stormkitty | 5275e3db6276e5f0b85eff0c7b0282f56268646766b1566ba8f797e6ba2a9357 | Triage

Submit
Reports

Overview

overview

Static

static

3

1b99f0bf92...92.exe

windows7-x64

1b99f0bf92...92.exe

windows10-2004-x64

Sharing

General

Target

1b99f0bf9216a89b8320e63cbd18a292.exe
Size

1.3MB
Sample

241016-19mmrszckm
MD5

1b99f0bf9216a89b8320e63cbd18a292
SHA1

6a199cb43cb4f808183918ddb6eadc760f7cb680
SHA256

5275e3db6276e5f0b85eff0c7b0282f56268646766b1566ba8f797e6ba2a9357
SHA512

02b7f410c6ccfd7d43159287424916a310b7e82c91cdb85eaeade16cf5614265a8bdcce8e6dcc2240ea54930cfb190f26ada3d5c926b50617a9826197f9cf382
SSDEEP

24576:J64p16BppRskYGC/cJUE7P6nxhpBaTn+CC6YtGz:JzpEBrRb4MonrpATDcUz

Score

10^/10

stormkitty xworm discovery persistence rat spyware stealer trojan

Static task

static1

1 signatures

Behavioral task

behavioral1

Sample

1b99f0bf9216a89b8320e63cbd18a292.exe

Resource

win7-20240903-en

stormkitty xworm discovery persistence rat spyware stealer trojan

windows7-x64

14 signatures

150 seconds

Behavioral task

behavioral2

Sample

1b99f0bf9216a89b8320e63cbd18a292.exe

Resource

win10v2004-20241007-en

stormkitty xworm discovery persistence rat spyware stealer trojan

windows10-2004-x64

15 signatures

150 seconds

Malware Config

Extracted

Family

xworm

Version

5.0

C2

104.219.239.11:6969

Mutex

QMHDjhLW52nOcp4a

Attributes

Install_directory
%AppData%
install_file
OneDrive.exe
telegram
https://api.telegram.org/bot5372344229:AAEM46DF5hWBLPbN5UErJaoJvlNvm-ZJXyg

aes.plain

Targets

- Target
  
  1b99f0bf9216a89b8320e63cbd18a292.exe
- Size
  
  1.3MB
- MD5
  
  1b99f0bf9216a89b8320e63cbd18a292
- SHA1
  
  6a199cb43cb4f808183918ddb6eadc760f7cb680
- SHA256
  
  5275e3db6276e5f0b85eff0c7b0282f56268646766b1566ba8f797e6ba2a9357
- SHA512
  
  02b7f410c6ccfd7d43159287424916a310b7e82c91cdb85eaeade16cf5614265a8bdcce8e6dcc2240ea54930cfb190f26ada3d5c926b50617a9826197f9cf382
- SSDEEP
  
  24576:J64p16BppRskYGC/cJUE7P6nxhpBaTn+CC6YtGz:JzpEBrRb4MonrpATDcUz
Score

10^/10

stormkitty xworm discovery persistence rat spyware stealer trojan
- Contains code to disable Windows Defender
  A .NET executable tasked with disabling Windows Defender capabilities such as realtime monitoring, blocking at first seen, etc.
- Detect Xworm Payload
- StormKitty
  StormKitty is an open source info stealer written in C#.
  stealer stormkitty
- StormKitty payload
- Xworm
  Xworm is a remote access trojan written in C#.
  trojan rat xworm
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Executes dropped EXE
- Reads user/profile data of web browsers
  Infostealers often target stored browser data, which can include saved credentials etc.
  spyware stealer
- Adds Run key to start application
  persistence
- Looks up external IP address via web service
  Uses a legitimate IP lookup service to find the infected system's external IP.
behavioral1 behavioral2

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

Registry Run Keys / Startup Folder

Privilege Escalation

Boot or Logon Autostart Execution

Registry Run Keys / Startup Folder

Defense Evasion

Modify Registry

Credential Access

Credentials from Password Stores

Credentials from Web Browsers

Unsecured Credentials

Credentials In Files

Discovery

Browser Information Discovery

Query Registry

System Information Discovery

Lateral Movement

Collection

Data from Local System

Command and Control

Exfiltration

Impact

Tasks

static1

behavioral1

stormkittyxwormdiscoverypersistenceratspywarestealertrojan

behavioral2

stormkittyxwormdiscoverypersistenceratspywarestealertrojan

© 2018-2024

Terms | Privacy