stormkitty | e1273e480ea564ccc1d037c9f47ee5a378aec0d196f434a3d99b687f547a83a9

Analysis

max time kernel
139s
max time network
122s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
16-10-2024 15:23

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

df.exe
Size

58KB
MD5

b194de4adb59afb5c4392f8a56fe25c0
SHA1

1f482bea8edc37c763901923d11adeda24946057
SHA256

e1273e480ea564ccc1d037c9f47ee5a378aec0d196f434a3d99b687f547a83a9
SHA512

687674f8f300c9352f8a35030307f433672749163cf43caece8bb7b46d3af9c22f9a93ff93b0c0e6fd74bbe4277527e9ffae10e581cf0b2551078d05521d49f8
SSDEEP

768:Hv8jto5Hcw3xwKFYwqNxghTaFjMYnGLppEzJL5Ykbo8fBuzfAUkBvmL8QnhUcAVJ:HgFyT/nENMHLTUJmkbNfYTAB3POvDE

Score

10^/10

stormkitty xworm discovery rat spyware stealer trojan

Malware Config

Extracted

Family

xworm

147.185.221.16:40164

147.185.221.20:40164

Attributes

install_file
System Volume Information Prefetch.exe

Signatures

Detect Xworm Payload 1 IoCs

resource	yara_rule
behavioral2/memory/2732-1-0x0000000000A40000-0x0000000000A54000-memory.dmp	family_xworm

StormKitty
StormKitty is an open source info stealer written in C#.
stealer stormkitty

StormKitty payload 1 IoCs

resource	yara_rule
behavioral2/memory/2732-5-0x000000001DAA0000-0x000000001DBBE000-memory.dmp	family_stormkitty

Xworm
Xworm is a remote access trojan written in C#.
trojan rat xworm
Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Credentials from Web Browsers
T1555.003
Browser Information Discovery 1 TTPs
Enumerate browser information.
discovery

Browser Information Discovery
T1217

Delays execution with timeout.exe 1 IoCs

evasion

pid	Process
2628	timeout.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	2732	df.exe

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 2732 wrote to memory of 2488	2732	df.exe	98
PID 2732 wrote to memory of 2488	2732	df.exe	98
PID 2488 wrote to memory of 2628	2488	cmd.exe	100
PID 2488 wrote to memory of 2628	2488	cmd.exe	100

C:\Users\Admin\AppData\Local\Temp\df.exe
"C:\Users\Admin\AppData\Local\Temp\df.exe"
1⤵
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2732
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\tmp2D41.tmp.bat""
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2488
- - C:\Windows\system32\timeout.exe
    timeout 3
    3⤵
    - Delays execution with timeout.exe
    PID:2628

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Credentials from Password Stores

T1555

Credentials from Web Browsers

T1555.003

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Browser Information Discovery

T1217

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\tmp2D41.tmp.bat

Filesize
154B

MD5
4be7c2737693ca715d3b3e0bd63f2595

SHA1
49db00759ec7d3a9689d62591bc1aa34c80f8387

SHA256
a7ccd81a70e93fb4409c47abdf6ee28572aa858d807d0481c88630aa8deac72d

SHA512
bbb9c0b712362c85a9672501f3e0d2c60da4c04ba6b74fac88f2d84b215f462fa843b905cb7a1ce0270aa1ac407607fec666a71646d52e5641344b442d26cdbd

Download Submit
memory/2732-1-0x0000000000A40000-0x0000000000A54000-memory.dmp

Filesize
80KB

Download
memory/2732-0-0x00007FFE84C83000-0x00007FFE84C85000-memory.dmp

Filesize
8KB

Download
memory/2732-2-0x00007FFE84C80000-0x00007FFE85741000-memory.dmp

Filesize
10.8MB

Download
memory/2732-3-0x00007FFE84C80000-0x00007FFE85741000-memory.dmp

Filesize
10.8MB

Download
memory/2732-4-0x000000001D750000-0x000000001DAA0000-memory.dmp

Filesize
3.3MB

Download
memory/2732-5-0x000000001DAA0000-0x000000001DBBE000-memory.dmp

Filesize
1.1MB

Download
memory/2732-44-0x000000001DDC0000-0x000000001DDE2000-memory.dmp

Filesize
136KB

Download
memory/2732-49-0x00007FFE84C80000-0x00007FFE85741000-memory.dmp

Filesize
10.8MB

Download