asyncrat | 2eee592b19e01789f384e99ce780785722a66f6abd6a01db3a135f7840892275 | Triage

Submit
Reports

Overview

overview

Static

static

Disney [CH....2.exe

windows7-x64

Disney [CH....2.exe

windows10-2004-x64

Sharing

General

Target

Disney [CHECKER] V3.2.exe
Size

16.4MB
Sample

230223-twy1baad3t
MD5

54fc962e8963129ed9ee02f93c61ca0c
SHA1

b08648d5517b81f6cbc3f5769375d0df70242c65
SHA256

2eee592b19e01789f384e99ce780785722a66f6abd6a01db3a135f7840892275
SHA512

d84dd713d757cb0e7948706536ed84ff2fd0e354c61deca7ef0f17c87940683d40a3eee616d1f93c8d5d1c73f22642d547fbfdb5b47517e6cadfa374a4272bdc
SSDEEP

393216:ou7L/1edQ2l6+9Joaw2N+mzW8+OQwGJLaX4FcYqP:oCLdedQm9Jq2NZW8+hVc

Score

10^/10

asyncrat stormkitty default pyinstaller rat spyware stealer

Static task

static1

rat pyinstaller asyncrat stormkitty

5 signatures

Behavioral task

behavioral1

Sample

Disney [CHECKER] V3.2.exe

Resource

win7-20230220-en

asyncrat stormkitty default pyinstaller rat spyware stealer

windows7-x64

16 signatures

150 seconds

Behavioral task

behavioral2

Sample

Disney [CHECKER] V3.2.exe

Resource

win10v2004-20230221-en

asyncrat stormkitty default pyinstaller rat spyware stealer

windows10-2004-x64

18 signatures

150 seconds

Malware Config

Extracted

Family

asyncrat

Botnet

Default

C2

127.0.0.1:6606

127.0.0.1:7707

127.0.0.1:8808

https://api.telegram.org/bot6196076192:AAF99zylbr46S6zR2M6Fbv7gE0eAuYfzRmg/sendMessage?chat_id=927024838

Mutex

AsyncMutex_6SI8OkPnk

Attributes

delay
3
install
false
install_folder
%AppData%

aes.plain

Targets

- Target
  
  Disney [CHECKER] V3.2.exe
- Size
  
  16.4MB
- MD5
  
  54fc962e8963129ed9ee02f93c61ca0c
- SHA1
  
  b08648d5517b81f6cbc3f5769375d0df70242c65
- SHA256
  
  2eee592b19e01789f384e99ce780785722a66f6abd6a01db3a135f7840892275
- SHA512
  
  d84dd713d757cb0e7948706536ed84ff2fd0e354c61deca7ef0f17c87940683d40a3eee616d1f93c8d5d1c73f22642d547fbfdb5b47517e6cadfa374a4272bdc
- SSDEEP
  
  393216:ou7L/1edQ2l6+9Joaw2N+mzW8+OQwGJLaX4FcYqP:oCLdedQm9Jq2NZW8+hVc
Score

10^/10

asyncrat stormkitty default pyinstaller rat spyware stealer
- AsyncRat
  AsyncRAT is designed to remotely monitor and control other computers.
  rat asyncrat
- StormKitty
  StormKitty is an open source info stealer written in C#.
  stealer stormkitty
- StormKitty payload
- Async RAT payload
  rat
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Executes dropped EXE
- Loads dropped DLL
- Reads user/profile data of web browsers
  Infostealers often target stored browser data, which can include saved credentials etc.
  spyware stealer
- Drops desktop.ini file(s)
- Legitimate hosting services abused for malware hosting/C2
- Looks up external IP address via web service
  Uses a legitimate IP lookup service to find the infected system's external IP.
- Looks up geolocation information via web service
  Uses a legitimate geolocation service to find the infected system's geolocation info.
behavioral1 behavioral2

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Credentials in Files

Discovery

Query Registry

System Information Discovery

Lateral Movement

Collection

Data from Local System

Exfiltration

Command and Control

Web Service

Impact

Tasks

static1

ratpyinstallerasyncratstormkitty

behavioral1

asyncratstormkittydefaultpyinstallerratspywarestealer

behavioral2

asyncratstormkittydefaultpyinstallerratspywarestealer

© 2018-2024

Terms | Privacy