General
Target: 2023lk1601.doc
Size: 113KB
Sample: 230116-vejdzaea7x
MD5: 28527cc18896bf1aa7cd70f4f332e075
SHA1: 802646cc50089f135f1d404fbfb4d0018d2f9dde
SHA256: e22bbf947e8edf9c8df9e8fe8cf7101c271d29c0c68e3539acb21a7d17253f68
SHA512: 32a41d37afdf68e642097a55ce058399dd56d285452248581f69654afa3e96aa7cec047fbedc29101a257c9b97c1cab6584489bd53713db9c75311e0b7529092
SSDEEP: 3072:XEURH783Vz1KXvt2IVrBBQzCtZPO1pwMNm:XEU97kVZKXvt2IVrdtSqMNm
Static task: static1
Behavioral task: behavioral1, sample 2023lk1601.rtf, resource win7-20221111-en
Behavioral task: behavioral2, sample 2023lk1601.rtf, resource win10v2004-20221111-en
Both behavioral runs open the submitted 2023lk1601.doc under the name 2023lk1601.rtf, so the .doc extension is not a reliable guide to the file's format; key detections and triage on content type rather than on the extension.
Malware Config
Extracted: asyncrat (configuration name: Default)
C2: 127.0.0.1:6606, 127.0.0.1:7707, 127.0.0.1:8808
URL: https://api.telegram.org/bot5980420064:AAHGrlOU2WsgF90Pcyz-L7wrGgC_Cj54k4Q/sendMessage?chat_id=806259874
Mutex: AsyncMutex_6SI8OkPnk
delay: 3
install: false
install_folder: %AppData%
All three C2 entries are loopback addresses and are the stock defaults of the AsyncRAT builder, so they never produce network traffic and are not usable as network indicators. The actionable indicator is the Telegram Bot API URL: it embeds the bot token (bot id 5980420064) and the destination chat_id 806259874, which is consistent with the StormKitty payload flagged under Targets, a stealer that reports to a Telegram chat. With install set to false the RAT does not copy itself to %AppData% and configures no persistence of its own; the mutex AsyncMutex_6SI8OkPnk remains a usable host indicator.
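The config block above is flat key/value text, and the useful work is deciding which of its fields are worth acting on. The script below is an added example, not code from the sandbox or from this report: it parses a constructed copy of the page's config lines, separates loopback C2 entries from ones that could carry traffic, and pulls the stable parts (bot id, chat_id) out of the Telegram URL. The function names are mine.

```python
"""Added example (not the sandbox's or the report's own code): parse the
flattened 'Malware Config / Extracted' block above into triaged indicators.
Function names are mine; the only input is a constructed copy of the page's lines."""
import ipaddress
import re
from urllib.parse import parse_qs, urlsplit

# Constructed sample input: the extracted-config lines exactly as this page lists them.
CONFIG_LINES = """asyncrat
Default
127.0.0.1:6606
127.0.0.1:7707
127.0.0.1:8808
https://api.telegram.org/bot5980420064:AAHGrlOU2WsgF90Pcyz-L7wrGgC_Cj54k4Q/sendMessage?chat_id=806259874
AsyncMutex_6SI8OkPnk
-
delay
3
-
install
false
-
install_folder
%AppData%""".splitlines()

HOST_PORT = re.compile(r"^(?P<host>[A-Za-z0-9.\-]+):(?P<port>\d{1,5})$")
TELEGRAM_PATH = re.compile(r"^/bot(?P<bot_id>\d+):[A-Za-z0-9_\-]+/(?P<method>\w+)$")


def parse_extracted_config(lines):
    """Family and config name come first, then positional lines (C2 host:port,
    URLs, mutex) up to the first '-', then '-'/key/value triples."""
    cfg = {"family": lines[0].strip(), "name": lines[1].strip(),
           "c2": [], "urls": [], "mutex": None, "options": {}}
    i = 2
    while i < len(lines) and lines[i].strip() != "-":
        item = lines[i].strip()
        m = HOST_PORT.match(item)
        if m:
            cfg["c2"].append((m["host"], int(m["port"])))
        elif item.startswith(("http://", "https://")):
            cfg["urls"].append(item)
        else:
            cfg["mutex"] = item  # an AsyncRAT config carries a single mutex
        i += 1
    while i + 2 < len(lines):
        if lines[i].strip() == "-":
            cfg["options"][lines[i + 1].strip()] = lines[i + 2].strip()
        i += 3
    return cfg


def classify_c2(c2):
    """Separate C2 entries that can leave the host from loopback/unspecified
    ones, which a builder leaves in place and which never produce traffic."""
    actionable, inert = [], []
    for host, port in c2:
        try:
            addr = ipaddress.ip_address(host)
            local = addr.is_loopback or addr.is_unspecified
        except ValueError:            # a hostname rather than an IP literal
            local = host.lower() == "localhost"
        (inert if local else actionable).append((host, port))
    return actionable, inert


def telegram_indicators(url):
    """Bot id (digits before ':') and chat_id are the stable parts of a Telegram
    Bot API URL worth recording; the token after ':' is the credential itself."""
    u = urlsplit(url)
    m = TELEGRAM_PATH.match(u.path) if u.hostname == "api.telegram.org" else None
    if not m:
        return None
    return {"bot_id": m["bot_id"], "method": m["method"],
            "chat_id": parse_qs(u.query).get("chat_id", [None])[0]}


def triage(lines=CONFIG_LINES):
    """One dict a responder can drop into an indicator list."""
    cfg = parse_extracted_config(lines)
    actionable, inert = classify_c2(cfg["c2"])
    return {"family": cfg["family"], "mutex": cfg["mutex"],
            "c2_actionable": actionable, "c2_inert": inert,
            "telegram": [t for t in map(telegram_indicators, cfg["urls"]) if t],
            "persists": cfg["options"].get("install") == "true",
            "install_folder": cfg["options"].get("install_folder")}


if __name__ == "__main__":
    import json
    print(json.dumps(triage(), indent=2))
```

Run as-is it reports no actionable C2, one Telegram indicator and no persistence for this sample; feeding it the Extracted block of another report (the same flat layout) gives the equivalent summary for that one.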
Targets
Target: 2023lk1601.doc, 113KB (MD5, SHA1, SHA256, SHA512 and SSDEEP as listed under General)
- StormKitty payload
- Async RAT payload
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Blocklisted process makes network request
- Downloads MZ/PE file
- Executes dropped EXE
- Checks BIOS information in registry. BIOS information is often read in order to detect sandboxing environments.
- Loads dropped DLL
- Drops desktop.ini file(s)
- Looks up external IP address via web service. Uses a legitimate IP lookup service to find the infected system's external IP.
- Looks up geolocation information via web service. Uses a legitimate geolocation service to find the infected system's geolocation info.
- Suspicious use of NtSetInformationThreadHideFromDebugger. Setting ThreadHideFromDebugger (ThreadInformationClass value 0x11) on a thread stops the kernel from delivering that thread's debug events to an attached debugger; it is a common anti-debugging measure.
Read together, the download, execute and payload signatures say that the document is only the first stage: the hashes on this page identify the dropper, while the StormKitty and AsyncRAT components arrive as a downloaded PE and need to be hashed separately. The VirtualBox, BIOS and hide-from-debugger checks mean the payload may behave differently on an unhardened sandbox than on a victim machine.
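The two registry-based anti-VM signatures above are easy to reproduce from the defender's side, which is the quickest way to find out whether an analysis VM would be spotted. The script below is an added example for sandbox operators, not code from the report or from the sample: it reads the BIOS values under HKLM\HARDWARE\DESCRIPTION\System and the ACPI table OEM ids under HKLM\HARDWARE\ACPI, the locations public anti-VM checks use, and reports which ones would expose VirtualBox. The marker strings are an assumption (the sample's own list is not on this page), and the sample data is constructed; function names are mine.

```python
r"""Added example, not from the report or the sample: read the registry values
behind the 'Checks BIOS information in registry' and 'Identifies VirtualBox via
ACPI registry values' signatures and report which would expose a sandbox.
The key paths and marker strings are the ones public anti-VM checks use; the
sample's own string list is not on this page and is assumed here."""
import sys

# HKLM\HARDWARE\DESCRIPTION\System values that carry the firmware vendor string.
BIOS_VALUES = ("SystemBiosVersion", "VideoBiosVersion", "SystemBiosDate")
# HKLM\HARDWARE\ACPI\<table> sub-key names are the ACPI OEM ids; VirtualBox uses VBOX__.
ACPI_TABLES = ("DSDT", "FADT", "RSDT")
VBOX_MARKERS = ("vbox", "virtualbox", "innotek", "oracle")   # assumed marker list


def bios_hits(values):
    """values: {name: str or list of str} as read from the System key.
    Returns (value name, marker) pairs that reveal VirtualBox."""
    hits = []
    for name, data in values.items():
        text = " ".join(data) if isinstance(data, (list, tuple)) else str(data)
        hits.extend((name, marker) for marker in VBOX_MARKERS if marker in text.lower())
    return hits


def acpi_hits(table_ids):
    r"""table_ids: {table: [child key names]} mirroring HKLM\HARDWARE\ACPI\<table>."""
    return [(table, name) for table, names in table_ids.items()
            for name in names if name.upper().startswith("VBOX")]


def collect_windows():
    """Read the live keys; meaningful only on Windows. Returns (bios, acpi)."""
    import winreg
    bios, acpi = {}, {}
    with winreg.OpenKey(winreg.HKEY_LOCAL_MACHINE, "HARDWARE\\DESCRIPTION\\System") as key:
        for name in BIOS_VALUES:
            try:
                bios[name] = winreg.QueryValueEx(key, name)[0]   # REG_MULTI_SZ gives a list
            except FileNotFoundError:
                pass
    for table in ACPI_TABLES:
        try:
            with winreg.OpenKey(winreg.HKEY_LOCAL_MACHINE, "HARDWARE\\ACPI\\" + table) as key:
                acpi[table] = [winreg.EnumKey(key, i) for i in range(winreg.QueryInfoKey(key)[0])]
        except FileNotFoundError:
            acpi[table] = []
    return bios, acpi


# Constructed sample: values a stock VirtualBox guest typically reports.
SAMPLE_BIOS = {
    "SystemBiosVersion": ["VBOX   - 1"],
    "VideoBiosVersion": ["Oracle VM VirtualBox Version 6.1.36 VBE Adapter"],
    "SystemBiosDate": "12/01/06",
}
SAMPLE_ACPI = {"DSDT": ["VBOX__"], "FADT": ["VBOX__"], "RSDT": ["VBOX__"]}


def assess(bios, acpi):
    """Summary for the sandbox operator: what leaks, and whether anything does."""
    b, a = bios_hits(bios), acpi_hits(acpi)
    return {"bios": b, "acpi": a, "detectable": bool(b or a)}


if __name__ == "__main__":
    bios, acpi = collect_windows() if sys.platform == "win32" else (SAMPLE_BIOS, SAMPLE_ACPI)
    print(assess(bios, acpi))
```

Run inside the analysis VM it reads the real keys; anywhere else it falls back to the constructed VirtualBox values. A result with detectable set to true means checks of the kind this sample performs will fire, and the DMI and ACPI strings VirtualBox exposes can be changed through VBoxManage setextradata before the sample is run again.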