General

  • Target

    stealer.bat

  • Size

    175KB

  • Sample

    240402-n4ct6ahb5w

  • MD5

    596f992b0cb14af2415960d1997ca067

  • SHA1

    826a1cde76df3d2d60d20afdd2a1d4c240ec952d

  • SHA256

    4bf2c1b7a1126a9d4d763825d83b74bda139d0966f6846588638b33416a52e40

  • SHA512

    4fbd1ab7b1fd6db9687862f2bc14060ccabc3758957b41522931d98180924d3d5eea4015e2d8c120f13e5effa48f466b01af18ffd14c3eafcbe5ac8ac217a6ee

  • SSDEEP

    3072:re8oX8Sb5KcXrtkkXmf/bDsvqtU+lLToChAP0UZ0b2gTvwAqE+Wpor:WXtb5KcXr7XmfgqtjhAxZ0b2k

Malware Config

Extracted

Family

asyncrat

Botnet

Default

C2

127.0.0.1:6606

127.0.0.1:7707

127.0.0.1:8808

Mutex

AsyncMutex_6SI8OkPnk

Attributes
  • delay

    3

  • install

    false

  • install_folder

    %AppData%

aes.plain
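
Every value in the extracted configuration above matches the unmodified defaults of the public AsyncRAT client source (Client/Settings.cs): hosts 127.0.0.1, ports 6606/7707/8808, mutex AsyncMutex_6SI8OkPnk, group "Default", delay 3, install false, install folder %AppData%. Loopback C2 addresses cannot be reached from an infected host, so this config carries no real infrastructure and there is nothing here to put on a network blocklist. The following Python script is an added example, not part of the sandbox report or of the AsyncRAT project: it takes the config as extracted and checks it against those stock values, separating routable C2 endpoints from unusable ones. The reference defaults are taken from memory of the public source and are an assumption for this specific build.

```python
import ipaddress

# Stock values from the public AsyncRAT client source (Client/Settings.cs). They are
# reference constants for comparison and are not stated anywhere in the sandbox report.
ASYNCRAT_DEFAULTS = {
    "hosts": {"127.0.0.1"},
    "ports": {6606, 7707, 8808},
    "mutex": "AsyncMutex_6SI8OkPnk",
    "group": "Default",
    "delay": 3,
    "install": False,
    "install_folder": "%AppData%",
}

# The configuration exactly as the report extracted it from stealer.bat.
EXTRACTED = {
    "family": "asyncrat",
    "botnet": "Default",
    "c2": ["127.0.0.1:6606", "127.0.0.1:7707", "127.0.0.1:8808"],
    "mutex": "AsyncMutex_6SI8OkPnk",
    "delay": 3,
    "install": False,
    "install_folder": "%AppData%",
}


def parse_c2(entry):
    """Split 'host:port' into (host, port); rpartition tolerates bracketed IPv6 literals."""
    host, _, port = entry.rpartition(":")
    return host.strip("[]"), int(port)


def classify_host(host):
    """Return 'loopback', 'private' or 'public' for IP literals, 'domain' for names."""
    try:
        ip = ipaddress.ip_address(host)
    except ValueError:
        return "domain"
    if ip.is_loopback:
        return "loopback"
    if ip.is_private:
        return "private"
    return "public"


def assess(cfg):
    endpoints = [parse_c2(e) for e in cfg["c2"]]
    hosts = {h for h, _ in endpoints}
    ports = {p for _, p in endpoints}
    findings = []

    # Only endpoints an infected host could actually reach are worth blocking or hunting.
    routable = [f"{h}:{p}" for h, p in endpoints if classify_host(h) in ("public", "domain")]
    if not routable:
        findings.append("no routable C2 endpoint: every address is loopback or private")

    d = ASYNCRAT_DEFAULTS
    stock_checks = {
        "hosts": hosts == d["hosts"],
        "ports": ports == d["ports"],
        "mutex": cfg["mutex"] == d["mutex"],
        "group": cfg["botnet"] == d["group"],
        "delay": cfg["delay"] == d["delay"],
        "install": cfg["install"] == d["install"],
        "install_folder": cfg["install_folder"] == d["install_folder"],
    }
    stock_build = all(stock_checks.values())
    if stock_build:
        findings.append("every field equals the AsyncRAT stock default: unconfigured or test build")
    elif stock_checks["mutex"]:
        findings.append("default mutex retained: usable as a host IOC but shared by many builds")

    if not cfg["install"]:
        findings.append("install=false: no persistence; install_folder is not used")

    return {
        "routable_c2": routable,
        "stock_build": stock_build,
        "stock_fields": sorted(k for k, v in stock_checks.items() if v),
        "findings": findings,
    }


if __name__ == "__main__":
    for line in assess(EXTRACTED)["findings"]:
        print(line)
```

Run against this sample, routable_c2 comes back empty and stock_build is true, so the useful indicators are the file hashes above and the default mutex on the host, not the C2 list. The same function applied to a config with a public host or domain returns that endpoint in routable_c2 and reports only the fields that still match the defaults.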

Targets

    • Target

      stealer.bat

    • Size

      175KB

    • MD5

      596f992b0cb14af2415960d1997ca067

    • SHA1

      826a1cde76df3d2d60d20afdd2a1d4c240ec952d

    • SHA256

      4bf2c1b7a1126a9d4d763825d83b74bda139d0966f6846588638b33416a52e40

    • SHA512

      4fbd1ab7b1fd6db9687862f2bc14060ccabc3758957b41522931d98180924d3d5eea4015e2d8c120f13e5effa48f466b01af18ffd14c3eafcbe5ac8ac217a6ee

    • SSDEEP

      3072:re8oX8Sb5KcXrtkkXmf/bDsvqtU+lLToChAP0UZ0b2gTvwAqE+Wpor:WXtb5KcXr7XmfgqtjhAxZ0b2k

    • AsyncRat

      AsyncRAT is a remote access trojan written in C#, designed to remotely monitor and control other computers.

    • StormKitty

      StormKitty is an open source info stealer written in C#.

    • StormKitty payload

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials, cookies and form autofill entries.

    • Drops desktop.ini file(s)

    • Looks up external IP address via web service

      Uses a legitimate IP lookup service to find the infected system's external IP.

    • Looks up geolocation information via web service

      Uses a legitimate geolocation service to find the infected system's geolocation info.
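
The behaviour signatures above are individually weak: browsers read their own profile files, and administrators query IP lookup services from the command line. The combination is what characterises a stealer. The following Python script is an added example, not part of the sandbox report: it correlates per-process telemetry and flags a non-browser process that both reads a browser credential store and fingerprints the host via an IP or geolocation lookup. The events are constructed to mirror the listed behaviours, and the lookup-service host lists are assumptions, since the report does not say which services the sample contacted.

```python
import re
from collections import defaultdict

# The report does not name the lookup services the sample contacted, so these host
# lists are assumptions chosen from common public services, not taken from the page.
IP_LOOKUP_HOSTS = {"api.ipify.org", "icanhazip.com", "checkip.amazonaws.com", "ifconfig.me"}
GEO_LOOKUP_HOSTS = {"ip-api.com", "ipinfo.io", "ipapi.co", "freegeoip.app"}

# Files inside browser profiles that hold saved credentials, cookies or autofill data.
BROWSER_DATA = re.compile(
    r"\\(Google\\Chrome|Microsoft\\Edge|BraveSoftware\\Brave-Browser)\\User Data\\[^\\]+\\"
    r"(Login Data|Cookies|Web Data)$"
    r"|\\Mozilla\\Firefox\\Profiles\\[^\\]+\\(logins\.json|key4\.db|cookies\.sqlite)$",
    re.IGNORECASE,
)
BROWSER_PROCESSES = {"chrome.exe", "msedge.exe", "brave.exe", "firefox.exe"}

# Constructed host telemetry modelled on the behaviours the report lists (not real logs).
# pid 4120 mimics the sample; 7700 is a browser touching its own profile; 2204 is an
# admin checking the egress IP with curl, which must not be flagged on its own.
EVENTS = [
    {"pid": 4120, "image": "powershell.exe", "type": "file_read",
     "target": r"C:\Users\victim\AppData\Local\Google\Chrome\User Data\Default\Login Data"},
    {"pid": 4120, "image": "powershell.exe", "type": "file_read",
     "target": r"C:\Users\victim\AppData\Roaming\Mozilla\Firefox\Profiles\k3x9.default-release\logins.json"},
    {"pid": 4120, "image": "powershell.exe", "type": "dns", "target": "api.ipify.org"},
    {"pid": 4120, "image": "powershell.exe", "type": "dns", "target": "ip-api.com"},
    {"pid": 4120, "image": "powershell.exe", "type": "file_create",
     "target": r"C:\Users\victim\AppData\Local\Temp\desktop.ini"},
    {"pid": 7700, "image": "chrome.exe", "type": "file_read",
     "target": r"C:\Users\victim\AppData\Local\Google\Chrome\User Data\Default\Login Data"},
    {"pid": 7700, "image": "chrome.exe", "type": "dns", "target": "www.google.com"},
    {"pid": 2204, "image": "curl.exe", "type": "dns", "target": "ifconfig.me"},
]


def tag_event(ev):
    """Map one event to a behaviour tag from the report's signature list, or None."""
    kind, target, image = ev["type"], ev["target"], ev["image"].lower()
    if kind == "file_read" and BROWSER_DATA.search(target) and image not in BROWSER_PROCESSES:
        return "browser_credential_store_read"
    if kind == "dns" and target.lower() in IP_LOOKUP_HOSTS:
        return "external_ip_lookup"
    if kind == "dns" and target.lower() in GEO_LOOKUP_HOSTS:
        return "geolocation_lookup"
    if kind == "file_create" and target.lower().endswith("\\desktop.ini"):
        return "desktop_ini_drop"  # weak signal on its own; recorded but not scored
    return None


def correlate(events):
    """Group tags per process and apply the stealer rule: a non-browser process reading a
    credential store AND fingerprinting the host via an IP or geolocation lookup.
    Either behaviour alone is too common to alert on."""
    procs = defaultdict(lambda: {"image": None, "hits": set()})
    for ev in events:
        rec = procs[ev["pid"]]
        rec["image"] = ev["image"]
        tag = tag_event(ev)
        if tag:
            rec["hits"].add(tag)
    result = {}
    for pid, rec in procs.items():
        hits = rec["hits"]
        fingerprint = hits & {"external_ip_lookup", "geolocation_lookup"}
        stealer = "browser_credential_store_read" in hits and bool(fingerprint)
        result[pid] = {
            "image": rec["image"],
            "hits": sorted(hits),
            "verdict": "stealer-like" if stealer else "none",
        }
    return result


if __name__ == "__main__":
    for pid, rec in correlate(EVENTS).items():
        print(pid, rec["image"], rec["verdict"], rec["hits"])
```

In this constructed data only pid 4120 is flagged; the browser reading its own Login Data and the curl.exe egress check each produce at most one tag and no verdict. The desktop.ini drop is kept in the hit list for the analyst but does not contribute to the verdict, matching its weight in the report.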

MITRE ATT&CK Enterprise v15

Tasks