General

  • Target

    Multitool V1.exe

  • Size

    307KB

  • Sample

    250328-3hhkvawjv6

  • MD5

    520f8ed0d73dbc6540fc80ac0c3847e1

  • SHA1

    81476c36b9ea1b6d18864b90310eb95ec20e5475

  • SHA256

    b148b01f921c8ee6aab7c5cb0b27b494f7ff5632f5a7dd2cbd1ccf206a5eb1ba

  • SHA512

    0981f5323101a214f1ee6e57f5d10b2136213ef88b4b44e1bd769114734679c2439f6338df585712137ef01684cc7b2658a3820f79da0b196c2e7a11bb06b2e4

  • SSDEEP

    6144:aMCOuWBJL5pt0UA8yTHsRRs6kkU7ezfQE62e3goypHp/3EvCcp3yVaG:aMCOucJL5pEDkU7Me3gpQTyVaG

Malware Config

Extracted

Family

xworm

C2

127.0.0.1:38960

metherium-38960.portmap.host:38960

Attributes

  • Install_directory

    %AppData%

  • install_file

    host.exe

  • telegram

    https://api.telegram.org/bot7283946415:AAGGT2xYjdDOFdezS7k5STvPS9SoyGQdKEg

Targets

    • Detect Xworm Payload

    • StormKitty

      StormKitty is an open-source information stealer written in C#.

    • StormKitty payload

    • Stormkitty family

    • Xworm

      Xworm is a remote access trojan written in C#.

    • Xworm family

    • Checks computer location settings

      Looks up the country code configured in the registry, likely for geofencing.

    • Executes dropped EXE

    • Loads dropped DLL

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials among other sensitive data.

    • Accesses Microsoft Outlook profiles

    • Looks up external IP address via web service

      Uses a legitimate IP lookup service to find the infected system's external IP.

    • Obfuscated Files or Information: Command Obfuscation

      Adversaries may obfuscate content during command execution to impede detection.

MITRE ATT&CK Enterprise v15

Tasks