General

  • Target

    RFQ195246.pdf.exe

  • Size

    1.0MB

  • Sample

    240105-pkfmdachc2

  • MD5

    9f29fbfc465f8023c04f7ef4f3f5f9c6

  • SHA1

    18a1fd3b6234380634f89e718fbd8742fbc909ac

  • SHA256

    526539d41092e31a6eb4097cc93b55285d758b41e992d11c1819767306f08f30

  • SHA512

    ad3f1b0cc54432fb50640efbdd3b29bca033e53adc6ebe221d07d26938af04a96e81fb5753c098ca4cbfd8ae01aa3893384bf6a48b9da30d6e8d2a3bae8ce8c9

  • SSDEEP

    24576:2TbBv5rUDKoU7L/wtggAPwUqjBGa6mXcqIAXiAZfzI6Y:IBUUP/IggAIUqcLAXiAZC

Malware Config

Extracted

Family

asyncrat

Botnet

Default

C2

127.0.0.1:6606

127.0.0.1:7707

127.0.0.1:8808

https://api.telegram.org/bot6889241853:AAHAa8eUBd5h6tWRG0OvgDx7o1_LKQJi-y8/sendMessage?chat_id=6367688286

Mutex

AsyncMutex_6SI8OkPnk

Attributes

  • delay

    3

  • install

    false

  • install_folder

    %AppData%

aes.plain

Targets

    • Target

      RFQ195246.pdf.exe
    • AsyncRat

      AsyncRAT is a remote access trojan written in C#, designed to remotely monitor and control other computers.

    • StormKitty

      StormKitty is an open source info stealer written in C#.

    • StormKitty payload

    • Async RAT payload

    • Checks computer location settings

      Looks up the country code configured in the registry, likely for geofencing.

    • Executes dropped EXE

    • Adds Run key to start application

    • Drops desktop.ini file(s)

    • Looks up external IP address via web service

      Uses a legitimate IP lookup service to find the infected system's external IP.

    • Looks up geolocation information via web service

      Uses a legitimate geolocation service to find the infected system's geolocation info.

    • Suspicious use of SetThreadContext

MITRE ATT&CK Enterprise v15

Tasks