General
-
Target
XClient.exe
-
Size
68KB
-
Sample
250104-hz38nazrhq
-
MD5
68604d1b2200493d620fbb9e70c3b182
-
SHA1
dbffc3b9a4935f31120bd623849175c3072f748e
-
SHA256
34e19eff1a2abfbcec9af157d91af7c502ec0f5cce0b58bb49b7a4c7a23d6f45
-
SHA512
1f3f15895dc2b9ac282554d99ea7a7daa44ecd7c0c655c84851200c95b51e1a4688b4690f94a75343b1cbfa838f1aa3e975f4da329782e71436a9a8000d4e19d
-
SSDEEP
1536:6RgdNcKAE/LQXYd4AnLv5DKA7VHg4kbzmWZf/kxTYSbFcAzOthYV:6wyoEXW4alxBkbzVapFbFrzOtCV
Malware Config
Extracted
xworm
127.0.0.1:57562
kind-lap.gl.at.ply.gg:57562
-
Install_directory
%AppData%
-
install_file
svchost.exe
Targets
-
-
Target
XClient.exe
-
Size
68KB
-
MD5
68604d1b2200493d620fbb9e70c3b182
-
SHA1
dbffc3b9a4935f31120bd623849175c3072f748e
-
SHA256
34e19eff1a2abfbcec9af157d91af7c502ec0f5cce0b58bb49b7a4c7a23d6f45
-
SHA512
1f3f15895dc2b9ac282554d99ea7a7daa44ecd7c0c655c84851200c95b51e1a4688b4690f94a75343b1cbfa838f1aa3e975f4da329782e71436a9a8000d4e19d
-
SSDEEP
1536:6RgdNcKAE/LQXYd4AnLv5DKA7VHg4kbzmWZf/kxTYSbFcAzOthYV:6wyoEXW4alxBkbzVapFbFrzOtCV
Score10/10-
Detect Xworm Payload
-
StormKitty
StormKitty is an open source info stealer written in C#.
-
StormKitty payload
-
Stormkitty family
-
Xworm
Xworm is a remote access trojan written in C#.
-
Xworm family
-
Checks computer location settings
Looks up country code configured in the registry, likely geofence.
-
Drops startup file
-
Executes dropped EXE
-
Reads user/profile data of web browsers
Infostealers often target stored browser data, which can include saved credentials etc.
-
Adds Run key to start application
-
MITRE ATT&CK Enterprise v15
Persistence
Boot or Logon Autostart Execution
1Registry Run Keys / Startup Folder
1Scheduled Task/Job
1Scheduled Task
1Privilege Escalation
Boot or Logon Autostart Execution
1Registry Run Keys / Startup Folder
1Scheduled Task/Job
1Scheduled Task
1Credential Access
Credentials from Password Stores
1Credentials from Web Browsers
1Unsecured Credentials
1Credentials In Files
1