General

  • Target

    e82db9bfa7569c986611bf179918367f45b1bded86aba57c0d7f13be22d4b3f1

  • Size

    519KB

  • Sample

    240417-rh311acg5t

  • MD5

    162751834ef69aa5579fa06f1683923a

  • SHA1

    4349c9cbda3b83d7a4ca55437993beeb9fbcb3f0

  • SHA256

    e82db9bfa7569c986611bf179918367f45b1bded86aba57c0d7f13be22d4b3f1

  • SHA512

    128420fe8e380c9bf3091500fe42357a69dd9d905ac32376d17d7d2e73ff18ec03c3590ed18752c0faa741f7b71c8b72e6717c28cb02542adf9bd6c8f56d34bf

  • SSDEEP

    12288:IeWaAuFxF5debY1Hsyr6rdHFHWZoswwSed1pBzAjPT4yp5nCk2:xP3F5des1HspHFmosZSiw/p592

Malware Config

Extracted

Family

asyncrat

Botnet

Default

C2

127.0.0.1:6606

127.0.0.1:7707

127.0.0.1:8808

https://api.telegram.org/bot6385771902:AAFzEpqHXketXwfW52woBHFnqZy6kfI91A0/sendMessage?chat_id=6517488336

Mutex

AsyncMutex_6SI8OkPnk

Attributes

  • delay

    3

  • install

    false

  • install_folder

    %AppData%

aes.plain

Targets

    • Target

      0942114dc0e73052e114c375a09aa0c5dff4e0a5a2af8da7b5672bc95d082065.exe

    • Size

      599KB

    • MD5

      9a6d7cf04078015c9a7f8c69deb4d9e8

    • SHA1

      82f96bf497e9ce6b0dc2f9284ba014d238b74f7a

    • SHA256

      0942114dc0e73052e114c375a09aa0c5dff4e0a5a2af8da7b5672bc95d082065

    • SHA512

      c6d22d451cd302f7235da71e4c4c351bade1e9c793bc31237d6c0d36db8ab24bda1a7bf34deeac436e5eb8aaa2db16f0a4cab2b093b3e6b8a11925a7e6d5c365

    • SSDEEP

      12288:7lnOmmnq8yKfju2xZ7rH/NUV1iUp8eBoJ67AKJNsFtbj:vPKrnZPNo1iUpj2Y7AKJNsb3

    • AsyncRat

      AsyncRAT is a remote access tool written in C#, designed to remotely monitor and control other computers.

    • StormKitty

      StormKitty is an open source info stealer written in C#.

    • StormKitty payload

    • Drops desktop.ini file(s)

    • Looks up external IP address via web service

      Uses a legitimate IP lookup service to find the infected system's external IP.

    • Looks up geolocation information via web service

      Uses a legitimate geolocation service to find the infected system's geolocation info.

    • Suspicious use of SetThreadContext

MITRE ATT&CK Matrix (ATT&CK v13)

Discovery

  • T1012 Query Registry (1)

  • T1082 System Information Discovery (1)

Tasks