stormkitty | c03c2ec5ef0958a61a913e2bfb80a420a030f579858cc203b3d2bc3b938400cd | Triage

Submit
Reports

Overview

overview

Static

static

XWorm.rar

windows11-21h2-x64

Sharing

General

Target

XWorm.rar
Size

59.1MB
Sample

241118-gndyysvngj
MD5

6ec728dd292a8e1f39cd6baea415ff66
SHA1

e1103f0af9d27f5c56667d98a36dd40ab5ec8392
SHA256

c03c2ec5ef0958a61a913e2bfb80a420a030f579858cc203b3d2bc3b938400cd
SHA512

ffc584bfb586e7c123f5e7c153fd9e9187e7010e7b4bce9ae590c05961bbbfa46b4c2f25ded830626e30aea919cec31f7026ccf699510f8cccb1921507829a40
SSDEEP

1572864:c3UGEBh79oS6ea3nG8zWxYKClanZV79oS6eaqAHRvr:QEBhxb6eaxixDnZVxb6eaFJ

Score

10^/10

stormkitty xworm agilenet discovery persistence phishing rat trojan

Static task

static1

agilenet stormkitty

5 signatures

Behavioral task

behavioral1

Sample

XWorm.rar

Resource

win11-20241007-en

xworm agilenet discovery persistence phishing rat trojan

windows11-21h2-x64

25 signatures

150 seconds

Malware Config

Extracted

Family

xworm

Version

5.0

C2

127.0.0.1:7777

h-asset.gl.at.ply.gg:7777

Mutex

lEKFfsS3mf7zGun2

Attributes

Install_directory
%LocalAppData%
install_file
RobloxBud.exe

aes.plain

Targets

- Target
  
  XWorm.rar
- Size
  
  59.1MB
- MD5
  
  6ec728dd292a8e1f39cd6baea415ff66
- SHA1
  
  e1103f0af9d27f5c56667d98a36dd40ab5ec8392
- SHA256
  
  c03c2ec5ef0958a61a913e2bfb80a420a030f579858cc203b3d2bc3b938400cd
- SHA512
  
  ffc584bfb586e7c123f5e7c153fd9e9187e7010e7b4bce9ae590c05961bbbfa46b4c2f25ded830626e30aea919cec31f7026ccf699510f8cccb1921507829a40
- SSDEEP
  
  1572864:c3UGEBh79oS6ea3nG8zWxYKClanZV79oS6eaqAHRvr:QEBhxb6eaxixDnZVxb6eaFJ
Score

10^/10

xworm agilenet discovery persistence phishing rat trojan
- Contains code to disable Windows Defender
  A .NET executable tasked with disabling Windows Defender capabilities such as realtime monitoring, blocking at first seen, etc.
- Detect Xworm Payload
- Xworm
  Xworm is a remote access trojan written in C#.
  trojan rat xworm
- Xworm family
  xworm
- A potential corporate email address has been identified in the URL: [email protected]
  phishing
- Executes dropped EXE
- Loads dropped DLL
- Obfuscated with Agile.Net obfuscator
  Detects use of the Agile.Net commercial obfuscator, which is capable of entity renaming and control flow obfuscation.
  agilenet
- Uses the VBS compiler for execution
- Adds Run key to start application
  persistence
- Looks up external IP address via web service
  Uses a legitimate IP lookup service to find the infected system's external IP.
behavioral1

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

Persistence

Boot or Logon Autostart Execution

Registry Run Keys / Startup Folder

Privilege Escalation

Boot or Logon Autostart Execution

Registry Run Keys / Startup Folder

Defense Evasion

Modify Registry

Credential Access

Discovery

Browser Information Discovery

Query Registry

System Information Discovery

System Location Discovery

System Language Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Tasks

static1

agilenetstormkitty

behavioral1

xwormagilenetdiscoverypersistencephishingrattrojan

© 2018-2024

Terms | Privacy