Resubmissions

  • 08-04-2024 10:32    240408-mkyf3sac8s    10

  • 02-04-2024 18:48    240402-xf825aac29    10

  • 02-04-2024 18:47    240402-xfpngsac4s    10

General

  • Target

    avast_driver__online_setup.zip

  • Size

    109KB

  • Sample

    240402-xf825aac29

  • MD5

    9e6635e0ef6a723bd9e84d5fe6eceadd

  • SHA1

    f90f74890e6c0b5a6d256aae2bfe3857b70fe25b

  • SHA256

    f0fac8d0bb31f5fe76a44824608d8f36d8100d913662c68a8cc23b5ab756479c

  • SHA512

    5227263d30f0816bef5d345b60b7565522462b0308a4ae9f638ef9afda8d616c69eda803fc080f67c5f33517fe66d514fd906d07a967563e777e782a7f9562d7

  • SSDEEP

    1536:QNcVfRMMKvZGf1LVFPcxh7eCNt2IYNhvt4MASR/UlCLGDFbMBpeA5CPJCRsN7WSG:TVJMMpf1LXyb1chvVUlCZE9JhsEY

Malware Config

Extracted

  • Family

    asyncrat

  • Botnet

    Default

  • C2

    127.0.0.1:6606
    127.0.0.1:7707
    127.0.0.1:8808
    https://api.telegram.org/bot5601974118:AAFQl5HdRhbpZqqPLsKRP0nm_iqbQL_jNto/sendMessage?chat_id=5561212498

  • Mutex

    AsyncMutex_6SI8OkPnk

  • Attributes

    • delay

      3

    • install

      false

    • install_folder

      %AppData%

  • aes.plain

Targets

    • Target

      avast_driver__online_setup.exe

    • Size

      226KB

    • MD5

      f1c8e4207855739d5618d59d5ac23475

    • SHA1

      a26bfd1579495a2b43d98cb791050c2bcbd25e1e

    • SHA256

      b8adc7a9b9b3ff656b2c7a62aac0b9e31d9f7951e9adf6faafa6ac75fa56bb56

    • SHA512

      a00b4c87c96d26d330dcd85efa70b655b768b10c7f3b8e0beb1641b92d212f21644e14bf48c57d3248545022242150e08cdb4d352ba769d91a9ac25c520ae895

    • SSDEEP

      3072:d+STW8djpN6izj8mZwdFFMhRNmm9FpAgOUbBJUxzYD27xtgzOJSTEj6XTWFIwR6f:i8XN6W8mmdFFMMApYUbR2DU2Ca4TWN

    • AsyncRat

      AsyncRAT is a remote access tool written in C# that is designed to remotely monitor and control other computers.

    • StormKitty

      StormKitty is an open source info stealer written in C#.

    • StormKitty payload

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials, cookies and other sensitive information.

    • Drops desktop.ini file(s)

    • Looks up external IP address via web service

      Uses a legitimate IP lookup service to find the infected system's external IP.

    • Looks up geolocation information via web service

      Uses a legitimate geolocation service to find the infected system's geolocation info.

MITRE ATT&CK Enterprise v15

Tasks