Overview

overview

10

Static

static

10

XWorm-5.6-main.zip

windows10-ltsc 2021-x64

10

XWorm-5.6-main.zip

windows11-21h2-x64

1

Resubmissions

30-12-2024 14:26

241230-rsar7sxkhl 10

30-12-2024 14:22

241230-rp3ntaxkdj 10

Sharing

Copy URL
Twitter E-mail

General

  • Target

    XWorm-5.6-main.zip

  • Size

    25.1MB

  • Sample

    241230-rsar7sxkhl

  • MD5

    95c1c4a3673071e05814af8b2a138be4

  • SHA1

    4c08b79195e0ff13b63cfb0e815a09dc426ac340

  • SHA256

    7c270da2506ba3354531e0934096315422ee719ad9ea16cb1ee86a7004a9ce27

  • SHA512

    339a47ecfc6d403beb55d51128164a520c4bea63733be3cfd47aec47953fbf2792aa4e150f4122994a7620122b0e0fc20c1eeb2f9697cf5578df08426820fecd

  • SSDEEP

    786432:Ty5jMDNnx2+4NYobtH8VVtKqi9+i514XZ/pjYlp0:MMDNnxV4iobxibiIi5MpjYv0

Score
10/10
stormkittyxwormdiscoveryevasionexecutionratstealertrojan

Malware Config

Extracted

Family

xworm

Version

5.0

C2

127.0.0.1:7000

Mutex

dTR2ZtpIMaHfOX7E

Attributes
  • install_file

    USB.exe

aes.plain

Extracted

Family

xworm

C2

127.0.0.1:7000

Attributes
  • install_file

    USB.exe

Targets

    • Target

      XWorm-5.6-main.zip

    • Size

      25.1MB

    • MD5

      95c1c4a3673071e05814af8b2a138be4

    • SHA1

      4c08b79195e0ff13b63cfb0e815a09dc426ac340

    • SHA256

      7c270da2506ba3354531e0934096315422ee719ad9ea16cb1ee86a7004a9ce27

    • SHA512

      339a47ecfc6d403beb55d51128164a520c4bea63733be3cfd47aec47953fbf2792aa4e150f4122994a7620122b0e0fc20c1eeb2f9697cf5578df08426820fecd

    • SSDEEP

      786432:Ty5jMDNnx2+4NYobtH8VVtKqi9+i514XZ/pjYlp0:MMDNnxV4iobxibiIi5MpjYv0

    Score
    10/10
    stormkittyxwormdiscoveryevasionexecutionratstealertrojan

    • Contains code to disable Windows Defender

      A .NET executable tasked with disabling Windows Defender capabilities such as realtime monitoring, blocking at first seen, etc.

    • Detect Xworm Payload

    • StormKitty

      StormKitty is an open source info stealer written in C#.

      stealerstormkitty

    • StormKitty payload

    • Stormkitty family

      stormkitty

    • UAC bypass

      evasiontrojan

    • Xworm

      Xworm is a remote access trojan written in C#.

      trojanratxworm

    • Xworm family

      xworm

    • Command and Scripting Interpreter: PowerShell

      Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

      execution

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Executes dropped EXE

    • Loads dropped DLL

    • Uses the VBS compiler for execution

    • Looks up external IP address via web service

      Uses a legitimate IP lookup service to find the infected system's external IP.

    behavioral1behavioral2

MITRE ATT&CK Enterprise v15

Tasks