stormkitty

General

Target

030324e0a31427fd63213acd29f3cdf5b445a6ec03eb803fb08dbf3a0c1b258b.exe
Size

656KB
Sample

241106-cfvvaavqcn
MD5

ca2ed1b927f4bee1cd1f24bb19f4c0e1
SHA1

d1b7dc1cc0412301c61660d0d5cb02d20a6aa77d
SHA256

030324e0a31427fd63213acd29f3cdf5b445a6ec03eb803fb08dbf3a0c1b258b
SHA512

153939e1eeaeb2e3d4fc9f487ce039fde403a18ea94466c55c53ce5e00aefa59ae3324c03687c1794c7d321da9b2dced1bca2a658d5da54e0acb76dfff4d3da7
SSDEEP

12288:cT02YrvZq2mPKxG3sfYFwJH9ZzkwGQWOsKWLCp6X9uruAK5Gi:cTbYdqfKxG3swyVk7QWOhW+p6NBAWGi

Score

10^/10

Malware Config

Extracted

Family

xworm

Version

5.0

C2

176.9.162.125:4060

Mutex

znPInVDrQ2IiwTWB

Attributes

Install_directory
%AppData%
install_file
XClient.exe

aes.plain

Targets

- Target
  
  030324e0a31427fd63213acd29f3cdf5b445a6ec03eb803fb08dbf3a0c1b258b.exe
- Size
  
  656KB
- MD5
  
  ca2ed1b927f4bee1cd1f24bb19f4c0e1
- SHA1
  
  d1b7dc1cc0412301c61660d0d5cb02d20a6aa77d
- SHA256
  
  030324e0a31427fd63213acd29f3cdf5b445a6ec03eb803fb08dbf3a0c1b258b
- SHA512
  
  153939e1eeaeb2e3d4fc9f487ce039fde403a18ea94466c55c53ce5e00aefa59ae3324c03687c1794c7d321da9b2dced1bca2a658d5da54e0acb76dfff4d3da7
- SSDEEP
  
  12288:cT02YrvZq2mPKxG3sfYFwJH9ZzkwGQWOsKWLCp6X9uruAK5Gi:cTbYdqfKxG3swyVk7QWOhW+p6NBAWGi
Score

10^/10

discovery stormkitty xworm execution rat spyware stealer trojan
- Detect Xworm Payload
- StormKitty
  StormKitty is an open source info stealer written in C#.
  stealer stormkitty
- StormKitty payload
- Stormkitty family
  stormkitty
- Xworm
  Xworm is a remote access trojan written in C#.
  trojan rat xworm
- Xworm family
  xworm
- Command and Scripting Interpreter: PowerShell
  Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.
  execution
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Drops startup file
- Loads dropped DLL
- Reads user/profile data of web browsers
  Infostealers often target stored browser data, which can include saved credentials etc.
  spyware stealer
- Suspicious use of NtCreateThreadExHideFromDebugger
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious use of SetThreadContext
behavioral1 behavioral2
- Target
  
  $PLUGINSDIR/System.dll
- Size
  
  12KB
- MD5
  
  564bb0373067e1785cba7e4c24aab4bf
- SHA1
  
  7c9416a01d821b10b2eef97b80899d24014d6fc1
- SHA256
  
  7a9ddee34562cd3703f1502b5c70e99cd5bba15de2b6845a3555033d7f6cb2a5
- SHA512
  
  22c61a323cb9293d7ec5c7e7e60674d0e2f7b29d55be25eb3c128ea2cd7440a1400cee17c43896b996278007c0d247f331a9b8964e3a40a0eb1404a9596c4472
- SSDEEP
  
  192:nenY0qWTlt70IAj/lQ0sEWc/wtYbBH2aDybC7y+XBDIwL:n8+Qlt70Fj/lQRY/9VjjfL
Score

3^/10

discovery
behavioral3 behavioral4