General
-
Target
deploy.exe
-
Size
63KB
-
Sample
231023-sk54tabd38
-
MD5
6f92c594e253457f848f01bac27814d5
-
SHA1
9d29ff1372582e71bfcf37b9eba3063cc7febc08
-
SHA256
1f41ecd3c862c4957dc7e09fede95bddcf43ebcab44fe946d72ff6abb75d030a
-
SHA512
30573565a27010e037c06741577bf5fb5bf1069f518d81e9b62fc207968974a038a7f5dabbcd5a40f0fc0e2d0ecfab3aebe2e88ef5bbbf105c55d0edcaf7662c
-
SSDEEP
768:Rd5nVhwdjndk78TQC8A+XiuazcBRL5JTk1+T4KSBGHmDbD/ph0oX9ASuAdpqKYhg:ZnSdsNdSJYUbdh99HuAdpqKmY7
Behavioral task
behavioral1
Sample
deploy.exe
Resource
win10v2004-20231020-en
Malware Config
Extracted
asyncrat
Botnet
Default
Mutex
H伊8jWaCωdcΓP8吾קtרXovNF3
-
delay
1
-
install
true
-
install_file
daemon.exe
-
install_folder
%AppData%
-
pastebin_config
https://pastebin.com/raw/L7WhRmt9
Extracted
njrat
Version
Njrat 0.7 Golden By Hassan Amiri
Botnet
HacKed
C2
146.19.230.52:4456
Mutex
Windows Update
-
reg_key
Windows Update
-
splitter
|Hassan|
Targets
-
-
Target
deploy.exe
-
Size
63KB
-
MD5
6f92c594e253457f848f01bac27814d5
-
SHA1
9d29ff1372582e71bfcf37b9eba3063cc7febc08
-
SHA256
1f41ecd3c862c4957dc7e09fede95bddcf43ebcab44fe946d72ff6abb75d030a
-
SHA512
30573565a27010e037c06741577bf5fb5bf1069f518d81e9b62fc207968974a038a7f5dabbcd5a40f0fc0e2d0ecfab3aebe2e88ef5bbbf105c55d0edcaf7662c
-
SSDEEP
768:Rd5nVhwdjndk78TQC8A+XiuazcBRL5JTk1+T4KSBGHmDbD/ph0oX9ASuAdpqKYhg:ZnSdsNdSJYUbdh99HuAdpqKmY7
-
StormKitty payload
-
Async RAT payload
-
Checks computer location settings
Looks up country code configured in the registry, likely geofence.
-
Drops startup file
-
Executes dropped EXE
-
Uses the VBS compiler for execution
-
Accesses Microsoft Outlook profiles
-
Adds Run key to start application
-
Drops desktop.ini file(s)
-
Legitimate hosting services abused for malware hosting/C2
-
Looks up external IP address via web service
Uses a legitimate IP lookup service to find the infected system's external IP.
-
Looks up geolocation information via web service
Uses a legitimate geolocation service to find the infected system's geolocation info.
-
Drops file in System32 directory
-
Suspicious use of SetThreadContext
-
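The extracted configs (AsyncRAT install_folder/install_file and pastebin_config, njRAT C2 and reg_key) and the signatures above (Adds Run key, Drops startup file, Legitimate hosting services abused for C2) translate directly into host and network indicators. The following is an added example, not part of the sandbox report: it turns those fields into detection rules and runs them over constructed Sysmon-style records (EventID 1 process create, 3 network connect, 11 file create, 13 registry value set) plus one constructed proxy record. The SID, user name, file paths other than %AppData%\daemon.exe, and the benign OneDrive/443 events are assumptions for the demo; only the hashes, IP:port, URL, Run value name and install file come from the report.

```python
"""Detection rules built from the extracted AsyncRAT/njRAT config and the
behavioural signatures in the report above (added example, not sandbox
output).  The events at the bottom are constructed Sysmon-style logs."""
import re
from dataclasses import dataclass

# Indicators taken from the report.
SAMPLE_SHA256 = "1f41ecd3c862c4957dc7e09fede95bddcf43ebcab44fe946d72ff6abb75d030a"
NJRAT_C2_IP, NJRAT_C2_PORT = "146.19.230.52", 4456
NJRAT_REG_KEY = "Windows Update"            # njrat reg_key = Run value name
ASYNCRAT_PASTEBIN = "https://pastebin.com/raw/L7WhRmt9"
ASYNCRAT_INSTALL_FILE = "daemon.exe"        # install_file under %AppData%

# Run value name at the end of HKCU/HKU/HKLM ...\CurrentVersion\Run\<name>
RUN_VALUE_RE = re.compile(
    r"\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\([^\\]+)$", re.I)
# %AppData% expands to C:\Users\<user>\AppData\Roaming
APPDATA_DROP_RE = re.compile(
    r"\\AppData\\Roaming\\" + re.escape(ASYNCRAT_INSTALL_FILE), re.I)
HASHES_RE = re.compile(r"SHA256=([0-9a-f]{64})", re.I)


@dataclass(frozen=True)
class Hit:
    rule: str
    detail: str


def check_event(ev):
    """Return the Hit objects one event raises (empty list if benign)."""
    hits = []
    # Proxy/URL record: exact match on the pastebin config URL, not on
    # pastebin.com alone, which is far too noisy to alert on.
    if ev.get("Url", "").lower() == ASYNCRAT_PASTEBIN.lower():
        hits.append(Hit("asyncrat_pastebin_config", ev["Url"]))
    eid = ev.get("EventID")
    if eid == 1:     # process create: Sysmon writes "SHA256=<hex>" in Hashes
        m = HASHES_RE.search(ev.get("Hashes", ""))
        if m and m.group(1).lower() == SAMPLE_SHA256:
            hits.append(Hit("known_sample_sha256", ev.get("Image", "")))
    elif eid == 11:  # file create in %AppData%
        if APPDATA_DROP_RE.search(ev.get("TargetFilename", "")):
            hits.append(Hit("asyncrat_install_file", ev["TargetFilename"]))
    elif eid == 13:  # registry value set under a Run key
        m = RUN_VALUE_RE.search(ev.get("TargetObject", ""))
        if m:
            if m.group(1).lower() == NJRAT_REG_KEY.lower():
                hits.append(Hit("njrat_run_key", ev["TargetObject"]))
            if APPDATA_DROP_RE.search(ev.get("Details", "")):
                hits.append(Hit("asyncrat_run_key", ev["Details"]))
    elif eid == 3:   # network connect; IP alone is a weaker hit than IP:port
        if ev.get("DestinationIp") == NJRAT_C2_IP:
            port = int(ev.get("DestinationPort", 0))
            rule = "njrat_c2" if port == NJRAT_C2_PORT else "njrat_c2_ip_only"
            hits.append(Hit(rule, f"{NJRAT_C2_IP}:{port}"))
    return hits


def scan(events):
    """Run check_event over an iterable of events and flatten the hits."""
    return [h for ev in events for h in check_event(ev)]


RUN = r"HKU\S-1-5-21-1111\Software\Microsoft\Windows\CurrentVersion\Run"
SAMPLE_EVENTS = [  # constructed records for the demo, not from the sandbox run
    {"EventID": 1, "Image": r"C:\Users\alice\Downloads\deploy.exe",
     "Hashes": "SHA256=1F41ECD3C862C4957DC7E09FEDE95BDDCF43EBCAB44FE946D72FF6ABB75D030A"},
    {"EventID": 11, "TargetFilename": r"C:\Users\alice\AppData\Roaming\daemon.exe"},
    {"EventID": 13, "TargetObject": RUN + r"\Windows Update",
     "Details": r"C:\Users\alice\AppData\Local\Temp\deploy.exe"},  # assumed path
    {"EventID": 13, "TargetObject": RUN + r"\daemon",
     "Details": r"C:\Users\alice\AppData\Roaming\daemon.exe"},
    {"EventID": 13, "TargetObject": RUN + r"\OneDrive",            # benign
     "Details": r"C:\Users\alice\AppData\Local\Microsoft\OneDrive\OneDrive.exe /background"},
    {"EventID": 3, "DestinationIp": "146.19.230.52", "DestinationPort": 4456},
    {"EventID": 3, "DestinationIp": "142.250.74.46", "DestinationPort": 443},  # benign
    {"Url": "https://pastebin.com/raw/L7WhRmt9"},
]

if __name__ == "__main__":
    for hit in scan(SAMPLE_EVENTS):
        print(f"{hit.rule:26} {hit.detail}")
```

The Run value name "Windows Update" is not something Windows itself writes under CurrentVersion\Run, so the name alone is a usable indicator, but corroborate it with the file drop or the C2 connect before acting; a daemon.exe in Roaming and a bare IP match on a different port are reported as separate, lower-confidence rules for the same reason.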
MITRE ATT&CK Enterprise v15
Persistence
Boot or Logon Autostart Execution (1)
Registry Run Keys / Startup Folder (1)
Scheduled Task/Job (1)
Privilege Escalation
Boot or Logon Autostart Execution (1)
Registry Run Keys / Startup Folder (1)
Scheduled Task/Job (1)