stormkitty | 4cc278ee6bcb828bf809f398e58e023099a02f7fe372d0d0a6632952b4093b4e

Reason

Machine shutdown

General

Target

XClient.exe
Size

49KB
MD5

89bc15122f16df2eb618add250990ad0
SHA1

47e459aa4ed8a83a84a4912db8a1dc61fb8a6375
SHA256

4cc278ee6bcb828bf809f398e58e023099a02f7fe372d0d0a6632952b4093b4e
SHA512

4d465eeffb4cc1f886614e35b2075a97d604fd131acba2119ff0c7c5c43e9ba90006f67334195f7c415c888b3ef8441e13e3b4890968c8d547258e2e51d5cbfb
SSDEEP

768:+WFNI2RdYFIOoUHEdc8e6akgkb1gndeaet/OtsXhMHN50w:+87nYercEdclHkb1gncFO8eH70w

Score

10^/10

stormkitty xworm discovery evasion rat spyware stealer trojan

Malware Config

Extracted

Family

xworm

Attributes

install_file
USB.exe
pastebin_url
https://pastebin.com/raw/hMSQvtUM

Signatures

Contains code to disable Windows Defender 1 IoCs

A .NET executable tasked with disabling Windows Defender capabilities such as realtime monitoring, blocking at first seen, etc.

resource	yara_rule
behavioral2/memory/536-54-0x000000001C490000-0x000000001C49E000-memory.dmp	disable_win_def

Detect Xworm Payload 2 IoCs

resource	yara_rule
behavioral2/memory/536-1-0x0000000000A30000-0x0000000000A42000-memory.dmp	family_xworm
behavioral2/files/0x000400000001da43-66.dat	family_xworm

StormKitty
StormKitty is an open source info stealer written in C#.
stealer stormkitty

StormKitty payload 1 IoCs

resource	yara_rule
behavioral2/memory/536-14-0x0000000020DE0000-0x0000000020EFE000-memory.dmp	family_stormkitty

Stormkitty family
stormkitty
Xworm
Xworm is a remote access trojan written in C#.
trojan rat xworm
Xworm family
xworm

Disables RegEdit via registry modification 1 IoCs

evasion

description	ioc	Process
Set value (int)	\REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "0"	XClient.exe

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\Control Panel\International\Geo\Nation	XClient.exe

Drops startup file 1 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\XClient.exe	XClient.exe

Executes dropped EXE 1 IoCs

pid	Process
2788	XClient.exe

Loads dropped DLL 1 IoCs

pid	Process
536	XClient.exe

Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Credentials from Web Browsers
T1555.003

Legitimate hosting services abused for malware hosting/C2 1 TTPs 2 IoCs

Web Service

T1102

flow	ioc
13	pastebin.com
14	pastebin.com

Browser Information Discovery 1 TTPs
Enumerate browser information.
discovery

Browser Information Discovery
T1217
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Modifies data under HKEY_USERS 15 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Accent	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Themes\History\AutoColor = "0"	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Accent\AccentColorMenu = "4292311040"	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\AccentColor = "4292311040"	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationColor = "3288365271"	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationColorBalance = "89"	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationAfterglowBalance = "10"	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationBlurBalance = "1"	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationGlassAttribute = "1"	LogonUI.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Accent\AccentPalette = a6d8ff0076b9ed00429ce3000078d700005a9e000042750000264200f7630c00	LogonUI.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Themes\History	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Accent\StartColorMenu = "4288567808"	LogonUI.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationAfterglow = "3288365271"	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\EnableWindowColorization = "64"	LogonUI.exe

Suspicious behavior: EnumeratesProcesses 4 IoCs

pid	Process
536	XClient.exe
536	XClient.exe
536	XClient.exe
536	XClient.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
536	XClient.exe

Suspicious use of AdjustPrivilegeToken 4 IoCs

description	pid	Process
Token: SeDebugPrivilege	536	XClient.exe
Token: SeDebugPrivilege	2788	XClient.exe
Token: SeShutdownPrivilege	4984	shutdown.exe
Token: SeRemoteShutdownPrivilege	4984	shutdown.exe

Suspicious use of FindShellTrayWindow 3 IoCs

pid	Process
536	XClient.exe
536	XClient.exe
536	XClient.exe

Suspicious use of SendNotifyMessage 3 IoCs

pid	Process
536	XClient.exe
536	XClient.exe
536	XClient.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
5116	LogonUI.exe

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 536 wrote to memory of 2788	536	XClient.exe	110
PID 536 wrote to memory of 2788	536	XClient.exe	110
PID 536 wrote to memory of 4984	536	XClient.exe	111
PID 536 wrote to memory of 4984	536	XClient.exe	111

