General
- Target: ws.exe
- Size: 3.0MB
- Sample: 230116-vejpqsaa96
- MD5: c9a81dcabe30d055caca7db9affe0248
- SHA1: 0e13ed377b15349ddef95c6eed281b46a50bbb5f
- SHA256: 430d855fc783133d2d5bc01c095baff7d8b416a0f7c15a8a59288a96fcee7aa1
- SHA512: 4bb62f936e94c207715aa9bf854dda8c5d0aa4a50d97ac09df98721344e0d0ed85f4c77f03e067bceb052fa908335ad1d34648a2afe5b3fac81873e55b49566a
- SSDEEP: 49152:ug2G6sHJRXRTV7PH/4lrezRSmI4/6SWOyg5eO09rAq3h7twjklRUsd8OLWB7C7Rq:WG6sZVjVRSmI4eg5ebrV35ijsdLWBERq
Behavioral task
- behavioral1
- Sample: ws.exe
- Resource: win7-20221111-en
Malware Config
Extracted
- asyncrat
- Default
- 127.0.0.1:6606
- 127.0.0.1:7707
- 127.0.0.1:8808
- https://api.telegram.org/bot5980420064:AAHGrlOU2WsgF90Pcyz-L7wrGgC_Cj54k4Q/sendMessage?chat_id=806259874
- AsyncMutex_6SI8OkPnk
- delay: 3
- install: false
- install_folder: %AppData%
Targets
- Target: ws.exe
- Size: 3.0MB
- StormKitty payload
- Async RAT payload
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry: BIOS information is often read in order to detect sandboxing environments.
- Drops desktop.ini file(s)
- Legitimate hosting services abused for malware hosting/C2
- Looks up external IP address via web service: uses a legitimate IP lookup service to find the infected system's external IP.
- Looks up geolocation information via web service: uses a legitimate geolocation service to find the infected system's geolocation info.
- Suspicious use of NtSetInformationThreadHideFromDebugger