Extracted

• • Target

    XCli1ent.exe

  • Size

    36KB

  • MD5

    3d8ec94b7dcfaf52bb472918378b49a3

  • SHA1

    f868a911a25973f330ec2b56e50a746e6f32b14d

  • SHA256

    0e2ec9b0d60ba6bfc32a86dce7ed5e60d67fb142d4d14bb4a11956fe8b19d7d9

  • SHA512

    a57ac00fdc6377469d3a95bdc2715e68ca408aecf8b7e46444f401f8d93e787a5c1485886109f833b9771d07e9866610e808ba756167f55eef13750ff81f59d7

  • SSDEEP

    768:DeVXtHcDQZS9rc50UZmx/F89RF6OOMh6QJP:D8dH+o51OF89RF6OOMQy

  Score

  10^/10

  xwormexecutionrattrojanstormkittydiscoverypersistencespywarestealer

  • Detect Xworm Payload

  • StormKitty

    StormKitty is an open source info stealer written in C#.

    stealerstormkitty

  • StormKitty payload

  • Stormkitty family

    stormkitty

  • Xworm

    Xworm is a remote access trojan written in C#.

    trojanratxworm

  • Xworm family

    xworm

  • Command and Scripting Interpreter: PowerShell

    Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

    execution

  • Drops file in Drivers directory

  • Manipulates Digital Signatures

    Attackers can apply techniques such as modifying certain DLL exports to make their binary seem valid.

  • Boot or Logon Autostart Execution: Print Processors

    Adversaries may abuse print processors to run malicious DLLs during system boot for persistence and/or privilege escalation.

    persistence

  • Checks computer location settings

    Looks up country code configured in the registry, likely geofence.

  • Reads user/profile data of web browsers

    Infostealers often target stored browser data, which can include saved credentials etc.

    spywarestealer

  • Drops file in System32 directory

  • Modifies termsrv.dll

    Commonly used to allow simultaneous RDP sessions.

  behavioral1behavioral2