Overview

overview

10

Static

static

7

c.exe

windows7-x64

10

c.exe

windows10-1703-x64

10

c.exe

windows10-2004-x64

10

Sharing

Copy URL
Twitter E-mail

General

  • Target

    c.exe

  • Size

    214KB

  • Sample

    230719-ht8wysgd57

  • MD5

    7007e1d06387b6ca204c98d49c7b07da

  • SHA1

    5fb072d40016d80fed82631f20284b3672b2f965

  • SHA256

    6abc7310211473a511a9e776b103c520d4a49ff7a400c222160af4ae0288a916

  • SHA512

    ef3ca82efb87a0d395b2d0c8520a555eb7027bdb20cfa1932bb557a0323ded994f6bdf13bd020eaaa2b41a628edc4930c301884e79110ff5b3995b95bf5302ff

  • SSDEEP

    6144:KZiai3mTU41O2oV1mD6ArKAenI3YNGDaXCF:KwZWp1OnV0+YKa3ApCF

Score
10/10
asyncratstormkittydefaultevasionransomwareratspywarestealertrojan

Malware Config

Extracted

Family

asyncrat

Botnet

Default

C2

127.0.0.1:6606

127.0.0.1:7707

127.0.0.1:8808

https://api.telegram.org/bot6268035721:AAGWwn3ukkEumLQ0BZ43K9ZyUfUcyiD2wF0/sendMessage?chat_id=6119127555
Mutex

AsyncMutex_6SI8OkPnk

Attributes
  • delay

    3

  • install

    false

  • install_folder

    %AppData%

aes.plain

Extracted

Path

C:\Users\Admin\Contacts\HELP_DECRYPT_YOUR_FILES.txt

Ransom Note
Oops All Of your important files were encrypted Like document pictures videos etc.. Don't worry, you can return all your files! All your files, documents, photos, databases and other important files are encrypted by a strong encryption. How to recover files? RSA is a asymmetric cryptographic algorithm, you need one key for encryption and one key for decryption so you need private key to recover your files. It’s not possible to recover your files without private key. The only method of recovering files is to purchase an unique private key.Only we can give you this key and only we can recover your files. What guarantees you have? As evidence, you can send us 1 file to decrypt by email We will send you a recovery file Prove that we can decrypt your file Please You must follow these steps carefully to decrypt your files: Send $980 worth of bitcoin to wallet: bc1qzpa3j6qse5xfxft2xy7h2phq04wq9pk66lllz5 after payment,we will send you Decryptor software contact email: [email protected] Your personal ID: fJzL0mTfhYCD9VJ6CRSyYnTQW5tk59UE7xBwY46ae073KnsTzWAnC8F50QTmIRuywBhFaxDcI3h/JahaBttYUDABmTT4CV1hFYQX5Wj4txXZ5xJPNgfDkcim+PIkvbHQAEQh1pjWoBMXb8E5Rcslxl59qN3EkcGaI6q3+DI1p3Q=

Extracted

Path

C:\Users\Admin\Contacts\HELP_DECRYPT_YOUR_FILES.txt

Ransom Note
Oops All Of your important files were encrypted Like document pictures videos etc.. Don't worry, you can return all your files! All your files, documents, photos, databases and other important files are encrypted by a strong encryption. How to recover files? RSA is a asymmetric cryptographic algorithm, you need one key for encryption and one key for decryption so you need private key to recover your files. It’s not possible to recover your files without private key. The only method of recovering files is to purchase an unique private key.Only we can give you this key and only we can recover your files. What guarantees you have? As evidence, you can send us 1 file to decrypt by email We will send you a recovery file Prove that we can decrypt your file Please You must follow these steps carefully to decrypt your files: Send $980 worth of bitcoin to wallet: bc1qzpa3j6qse5xfxft2xy7h2phq04wq9pk66lllz5 after payment,we will send you Decryptor software contact email: [email protected] Your personal ID: TXYqIh238CiVfALkrWqdvehndYnSdxKkyMF1pTO6L4DpAqL4yiwabzt+pG0/oyJgBjtg6IZZYfdHgA5uJgED3m+JJ+/M2sPZEC0AT1YMadcjBSfMrbqmm6EA7/fRcAjXe1xUp6Csk2MxCsQ6wh8DkeSPDSy9tE7c0eEnpfb1tP8=

Extracted

Path

C:\Users\Admin\Contacts\HELP_DECRYPT_YOUR_FILES.txt

Ransom Note
Oops All Of your important files were encrypted Like document pictures videos etc.. Don't worry, you can return all your files! All your files, documents, photos, databases and other important files are encrypted by a strong encryption. How to recover files? RSA is a asymmetric cryptographic algorithm, you need one key for encryption and one key for decryption so you need private key to recover your files. It’s not possible to recover your files without private key. The only method of recovering files is to purchase an unique private key.Only we can give you this key and only we can recover your files. What guarantees you have? As evidence, you can send us 1 file to decrypt by email We will send you a recovery file Prove that we can decrypt your file Please You must follow these steps carefully to decrypt your files: Send $980 worth of bitcoin to wallet: bc1qzpa3j6qse5xfxft2xy7h2phq04wq9pk66lllz5 after payment,we will send you Decryptor software contact email: [email protected] Your personal ID: BX3wHmwCJ0WsptDlwCfXxe9ejuUzZmntr8Mz5i0ZgQrmDkekGZptekyGrKXLl0ZISG+adIXrkNWkbCiz58e9aC0V/phWnNihSYyQBLEaJAYE/WZlJosKodTouYs7v1lYEyYJn63qv8u8anMnLHk1Db686avJCR9qxaJyrOLF8yg=

Targets

    • Target

      c.exe

    • Size

      214KB

    • MD5

      7007e1d06387b6ca204c98d49c7b07da

    • SHA1

      5fb072d40016d80fed82631f20284b3672b2f965

    • SHA256

      6abc7310211473a511a9e776b103c520d4a49ff7a400c222160af4ae0288a916

    • SHA512

      ef3ca82efb87a0d395b2d0c8520a555eb7027bdb20cfa1932bb557a0323ded994f6bdf13bd020eaaa2b41a628edc4930c301884e79110ff5b3995b95bf5302ff

    • SSDEEP

      6144:KZiai3mTU41O2oV1mD6ArKAenI3YNGDaXCF:KwZWp1OnV0+YKa3ApCF

    Score
    10/10
    asyncratstormkittydefaultevasionransomwareratspywarestealertrojan

    • AsyncRat

      AsyncRAT is designed to remotely monitor and control other computers written in C#.

      ratasyncrat

    • StormKitty

      StormKitty is an open source info stealer written in C#.

      stealerstormkitty

    • StormKitty payload

    • UAC bypass

      evasiontrojan

    • Async RAT payload

      rat

    • Deletes shadow copies

      Ransomware often targets backup files to inhibit system recovery.

      ransomware

    • Renames multiple (66) files with added filename extension

      This suggests ransomware activity of encrypting all the files on the system.

      ransomware

    • .NET Reactor proctector

      Detects an executable protected by an unregistered version of Eziriz's .NET Reactor.

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Executes dropped EXE

    • Loads dropped DLL

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials etc.

      spywarestealer

    • Drops desktop.ini file(s)

    • Looks up external IP address via web service

      Uses a legitimate IP lookup service to find the infected system's external IP.

    • Looks up geolocation information via web service

      Uses a legitimate geolocation service to find the infected system's geolocation info.

    behavioral1behavioral2behavioral3

MITRE ATT&CK Enterprise v6

Tasks