Overview

overview

10

Static

static

3

1abb33b881...03.exe

windows7-x64

7

1abb33b881...03.exe

windows10-2004-x64

10

Sharing

Copy URL
Twitter E-mail

General

  • Target

    a4c1ea4b6e69e69462efa7659ff6f48c.bin

  • Size

    1.0MB

  • Sample

    241106-bypkjsvnek

  • MD5

    9d65a795388beb99ba68697f172a9d16

  • SHA1

    3f3a1d070c9a57ee1ec00f57f3cb6a42e037eb42

  • SHA256

    9cded246ef6f4abdd876e46eef68309532405c281aecb1bfa66131e2d303dfb4

  • SHA512

    3ffb7a3724ec698b0cc312c41a00d535e0f531c6e44126169f0127eb6e5df8a8d8bb56c3b672f5c058e22eca4aa20623273ef231bbfcfff51ede500f2fde87f8

  • SSDEEP

    24576:4BhfFbPyCJFCiyiXbPZS6R4SadGkSOPGA34v292ZULOJK8:4rNbPDFTLXbPZSG4LZzM2iULOJK8

Score
10/10
stormkittyxwormdiscoveryratstealertrojan

Malware Config

Extracted

Family

xworm

Version

5.0

C2

127.0.0.1:8895

162.230.48.189:8895
Mutex

ZRGtN7NDh24Vx89x

Attributes
  • install_file

    USB.exe

aes.plain

Targets

    • Target

      1abb33b881408b0341a530de14b0afdb88b96ffcd0254dd397848db3e6508803.exe

    • Size

      1.3MB

    • MD5

      a4c1ea4b6e69e69462efa7659ff6f48c

    • SHA1

      cf71024bf28f10f63bf7cd27dba64d406c2ed97c

    • SHA256

      1abb33b881408b0341a530de14b0afdb88b96ffcd0254dd397848db3e6508803

    • SHA512

      be527013711f308bb9a0deb65b11066570e86cee896041d55556dc8566a2476bc96ab089ca155030397d95fd8d358170bc2f5b0bf97efd579dd464b1ca803507

    • SSDEEP

      24576:/84F/cDq4sTq+gdI2W+7nMS9LJf4bcwGCYVgERFh7IfEx0ECnaf:kEcyjgmkMS9L2cFCER0f+0ECna

    Score
    10/10
    discoverystormkittyxwormratstealertrojan

    • Contains code to disable Windows Defender

      A .NET executable tasked with disabling Windows Defender capabilities such as realtime monitoring, blocking at first seen, etc.

    • Detect Xworm Payload

    • StormKitty

      StormKitty is an open source info stealer written in C#.

      stealerstormkitty

    • StormKitty payload

    • Stormkitty family

      stormkitty

    • Suspicious use of NtCreateUserProcessOtherParentProcess

    • Xworm

      Xworm is a remote access trojan written in C#.

      trojanratxworm

    • Xworm family

      xworm

    • Drops startup file

    • Suspicious use of SetThreadContext

    behavioral1behavioral2

MITRE ATT&CK Enterprise v15

Tasks