General

  • Target

    f11076af54ec9acb4f0218b3555dade52c413ec82b70eab8cbdbcf239f714168

  • Size

    175KB

  • Sample

    230804-ggwv7aag9w

  • MD5

    42a1e3b409eedc1e91ddb15a6d974631

  • SHA1

    686e9471254f8e83a371b3baf14b2e1af8067be8

  • SHA256

    f11076af54ec9acb4f0218b3555dade52c413ec82b70eab8cbdbcf239f714168

  • SHA512

    e7d2566067fe246e8457dfff3cdf858d2e8af77eb24485f1db8a48f262b0ebc64d3fb23a41d99f1fe2ccd0402254ad6e3356e07f6a9c2c1f73b32a5eed064286

  • SSDEEP

    3072:pe8p6ewdOIwQx76vK/bvTv0cU+lL/dMlZZUZ0b2gTQwA5E+WpCc:l6ewwIwQJ6vKX0c5MlYZ0b2p

Malware Config

Extracted

Family

asyncrat

Botnet

Default

C2

127.0.0.1:6606

127.0.0.1:7707

127.0.0.1:8808

https://api.telegram.org/bot6344684660:AAGXrpqdaK0q1IRHucqGtufZQ89XqYNopIY/sendMessage?chat_id=1412038683

Mutex

AsyncMutex_6SI8OkPnk

Attributes

  • delay

    3

  • install

    false

  • install_folder

    %AppData%

aes.plain

Targets

    • Target

      f11076af54ec9acb4f0218b3555dade52c413ec82b70eab8cbdbcf239f714168

    • Size

      175KB

    • MD5

      42a1e3b409eedc1e91ddb15a6d974631

    • SHA1

      686e9471254f8e83a371b3baf14b2e1af8067be8

    • SHA256

      f11076af54ec9acb4f0218b3555dade52c413ec82b70eab8cbdbcf239f714168

    • SHA512

      e7d2566067fe246e8457dfff3cdf858d2e8af77eb24485f1db8a48f262b0ebc64d3fb23a41d99f1fe2ccd0402254ad6e3356e07f6a9c2c1f73b32a5eed064286

    • SSDEEP

      3072:pe8p6ewdOIwQx76vK/bvTv0cU+lL/dMlZZUZ0b2gTQwA5E+WpCc:l6ewwIwQJ6vKX0c5MlYZ0b2p

    • AsyncRat

      AsyncRAT is a remote access tool written in C#, designed to remotely monitor and control other computers.

    • StormKitty

      StormKitty is an open source info stealer written in C#.

    • StormKitty payload

    • Async RAT payload

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials, cookies and other sensitive information.

    • Drops desktop.ini file(s)

    • Legitimate hosting services abused for malware hosting/C2

    • Looks up external IP address via web service

      Uses a legitimate IP lookup service to find the infected system's external IP.

    • Looks up geolocation information via web service

      Uses a legitimate geolocation service to find the infected system's geolocation info.

MITRE ATT&CK Enterprise v15

Tasks