General

  • Target

    4782599732625408.zip

  • Size

    212KB

  • Sample

    220127-17cd1sccd7

  • MD5

    d330bdf4983312cd6a5fd631acae8b44

  • SHA1

    3c8dce8265270f9e17ee175218e943f47010a061

  • SHA256

    d6574989f310b3149c17c3e1163d0fb0b4f2fc8328bcc24035c04ea6523b7dee

  • SHA512

    92a567d4ab4ab21eade04ae7966fdaee3baf2be2709dbc99b6b4c0906d716715745a9c57aa7d441ef2f82ea099bfbc660c96a24e3bf9cd9bd5b645c8be830db2

Malware Config

Targets

    • Target

      Quote_PDF.vbs

    • Size

      444KB

    • MD5

      d9f992f8020aa3a3bf5053657ae2b4e1

    • SHA1

      04862f6295b1f63466eac99adbe9f28f678b4aab

    • SHA256

      8dba6450d3ff2ac99d519d8f75affdcbb25bf5743e265246e0bfedd60a325a28

    • SHA512

      1f632773295db7dd8a30370a66f29bbcd10485f0483b616ae6e736020d6144cb345e992cd6101da50c70ae078d79de42afd9b1b6e33fd90ced49b0e81207199a

    • AsyncRat

      AsyncRAT is designed to remotely monitor and control other computers.

    • Contains code to disable Windows Defender

      A .NET executable tasked with disabling Windows Defender capabilities such as real-time monitoring, block at first sight, etc.

    • StormKitty

      StormKitty is an open-source info stealer written in C#.

    • StormKitty Payload

    • Async RAT payload

    • Executes dropped EXE

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials and similar profile data.

    • Drops desktop.ini file(s)

    • Looks up external IP address via web service

      Uses a legitimate IP lookup service to find the infected system's external IP.

    • Looks up geolocation information via web service

      Uses a legitimate geolocation service to find the infected system's geolocation info.

MITRE ATT&CK Matrix (ATT&CK v6)

  • Execution

    Scheduled Task (T1053): 1

  • Persistence

    Scheduled Task (T1053): 1

  • Privilege Escalation

    Scheduled Task (T1053): 1

  • Credential Access

    Credentials in Files (T1081): 1

  • Discovery

    System Information Discovery (T1082): 2

    Query Registry (T1012): 1

  • Collection

    Data from Local System (T1005): 1
