stormkitty | 0ea39ad1a4a162efdfd1aeeb734603c2049fb91bd736907266e0e9d49f6030be | Triage

Submit
Reports

Overview

overview

Static

static

XWorm V5.6/Xworm.exe

windows7-x64

XWorm V5.6/Xworm.exe

windows10-2004-x64

Sharing

General

Target

XWorm_V5.6.rar
Size

22.9MB
Sample

241221-nv9sjaypay
MD5

3242b099c25cfa620a197bbe3c18e323
SHA1

92b2b66bb55b0aedaf6fdbee0977f0b383c85108
SHA256

0ea39ad1a4a162efdfd1aeeb734603c2049fb91bd736907266e0e9d49f6030be
SHA512

c7d9c8675ea09f64a22cb94d6cde6e164a06f176b4c2d64d3da1fe725e1d60d57d43951eaa63789eddfb34739aab46c76834cd80063d3ecfb94266db3671e146
SSDEEP

393216:DxcLoXUnYnrdLVsgP5JgQ0DJYxvx6N2Etg8j7c3nl7LuRI:rEnurdSgcQ0DJ+LEqh3nlnF

Score

10^/10

stormkitty xworm execution rat trojan

Static task

static1

stormkitty xworm

7 signatures

Behavioral task

behavioral1

Sample

XWorm V5.6/Xworm.exe

Resource

win7-20240903-en

xworm execution rat trojan

windows7-x64

24 signatures

150 seconds

Behavioral task

behavioral2

Sample

XWorm V5.6/Xworm.exe

Resource

win10v2004-20241007-en

xworm execution rat trojan

windows10-2004-x64

17 signatures

150 seconds

Malware Config

Extracted

Family

xworm

Version

5.0

C2

127.0.0.1:7000

Mutex

MXofXDDvLooD2jWq

Attributes

install_file
USB.exe

aes.plain

Targets

- Target
  
  XWorm V5.6/Xworm.exe
- Size
  
  8.1MB
- MD5
  
  09a9589689f2e0f5697d413cca4e227b
- SHA1
  
  2cb33d48a4b39c9304cbd8395a9a89074f8c14e2
- SHA256
  
  d0a2637c7f1fe073e613d607da3ada027123c75194ebdf528734d8b48e808a8d
- SHA512
  
  2c2494736c9fcd1a3d3b10e77c1af1ad60595d82897f7d82236f64b51d8bb46d8d723764fded8b3d94c68c43beb9c9e0c4c4a9c1d09603b46d56011f13b8e62f
- SSDEEP
  
  196608:wQJFUQqPn9x5pJPU/Vp4uDubMUxOQZyl5pFfeYUkZV:PMF9JPUtp4uDubMc1ZylRf5
Score

10^/10

xworm execution rat trojan
- Detect Xworm Payload
- Xworm
  Xworm is a remote access trojan written in C#.
  trojan rat xworm
- Xworm family
  xworm
- Command and Scripting Interpreter: PowerShell
  Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.
  execution
- .NET Reactor proctector
  Detects an executable protected by an unregistered version of Eziriz's .NET Reactor.
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Executes dropped EXE
- Uses the VBS compiler for execution
behavioral1 behavioral2

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

PowerShell

Scheduled Task/Job

Scheduled Task

Persistence

Scheduled Task/Job

Scheduled Task

Privilege Escalation

Scheduled Task/Job

Scheduled Task

Defense Evasion

Modify Registry

Credential Access

Discovery

Query Registry

System Information Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Tasks

static1

stormkittyxworm

behavioral1

xwormexecutionrattrojan

behavioral2

xwormexecutionrattrojan

© 2018-2024

Terms | Privacy