General
Target: 82acc1095843da9a689f138666b41520ccb2bda8be0c8b3cd734adbfa14d6746
Size: 335KB
Sample: 230117-gvqlbsfc2z
MD5: c7fbe52e88456eabb4d4a1a1a0670cf4
SHA1: 3b479f15645c31c7067c31aede6e1802093ac78b
SHA256: 82acc1095843da9a689f138666b41520ccb2bda8be0c8b3cd734adbfa14d6746
SHA512: 3302aa29196e3864850c7f6bfdc274a285f3f51fd1d60b0e728caa29b4f25bc70f30429819de1ea27855841fa0ec00f0fec69c1745794a96c5c19d11d0c8fa05
SSDEEP: 6144:wcjrQ/rcaXeLfKqsmLjCkHhUcuS37N7E+rdR2cFoWIEh89dHHWtjunUU:wcjiuJsmXCkStSLNnRVFopEhAdH2tK
Static task: static1
Behavioral task: behavioral1
Sample: 82acc1095843da9a689f138666b41520ccb2bda8be0c8b3cd734adbfa14d6746.exe
Resource: win10v2004-20221111-en
Malware Config
Extracted family: asyncrat
Config name: Default
C2: 127.0.0.1:6606
C2: 127.0.0.1:7707
C2: 127.0.0.1:8808
URL: https://api.telegram.org/bot5980420064:AAHGrlOU2WsgF90Pcyz-L7wrGgC_Cj54k4Q/sendMessage?chat_id=806259874
Mutex: AsyncMutex_6SI8OkPnk
delay: 3
install: false
install_folder: %AppData%
Targets
Target: 82acc1095843da9a689f138666b41520ccb2bda8be0c8b3cd734adbfa14d6746
Size: 335KB
MD5: c7fbe52e88456eabb4d4a1a1a0670cf4
SHA1: 3b479f15645c31c7067c31aede6e1802093ac78b
SHA256: 82acc1095843da9a689f138666b41520ccb2bda8be0c8b3cd734adbfa14d6746
SHA512: 3302aa29196e3864850c7f6bfdc274a285f3f51fd1d60b0e728caa29b4f25bc70f30429819de1ea27855841fa0ec00f0fec69c1745794a96c5c19d11d0c8fa05
SSDEEP: 6144:wcjrQ/rcaXeLfKqsmLjCkHhUcuS37N7E+rdR2cFoWIEh89dHHWtjunUU:wcjiuJsmXCkStSLNnRVFopEhAdH2tK

Signatures
- StormKitty payload
- Async RAT payload
- Executes dropped EXE
- Checks computer location settings: looks up the country code configured in the registry, likely a geofence.
- Adds Run key to start application
- Drops desktop.ini file(s)
- Legitimate hosting services abused for malware hosting/C2
- Looks up external IP address via web service: uses a legitimate IP lookup service to find the infected system's external IP.
- Looks up geolocation information via web service: uses a legitimate geolocation service to find the infected system's geolocation info.