stormkitty | 987af5ed785a0c412b8c4f829df902e82e62e21917aa7abdcc0d825b4a463c67 | Triage

Submit
Reports

Overview

overview

Static

static

XWorm-5.6.rar

windows10-2004-x64

Sharing

General

Target

XWorm-5.6.rar
Size

21.5MB
Sample

250131-xv6wbatrgv
MD5

4f57637d0aa8ed0d3055802c3a90a58d
SHA1

c8b298c0edea336ee4710a3c1da5cc7bce7467cf
SHA256

987af5ed785a0c412b8c4f829df902e82e62e21917aa7abdcc0d825b4a463c67
SHA512

5d7fae098076531f1af3447d03cfc1909cdc00cd3757132bee7d8ccb1b84d1e57d1c11066afa70c2d102fbcc5233a7e43c2ff017dc67a2cf7591a923032d54f7
SSDEEP

393216:D+N2F6y80fxdY24Xhf7QUECurlXcphU4SwUKidjxOfvP5AXyaLe39neZ:D+Nj6x+TlEUEhIXSwUbdF6pEyJ3UZ

Score

10^/10

stormkitty xworm discovery execution persistence rat trojan

Static task

static1

stormkitty xworm

6 signatures

Behavioral task

behavioral1

Sample

XWorm-5.6.rar

Resource

win10v2004-20250129-it

xworm discovery execution persistence rat trojan

windows10-2004-x64

34 signatures

900 seconds

Malware Config

Extracted

Family

xworm

Version

5.0

C2

127.0.0.1:7000

Mutex

nLSqvR2HzHu0i6ed

Attributes

install_file
USB.exe

aes.plain

Extracted

Family

xworm

C2

127.0.0.1:42576

person-mustang.gl.at.ply.gg:42576

Attributes

Install_directory
%AppData%
install_file
XXX.exe

Targets

- Target
  
  XWorm-5.6.rar
- Size
  
  21.5MB
- MD5
  
  4f57637d0aa8ed0d3055802c3a90a58d
- SHA1
  
  c8b298c0edea336ee4710a3c1da5cc7bce7467cf
- SHA256
  
  987af5ed785a0c412b8c4f829df902e82e62e21917aa7abdcc0d825b4a463c67
- SHA512
  
  5d7fae098076531f1af3447d03cfc1909cdc00cd3757132bee7d8ccb1b84d1e57d1c11066afa70c2d102fbcc5233a7e43c2ff017dc67a2cf7591a923032d54f7
- SSDEEP
  
  393216:D+N2F6y80fxdY24Xhf7QUECurlXcphU4SwUKidjxOfvP5AXyaLe39neZ:D+Nj6x+TlEUEhIXSwUbdF6pEyJ3UZ
Score

10^/10

xworm discovery execution persistence rat trojan
- Detect Xworm Payload
- Xworm
  Xworm is a remote access trojan written in C#.
  trojan rat xworm
- Xworm family
  xworm
- Command and Scripting Interpreter: PowerShell
  Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.
  execution
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Drops startup file
- Executes dropped EXE
- Uses the VBS compiler for execution
- Adds Run key to start application
  persistence
- Enumerates connected drives
  Attempts to read the root path of hard drives other than the default C: drive.
- Looks up external IP address via web service
  Uses a legitimate IP lookup service to find the infected system's external IP.
behavioral1

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

PowerShell

Scheduled Task/Job

Scheduled Task

Persistence

Boot or Logon Autostart Execution

Registry Run Keys / Startup Folder

Scheduled Task/Job

Scheduled Task

Privilege Escalation

Boot or Logon Autostart Execution

Registry Run Keys / Startup Folder

Scheduled Task/Job

Scheduled Task

Defense Evasion

Modify Registry

Credential Access

Discovery

Browser Information Discovery

Peripheral Device Discovery

Query Registry

System Information Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Tasks

static1

stormkittyxworm

behavioral1

xwormdiscoveryexecutionpersistencerattrojan

© 2018-2025

Terms | Privacy