General

  • Target

    Servjjjer.exe.bin

  • Size

    175KB

  • Sample

    230501-yxzqfsac3v

  • MD5

    5b3cfe226cbf4629f1bf59d9a8b644cb

  • SHA1

    709f112da624e832c9e257ffe68f7ad2cc08bb6f

  • SHA256

    6894c104c50fea8b20c9d459919854463fa2aad13165bb0650deb946fb3b7de7

  • SHA512

    485962e678cc88aecbf1f9028d55885f6290bf6ff33555b231938a1ae323ec06311963988fbae15466dc39249e3fadfe7e108e0d24ef54bc3fd858572d1384e9

  • SSDEEP

    3072:Qe8oX8Sb5KcXrtkkXmf/bDsvqtU+lLToChAP0UZ0b2gTLcwAqE+Wpor:pXtb5KcXr7XmfgqtjhAxZ0b2ko

Malware Config

Extracted

Family

asyncrat

Botnet

Default

C2

127.0.0.1:6606

127.0.0.1:7707

127.0.0.1:8808

https://api.telegram.org/bot5890094946:AAEYglD59tTB66C18AiuzpbBGVoAYux1-gc/sendMessage?chat_id=5969887379

Mutex

AsyncMutex_6SI8OkPnk

Attributes
  • delay

    3

  • install

    false

  • install_folder

    %AppData%

aes.plain

Targets

    • Target

      Servjjjer.exe.bin

    • Size

      175KB

    • MD5

      5b3cfe226cbf4629f1bf59d9a8b644cb

    • SHA1

      709f112da624e832c9e257ffe68f7ad2cc08bb6f

    • SHA256

      6894c104c50fea8b20c9d459919854463fa2aad13165bb0650deb946fb3b7de7

    • SHA512

      485962e678cc88aecbf1f9028d55885f6290bf6ff33555b231938a1ae323ec06311963988fbae15466dc39249e3fadfe7e108e0d24ef54bc3fd858572d1384e9

    • SSDEEP

      3072:Qe8oX8Sb5KcXrtkkXmf/bDsvqtU+lLToChAP0UZ0b2gTLcwAqE+Wpor:pXtb5KcXr7XmfgqtjhAxZ0b2ko

    • AsyncRat

      AsyncRAT is designed to remotely monitor and control other computers written in C#.

    • Detects Redline Stealer samples

      This rule detects the presence of Redline Stealer samples based on their unique strings.

    • RedLine

      RedLine Stealer is a malware family written in C#, first appearing in early 2020.

    • StormKitty

      StormKitty is an open source info stealer written in C#.

    • StormKitty payload

    • Async RAT payload

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials etc.

    • Drops desktop.ini file(s)

    • Looks up external IP address via web service

      Uses a legitimate IP lookup service to find the infected system's external IP.

    • Looks up geolocation information via web service

      Uses a legitimate geolocation service to find the infected system's geolocation info.

MITRE ATT&CK Enterprise v6

Tasks