General

  • Target

    24032025_0658_Kfboa.exe.iso

  • Size

    58KB

  • Sample

    250324-hxknjasths

  • MD5

    53a6902d0d88b18792e10500ad5e6a1d

  • SHA1

    a33e872c8361f44ffebf30f60d691942191a2c76

  • SHA256

    e3ff20fc55412a7f64bc0e079a7c4ccab038fef613010a251133c1192fc81cf6

  • SHA512

    216fa17cd6f0962690fcc3375793cb8d19d72f5f8323e698ec34590c7eb009038deafd215e5150966fc9b03feabd0d3ffd97bc427a7f0e5f846f86ad58b2da06

  • SSDEEP

    96:5+0aB2VVxmwnavYFyj3tuDeFHxtNxC4zNt:qB2nxdXFy37VxYa

Malware Config

Extracted

  • Family

    xworm

  • Version

    5.0

  • C2

    bin12.ydns.eu:4050
    bin14.ydns.eu:4050
    kingsbkup1.ydns.eu:4050
    smfcs1.ydns.eu:4050
    smfcs3.ydns.eu:4050

  • Mutex

    eFgRwYcigKCR8e0p

  • Attributes

    install_file: USB.exe

    aes.plain
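The extracted config is only useful once it is turned into something that can be matched against telemetry. The block below is an added example, not part of the sandbox report or of the XWorm tooling: it takes the five C2 host:port pairs listed above and runs them over constructed, Zeek-style dns.log and conn.log lines (tab-separated, reduced to the columns the matcher needs; the timestamps, client address and the 203.0.113.0/24 and 198.51.100.0/24 answer addresses are invented for the example). Because every C2 host is on a dynamic-DNS domain (ydns.eu), the matcher does not hard-code IP addresses; it learns them from the DNS answers for the C2 names and then flags TCP sessions to those addresses on the configured port.

```python
"""Match the XWorm C2 list from the extracted config against DNS and
connection logs.  Added example; the log lines are constructed."""
from dataclasses import dataclass

# C2 endpoints exactly as listed in the extracted config (host:port).
XWORM_C2 = [
    "bin12.ydns.eu:4050",
    "bin14.ydns.eu:4050",
    "kingsbkup1.ydns.eu:4050",
    "smfcs1.ydns.eu:4050",
    "smfcs3.ydns.eu:4050",
]


@dataclass(frozen=True)
class Hit:
    log: str        # "dns" or "conn"
    indicator: str  # matched C2 host, or host:port for a session
    line: str       # the raw log line that matched


def parse_c2(entries):
    """Split 'host:port' strings into a host set and a port set."""
    hosts, ports = set(), set()
    for entry in entries:
        host, _, port = entry.rpartition(":")
        hosts.add(host.lower())
        ports.add(int(port))
    return hosts, ports


def scan(dns_lines, conn_lines, c2_entries=XWORM_C2):
    """Return Hits for (a) DNS queries for a C2 name and (b) TCP sessions
    to an address that a C2 name resolved to, on a configured C2 port.

    dns_lines : ts, id.orig_h, query, answers (comma-separated or '-')
    conn_lines: ts, id.orig_h, id.resp_h, id.resp_p, proto
    """
    hosts, ports = parse_c2(c2_entries)
    hits = []
    ip_to_host = {}  # resolved address -> C2 name, learned from DNS answers

    for line in dns_lines:
        f = line.rstrip("\n").split("\t")
        if len(f) < 4 or f[0].startswith("#"):
            continue
        query = f[2].lower().rstrip(".")
        if query in hosts:
            # A lookup of the C2 name is a hit even if it did not resolve.
            hits.append(Hit("dns", query, line))
            for answer in f[3].split(","):
                answer = answer.strip()
                if answer and answer != "-":
                    ip_to_host[answer] = query

    for line in conn_lines:
        f = line.rstrip("\n").split("\t")
        if len(f) < 5 or f[0].startswith("#"):
            continue
        resp_h, resp_p = f[2], f[3]
        if resp_h in ip_to_host and resp_p.isdigit() and int(resp_p) in ports:
            hits.append(Hit("conn", f"{ip_to_host[resp_h]}:{resp_p}", line))
    return hits


# Constructed sample logs (not captured traffic from the sample).
DNS_SAMPLE = [
    "1711263480.101\t10.0.0.15\texample.com\t198.51.100.7",
    "1711263482.377\t10.0.0.15\tbin12.ydns.eu\t203.0.113.10",
    "1711263490.512\t10.0.0.15\tsmfcs3.ydns.eu\t-",
]
CONN_SAMPLE = [
    "1711263482.401\t10.0.0.15\t203.0.113.10\t4050\ttcp",
    "1711263483.000\t10.0.0.15\t203.0.113.10\t443\ttcp",
    "1711263484.000\t10.0.0.15\t198.51.100.7\t443\ttcp",
]

if __name__ == "__main__":
    for hit in scan(DNS_SAMPLE, CONN_SAMPLE):
        print(f"[{hit.log}] {hit.indicator}: {hit.line}")
```

On the constructed input this yields three hits: the lookups of bin12.ydns.eu and smfcs3.ydns.eu, and the session to 203.0.113.10:4050. The session to the same address on 443 is deliberately not flagged, since the matcher stays strict to the extracted host:port pairs; loosening it to any port on a resolved C2 address is a one-line change in the final condition and is worth doing once the address is confirmed to be attacker-controlled.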

Targets

    • Target

      Kfboa.exe

    • Size

      6KB

    • MD5

      ceba7570864bdd6c2dfe5e11fa5625ea

    • SHA1

      38033ecf6350e2e7dc49914b64886818ee18e6c8

    • SHA256

      b5d47c5e81250db93f2d48269950223bce5495e24bb4fc08c00e57a49810a76b

    • SHA512

      7728f905c0606e437a5f3be25682f69aec207f0269ff5715978810029de9907872153f6a944b9634a3f0928e0d7b1878541d906cb29a50effc7edc5f3e7ff4c6

    • SSDEEP

      96:s0aB2VVxmwnavYFyj3tuDeFHxtNxC4zNt:KB2nxdXFy37VxYa

    • Detect Xworm Payload

    • StormKitty

      StormKitty is an open source info stealer written in C#.

    • StormKitty payload

    • Stormkitty family

    • Suspicious use of NtCreateUserProcessOtherParentProcess

    • Xworm

      Xworm is a remote access trojan written in C#.

    • Xworm family

    • Drops startup file

    • Suspicious use of SetThreadContext

MITRE ATT&CK Enterprise v15
