General
Target: Legion Private Bot.exe
Size: 640KB
Sample: 230201-2bx7aaef9z
MD5: 092334866080e7ec50fccc264d869221
SHA1: b4b69530c71474507e8ec5a341252e11862986e0
SHA256: 1080f3cd4328fd1e0597c4aba89bf5004894c938234f2d2ccf282f1416219864
SHA512: 101eaf97dc6293d7295fccd7883d161c128c780f55d76ba3132685cd92d52d0a417b373d08aa7cdde82f7cf0831776ea959040c7f6fb9568abbf34d365cbc9d9
SSDEEP: 12288:/QGF2tAu9o+JPYx+5psS5GkwqbT7pllql+WZcYrje23UFDd6S7sQo:/7F2tAu9o+JQ+5psSU12olvraDt7s
Static task: static1
Behavioral task: behavioral1
  Sample: Legion Private Bot.exe
  Resource: win7-20220812-en
Behavioral task: behavioral2
  Sample: Legion Private Bot.exe
  Resource: win10v2004-20221111-en
Malware Config
Extracted: asyncrat
Default
  127.0.0.1:6606
  127.0.0.1:7707
  127.0.0.1:8808
  https://api.telegram.org/bot5345460701:AAELDlYM_8yHwfKYHoYl_27JYXLpT-SLsyY/sendMessage?chat_id=689992339
  AsyncMutex_6SI8OkPnk
  delay: 3
  install: false
  install_folder: %AppData%
Targets
Target: Legion Private Bot.exe
Size: 640KB
- StormKitty payload
- Async RAT payload
- Executes dropped EXE
- Checks computer location settings
  Looks up the country code configured in the registry, likely a geofence check.
- Loads dropped DLL
- Adds Run key to start application
- Drops desktop.ini file(s)
- Looks up external IP address via web service
  Uses a legitimate IP lookup service to find the infected system's external IP.
- Looks up geolocation information via web service
  Uses a legitimate geolocation service to find the infected system's geolocation info.
- Suspicious use of SetThreadContext