stormkitty

Sharing

Copy URL

Twitter E-mail

General

Target

Lunar Build.zip
Size

10.5MB
Sample

250201-evjrnsskdv
MD5

90f3fa6aaf38ed3092bad5366811d9ed
SHA1

7c45839a65c1ac12ba49c356ed895c48297cad00
SHA256

b90e54d017db7910b3f435788efc3abe642c50d688d0af336dfd494e92c999ee
SHA512

0e1e470674f018f493d449864d99e059dee024e041eab69239ce3482a3a7999b2141d3581566c68caf750a45871dc46f412a051764e86f43e626ca718ff8dd2b
SSDEEP

196608:ZRZM0qq6MGP2BWZWf47WqqTlzEzGNJ+pwEaDVUlzIbWbtM1PacLcTBk1F/1L:X3qq6pKWZMmQXN+w4IbT1PaybV

Score

10^/10

Malware Config

Extracted

Family

xworm

wednesday-super.gl.at.ply.gg:43058

Attributes

Install_directory
%AppData%
install_file
svchost.exe

Targets

- Target
  
  Lunar/Lunar.exe
- Size
  
  72KB
- MD5
  
  230c8755f07c7435a396b0bd7c67875d
- SHA1
  
  7b504b5e0d0510f7a7a4a4a082b0b9d65c621290
- SHA256
  
  1dec7dd312e325e5b09d3a40177019e26bbd65e01e5fad2aa28ef321680e0c79
- SHA512
  
  2c92b7d63d15b698eeaf0b74ac76bb9e77ea04248098942562a42276e693d766be01b325cf028470cfa6754f4106eb067aae22051f843025172956522e40eb25
- SSDEEP
  
  1536:bzQnNDLbptSsWtiskU3kM3GkbdY60uPp6sSyPnOs5oLbJ/Nht:b87xW83okvkbd5tPOs5EbJbt
Score

10^/10

xworm execution rat trojan stormkitty discovery persistence spyware stealer
- Contains code to disable Windows Defender
  A .NET executable tasked with disabling Windows Defender capabilities such as realtime monitoring, blocking at first seen, etc.
- Detect Xworm Payload
- StormKitty
  StormKitty is an open source info stealer written in C#.
  stealer stormkitty
- StormKitty payload
- Stormkitty family
  stormkitty
- Xworm
  Xworm is a remote access trojan written in C#.
  trojan rat xworm
- Xworm family
  xworm
- Command and Scripting Interpreter: PowerShell
  Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.
  execution
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Drops startup file
- Executes dropped EXE
- Reads user/profile data of web browsers
  Infostealers often target stored browser data, which can include saved credentials etc.
  spyware stealer
- Adds Run key to start application
  persistence
behavioral1 behavioral2
- Target
  
  Lunar/Microsoft.Web.WebView2.Core.dll
- Size
  
  557KB
- MD5
  
  b037ca44fd19b8eedb6d5b9de3e48469
- SHA1
  
  1f328389c62cf673b3de97e1869c139d2543494e
- SHA256
  
  11e88b2ca921e5c88f64567f11bd83cbc396c10365d40972f3359fcc7965d197
- SHA512
  
  fa89ab3347fd57486cf3064ad164574f70e2c2b77c382785479bfd5ab50caa0881de3c2763a0932feac2faaf09479ef699a04ba202866dc7e92640246ba9598b
- SSDEEP
  
  12288:6CxswUBor35JrpQ322zy+uFKcDoRFNCMmeA+imQ269pRFZNIEJdIEY0lxEIPrEIE:6Cbmv
Score

1^/10
behavioral3 behavioral4
- Target
  
  Lunar/Microsoft.Web.WebView2.WinForms.dll
- Size
  
  37KB
- MD5
  
  c7000faa6c6040188c8cd8ef28b6deda
- SHA1
  
  07a23c50092e5c1fd9c9df87e26b65df25d37b24
- SHA256
  
  e4f695b72f99024e3ee5d5f26a367e664f4e120bd5d90aa87a8bc0509c365ec8
- SHA512
  
  eaee01031477454823974546055965df8d75c5115b25ab07b15ca608a20e8c21154ebb8c707a74213ebad04c2bf34a5f5563306e6da502235372c60672144022
- SSDEEP
  
