Malware Analysis Report

2025-01-03 06:15

Sample ID 241121-gy7zsayrfx
Target XClient.exe
SHA256 0e24f1d56bc9acda5afb857fdb2c96ee295fd9b34efab29e95eae849367bd5de
Tags
xworm stormkitty discovery execution persistence rat spyware stealer trojan
Score: 10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

Score: 10/10

SHA256

0e24f1d56bc9acda5afb857fdb2c96ee295fd9b34efab29e95eae849367bd5de

Threat Level: Known bad

The file XClient.exe was found to be: Known bad.

Malicious Activity Summary

xworm stormkitty discovery execution persistence rat spyware stealer trojan

Xworm

StormKitty payload

Stormkitty family

Xworm family

Detect Xworm Payload

StormKitty

Command and Scripting Interpreter: PowerShell

Drops startup file

Executes dropped EXE

Reads user/profile data of web browsers

Looks up external IP address via web service

Adds Run key to start application

Enumerates physical storage devices

Browser Information Discovery

Unsigned PE

Suspicious use of SetWindowsHookEx

Uses Task Scheduler COM API

Suspicious use of WriteProcessMemory

Suspicious behavior: EnumeratesProcesses

Suspicious use of AdjustPrivilegeToken

Scheduled Task/Job: Scheduled Task

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-11-21 06:13

Signatures

Detect Xworm Payload

(no indicator details recorded)

Xworm family

xworm

Unsigned PE

(no indicator details recorded)

Analysis: behavioral1

Detonation Overview

Submitted

2024-11-21 06:13

Reported

2024-11-21 06:16

Platform

win11-20241007-en

Max time kernel

149s

Max time network

151s

Command Line

"C:\Users\Admin\AppData\Local\Temp\XClient.exe"

Signatures

Detect Xworm Payload

(no indicator details recorded; 2 hits)

StormKitty

stealer stormkitty

StormKitty payload

(no indicator details recorded)

Stormkitty family

stormkitty

Xworm

trojan rat xworm

Xworm family

xworm

Drops startup file

Description: File created
Indicator:   C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\XClient.lnk
Process:     C:\Users\Admin\AppData\Local\Temp\XClient.exe

Description: File opened for modification
Indicator:   C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\XClient.lnk
Process:     C:\Users\Admin\AppData\Local\Temp\XClient.exe

Executes dropped EXE

Process:     C:\Users\Admin\AppData\Roaming\XClient.exe
Process:     C:\Users\Admin\AppData\Roaming\XClient.exe

Reads user/profile data of web browsers

spyware stealer

Adds Run key to start application

persistence
Description: Set value (str)
Indicator:   \REGISTRY\USER\S-1-5-21-4018527317-446799424-2810249686-1000\Software\Microsoft\Windows\CurrentVersion\Run\XClient = "C:\\Users\\Admin\\AppData\\Roaming\\XClient.exe"
Process:     C:\Users\Admin\AppData\Local\Temp\XClient.exe

Looks up external IP address via web service

Indicator:   ip-api.com

Browser Information Discovery

discovery

Enumerates physical storage devices

Scheduled Task/Job: Scheduled Task

persistence execution
Process:     C:\Windows\System32\schtasks.exe

Suspicious use of AdjustPrivilegeToken

Token: SeDebugPrivilege, requested by:
  C:\Users\Admin\AppData\Local\Temp\XClient.exe (2 rows)
  C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe (4 rows)
  C:\Users\Admin\AppData\Roaming\XClient.exe (2 rows)

Suspicious use of SetWindowsHookEx

Process:     C:\Users\Admin\AppData\Local\Temp\XClient.exe

Uses Task Scheduler COM API

persistence

Processes

C:\Users\Admin\AppData\Local\Temp\XClient.exe

"C:\Users\Admin\AppData\Local\Temp\XClient.exe"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\XClient.exe'

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'XClient.exe'

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Roaming\XClient.exe'

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'XClient.exe'

C:\Windows\System32\schtasks.exe

"C:\Windows\System32\schtasks.exe" /create /f /RL HIGHEST /sc minute /mo 1 /tn "XClient" /tr "C:\Users\Admin\AppData\Roaming\XClient.exe"

C:\Users\Admin\AppData\Roaming\XClient.exe

C:\Users\Admin\AppData\Roaming\XClient.exe

C:\Users\Admin\AppData\Roaming\XClient.exe

C:\Users\Admin\AppData\Roaming\XClient.exe
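The process list above is the whole defence-evasion and persistence chain in four command lines: PowerShell adds Defender exclusions for both copies of the binary, schtasks registers a task that relaunches the Roaming copy every minute at highest run level, and the Run key (from the "Adds Run key" signature) points at the same path. The following Python is an added triage example, not part of the sandbox report: the command lines and the Run-key data are copied from this report into a constructed list (the report records no PIDs or parent/child links, so none are assumed), and the user-writable path test and the "high frequency" threshold are the author's own choices.

```python
"""Triage the XClient.exe process tree: flag Defender exclusion tampering,
high-privilege minute-interval scheduled tasks, and correlate the paths
every persistence mechanism points at. Added example; records are
constructed from the report's Processes and Signatures sections."""
import re

TEMP = r"C:\Users\Admin\AppData\Local\Temp\XClient.exe"
ROAM = r"C:\Users\Admin\AppData\Roaming\XClient.exe"
PS = r'"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass '

# Constructed from the report's Processes section, in the order listed there.
COMMAND_LINES = [
    f'"{TEMP}"',
    PS + f"Add-MpPreference -ExclusionPath '{TEMP}'",
    PS + "Add-MpPreference -ExclusionProcess 'XClient.exe'",
    PS + f"Add-MpPreference -ExclusionPath '{ROAM}'",
    PS + "Add-MpPreference -ExclusionProcess 'XClient.exe'",
    r'"C:\Windows\System32\schtasks.exe" /create /f /RL HIGHEST /sc minute /mo 1 /tn "XClient" /tr '
    + f'"{ROAM}"',
    ROAM, ROAM, ROAM, ROAM,
]
# Run-key data exactly as the report prints it (backslashes escaped).
RUN_KEY_DATA = r"C:\\Users\\Admin\\AppData\\Roaming\\XClient.exe"

TOKEN = re.compile(r'"[^"]*"|\S+')   # split on whitespace, keeping quoted paths whole
EXCLUSION = re.compile(
    r"Add-MpPreference\s+-(ExclusionPath|ExclusionProcess|ExclusionExtension)\s+'([^']*)'", re.I)


def tokens(cmd):
    return [t.strip('"') for t in TOKEN.findall(cmd)]


def defender_exclusion(cmd):
    """Return (exclusion kind, value) if the line adds a Defender exclusion."""
    m = EXCLUSION.search(cmd)
    return (m.group(1), m.group(2)) if m else None


def parse_schtasks(cmd):
    """Return the /create options of a schtasks command line, else None."""
    toks = tokens(cmd)
    lowered = [t.lower() for t in toks]
    if not toks or not lowered[0].endswith("schtasks.exe") or "/create" not in lowered:
        return None
    opts, i = {}, 1
    while i < len(toks):
        if lowered[i] in ("/sc", "/mo", "/tn", "/tr", "/rl") and i + 1 < len(toks):
            opts[lowered[i][1:]] = toks[i + 1]
            i += 2
        else:
            i += 1
    return opts


def user_writable(path):
    """Assumption: anything under the profile, ProgramData or a Temp dir is
    writable by the logged-on user and therefore a poor home for a task."""
    p = path.lower()
    return p.startswith("c:\\users\\") or p.startswith("c:\\programdata\\") or "\\temp\\" in p


def triage(command_lines):
    findings = []
    for cmd in command_lines:
        excl = defender_exclusion(cmd)
        if excl:
            findings.append({"rule": "defender_exclusion", "kind": excl[0], "value": excl[1],
                             "bypass": "-executionpolicy bypass" in cmd.lower()})
        st = parse_schtasks(cmd)
        if st:
            mo = st.get("mo", "1")
            findings.append({
                "rule": "scheduled_task", "name": st.get("tn"), "target": st.get("tr", ""),
                "highest": st.get("rl", "").upper() == "HIGHEST",
                # every <=5 minutes is a watchdog, not a maintenance job (threshold is an assumption)
                "high_frequency": st.get("sc", "").lower() == "minute" and mo.isdigit() and int(mo) <= 5,
                "user_writable": user_writable(st.get("tr", "")),
            })
    return findings


def persistence_targets(findings):
    """Executable paths that will be relaunched after cleanup of the Temp copy:
    the scheduled task action plus the Run-key value."""
    targets = {f["target"].lower() for f in findings if f["rule"] == "scheduled_task"}
    targets.add(RUN_KEY_DATA.replace("\\\\", "\\").lower())
    return targets


if __name__ == "__main__":
    for f in triage(COMMAND_LINES):
        print(f)
    print("relaunch targets:", persistence_targets(triage(COMMAND_LINES)))
```

Because the task action, the Run key and the dropped copy all resolve to the same Roaming path, removing the Temp copy alone leaves the host re-infected within a minute; the task (`/tn XClient`), the Run value and the Roaming file have to go together, and the four Defender exclusions have to be removed or the relaunched copy stays invisible to on-access scanning.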

Network

Country  Destination            Domain                          Proto  Connections
US       8.8.8.8:53             ip-api.com                      udp    1
US       208.95.112.1:80        ip-api.com                      tcp    1
US       8.8.8.8:53             1.112.95.208.in-addr.arpa       udp    1
NL       149.154.167.220:443    api.telegram.org                tcp    1
DE       193.161.193.99:60395   afiffebri123-60395.portmap.io   tcp    8
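Three of the five destinations are shared public services (a DNS resolver, ip-api.com for the victim's external IP, api.telegram.org as the stealer's delivery channel) and only the portmap.io host is attacker-controlled: a free port-forwarding relay whose hostname label carries the forwarded port, which here matches the destination port 60395. The Python below is an added example, not part of the report: the rows are copied from the network table above into a constructed string, and the service-role annotations are the author's own, not data from the sandbox.

```python
"""Collapse the detonation's network table into per-endpoint counts, label
each endpoint by its role, and separate attacker-controlled indicators from
abused public services. Added example; rows constructed from the report."""
import re
from collections import Counter

# The report prints the portmap.io row eight times (one per connection).
NETWORK_ROWS = """\
US 8.8.8.8:53 ip-api.com udp
US 208.95.112.1:80 ip-api.com tcp
US 8.8.8.8:53 1.112.95.208.in-addr.arpa udp
NL 149.154.167.220:443 api.telegram.org tcp
""" + "DE 193.161.193.99:60395 afiffebri123-60395.portmap.io tcp\n" * 8

# Assumed role table; a production version would come from a maintained list.
SERVICE_ROLES = {
    "ip-api.com": "external IP / geolocation lookup (victim enrichment)",
    "api.telegram.org": "Telegram Bot API (stealer exfiltration channel)",
    "portmap.io": "port-forwarding tunnel (C2 relay endpoint)",
}

# <label>-<port>.portmap.io as seen in this report; that every portmap.io
# hostname follows the pattern is an assumption.
PORTMAP = re.compile(r"^([a-z0-9]+)-(\d+)\.portmap\.io$", re.I)


def parse_rows(text):
    rows = []
    for line in text.splitlines():
        if not line.strip():
            continue
        country, dest, domain, proto = line.split()
        ip, port = dest.rsplit(":", 1)
        rows.append({"country": country, "ip": ip, "port": int(port),
                     "domain": domain, "proto": proto})
    return rows


def classify(row):
    """Role of one endpoint: resolver traffic (including the PTR query for
    208.95.112.1), a known public service, or unknown."""
    if row["port"] == 53 and row["proto"] == "udp":
        return "dns"
    for suffix, role in SERVICE_ROLES.items():
        if row["domain"] == suffix or row["domain"].endswith("." + suffix):
            return role
    return "unknown"


def summarize(rows):
    """Map (domain, ip, port, proto) -> {"count", "role"}."""
    counts = Counter((r["domain"], r["ip"], r["port"], r["proto"]) for r in rows)
    return {key: {"count": n,
                  "role": classify({"domain": key[0], "ip": key[1], "port": key[2], "proto": key[3]})}
            for key, n in counts.items()}


def portmap_label(host):
    """(account label, port encoded in the name) for a portmap.io host, else None."""
    m = PORTMAP.match(host)
    return (m.group(1), int(m.group(2))) if m else None


def high_confidence_iocs(rows):
    """Indicators that are attacker-provisioned rather than shared public
    infrastructure: the tunnel hostname and its ip:port. Telegram and
    ip-api.com are pivots for hunting, not block-list entries."""
    iocs = set()
    for r in rows:
        if portmap_label(r["domain"]):
            iocs.add(r["domain"])
            iocs.add(f'{r["ip"]}:{r["port"]}')
    return sorted(iocs)


def port_matches_label(rows):
    """True when every portmap.io connection went to the port its hostname encodes."""
    return all(portmap_label(r["domain"])[1] == r["port"]
               for r in rows if portmap_label(r["domain"]))


if __name__ == "__main__":
    rows = parse_rows(NETWORK_ROWS)
    for key, info in summarize(rows).items():
        print(key, info)
    print("block:", high_confidence_iocs(rows))
```

The label in the tunnel hostname is the relay account, so it is a better pivot than the relay IP, which is shared by every portmap.io customer behind 193.161.193.99; hunting on the IP alone will pull in unrelated tunnels.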

Files

memory/1992-0-0x00007FFBBC783000-0x00007FFBBC785000-memory.dmp

memory/1992-1-0x00000000001D0000-0x00000000001FA000-memory.dmp

memory/1992-2-0x00007FFBBC780000-0x00007FFBBD242000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_0qyppu04.ok1.ps1

MD5 d17fe0a3f47be24a6453e9ef58c94641
SHA1 6ab83620379fc69f80c0242105ddffd7d98d5d9d
SHA256 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
SHA512 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

memory/2860-11-0x000002026E170000-0x000002026E192000-memory.dmp

memory/2860-12-0x00007FFBBC780000-0x00007FFBBD242000-memory.dmp

memory/2860-13-0x00007FFBBC780000-0x00007FFBBD242000-memory.dmp

memory/2860-14-0x00007FFBBC780000-0x00007FFBBD242000-memory.dmp

memory/2860-15-0x00007FFBBC780000-0x00007FFBBD242000-memory.dmp

memory/2860-16-0x00007FFBBC780000-0x00007FFBBD242000-memory.dmp

memory/2860-19-0x00007FFBBC780000-0x00007FFBBD242000-memory.dmp

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log

MD5 627073ee3ca9676911bee35548eff2b8
SHA1 4c4b68c65e2cab9864b51167d710aa29ebdcff2e
SHA256 85b280a39fc31ba1e15fb06102a05b8405ff3b82feb181d4170f04e466dd647c
SHA512 3c5f6c03e253b83c57e8d6f0334187dbdcdf4fa549eecd36cbc1322dca6d3ca891dc6a019c49ec2eafb88f82d0434299c31e4dfaab123acb42e0546218f311fb

C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

MD5 2e8eb51096d6f6781456fef7df731d97
SHA1 ec2aaf851a618fb43c3d040a13a71997c25bda43
SHA256 96bfd9dd5883329927fe8c08b8956355a1a6ceb30ceeb5d4252b346df32bc864
SHA512 0a73dc9a49f92d9dd556c2ca2e36761890b3538f355ee1f013e7cf648d8c4d065f28046cd4a167db3dea304d1fbcbcea68d11ce6e12a3f20f8b6c018a60422d2

C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

MD5 781da0576417bf414dc558e5a315e2be
SHA1 215451c1e370be595f1c389f587efeaa93108b4c
SHA256 41a5aef8b0bbeea2766f40a7bba2c78322379f167c610f7055ccb69e7db030fe
SHA512 24e283aa30a2903ebe154dad49b26067a45e46fec57549ad080d3b9ec3f272044efaaed3822d067837f5521262192f466c47195ffe7f75f8c7c5dcf3159ea737

C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

MD5 21017c68eaf9461301de459f4f07e888
SHA1 41ff30fc8446508d4c3407c79e798cf6eaa5bb73
SHA256 03b321e48ff3328d9c230308914961fe110c4c7bc96c0a85a296745437bcb888
SHA512 956990c11c6c1baa3665ef7ef23ef6073e0a7fcff77a93b5e605a83ff1e60b916d80d45dafb06977aed90868a273569a865cf2c623e295b5157bfff0fb2be35d

memory/1992-55-0x00007FFBBC780000-0x00007FFBBD242000-memory.dmp

memory/1992-56-0x000000001B040000-0x000000001B04C000-memory.dmp

memory/1992-57-0x000000001C610000-0x000000001C61A000-memory.dmp

memory/1992-58-0x000000001C910000-0x000000001C91A000-memory.dmp

C:\Users\Admin\AppData\Roaming\XClient.exe (same SHA256 as the submitted sample: a self-copy for persistence, not a second-stage payload)

MD5 9ed864b6eaabf32d1fa70cc6b0c0c39c
SHA1 7c657049d6b5dd79d1937fb33abfd8f6d58e4a9a
SHA256 0e24f1d56bc9acda5afb857fdb2c96ee295fd9b34efab29e95eae849367bd5de
SHA512 759201eaf5f4da105badbbce6a5db8c32e2c8a05a7a09ab45fdae38bc8573b1a51f5cb3633260ceb8e33cba6917bc38b13c910d76398988a532976ef2b2eba34

memory/1992-63-0x000000001C620000-0x000000001C62A000-memory.dmp

memory/1992-64-0x000000001C730000-0x000000001C73A000-memory.dmp

memory/1992-65-0x0000000002180000-0x000000000218A000-memory.dmp

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\XClient.exe.log

MD5 2cbbb74b7da1f720b48ed31085cbd5b8
SHA1 79caa9a3ea8abe1b9c4326c3633da64a5f724964
SHA256 e31b18f21621d9983bfdf1ea3e53884a9d58b8ffd79e0e5790da6f3a81a8b9d3
SHA512 ecf02d5240e0c1c005d3ab393aa7eff62bd498c2db5905157e2bf6d29e1b663228a9583950842629d1a4caef404c8941a0c7799b1a3bd1eb890a09fdb7efcff9

memory/1992-68-0x000000001B130000-0x000000001B250000-memory.dmp