General

  • Target

    panel.exe.bin

  • Size

    170KB

  • Sample

    230505-zpz7paec32

  • MD5

    470a8267b5eba7eb998d9fa69532f849

  • SHA1

    1152ddb2ab93aae9983e3e8b5c4f367875323e3e

  • SHA256

    6cdb8d1af85d10ed3022ae0a183e3e9dff0ad1bc4a90915e7e41b600154a349e

  • SHA512

    5f151230dc97e0804cbe7b36ce9a4570023bdaf0283ae2681732a835c26e540ec93f9c56cd78599c8deeeaed10b2b50f9c976c85ad95d4e36460e05083f7048d

  • SSDEEP

    3072:O+STW8djpN6izj8mZwHQiWZqswqIPu/i9b+J2cOZTMi56+WpL:z8XN6W8mmdUwXPSi9b2c3

Malware Config

Extracted

Family

asyncrat

Botnet

Default

C2

127.0.0.1:6606

127.0.0.1:7707

127.0.0.1:8808

https://api.telegram.org/bot6093966625:AAHk4dddHb8B1faCcFqL3um1gmB-f2mWhyc/sendMessage?chat_id=5529838804

Mutex

AsyncMutex_6SI8OkPnk

Attributes
  • delay

    3

  • install

    false

  • install_folder

    %AppData%

aes.plain

Targets

    • Target

      panel.exe.bin

    • Size

      170KB

    • MD5

      470a8267b5eba7eb998d9fa69532f849

    • SHA1

      1152ddb2ab93aae9983e3e8b5c4f367875323e3e

    • SHA256

      6cdb8d1af85d10ed3022ae0a183e3e9dff0ad1bc4a90915e7e41b600154a349e

    • SHA512

      5f151230dc97e0804cbe7b36ce9a4570023bdaf0283ae2681732a835c26e540ec93f9c56cd78599c8deeeaed10b2b50f9c976c85ad95d4e36460e05083f7048d

    • SSDEEP

      3072:O+STW8djpN6izj8mZwHQiWZqswqIPu/i9b+J2cOZTMi56+WpL:z8XN6W8mmdUwXPSi9b2c3

    • AsyncRat

      AsyncRAT is designed to remotely monitor and control other computers written in C#.

    • Detects Redline Stealer samples

      This rule detects the presence of Redline Stealer samples based on their unique strings.

    • RedLine

      RedLine Stealer is a malware family written in C#, first appearing in early 2020.

    • StormKitty

      StormKitty is an open source info stealer written in C#.

    • StormKitty payload

    • Async RAT payload

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials etc.

    • Drops desktop.ini file(s)

    • Looks up external IP address via web service

      Uses a legitimate IP lookup service to find the infected system's external IP.

    • Looks up geolocation information via web service

      Uses a legitimate geolocation service to find the infected system's geolocation info.

MITRE ATT&CK Enterprise v6

Tasks