General
- Target: mp.exe
- Size: 3.0MB
- Sample: 230116-ve41nsab33
- MD5: 46dfa095c035fb6ae428b79b6736ec61
- SHA1: 2e74507715b41dd418252e7fe5ef653cde28ec7b
- SHA256: 1c53568f6383e0582b599a04ca00e7a0c45222b10c05324f77338065bcfca56a
- SHA512: 28ec238af2e2c2d0618bae39379223912f56a7004189b432271c0b6d67ac2c67582092b77a0c886604da5a3ad417e99f60193cb23b5432491e46999985077ee9
- SSDEEP: 98304:38b3ngROLiNYxSLm+Vxgug+ExOfd1zUaQFl5HUM:2LiNYxSLmlug+ExO1gaaluM
Behavioral task: behavioral1
- Sample: mp.exe
- Resource: win7-20221111-en
Malware Config
Extracted
asyncrat
Default
127.0.0.1:6606
127.0.0.1:7707
127.0.0.1:8808
https://api.telegram.org/bot5638319546:AAFvVrzQnXZrhtdqKTHo6B9pak_OvkAFTMA/sendMessage?chat_id=1212163061
AsyncMutex_6SI8OkPnk
- delay: 3
- install: false
- install_folder: %AppData%
Targets
- StormKitty payload
- Async RAT payload
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
  BIOS information is often read in order to detect sandboxing environments.
- Drops desktop.ini file(s)
- Legitimate hosting services abused for malware hosting/C2
- Looks up external IP address via web service
  Uses a legitimate IP lookup service to find the infected system's external IP.
- Looks up geolocation information via web service
  Uses a legitimate geolocation service to find the infected system's geolocation info.
- Suspicious use of NtSetInformationThreadHideFromDebugger