General

  • Target

    c6f6a21328d5e291f331c4283fb3d4ed13499a1de87f773734c09ba0ccbd72be

  • Size

    980KB

  • Sample

    240313-1xt63sad3s

  • MD5

    f5314596dce7444d09432a391bf7f669

  • SHA1

    b1186e0501078a510ad0a4af1bbefc2f7f9dee5c

  • SHA256

    c6f6a21328d5e291f331c4283fb3d4ed13499a1de87f773734c09ba0ccbd72be

  • SHA512

    0b45253fcaafbd9b5d4d10e8f7a313a46ea99cff8b9455e884db5f378e41578faab769beaddfb8fee81d72c46131cb7e967fe5e421053902ba190dff800e97f8

  • SSDEEP

    24576:3TbBv5rUEFP5eAsXpp3q1BGa6mXcqIAXiAZfzI6u:RBfP5vCAKLAXiAZs

Malware Config

Extracted

Family

asyncrat

Botnet

Default

C2

127.0.0.1:6606

127.0.0.1:7707

127.0.0.1:8808

https://api.telegram.org/bot6889241853:AAHAa8eUBd5h6tWRG0OvgDx7o1_LKQJi-y8/sendMessage?chat_id=6367688286

Mutex

AsyncMutex_6SI8OkPnk

Attributes
  • delay

    3

  • install

    false

  • install_folder

    %AppData%

aes.plain
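The C2 list above mixes two very different things: three loopback endpoints on 6606, 7707 and 8808, which are the host and port values AsyncRAT's builder ships with in Settings.cs and so mean the RAT channel was never configured, and a Telegram Bot API URL that StormKitty uses to exfiltrate. Responders need the bot ID and chat_id from that URL, not the loopback ports. The script below is an added example (not from the sandbox or from either malware family) that classifies each entry; the input list is the four C2 values copied from this report, and the "builder default" rule is an assumption based on AsyncRAT's public default settings.

```python
"""Classify the C2 entries from an AsyncRAT/StormKitty config extraction."""
import re
from urllib.parse import parse_qs, urlparse

# Constructed input: the four C2 values from the Malware Config block of this report.
EXTRACTED_C2 = [
    "127.0.0.1:6606",
    "127.0.0.1:7707",
    "127.0.0.1:8808",
    "https://api.telegram.org/bot6889241853:AAHAa8eUBd5h6tWRG0OvgDx7o1_LKQJi-y8"
    "/sendMessage?chat_id=6367688286",
]

# Assumption: AsyncRAT's Settings.cs defaults are Hosts = "127.0.0.1" and
# Ports = "6606,7707,8808"; a build still carrying them never had its RAT channel set.
ASYNCRAT_DEFAULT_HOST = "127.0.0.1"
ASYNCRAT_DEFAULT_PORTS = {6606, 7707, 8808}

# Telegram Bot API URL shape: https://api.telegram.org/bot<bot_id>:<secret>/<method>
TELEGRAM_BOT_RE = re.compile(
    r"^https://api\.telegram\.org/bot(?P<bot_id>\d+):(?P<secret>[A-Za-z0-9_-]+)/(?P<method>\w+)"
)
HOST_PORT_RE = re.compile(r"^(?P<host>[^:/\s]+):(?P<port>\d{1,5})$")


def classify_c2(entry: str) -> dict:
    """Describe one C2 entry and whether a responder can act on it."""
    m = TELEGRAM_BOT_RE.match(entry)
    if m:
        chat_id = parse_qs(urlparse(entry).query).get("chat_id", [None])[0]
        secret = m.group("secret")
        return {
            "kind": "telegram_bot_exfil",
            "bot_id": m.group("bot_id"),
            # Keep only a prefix of the secret so a ticket does not re-leak a live token.
            "token_preview": secret[:4] + "...",
            "method": m.group("method"),
            "chat_id": chat_id,
            "actionable": True,
        }
    m = HOST_PORT_RE.match(entry)
    if m:
        host, port = m.group("host"), int(m.group("port"))
        is_loopback = host == "localhost" or host.startswith("127.")
        is_default = host == ASYNCRAT_DEFAULT_HOST and port in ASYNCRAT_DEFAULT_PORTS
        return {
            "kind": "asyncrat_builder_default" if is_default else "tcp_c2",
            "host": host,
            "port": port,
            # A loopback address never leaves the victim; there is nothing to block or hunt.
            "actionable": not is_loopback,
        }
    return {"kind": "unknown", "raw": entry, "actionable": True}


def summarize(entries: list) -> dict:
    """Split a config's C2 list into what to act on and what is builder noise."""
    results = [classify_c2(e) for e in entries]
    return {
        "builder_defaults": sum(r["kind"] == "asyncrat_builder_default" for r in results),
        "actionable": [r for r in results if r["actionable"]],
        # Alert on (do not blanket-block) api.telegram.org: the bot path is the IOC.
        "hunt_domains": sorted(
            {"api.telegram.org" for r in results if r["kind"] == "telegram_bot_exfil"}
        ),
    }


if __name__ == "__main__":
    import json
    print(json.dumps(summarize(EXTRACTED_C2), indent=2))
```

The bot ID and chat_id are what you report to Telegram and search for in proxy logs (`api.telegram.org/bot6889241853:` in the URL path); blocking api.telegram.org outright is rarely acceptable, so the output keeps it as a hunt domain rather than a block entry.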

Targets

    • Target

      c6f6a21328d5e291f331c4283fb3d4ed13499a1de87f773734c09ba0ccbd72be

    • Size

      980KB

    • MD5

      f5314596dce7444d09432a391bf7f669

    • SHA1

      b1186e0501078a510ad0a4af1bbefc2f7f9dee5c

    • SHA256

      c6f6a21328d5e291f331c4283fb3d4ed13499a1de87f773734c09ba0ccbd72be

    • SHA512

      0b45253fcaafbd9b5d4d10e8f7a313a46ea99cff8b9455e884db5f378e41578faab769beaddfb8fee81d72c46131cb7e967fe5e421053902ba190dff800e97f8

    • SSDEEP

      24576:3TbBv5rUEFP5eAsXpp3q1BGa6mXcqIAXiAZfzI6u:RBfP5vCAKLAXiAZs

    • AsyncRat

      AsyncRAT is a remote access trojan written in C#, designed to remotely monitor and control other computers.

    • StormKitty

      StormKitty is an open source info stealer written in C#.

    • StormKitty payload

    • Checks computer location settings

      Looks up the country code configured in the registry, likely for geofencing.

    • Executes dropped EXE

    • Loads dropped DLL

    • Drops desktop.ini file(s)

    • Looks up external IP address via web service

      Uses a legitimate IP lookup service to find the infected system's external IP.

    • Looks up geolocation information via web service

      Uses a legitimate geolocation service to find the infected system's geolocation info.

    • Suspicious use of SetThreadContext

MITRE ATT&CK Enterprise v15

Tasks