General

  • Target

    3e88cfe80b9c0728b661db70fce716164b28912b164eabac9096a7909ce9f87a

  • Size

    331KB

  • Sample

    240309-1rzvdabf72

  • MD5

    8c5b2de164ca25318c6ea6c106af469e

  • SHA1

    f6bd4a891d3a2f7b794193323db6e8d326d31a6f

  • SHA256

    3e88cfe80b9c0728b661db70fce716164b28912b164eabac9096a7909ce9f87a

  • SHA512

    fc32e6c6898bea06c668a7c32322633eee9faa47aa3397f4bc4ee770a375604d3d52b15814b17585f75792486646034f5445f1bd017ff3ef71719e271dc50333

  • SSDEEP

    6144:ia5UVRyFtw03PMNyLOfH6I8MLY5WWYX+wbQyEBGZFgA39n1HbvytF/G:h5I0FtwQPNOfH6D5WWe+w0yE4YA39Qb+

Malware Config

Extracted

Family

asyncrat

Botnet

Default

C2

127.0.0.1:6606

127.0.0.1:7707

127.0.0.1:8808

https://api.telegram.org/bot6110313252:AAE6fFOzBefHnbenT-1DwxI9EBeZQTxbYGk/sendMessage?chat_id=6291749148

Mutex

AsyncMutex_6SI8OkPnk

Attributes
  • delay

    3

  • install

    false

  • install_folder

    %AppData%

aes.plain

Targets

    • AsyncRat

      AsyncRAT is a remote access tool written in C#, designed to remotely monitor and control other computers.

    • StormKitty

      StormKitty is an open source info stealer written in C#.

    • StormKitty payload

    • Detects binaries and memory artifacts referencing sandbox DLLs typically observed in sandbox evasion

    • Detects executables containing URLs to raw contents of a Github gist

    • Detects executables referencing Discord token regular expressions

    • Detects executables referencing Windows vault credential objects. Observed in infostealers

    • Detects executables referencing credit card regular expressions

    • Detects executables referencing many VPN software clients. Observed in infostealers

    • Detects executables referencing many confidential data stores found in browsers, mail clients, cryptocurrency wallets, etc. Observed in information stealers

    • Detects executables using Telegram Chat Bot

    • Detects executables that query wireless interfaces using netsh

    • Detects files containing reversed ASEP Autorun registry keys

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Drops startup file

    • Executes dropped EXE

    • Loads dropped DLL

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials etc.

    • Adds Run key to start application

    • Drops desktop.ini file(s)

    • Looks up external IP address via web service

      Uses a legitimate IP lookup service to find the infected system's external IP.

    • Looks up geolocation information via web service

      Uses a legitimate geolocation service to find the infected system's geolocation info.

    • Suspicious use of SetThreadContext

MITRE ATT&CK Enterprise v15

Tasks