General

  • Target

    ff5974901076d59d6500da14a4d1eb8c21e6e06c7edf307c300333f0a42467b4

  • Size

    956KB

  • Sample

    230816-ermddsha81

  • MD5

    31321f5a80d3694742fdb37cea42a4a8

  • SHA1

    e1d287d52c9a567ac3eb880a2c165a25d867bcb5

  • SHA256

    ff5974901076d59d6500da14a4d1eb8c21e6e06c7edf307c300333f0a42467b4

  • SHA512

    2fc219412eb67976ad87a251513913130d862dbff38dcfbec8b4028267a4e81922635ca67a42359c0847e48cc4ec4006aea3e6041424bb6c9fe128bd05a0aa3f

  • SSDEEP

    24576:FTELueDaKQPSDIracettRKBqHRyb9mxSTNEBt:cueemttRyUYjZ4t

Malware Config

Extracted

Family

asyncrat

Botnet

Default

C2

127.0.0.1:6606

127.0.0.1:7707

127.0.0.1:8808

https://api.telegram.org/bot5531971933:AAG8JA2N30pvOArb-NFK-vqpR7T6tJAugJ4/sendMessage?chat_id=5566800623

Mutex

AsyncMutex_6SI8OkPnk

Attributes

  • delay

    3

  • install

    false

  • install_folder

    %AppData%

aes.plain

Targets

    • AsyncRat

      AsyncRAT is a remote access tool written in C#, designed to remotely monitor and control other computers.

    • StormKitty

      StormKitty is an open source info stealer written in C#.

    • StormKitty payload

    • Async RAT payload

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials and similar sensitive information.

    • Drops desktop.ini file(s)

    • Looks up external IP address via web service

      Uses a legitimate IP lookup service to find the infected system's external IP.

    • Looks up geolocation information via web service

      Uses a legitimate geolocation service to find the infected system's geolocation information.

    • Suspicious use of SetThreadContext

MITRE ATT&CK Enterprise v15

Tasks