General

  • Target

    B96DF0C566DAA119AF3ABD0AF7C0221689F411678DA92.exe

  • Size

    32.4MB

  • Sample

    230202-t7nzgsdg5w

  • MD5

    c5681f0e12aac8a5f3461b636bb03e0e

  • SHA1

    7dccbceaaa2f18357746e7105c2d9a5caa75e8fa

  • SHA256

    b96df0c566daa119af3abd0af7c0221689f411678da926608b493e8edd707715

  • SHA512

    c72bf2510dfc7ff8ebbe769c1851c7bd068c901460820d7bbf5bbe06217f8ba0dd0e1cfab83a009f06fedc28ba7b765cc5393fa3861c39316e8a22b52941b33e

  • SSDEEP

    786432:uNNuklYm9MgdaR5qAV72zEWxOUfM30wvvoO2Hum6y/E87eqzDI:u3uklYmMVfqOq46E0+277C6DI

Malware Config

Extracted

  • Family

    asyncrat

  • Version

    0.5.7B

  • Botnet

    Default

  • C2

    135.148.113.4:6789

  • Mutex

    AsyncMutex_6SI8OkPnk

  • Attributes

    • delay

      3

    • install

      true

    • install_file

      Service Host.exe

    • install_folder

      %AppData%

  • aes.plain
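The extracted config above is only useful if it is turned into host-side checks. The following Python is an added example, not part of this sandbox report or of the AsyncRAT project: it expands the %AppData%-relative install path the way the victim host would (Windows environment variable names are case-insensitive, so the lookup folds case), splits the C2 string into host and port, and matches a file, mutex and connection inventory against the three indicators. The inventory and the victim environment are constructed inline for illustration; on a real endpoint you would feed them from EDR telemetry, Sysmon events or a live-response dump.

```python
"""Host triage helper for the AsyncRAT config extracted above.

Added example, not the sandbox's or AsyncRAT's own code. The victim
environment and the endpoint inventory below are constructed for the
demonstration.
"""
import re

# Indicators copied from the extracted config on this page.
CONFIG = {
    "c2": "135.148.113.4:6789",
    "mutex": "AsyncMutex_6SI8OkPnk",
    "install": True,
    "install_folder": "%AppData%",
    "install_file": "Service Host.exe",
}


def expand_install_path(folder, filename, env):
    """Expand a %VAR%-style folder using the *victim's* environment.

    Windows variable names are case-insensitive, so lookups are folded to
    lower case. Unknown variables are left untouched rather than guessed.
    """
    lowered = {k.lower(): v for k, v in env.items()}

    def repl(match):
        return lowered.get(match.group(1).lower(), match.group(0))

    expanded = re.sub(r"%([^%]+)%", repl, folder)
    return expanded.rstrip("\\") + "\\" + filename


def parse_c2(c2):
    """Split 'host:port' into (host, int port).

    rpartition splits on the last colon so a bracketed IPv6 host would
    survive, although this sample uses a plain IPv4 address.
    """
    host, _, port = c2.rpartition(":")
    return host, int(port)


def triage(inventory, env, config=CONFIG):
    """Match an endpoint inventory against the config.

    inventory is a dict with three lists:
      files       : full paths on disk
      mutexes     : mutex names held by running processes
      connections : (remote_ip, remote_port, pid) tuples
    Returns a list of (indicator_type, value) hits, in config order.
    """
    hits = []

    if config["install"]:
        expected = expand_install_path(
            config["install_folder"], config["install_file"], env
        ).lower()
        # NTFS paths are case-insensitive, so compare folded to lower case.
        for path in inventory.get("files", []):
            if path.lower() == expected:
                hits.append(("install_file", path))

    for name in inventory.get("mutexes", []):
        if name == config["mutex"]:
            hits.append(("mutex", name))

    c2_host, c2_port = parse_c2(config["c2"])
    for ip, port, pid in inventory.get("connections", []):
        if ip == c2_host and port == c2_port:
            hits.append(("c2", f"{ip}:{port} pid={pid}"))

    return hits


# Constructed sample data (hypothetical user "alice"), not from a real host.
VICTIM_ENV = {"APPDATA": r"C:\Users\alice\AppData\Roaming"}
SAMPLE_INVENTORY = {
    "files": [
        r"C:\Users\alice\AppData\Roaming\service host.exe",  # case differs
        r"C:\Windows\System32\svchost.exe",                  # legitimate
    ],
    "mutexes": ["AsyncMutex_6SI8OkPnk", "Global\\SomeOtherMutex"],
    "connections": [("135.148.113.4", 6789, 4120), ("13.107.42.14", 443, 884)],
}

if __name__ == "__main__":
    for kind, value in triage(SAMPLE_INVENTORY, VICTIM_ENV):
        print(f"[{kind}] {value}")
```

The file name "Service Host.exe" is chosen to blend in with the legitimate svchost.exe, so match on the full expanded path rather than on the basename alone; the mutex is the most stable of the three indicators, since the C2 address can be rotated without rebuilding the binary's install logic.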

Targets

    • Target

      B96DF0C566DAA119AF3ABD0AF7C0221689F411678DA92.exe

    • Size

      32.4MB

    • MD5

      c5681f0e12aac8a5f3461b636bb03e0e

    • SHA1

      7dccbceaaa2f18357746e7105c2d9a5caa75e8fa

    • SHA256

      b96df0c566daa119af3abd0af7c0221689f411678da926608b493e8edd707715

    • SHA512

      c72bf2510dfc7ff8ebbe769c1851c7bd068c901460820d7bbf5bbe06217f8ba0dd0e1cfab83a009f06fedc28ba7b765cc5393fa3861c39316e8a22b52941b33e

    • SSDEEP

      786432:uNNuklYm9MgdaR5qAV72zEWxOUfM30wvvoO2Hum6y/E87eqzDI:u3uklYmMVfqOq46E0+277C6DI

    • AsyncRat

      AsyncRAT is an open-source .NET remote access trojan designed to remotely monitor and control other computers.

    • StormKitty

      StormKitty is an open source info stealer written in C#.

    • StormKitty payload

    • Async RAT payload

    • Downloads MZ/PE file

    • Checks computer location settings

      Looks up the country code configured in the registry, likely used as a geofence.

    • Executes dropped EXE

    • Loads dropped DLL

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials, cookies and autofill entries.

    • VMProtect packed file

      Detects executables packed with the VMProtect commercial packer.

    • Accesses Microsoft Outlook profiles

    • Enumerates connected drives

      Attempts to read the root path of hard drives other than the default C: drive.

    • Legitimate hosting services abused for malware hosting/C2

    • Looks up external IP address via web service

      Uses a legitimate IP lookup service to find the infected system's external IP.

    • Looks up geolocation information via web service

      Uses a legitimate geolocation service to find the infected system's geolocation info.

MITRE ATT&CK Matrix (ATT&CK v6)

Tactic               | Technique                    | Matches | ID
---------------------|------------------------------|---------|------
Execution            | Scheduled Task               | 1       | T1053
Persistence          | Scheduled Task               | 1       | T1053
Privilege Escalation | Scheduled Task               | 1       | T1053
Defense Evasion      | Install Root Certificate     | 1       | T1130
Defense Evasion      | Modify Registry              | 1       | T1112
Credential Access    | Credentials in Files         | 1       | T1081
Discovery            | Query Registry               | 3       | T1012
Discovery            | System Information Discovery | 4       | T1082
Discovery            | Peripheral Device Discovery  | 1       | T1120
Collection           | Data from Local System       | 1       | T1005
Collection           | Email Collection             | 1       | T1114
Command and Control  | Web Service                  | 1       | T1102

The IDs above are ATT&CK v6 identifiers. In the current matrix, Install Root Certificate is the sub-technique T1553.004 (Subvert Trust Controls), Credentials in Files is T1552.001 (Unsecured Credentials), and the Scheduled Task rows correspond to T1053.005; the remaining IDs are unchanged.

Tasks