  768:sijOv/1uokD/iyUdcIJtYZDgcEST3p4Jjrjh2jJFSUyauTv1JKia5/Zi/WGQK4uC:jOvZyUjJtYZDgcEST3p4JjrjaJFSUyaf
Score

1^/10
behavioral5 behavioral6
- Target
  
  Lunar/Microsoft.Web.WebView2.Wpf.dll
- Size
  
  50KB
- MD5
  
  e107c88a6fc54cc3ceb4d85768374074
- SHA1
  
  a8d89ae75880f4fca7d7167fae23ac0d95e3d5f6
- SHA256
  
  8f821f0c818f8d817b82f76c25f90fde9fb73ff1ae99c3df3eaf2b955653c9c8
- SHA512
  
  b39e07b0c614a0fa88afb1f3b0d9bb9ba9c932e2b30899002008220ccf1acb0f018d5414aee64d92222c2c39f3ffe2c0ad2d9962d23aaa4bf5750c12c7f3e6fe
- SSDEEP
  
  1536:fpGqPvHCwKi8GDP/ryEH0GBy4JjrD1alhWU6Ozk1FKKa5/Bi/xGCv0Z0D6TgfPSF:ai8GDP/b0GBy4JjrD1alhWU6Ozk1FKKc
Score

1^/10
behavioral7 behavioral8
- Target
  
  Lunar/Monaco/combined.html
- Size
  
  14KB
- MD5
  
  3542797d8d54290270475aa7c72f2128
- SHA1
  
  e26fbeef4748fed6c7d813b201e495f318fa7222
- SHA256
  
  028cfa18b2c42a9bc5346292e3dcecd14a78d523daaf7624566de4c8aeed87c2
- SHA512
  
  31b0b05a865d269b0d363f82a9aa2de0e40e695d78c34200c97e4ebb885cda97406b4c3a850db70bf8a208171ad4da23884fd5d8094de2a15196d4700c679256
- SSDEEP
  
  384:t5TLSQmfElKNihTQRA5L1thbVBJj1BX+BILnoamLR7:9oihTzthbVBJ3OyboamLR7
Score

3^/10

discovery
behavioral10 behavioral9
- Target
  
  Lunar/Monaco/index.html
- Size
  
  14KB
- MD5
  
  610eb8cecd447fcf97c242720d32b6bd
- SHA1
  
  4b094388e0e5135e29c49ce42ff2aa099b7f2d43
- SHA256
  
  107d8d9d6c94d2a86ac5af4b4cec43d959c2e44d445017fea59e2e0a5efafdc7
- SHA512
  
  cf15f49ef3ae578a5f725e24bdde86c33bbc4fd30a6eb885729fd3d9b151a4b13822fa8c35d3e0345ec43d567a246111764812596fd0ecc36582b8ee2a76c331
- SSDEEP
  
  384:HTLSQmfElKNihTQRA5L1thbVBJj1BX+BILnoamLR7:BoihTzthbVBJ3OyboamLR7
Score

3^/10

discovery
behavioral11 behavioral12
- Target
  
  Lunar/Monaco/vs/basic-languages/lua/lua.js
- Size
  
  5KB
- MD5
  
  8706d861294e09a1f2f7e63d19e5fcb7
- SHA1
  
  fa5f4bdc6c2f1728f65c41fb5c539211a24b6f23
- SHA256
  
  fc2d6fb52a524a56cd8ac53bfe4bad733f246e76dc73cbec4c61be32d282ac42
- SHA512
  
  1f9297eb4392db612630f824069afdc9d49259aba6361fb0b87372123ada067bc27d10d0623dc1eb7494da55c82840c5521f6fef74c1ada3b0fd801755234f1f
- SSDEEP
  
