General

  • Target

    DiscordDEV.exe

  • Size

    64KB

  • Sample

    240404-z7adzsaf6v

  • MD5

    90973346b6819d640dc9301288e156b1

  • SHA1

    49f02abe11fe5cafe492c0b6ed30b04714b538a0

  • SHA256

    a3bb72f860b25f8e709a88172d0bc50c41831080c3ae603d522a16867a1beb63

  • SHA512

    d7b23fe2b40269d06811f243b3d25d1f0c6a03d321b2bac84968ed6bdd7bda4de24c452c50d4a8cd44017faae436159693d015d278103ac26184fb7e001dbd48

  • SSDEEP

    1536:ZQj1EfBnKfoELH1xb720FUbYh9Gd1FuNEpqKmY7:ZK2uzFUbY4MPz

Malware Config

Extracted

Family

asyncrat

Botnet

Default

C2

127.0.0.1:8989

127.0.0.1:11692

0.tcp.eu.ngrok.io:8989

0.tcp.eu.ngrok.io:11692

Mutex

TsOΔXשrQΑ迪ΘΖתd9VTvM迪

Attributes
  • delay

    3

  • install

    true

  • install_file

    ProgramDataInstaller.exe

  • install_folder

    %Temp%

aes.plain
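The "aes.plain" field is the plaintext master key the sandbox recovered; AsyncRAT protects every setting in its embedded config with keys derived from that string. The following Go example is added here and is not from the report or from the AsyncRAT project itself. It reimplements the scheme as published in AsyncRAT's open source, which is an assumption about this sample: a fixed 32-byte salt, PBKDF2-SHA1 with 50000 iterations producing a 32-byte AES-256 key followed by a 64-byte HMAC-SHA256 key, and a blob layout of HMAC | IV | CBC ciphertext with PKCS#7 padding. The master key and setting string in the code are constructed placeholders because the report does not print the key value; the encrypt routine exists only so the example can build a test blob offline.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"crypto/hmac"
	"crypto/rand"
	"crypto/sha1"
	"crypto/sha256"
	"encoding/binary"
	"errors"
	"fmt"
	"hash"
)

// Fixed salt from the public AsyncRAT source (assumption; the report does not print it).
var asyncRatSalt = []byte{
	0xBF, 0xEB, 0x1E, 0x56, 0xFB, 0xCD, 0x97, 0x3B, 0xB2, 0x19, 0x02, 0x24, 0x30, 0xA5, 0x78, 0x43,
	0x00, 0x3D, 0x56, 0x44, 0xD2, 0x1E, 0x62, 0xB9, 0xD4, 0xF1, 0x80, 0xE7, 0xE6, 0xC3, 0x39, 0x41,
}

// PBKDF2 rounds, AES-256 key length, HMAC key length, HMAC tag length, IV length.
const iterations, aesKeyLen, authKeyLen, hmacLen, ivLen = 50000, 32, 64, 32, 16

// pbkdf2 is RFC 8018 PBKDF2 over HMAC-h, written out so only the standard library is needed.
func pbkdf2(password, salt []byte, iter, keyLen int, h func() hash.Hash) []byte {
	prf := hmac.New(h, password)
	var out []byte
	var ctr [4]byte
	for i := 1; len(out) < keyLen; i++ {
		binary.BigEndian.PutUint32(ctr[:], uint32(i))
		prf.Reset()
		prf.Write(salt)
		prf.Write(ctr[:])
		u := prf.Sum(nil)
		t := append([]byte(nil), u...)
		for j := 1; j < iter; j++ {
			prf.Reset()
			prf.Write(u)
			u = prf.Sum(nil)
			for k := range t {
				t[k] ^= u[k]
			}
		}
		out = append(out, t...)
	}
	return out[:keyLen]
}

// deriveKeys mirrors AsyncRAT's Aes256 constructor: one PBKDF2-SHA1 stream, 32 bytes AES, then 64 bytes HMAC.
func deriveKeys(master string) (aesKey, authKey []byte) {
	stream := pbkdf2([]byte(master), asyncRatSalt, iterations, aesKeyLen+authKeyLen, sha1.New)
	return stream[:aesKeyLen], stream[aesKeyLen:]
}

// decryptSetting verifies HMAC-SHA256 over IV|ciphertext, then AES-256-CBC decrypts and unpads.
func decryptSetting(master string, blob []byte) ([]byte, error) {
	if len(blob) < hmacLen+ivLen+aes.BlockSize || (len(blob)-hmacLen-ivLen)%aes.BlockSize != 0 {
		return nil, errors.New("blob too short or not block aligned")
	}
	aesKey, authKey := deriveKeys(master)
	mac := hmac.New(sha256.New, authKey)
	mac.Write(blob[hmacLen:])
	if !hmac.Equal(mac.Sum(nil), blob[:hmacLen]) {
		return nil, errors.New("HMAC mismatch: wrong master key or tampered blob")
	}
	block, _ := aes.NewCipher(aesKey) // 32-byte key, cannot fail
	ct := blob[hmacLen+ivLen:]
	pt := make([]byte, len(ct))
	cipher.NewCBCDecrypter(block, blob[hmacLen:hmacLen+ivLen]).CryptBlocks(pt, ct)
	pad := int(pt[len(pt)-1])
	if pad == 0 || pad > aes.BlockSize || !bytes.Equal(pt[len(pt)-pad:], bytes.Repeat([]byte{byte(pad)}, pad)) {
		return nil, errors.New("bad PKCS#7 padding")
	}
	return pt[:len(pt)-pad], nil
}

// encryptSetting is the inverse, present only to build a test blob offline (the report has none).
func encryptSetting(master string, plain []byte) ([]byte, error) {
	aesKey, authKey := deriveKeys(master)
	block, _ := aes.NewCipher(aesKey) // 32-byte key, cannot fail
	iv := make([]byte, ivLen)
	if _, err := rand.Read(iv); err != nil {
		return nil, err
	}
	pad := aes.BlockSize - len(plain)%aes.BlockSize
	padded := append(append([]byte(nil), plain...), bytes.Repeat([]byte{byte(pad)}, pad)...)
	ct := make([]byte, len(padded))
	cipher.NewCBCEncrypter(block, iv).CryptBlocks(ct, padded)
	body := append(iv, ct...)
	mac := hmac.New(sha256.New, authKey)
	mac.Write(body)
	return append(mac.Sum(nil), body...), nil
}

func main() {
	// Constructed placeholder key and setting; the report omits the real key value.
	blob, _ := encryptSetting("placeholder-master-key", []byte("0.tcp.eu.ngrok.io,127.0.0.1"))
	pt, err := decryptSetting("placeholder-master-key", blob)
	fmt.Println(string(pt), err)
}
```

When reproducing a sandbox's config extraction by hand, the HMAC check is what tells you the recovered "aes.plain" value is right: a wrong key fails the tag rather than producing garbage plaintext, so a decryptor that skips the tag check (as many quick extractors do) gives no such signal.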

Targets

    • Target

      DiscordDEV.exe

    • AsyncRat

      AsyncRAT is a remote access trojan written in C#, designed to remotely monitor and control other computers.

    • Stealerium

      Stealerium is an open source info stealer written in C#, first seen in May 2022.

    • StormKitty

      StormKitty is an open source info stealer written in C#.

    • StormKitty payload

    • Async RAT payload

    • Renames multiple (3106) files with added filename extension

      Renaming this many files with an extra extension appended is the pattern ransomware leaves when it encrypts files across the system.

    • Checks computer location settings

      Looks up the country code configured in the registry, likely as a geofence check before the payload runs.

    • Executes dropped EXE

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials, cookies and autofill data.

    • Accesses Microsoft Outlook profiles

    • Legitimate hosting services abused for malware hosting/C2

    • Looks up external IP address via web service

      Uses a legitimate IP lookup service to find the infected system's external IP.

    • Looks up geolocation information via web service

      Uses a legitimate geolocation service to find the infected system's geolocation info.

    • Sets desktop wallpaper using registry
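The extracted config and the signatures above are enough to write a hunt rule for this sample's behaviour on an endpoint. The following Go example is added here and is not part of the sandbox report. It runs three checks over constructed telemetry records: the dropped installer executing from %Temp%, a connection to one of the extracted ngrok C2 endpoints (or any ngrok tunnel), and a burst of renames that append an extension, which is the ransomware pattern the report flagged. The event field names, the rename threshold and the ".locked" extension are this example's assumptions; the loopback C2 entries (127.0.0.1) are left out because loopback connections are not useful network indicators.

```go
package main

import (
	"fmt"
	"strings"
)

// Event is a constructed endpoint telemetry record, in the spirit of Sysmon
// process-create, network-connect and file-rename data. Field names are this
// example's own, not the sandbox report's.
type Event struct {
	Kind    string // "process", "network" or "rename"
	Image   string // full path of the acting process
	Dest    string // network: "host:port"
	OldPath string // rename: path before
	NewPath string // rename: path after
}

// Finding is one rule hit.
type Finding struct {
	Rule   string
	Detail string
}

// Indicators taken from the report's extracted config.
var c2Endpoints = map[string]bool{
	"0.tcp.eu.ngrok.io:8989":  true,
	"0.tcp.eu.ngrok.io:11692": true,
}

const installFile = "programdatainstaller.exe" // install_file, lower-cased for matching

// renameThreshold is an assumption for this example; the sandbox observed 3106
// renames, and a production rule would be tuned against the environment's baseline.
const renameThreshold = 50

func normPath(p string) string {
	return strings.ToLower(strings.ReplaceAll(p, `\`, "/"))
}

func baseName(p string) string {
	p = normPath(p)
	if i := strings.LastIndex(p, "/"); i >= 0 {
		return p[i+1:]
	}
	return p
}

// extensionAdded reports whether newPath is oldPath with one more ".xxx"
// appended, the pattern behind "Renames multiple files with added filename extension".
func extensionAdded(oldPath, newPath string) bool {
	o, n := normPath(oldPath), normPath(newPath)
	return len(n) > len(o)+1 && strings.HasPrefix(n, o+".") && !strings.Contains(n[len(o)+1:], "/")
}

// Detect runs the three checks over a batch of events and returns hits in
// input order; the mass-rename finding is emitted once per process.
func Detect(events []Event) []Finding {
	var out []Finding
	renames := map[string]int{}
	reported := map[string]bool{}
	for _, e := range events {
		switch e.Kind {
		case "process":
			img := normPath(e.Image)
			if baseName(img) == installFile && strings.Contains(img, "/temp/") {
				out = append(out, Finding{"asyncrat_install_exe", e.Image})
			}
		case "network":
			host, port, ok := strings.Cut(strings.ToLower(e.Dest), ":")
			if !ok {
				continue
			}
			switch {
			case c2Endpoints[host+":"+port]:
				out = append(out, Finding{"asyncrat_c2_endpoint", e.Image + " -> " + e.Dest})
			case strings.HasSuffix(host, ".ngrok.io"):
				// Broader catch: any ngrok tunnel egress, matching the report's
				// "Legitimate hosting services abused for malware hosting/C2".
				out = append(out, Finding{"ngrok_tunnel_egress", e.Image + " -> " + e.Dest})
			}
		case "rename":
			if extensionAdded(e.OldPath, e.NewPath) {
				renames[e.Image]++
				if renames[e.Image] >= renameThreshold && !reported[e.Image] {
					reported[e.Image] = true
					out = append(out, Finding{"mass_rename_added_extension", fmt.Sprintf("%s: %d files", e.Image, renames[e.Image])})
				}
			}
		}
	}
	return out
}

// sampleEvents is a constructed batch mimicking the report: the dropped
// installer runs from %Temp%, reaches the ngrok C2, then renames user files.
func sampleEvents() []Event {
	img := `C:\Users\victim\AppData\Local\Temp\ProgramDataInstaller.exe`
	ev := []Event{
		{Kind: "process", Image: img},
		{Kind: "network", Image: img, Dest: "0.tcp.eu.ngrok.io:8989"},
		{Kind: "network", Image: `C:\Windows\System32\svchost.exe`, Dest: "23.54.1.2:443"},
	}
	for i := 0; i < renameThreshold; i++ {
		old := fmt.Sprintf(`C:\Users\victim\Documents\file%d.docx`, i)
		ev = append(ev, Event{Kind: "rename", Image: img, OldPath: old, NewPath: old + ".locked"})
	}
	return ev
}

func main() {
	for _, f := range Detect(sampleEvents()) {
		fmt.Printf("%-28s %s\n", f.Rule, f.Detail)
	}
}
```

The exact-endpoint match is the high-confidence rule; the generic ngrok suffix check trades precision for coverage, since the operator can rotate the tunnel hostname and port without rebuilding the payload, so treat it as a hunting lead rather than an alert on its own.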

MITRE ATT&CK Matrix (ATT&CK v13)

  Tactic                Technique                      Count  ID
  Execution             Scheduled Task/Job             1      T1053
  Persistence           Scheduled Task/Job             1      T1053
  Privilege Escalation  Scheduled Task/Job             1      T1053
  Defense Evasion       Modify Registry                2      T1112
  Defense Evasion       Subvert Trust Controls         1      T1553
  Defense Evasion         Install Root Certificate     1      T1553.004
  Credential Access     Unsecured Credentials          1      T1552
  Credential Access       Credentials In Files         1      T1552.001
  Discovery             Query Registry                 3      T1012
  Discovery             System Information Discovery   3      T1082
  Collection            Data from Local System         1      T1005
  Collection            Email Collection               1      T1114
  Command and Control   Web Service                    1      T1102
  Impact                Defacement                     1      T1491

  Count is the number of matched signatures mapped to each technique; indented rows are sub-techniques of the row above.