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\XClient.exe
"C:\Users\Admin\AppData\Local\Temp\XClient.exe"
1⤵
- Disables RegEdit via registry modification
- Checks computer location settings
- Drops startup file
- Loads dropped DLL
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:536
- C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\XClient.exe
  "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\XClient.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken
  PID:2788
- C:\Windows\SYSTEM32\shutdown.exe
  shutdown.exe /f /r /t 0
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:4984

C:\Windows\system32\LogonUI.exe
"LogonUI.exe" /flags:0x4 /state0:0xa38cb055 /state1:0x41c64e6d
1⤵
- Modifies data under HKEY_USERS
- Suspicious use of SetWindowsHookEx
PID:5116

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Credentials from Password Stores

1

T1555

Credentials from Web Browsers

1

T1555.003

Unsecured Credentials

1

T1552

Credentials In Files

1

T1552.001

Discovery

Browser Information Discovery

Query Registry

System Information Discovery

2

T1082

Lateral Movement

Collection

Data from Local System

1

T1005

Command and Control

Web Service

1

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\tmp87E8.tmp

Filesize
100KB

MD5
1b942faa8e8b1008a8c3c1004ba57349

SHA1
cd99977f6c1819b12b33240b784ca816dfe2cb91

SHA256
555ccb7ecd9ae52a75135fdd81ab443a49d5785b0621ed6468d28c4234e46ccc

SHA512
5aee3d59478d41ddd5885c99b394c9c4983064e2b3528db1a3f7fc289662bced4f57d072517bbe7573c6d1789435e987ef1aa9cc91f372bcfd30bc016675fa43

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\XClient.exe

Filesize
49KB

MD5
89bc15122f16df2eb618add250990ad0

SHA1
47e459aa4ed8a83a84a4912db8a1dc61fb8a6375

SHA256
4cc278ee6bcb828bf809f398e58e023099a02f7fe372d0d0a6632952b4093b4e

SHA512
4d465eeffb4cc1f886614e35b2075a97d604fd131acba2119ff0c7c5c43e9ba90006f67334195f7c415c888b3ef8441e13e3b4890968c8d547258e2e51d5cbfb

Download Submit
memory/536-6-0x00000000011B0000-0x00000000011E6000-memory.dmp

Filesize
216KB

Download
memory/536-77-0x00007FFA89BB0000-0x00007FFA8A671000-memory.dmp

Filesize
10.8MB

Download
memory/536-12-0x00007FFA89BB0000-0x00007FFA8A671000-memory.dmp

Filesize
10.8MB

Download
memory/536-5-0x00000000011A0000-0x00000000011AA000-memory.dmp

Filesize
40KB

Download
memory/536-1-0x0000000000A30000-0x0000000000A42000-memory.dmp

Filesize
72KB

Download
memory/536-7-0x0000000001250000-0x000000000125A000-memory.dmp

Filesize
40KB

Download
memory/536-8-0x00007FFA89BB0000-0x00007FFA8A671000-memory.dmp

Filesize
10.8MB

Download
memory/536-9-0x00007FFA89BB0000-0x00007FFA8A671000-memory.dmp

Filesize
10.8MB

Download
memory/536-10-0x000000001C7C0000-0x000000001C7CA000-memory.dmp

Filesize
40KB

Download
memory/536-14-0x0000000020DE0000-0x0000000020EFE000-memory.dmp

Filesize
1.1MB

Download
memory/536-4-0x00007FFA89BB0000-0x00007FFA8A671000-memory.dmp

Filesize
10.8MB

Download
memory/536-3-0x00007FFA89BB3000-0x00007FFA89BB5000-memory.dmp

Filesize
8KB

Download
memory/536-11-0x000000001C440000-0x000000001C44C000-memory.dmp

Filesize
48KB

Download
memory/536-53-0x000000001C860000-0x000000001C882000-memory.dmp

Filesize
136KB

Download
memory/536-54-0x000000001C490000-0x000000001C49E000-memory.dmp

Filesize
56KB

Download
memory/536-55-0x000000001C4B0000-0x000000001C4EA000-memory.dmp

Filesize
232KB

Download
memory/536-2-0x00007FFA89BB0000-0x00007FFA8A671000-memory.dmp

Filesize
10.8MB

Download
memory/536-60-0x000000001CC50000-0x000000001CD00000-memory.dmp

Filesize
704KB

Download
memory/536-61-0x0000000022BF0000-0x0000000023118000-memory.dmp

Filesize
5.2MB

Download
memory/536-0-0x00007FFA89BB3000-0x00007FFA89BB5000-memory.dmp

Filesize
8KB

Download
memory/536-13-0x00007FFA89BB0000-0x00007FFA8A671000-memory.dmp

Filesize
10.8MB

Download
memory/2788-75-0x00007FFA89BB0000-0x00007FFA8A671000-memory.dmp

Filesize
10.8MB

Download
memory/2788-73-0x00007FFA89BB0000-0x00007FFA8A671000-memory.dmp

Filesize
10.8MB

Download

Resubmissions

Analysis

Sharing

Errors