General
- Target: c5681f0e12aac8a5f3461b636bb03e0e.bin
- Size: 32.4MB
- Sample: 230206-mj79wsgg3w
- MD5: f580d2012634f71031fb9d38f0fb7981
- SHA1: fe5e9148d13eb5f94f50396b47f974cb060730cf
- SHA256: 333a54784af0dd768139d758872d64589af8496376465d2a660f2bbe1b318a65
- SHA512: 08570b33f207e78a7c7e463c57b4a14945dc49cce37694ee5a3b76e472c49ae760e9a61f175b6ada9b4bcc72ace85f68b4dec9c8c968c987f6caa2ff1ccdb084
- SSDEEP: 786432:/lMmh3apePyjb8rV+ivSG0s3gaUPxmumY5INTcsHmmDhR:/lMmqIaGuaUPcYWTcsGU

Static task
- static1

Behavioral task
- behavioral1
- Sample: b96df0c566daa119af3abd0af7c0221689f411678da926608b493e8edd707715.exe
- Resource: win7-20220812-en

Behavioral task
- behavioral2
- Sample: b96df0c566daa119af3abd0af7c0221689f411678da926608b493e8edd707715.exe
- Resource: win10v2004-20221111-en

Malware Config
Extracted
- Family: asyncrat
- Version: 0.5.7B
- Botnet: Default
- C2: 135.148.113.4:6789
- Mutex: AsyncMutex_6SI8OkPnk
- delay: 3
- install: true
- install_file: Service Host.exe
- install_folder: %AppData%

Targets
- Target: b96df0c566daa119af3abd0af7c0221689f411678da926608b493e8edd707715.exe
- Size: 32.4MB
- MD5: c5681f0e12aac8a5f3461b636bb03e0e
- SHA1: 7dccbceaaa2f18357746e7105c2d9a5caa75e8fa
- SHA256: b96df0c566daa119af3abd0af7c0221689f411678da926608b493e8edd707715
- SHA512: c72bf2510dfc7ff8ebbe769c1851c7bd068c901460820d7bbf5bbe06217f8ba0dd0e1cfab83a009f06fedc28ba7b765cc5393fa3861c39316e8a22b52941b33e
- SSDEEP: 786432:uNNuklYm9MgdaR5qAV72zEWxOUfM30wvvoO2Hum6y/E87eqzDI:u3uklYmMVfqOq46E0+277C6DI

- StormKitty payload
- Async RAT payload
- Downloads MZ/PE file
- Checks computer location settings
  Looks up the country code configured in the registry, likely a geofence.
- Executes dropped EXE
- Loads dropped DLL
- Accesses Microsoft Outlook profiles
- Enumerates connected drives
  Attempts to read the root path of hard drives other than the default C: drive.
- Legitimate hosting services abused for malware hosting/C2
- Looks up external IP address via web service
  Uses a legitimate IP lookup service to find the infected system's external IP.
- Looks up geolocation information via web service
  Uses a legitimate geolocation service to find the infected system's geolocation info.