  96:SD3yDUfRD5dyVdO29SvE/TMCL8CvcOAtOfxSVkxMZlMfE:nD4Ldyn7Ss/TMmUtOfxhxjE
Score

3^/10

execution
behavioral13 behavioral14
- Target
  
  Lunar/Monaco/vs/editor/editor.main.js
- Size
  
  2.0MB
- MD5
  
  9399a8eaa741d04b0ae6566a5ebb8106
- SHA1
  
  5646a9d35b773d784ad914417ed861c5cba45e31
- SHA256
  
  93d28520c07fbca09e20886087f28797bb7bd0e6cf77400153aab5ae67e3ce18
- SHA512
  
  d37ef5a848e371f7db9616a4bf8b5347449abb3e244a5527396756791583cad455802450ceeb88dce39642c47aceaf2be6b95bede23b9ed68b5d4b7b9022b9c8
- SSDEEP
  
  24576:SmmBNDw4gCXJkB4nIg2IxhbaeZYIMsNjvit4f:wDw4gCXJk62+aeKIMsNjvit4f
Score

3^/10

execution
behavioral15 behavioral16
- Target
  
  Lunar/Monaco/vs/editor/editor.main.nls.js
- Size
  
  31KB
- MD5
  
  74dd2381ddbb5af80ce28aefed3068fc
- SHA1
  
  0996dc91842ab20387e08a46f3807a3f77958902
- SHA256
  
  fdd9d64ce5284373d1541528d15e2aa8aa3a4adc11b51b3d71d3a3953f8bcc48
- SHA512
  
  8841e0823905cf3168f388a7aeaf5edd32d44902035ba2078202193354caf8cd74cb4cab920e455404575739f35e19ea5f3d88eab012c4ebefc0ccb1ed19a46e
- SSDEEP
  
  384:h03CdtOurX25WyV1Vdf40CJjocZC6F7PKUvRjAaswHq9x3H6Sg4NFVlQlUDZpLjb:23mmysb1zVes3pxCSgwgwjhb
Score

3^/10

execution
behavioral17 behavioral18
- Target
  
  Lunar/Monaco/vs/loader.js
- Size
  
  27KB
- MD5
  
  8a3086f6c6298f986bda09080dd003b1
- SHA1
  
  8c7d41c586bfa015fb5cc50a2fdc547711b57c3c
- SHA256
  
  0512d9ed3e5bb3daef94aa5c16a6c3e2ee26ffed9de00d1434ffe46a027b16b9
- SHA512
  
  9e586742f4e19938132e41145deec584a7b8c7e111b3c6e9254f8d11db632ebe4d66898458ed7bcfc0614d06e20eb33d5a6a8eb8b32d91110557255cf1dbf017
- SSDEEP
  
  768:3J6C/c2x0cAu57XQxJRDRi+R/TvrCv3zM2GRl0VEj:Z6grH7qTXRvmDI
Score

3^/10

execution
behavioral19 behavioral20
- Target
  
  Lunar/Newtonsoft.Json.dll
- Size
  
  695KB
- MD5
  
  195ffb7167db3219b217c4fd439eedd6
- SHA1
  
  1e76e6099570ede620b76ed47cf8d03a936d49f8
- SHA256
  
  e1e27af7b07eeedf5ce71a9255f0422816a6fc5849a483c6714e1b472044fa9d
- SHA512
  
  56eb7f070929b239642dab729537dde2c2287bdb852ad9e80b5358c74b14bc2b2dded910d0e3b6304ea27eb587e5f19db0a92e1cbae6a70fb20b4ef05057e4ac
- SSDEEP
  
  12288:GBja5bBvR8Q0TE2HB0WLmvXbsVG1Gw03RzxNHgKhwFBkjSHXP36RMGy1NqTUO:GBjk38WuBcAbwoA/BkjSHXP36RMG/
Score

