Extracted

• • Target

    XClient.exe

  • Size

    67KB

  • MD5

    ffbe1acaec731d7fda8142989cb99a0c

  • SHA1

    9e8a000b2b4d0cbaf9f8d13617ea07a9835e6be1

  • SHA256

    6f070fdfdc407657d16d472287c8ff09d1fd8f88809f22900d0f653c44dad902

  • SHA512

    59ae69b4d453e1eddd5b5f60f4d5a36c97d800921f52fb7a593bd8a11c10df6ecf68566c0dcf6104006ffad4e511a393e451cc1786ad685798e3a13290764d8b

  • SSDEEP

    1536:IuRy6zO50TAeiE74Py9czZDz+bQyRfokO2iOlKGbFrO1Ma:w1jxacV+bQyS2i0NO1/

  Score

  10^/10

  stormkittyxwormdefense_evasiondiscoveryevasionexecutionransomwareratspywarestealertrojan

  • Contains code to disable Windows Defender

    A .NET executable tasked with disabling Windows Defender capabilities such as realtime monitoring, blocking at first seen, etc.

  • Detect Xworm Payload

  • Modifies Windows Defender DisableAntiSpyware settings

    evasiontrojan

  • Modifies Windows Defender Real-time Protection settings

    defense_evasiontrojan

  • StormKitty

    StormKitty is an open source info stealer written in C#.

    stealerstormkitty

  • StormKitty payload

  • Stormkitty family

    stormkitty

  • Suspicious use of NtCreateUserProcessOtherParentProcess

  • Xworm

    Xworm is a remote access trojan written in C#.

    trojanratxworm

  • Xworm family

    xworm

  • Checks computer location settings

    Looks up country code configured in the registry, likely geofence.

  • Drops startup file

  • Loads dropped DLL

  • Reads user/profile data of web browsers

    Infostealers often target stored browser data, which can include saved credentials etc.

    spywarestealer

  • Command and Scripting Interpreter: PowerShell

    Using powershell.exe command.

    execution

  • Sets desktop wallpaper using registry

    ransomware
  behavioral1