10/10
stormkittyxwormdiscoveryevasionexecutionpersistenceprivilege_escalationratstealertrojan

Malware Config

Extracted

Family

xworm

Version

5.0

C2

89.85.183.63:928

Mutex

ImuGwJzkMH1FDK0U

Attributes
  • Install_directory

    %AppData%

  • install_file

    USB.exe

aes.plain

Targets

    • Target

      Launcher.exe

    • Size

      7.4MB

    • MD5

      86e47632419e01d5a5a102ca0b9273e1

    • SHA1

      1819b64f21b0290b0610899f4d4c64f6152a3cfc

    • SHA256

      36caf389f8c2d1898c6a5b2df76b44dc5953852141b10c21ce4e8ea2db55b2b9

    • SHA512

      f4d1901dedd42716a9343168afe013c19bb983f7c3e473b1216979aef54f882214013a66b8722e79ef94ff0d50e829372c47bbd27fbf2b0f43fefc0692c8052f

    • SSDEEP

      98304:wTwedwe0xX21lEsTv9gubxzuVEXjqjvnvSboSM:wtwe0xXCWxubxzujvS8SM

    Score
    10/10
    stormkittyxwormdiscoveryevasionexecutionpersistenceprivilege_escalationratstealertrojan

    • Contains code to disable Windows Defender

      A .NET executable tasked with disabling Windows Defender capabilities such as realtime monitoring, blocking at first seen, etc.

    • Detect Xworm Payload

    • StormKitty

      StormKitty is an open source info stealer written in C#.

      stealerstormkitty

    • StormKitty payload

    • Xworm

      Xworm is a remote access trojan written in C#.

      trojanratxworm

    • Blocklisted process makes network request

    • Command and Scripting Interpreter: PowerShell

      Run Powershell and hide display window.

      execution

    • Disables Task Manager via registry modification

      evasion

    • Modifies Windows Firewall

      evasion

    • Drops startup file

    • Executes dropped EXE

    • Adds Run key to start application

      persistence
    behavioral1

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

1
T1059

PowerShell

1
T1059.001

Scheduled Task/Job

1
T1053

Scheduled Task

1
T1053.005

Persistence

Boot or Logon Autostart Execution

1
T1547

Registry Run Keys / Startup Folder

1
T1547.001

Create or Modify System Process

1
T1543

Windows Service

1
T1543.003

Event Triggered Execution

1
T1546

Netsh Helper DLL

1
T1546.007

Scheduled Task/Job

1
T1053

Scheduled Task

1
T1053.005

Privilege Escalation

Boot or Logon Autostart Execution

1
T1547

Registry Run Keys / Startup Folder

1
T1547.001

Create or Modify System Process

1
T1543

Windows Service

1
T1543.003

Event Triggered Execution

1
T1546

Netsh Helper DLL

1
T1546.007

Scheduled Task/Job

1
T1053

Scheduled Task

1
T1053.005

Defense Evasion

Impair Defenses

1
T1562

Disable or Modify System Firewall

1
T1562.004

Modify Registry

2
T1112

Subvert Trust Controls

1
T1553

Install Root Certificate

1
T1553.004

Credential Access

Discovery

Browser Information Discovery

1
T1217

Peripheral Device Discovery

1
T1120

Query Registry

4
T1012

System Information Discovery

4
T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Tasks