1^/10
behavioral21 behavioral22
- Target
  
  Lunar/WebView2Loader.dll
- Size
  
  133KB
- MD5
  
  a0bd0d1a66e7c7f1d97aedecdafb933f
- SHA1
  
  dd109ac34beb8289030e4ec0a026297b793f64a3
- SHA256
  
  79d7e45f8631e8d2541d01bfb5a49a3a090be72b3d465389a2d684680fee2e36
- SHA512
  
  2a50ae5c7234a44b29f82ebc2e3cfed37bf69294eb00b2dc8905c61259975b2f3a059c67aeab862f002752454d195f7191d9b82b056f6ef22d6e1b0bb3673d50
- SSDEEP
  
  3072:e5i6Uab3sFhPk6vEmG1PU6dLXm2ng3esQDqEt2JljdTu:e5P2e6vERtUyTmHEtmI
Score

1^/10
behavioral23 behavioral24
- Target
  
  Lunar/Wpf.Ui.dll
- Size
  
  5.2MB
- MD5
  
  aead90ab96e2853f59be27c4ec1e4853
- SHA1
  
  43cdedde26488d3209e17efff9a51e1f944eb35f
- SHA256
  
  46cfbe804b29c500ebc0b39372e64c4c8b4f7a8e9b220b5f26a9adf42fcb2aed
- SHA512
  
  f5044f2ee63906287460b9adabfcf3c93c60b51c86549e33474c4d7f81c4f86cd03cd611df94de31804c53006977874b8deb67c4bf9ea1c2b70c459b3a44b38d
- SSDEEP
  
  98304:Com1p/B6MvSmaRI+VcDNkq4pmvhAHDfyyrhl:W1HZNkq4p
Score

1^/10
behavioral25 behavioral26
- Target
  
  Lunar/vcruntime140.dll
- Size
  
  99KB
- MD5
  
  7a2b8cfcd543f6e4ebca43162b67d610
- SHA1
  
  c1c45a326249bf0ccd2be2fbd412f1a62fb67024
- SHA256
  
  7d7ca28235fba5603a7f40514a552ac7efaa67a5d5792bb06273916aa8565c5f
- SHA512
  
  e38304fb9c5af855c1134f542adf72cde159fab64385533eafa5bb6e374f19b5a29c0cb5516fc5da5c0b5ac47c2f6420792e0ac8ddff11e749832a7b7f3eb5c8
- SSDEEP
  
  1536:sC6b39cL/iRDhXq4GZLAy10i5XNC83tTPw98APXbxecbSQ25I4I/Cq:sVPphXq30yvXL5APbxecbSDu
Score

1^/10
behavioral27 behavioral28
- Target
  
  Lunar/zlib.dll
- Size
  
  663KB
- MD5
  
  c5b29a2e334961e9dee00ab4726392e3
- SHA1
  
  8f2043d03d0ff96a27cfce297f594afa87e79f2e
- SHA256
  
  57d27814f4d95618584d26c8e37418b9dfe3f28423de6265f4c17de7948e69b9
- SHA512
  
  0393b0506ada43f7f7978c2f81da62521b3c0a43d04242676002da755bc51ea144047891b6ff3796e89b4079360ffb245793fed67e3741b4c3884cd48973a63f
- SSDEEP
  
  12288:v0QF8ngPoGTct1aGQBJ4yysYZ22yViIwhOQF/tU/yfcqit5cJGBTcW14O/:vifUsyurO3cYTcS/
Score

1^/10
behavioral29 behavioral30
- Target
  
  Lunar/zlib1.dll
- Size
  
  113KB
- MD5
  
  75365924730b0b2c1a6ee9028ef07685
- SHA1
  
  a10687c37deb2ce5422140b541a64ac15534250f
- SHA256
  
  945e7f5d09938b7769a4e68f4ef01406e5af9f40db952cba05ddb3431dd1911b
- SHA512
  
  c1e31c18903e657203ae847c9af601b1eb38efa95cb5fa7c1b75f84a2cba9023d08f1315c9bb2d59b53256dfdb3bac89930252138475491b21749471adc129a1
- SSDEEP
  
  3072:wsuxy/bjdeT1dtDCV8SSsfj7cTpHTBfQjxcHE2Fl:wsZ/bRe5PDCV8SLfcFTBIjxyE2Fl
Score

1^/10
behavioral31 behavioral32