stormkitty | 6b66904ae1929991852392fe2d578712738799cdd82539507d714f536eb8e0ed | Triage

Submit
Reports

Overview

overview

Static

static

Xworm.V6.0.zip

windows7-x64

1

Xworm.V6.0.zip

windows10-2004-x64

Sharing

General

Target

Xworm.V6.0.zip
Size

28.7MB
Sample

241129-ej8xeszlgm
MD5

ce625cf1e3e25d470c2e7a298409dab2
SHA1

94f465e9baa3099c2a7b8e5d30e8fc481b0b41a3
SHA256

6b66904ae1929991852392fe2d578712738799cdd82539507d714f536eb8e0ed
SHA512

0ac55745455542d68be326f5e5d48131da093ba47c24cfd06c2be0f3f0651219bf692b3fed5ac62cd16a191c0f7852b73ef8bc709f344eb3b36948b44bc3a480
SSDEEP

786432:OHqaRtCZZfm0+lGmlNinnXEDggGiO72vAgbHGaG:OHqytCO0+lF0hgGZNgbHGp

Score

10^/10

stormkitty xworm execution persistence rat trojan

Static task

static1

stormkitty xworm

6 signatures

Behavioral task

behavioral1

Sample

Xworm.V6.0.zip

Resource

win7-20240708-en

windows7-x64

3 signatures

150 seconds

Behavioral task

behavioral2

Sample

Xworm.V6.0.zip

Resource

win10v2004-20241007-en

xworm execution persistence rat trojan

windows10-2004-x64

20 signatures

150 seconds

Malware Config

Extracted

Family

xworm

Version

5.0

Mutex

EEarXqazEvX73BCq

Attributes

Install_directory
%AppData%
install_file
Chrome Update.exe
pastebin_url
https://pastebin.com/raw/RPPi3ByL

aes.plain

aes.plain

aes.plain

Targets

- Target
  
  Xworm.V6.0.zip
- Size
  
  28.7MB
- MD5
  
  ce625cf1e3e25d470c2e7a298409dab2
- SHA1
  
  94f465e9baa3099c2a7b8e5d30e8fc481b0b41a3
- SHA256
  
  6b66904ae1929991852392fe2d578712738799cdd82539507d714f536eb8e0ed
- SHA512
  
  0ac55745455542d68be326f5e5d48131da093ba47c24cfd06c2be0f3f0651219bf692b3fed5ac62cd16a191c0f7852b73ef8bc709f344eb3b36948b44bc3a480
- SSDEEP
  
  786432:OHqaRtCZZfm0+lGmlNinnXEDggGiO72vAgbHGaG:OHqytCO0+lF0hgGZNgbHGp
Score

10^/10

xworm execution persistence rat trojan
- Detect Xworm Payload
- Xworm
  Xworm is a remote access trojan written in C#.
  trojan rat xworm
- Xworm family
  xworm
- Command and Scripting Interpreter: PowerShell
  Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.
  execution
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Drops startup file
- Executes dropped EXE
- Adds Run key to start application
  persistence
- Legitimate hosting services abused for malware hosting/C2
behavioral1 behavioral2

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

PowerShell

Scheduled Task/Job

Scheduled Task

Persistence

Boot or Logon Autostart Execution

Registry Run Keys / Startup Folder

Scheduled Task/Job

Scheduled Task

Privilege Escalation

Boot or Logon Autostart Execution

Registry Run Keys / Startup Folder

Scheduled Task/Job

Scheduled Task

Defense Evasion

Modify Registry

Credential Access

Discovery

Query Registry

System Information Discovery

Lateral Movement

Collection

Command and Control

Web Service

Exfiltration

Impact

Tasks

static1

stormkittyxworm

behavioral1

behavioral2

xwormexecutionpersistencerattrojan

© 2018-2024

Terms | Privacy