Resubmissions

23-12-2023 10:41

231223-mq3b8aegep 10

23-12-2023 10:25

231223-mgdmhaegdp 10

General

  • Target

    telegram+discord.zip

  • Size

    1.1MB

  • Sample

    231223-mgdmhaegdp

  • MD5

    f4ac18b81490cef062437ef91d9978a3

  • SHA1

    10db89f6436d47af15899a77d20478731de57472

  • SHA256

    d370e3137088b60aef32f18a535f73be8deeb7aa168639a1bc04f373f50ee88b

  • SHA512

    315fe1960fea33f3f5237f899f3442512318a1e477e98d4b4ac3e6d9c138f99073848e26f483b4a46786c4ca6cd6d7763646f699d8a2a95230496117a23c36c7

  • SSDEEP

    24576:py1TINQqUrVlskDobvRvQ+YsLeCDCG4kiQO593Tq:QNIHUBlzuvRDYsLf1iQOv3u

Malware Config

Extracted

Family

invictastealer

C2

https://discord.com/api/webhooks/1188061798528716801/D77SxBvLMy5YYF4k7wJBWj7OUZkf938cAWbclFFSX52NRBAyZASKcq_eq9P0X66HWMDI

Extracted

Family

asyncrat

Botnet

Default

C2

127.0.0.1:6606

127.0.0.1:7707

127.0.0.1:8808

https://api.telegram.org/bot6718200608:AAHsv5HWjc41bwrxVtW7RKEn2Jy54j81b6A/sendMessage?chat_id=1459867608

Mutex

AsyncMutex_6SI8OkPnk

Attributes
  • delay

    3

  • install

    false

  • install_folder

    %AppData%

aes.plain

Targets

    • Target

      InvictaStealer.exe

    • Size

      2.2MB

    • MD5

      03d36980026cddd989b3d81bcc78497c

    • SHA1

      8ec2cb2ed9f277b5314c381e91e3fe4fc2454acd

    • SHA256

      4f1e1f530211b90dc9ce81ebdee56ee458cb7846be753d10f3b7aab84a2265f6

    • SHA512

      c520be6ef9e560ff0cd17701ef5cb0a288fe9d1ca64619ee9ef733492b14a322ac20f395589cb1da0d72a38081895a15d8e2f2dd763ffed1c7c99c871ee138c4

    • SSDEEP

      24576:OOfsfKozBKHAhRh3KzPSA7R7Bt28SVSVlzyQOQZ9IEb68vL4R+2pYJeCYMXABtd:PBozBdhEV7q8bOQnIFWY+3Je0w1

    • Reads user/profile data of web browsers

      Infostealers commonly harvest stored browser data, which can include saved credentials, cookies and autofill entries.

    • Checks installed software on the system

      Enumerates installed software by reading the Uninstall key entries in the registry (typically under HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall).

    • Looks up external IP address via web service

      Uses a legitimate IP lookup service to find the infected system's external IP.

    • Target

      Server.exe

    • Size

      175KB

    • MD5

      3bb077412f581a2b36fb2ef9afcc129e

    • SHA1

      0e934d4cd7a7b523250ba0f73c727145aa32932d

    • SHA256

      1ebc11645efb8e08926c85079bc38341e38d65d690f049b2aa9b0eab9540da6f

    • SHA512

      a92ad00ad202894178fdc944e6b17520412168d03a8d35064b059fa9e43c8a9eab894ef3a9d9e4e75661f6912cdf032bf65d1752c631b65ae768c2e31239b2f8

    • SSDEEP

      3072:0e8oX8Sb5KcXrtkkXmf/bDsvqtU+lLToChAP0UZ0b2gTBwAqE+Wpor:dXtb5KcXr7XmfgqtjhAxZ0b2S

    • AsyncRat

      AsyncRAT is a remote access trojan written in C#, designed to remotely monitor and control other computers.

    • StormKitty

      StormKitty is an open-source info stealer written in C#.

    • StormKitty payload

    • Async RAT payload

    • Reads user/profile data of web browsers

      Infostealers commonly harvest stored browser data, which can include saved credentials, cookies and autofill entries.

    • Drops desktop.ini file(s)

    • Looks up external IP address via web service

      Uses a legitimate IP lookup service to find the infected system's external IP.

    • Looks up geolocation information via web service

      Uses a legitimate geolocation service to find the infected system's geolocation info.
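The endpoints extracted in the Malware Config section (a Discord webhook for InvictaStealer; three loopback host:port pairs and a Telegram bot URL for the AsyncRAT/StormKitty payload) and the web-service lookups flagged for Server.exe are what a responder has to turn into indicators. The Python below is an added example, not part of the sandbox report or of any of the malware families named here: it classifies each extracted C2 string, pulls out the durable identifiers (webhook ID, bot ID, chat_id) without spreading the secret token, and marks the 127.0.0.1 entries as non-actionable for blocking, since a loopback C2 never leaves the victim host. The Discord hostname list and the token-length floors are assumptions of this example, not values taken from the report; the C2 strings themselves are copied from the report above.

```python
import re
from dataclasses import dataclass, field
from ipaddress import ip_address
from urllib.parse import parse_qs, urlsplit

# Assumed hostnames on which Discord serves webhooks (not taken from the report).
DISCORD_HOSTS = {"discord.com", "discordapp.com", "canary.discord.com", "ptb.discord.com"}
# Length floors are assumptions chosen to reject obviously truncated strings.
DISCORD_WEBHOOK_PATH = re.compile(r"^/api/webhooks/(?P<id>\d{17,20})/(?P<token>[A-Za-z0-9_-]{50,})$")
TELEGRAM_BOT_PATH = re.compile(r"^/bot(?P<bot_id>\d+):(?P<secret>[A-Za-z0-9_-]{30,})/(?P<method>\w+)$")
HOST_PORT = re.compile(r"^(?P<host>[^:/\s]+):(?P<port>\d{1,5})$")


@dataclass
class C2Indicator:
    raw: str
    kind: str                 # "discord_webhook" | "telegram_bot" | "host_port" | "unknown"
    actionable: bool          # False when the endpoint cannot leave the victim host
    fields: dict = field(default_factory=dict)


def classify_c2(raw: str) -> C2Indicator:
    """Classify one extracted C2 string and pull out its stable identifiers."""
    s = raw.strip()
    u = urlsplit(s)
    if u.scheme in ("http", "https"):
        host = (u.hostname or "").lower()
        if host in DISCORD_HOSTS:
            m = DISCORD_WEBHOOK_PATH.match(u.path)
            if m:
                # The webhook ID is the durable key; the token is a credential, keep a prefix only.
                return C2Indicator(s, "discord_webhook", True,
                                   {"host": host, "webhook_id": m["id"],
                                    "token_prefix": m["token"][:8]})
        if host == "api.telegram.org":
            m = TELEGRAM_BOT_PATH.match(u.path)
            if m:
                chat = parse_qs(u.query).get("chat_id", [None])[0]
                return C2Indicator(s, "telegram_bot", True,
                                   {"bot_id": m["bot_id"], "method": m["method"],
                                    "chat_id": chat, "secret_prefix": m["secret"][:6]})
        return C2Indicator(s, "unknown", True, {"host": host})
    m = HOST_PORT.match(s)
    if m:
        host, port = m["host"], int(m["port"])
        try:
            addr = ip_address(host)
            # Loopback/unspecified addresses never reach an attacker; they are a host-level
            # artifact (useful for memory/network triage) but not a blockable IOC.
            actionable = not (addr.is_loopback or addr.is_unspecified)
            # is_global is also False for RFC 1918 and documentation ranges.
            return C2Indicator(s, "host_port", actionable,
                               {"host": host, "port": port, "routable": addr.is_global})
        except ValueError:
            # A hostname: resolvable, so hunt for it in DNS and proxy logs.
            return C2Indicator(s, "host_port", True, {"host": host, "port": port})
    return C2Indicator(s, "unknown", True)


# C2 strings exactly as extracted in the Malware Config section above.
REPORT_C2 = [
    "https://discord.com/api/webhooks/1188061798528716801/D77SxBvLMy5YYF4k7wJBWj7OUZkf938cAWbclFFSX52NRBAyZASKcq_eq9P0X66HWMDI",
    "127.0.0.1:6606",
    "127.0.0.1:7707",
    "127.0.0.1:8808",
    "https://api.telegram.org/bot6718200608:AAHsv5HWjc41bwrxVtW7RKEn2Jy54j81b6A/sendMessage?chat_id=1459867608",
]


def triage(c2_list):
    """Split extracted C2s into hunt/block candidates and host-only artifacts."""
    results = [classify_c2(c) for c in c2_list]
    return {
        "actionable": [r for r in results if r.actionable],
        "non_actionable": [r for r in results if not r.actionable],
        "by_kind": {k: sum(1 for r in results if r.kind == k)
                    for k in sorted({r.kind for r in results})},
    }


def hunt_terms(indicator: C2Indicator) -> list:
    """Substrings a responder can search proxy/DNS/EDR logs for without exposing the secret."""
    if indicator.kind == "discord_webhook":
        return [f"/api/webhooks/{indicator.fields['webhook_id']}/"]
    if indicator.kind == "telegram_bot":
        return [f"api.telegram.org/bot{indicator.fields['bot_id']}:",
                f"chat_id={indicator.fields['chat_id']}"]
    if indicator.kind == "host_port" and indicator.actionable:
        return [f"{indicator.fields['host']}:{indicator.fields['port']}"]
    return []


if __name__ == "__main__":
    summary = triage(REPORT_C2)
    for r in summary["actionable"]:
        print(f"[hunt] {r.kind:16} {hunt_terms(r)}")
    for r in summary["non_actionable"]:
        print(f"[skip] {r.kind:16} {r.raw} (loopback, not routable)")
```

Two design points: the hunt terms deliberately use the webhook ID and bot ID rather than the full token, because the token is the attacker's credential and copying it into tickets or shared detections both leaks it and tempts someone to call the endpoint; the ID is enough to search logs and to report the webhook or bot to the platform. The loopback AsyncRAT entries are kept rather than discarded, since a 127.0.0.1 C2 is itself a useful triage clue (a default or test build, or a payload expecting a local relay) even though it yields nothing to block at the perimeter.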

MITRE ATT&CK Enterprise v15

Tasks