General

  • Target

    cbfb91e9f660870d7b99000a18370afb635fbc17d579441de7091a9c9bcc153f

  • Size

    843KB

  • Sample

    240417-sae5msda99

  • MD5

    1fd8bc4be088de3173235e4dc4577c9c

  • SHA1

    8e75abe2574f7f20b80aea0387fe0128a761ef4b

  • SHA256

    cbfb91e9f660870d7b99000a18370afb635fbc17d579441de7091a9c9bcc153f

  • SHA512

    ebc88d64186e4fe5c0ae5f7d058c46822feeecfcf241ef9decb00a9900c008a9c6d650ed4a608a5a9f00ba55ecee1b71feeff8b40467a0cd5854572250e3ce2d

  • SSDEEP

    24576:jb4QHhwyfMPXO6xlPwjrmhLHMeI815csmsyHkQoa:jcQ2y0PXO6xlofmSevat

Malware Config

Extracted

Family

asyncrat

Botnet

Default

C2

127.0.0.1:6606

127.0.0.1:7707

127.0.0.1:8808

https://api.telegram.org/bot6889241853:AAHAa8eUBd5h6tWRG0OvgDx7o1_LKQJi-y8/sendMessage?chat_id=6367688286

Note: the three loopback host:port pairs are the stock defaults of the open-source AsyncRAT client (hosts "127.0.0.1", ports "6606,7707,8808"), as are the mutex, delay, install and install_folder values listed below, so they do not identify operator infrastructure and are not usable as network indicators. The Telegram Bot API URL, with its bot token and chat_id, is the indicator in this config that points at the operator's channel.

Mutex

AsyncMutex_6SI8OkPnk

Attributes
  • delay

    3

  • install

    false

  • install_folder

    %AppData%

aes.plain
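The extracted config above mixes two kinds of indicator: loopback socket defaults that will never appear as an egress destination, and a Telegram Bot API URL that identifies the operator's bot and chat. As an added example (not part of the report, and not code from the AsyncRAT or StormKitty projects), the Python below turns the C2 list into structured IOCs, marks the loopback defaults as non-actionable, and checks the remaining IOCs against constructed egress log lines. The log format (timestamp, pid, image path, destination IP, destination port, URL), the process paths and the destination IP 203.0.113.10 are assumptions made for the example.

```python
import ipaddress
import re
from urllib.parse import parse_qs, urlsplit

# C2 entries exactly as listed in the report's Malware Config section.
C2_ENTRIES = [
    "127.0.0.1:6606",
    "127.0.0.1:7707",
    "127.0.0.1:8808",
    "https://api.telegram.org/bot6889241853:AAHAa8eUBd5h6tWRG0OvgDx7o1_LKQJi-y8/sendMessage?chat_id=6367688286",
]

# Telegram Bot API paths look like /bot<numeric id>:<secret>/<method>.
TELEGRAM_BOT_RE = re.compile(r"/bot(?P<bot_id>\d+):(?P<secret>[A-Za-z0-9_-]+)(?=/)")


def _is_loopback(host):
    try:
        return ipaddress.ip_address(host).is_loopback
    except ValueError:  # a hostname rather than an IP literal
        return False


def parse_c2(entry):
    """Classify one extracted C2 entry.

    host:port entries become socket IOCs; loopback hosts are flagged
    non-actionable because 127.0.0.1 is the stock AsyncRAT default and
    cannot show up as an egress destination.  Telegram bot URLs become URL
    IOCs keyed on the bot id and chat_id, which identify the operator.
    """
    if entry.startswith(("http://", "https://")):
        u = urlsplit(entry)
        m = TELEGRAM_BOT_RE.search(u.path)
        return {
            "kind": "url",
            "host": u.hostname,
            "bot_id": m.group("bot_id") if m else None,
            "chat_id": parse_qs(u.query).get("chat_id", [None])[0],
            "actionable": True,
        }
    host, _, port = entry.rpartition(":")
    return {"kind": "socket", "host": host, "port": int(port),
            "actionable": not _is_loopback(host)}


IOCS = [parse_c2(e) for e in C2_ENTRIES]

# Constructed egress log lines (assumed format, not from the report):
# timestamp pid image dst_ip dst_port url   ("-" when no URL was seen)
SAMPLE_LOG = """\
2024-04-17T10:01:02Z 4412 C:\\Users\\lab\\AppData\\Roaming\\svc.exe 203.0.113.10 443 https://api.telegram.org/bot6889241853:AAHAa8eUBd5h6tWRG0OvgDx7o1_LKQJi-y8/sendMessage?chat_id=6367688286
2024-04-17T10:01:05Z 1208 C:\\Users\\lab\\AppData\\Local\\Mozilla\\firefox.exe 203.0.113.10 443 https://api.telegram.org/bot111111111:AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA/getUpdates
2024-04-17T10:02:00Z 4412 C:\\Users\\lab\\AppData\\Roaming\\svc.exe 127.0.0.1 6606 -
2024-04-17T10:02:30Z 4412 C:\\Users\\lab\\AppData\\Roaming\\svc.exe 203.0.113.10 443 https://api.telegram.org/bot6889241853:AAHAa8eUBd5h6tWRG0OvgDx7o1_LKQJi-y8/sendDocument
"""


def scan_log(log_text, iocs):
    """Return (line_no, reason) for every log line that hits an actionable IOC.

    Telegram hits match on the bot id alone, so any API method called with
    the operator's bot (sendMessage, sendDocument, ...) is caught; the
    loopback socket defaults are skipped rather than generating noise.
    """
    hits = []
    for n, line in enumerate(log_text.splitlines(), 1):
        parts = line.split()
        if len(parts) < 6:
            continue
        # image path may contain spaces, so take the fixed fields from both ends
        dst_ip, dst_port, url = parts[-3], int(parts[-2]), parts[-1]
        for ioc in iocs:
            if not ioc["actionable"]:
                continue
            if ioc["kind"] == "socket" and (dst_ip, dst_port) == (ioc["host"], ioc["port"]):
                hits.append((n, f"socket C2 {ioc['host']}:{ioc['port']}"))
            elif ioc["kind"] == "url" and url != "-":
                u = urlsplit(url)
                m = TELEGRAM_BOT_RE.search(u.path)
                if u.hostname == ioc["host"] and m and m.group("bot_id") == ioc["bot_id"]:
                    method = u.path.rsplit("/", 1)[-1]
                    hits.append((n, f"telegram bot {ioc['bot_id']} ({method})"))
    return hits


if __name__ == "__main__":
    for line_no, reason in scan_log(SAMPLE_LOG, IOCS):
        print(f"line {line_no}: {reason}")
```

Matching on the bot id rather than the full URL is deliberate: the same bot can be driven through several API methods, and the chat_id only appears on some of them. Against the constructed log this flags lines 1 and 4 and ignores the unrelated bot in line 2 and the loopback connection in line 3.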

Targets

    • Target

      c6f6a21328d5e291f331c4283fb3d4ed13499a1de87f773734c09ba0ccbd72be.exe

    • Size

      980KB

    • MD5

      f5314596dce7444d09432a391bf7f669

    • SHA1

      b1186e0501078a510ad0a4af1bbefc2f7f9dee5c

    • SHA256

      c6f6a21328d5e291f331c4283fb3d4ed13499a1de87f773734c09ba0ccbd72be

    • SHA512

      0b45253fcaafbd9b5d4d10e8f7a313a46ea99cff8b9455e884db5f378e41578faab769beaddfb8fee81d72c46131cb7e967fe5e421053902ba190dff800e97f8

    • SSDEEP

      24576:3TbBv5rUEFP5eAsXpp3q1BGa6mXcqIAXiAZfzI6u:RBfP5vCAKLAXiAZs

    • AsyncRat

      AsyncRAT is a remote access trojan written in C#, designed to remotely monitor and control other computers.

    • StormKitty

      StormKitty is an open source info stealer written in C#.

    • StormKitty payload

    • Checks computer location settings

      Looks up the country code configured in the registry, likely for geofencing (avoiding execution in certain countries).

    • Executes dropped EXE

    • Loads dropped DLL

    • Drops desktop.ini file(s)

    • Looks up external IP address via web service

      Uses a legitimate IP lookup service to find the infected system's external IP.

    • Looks up geolocation information via web service

      Uses a legitimate geolocation service to find the infected system's geolocation info.

    • Suspicious use of SetThreadContext

      Calling SetThreadContext on a thread of another process is characteristic of process hollowing and similar injection, where the entry point of a suspended process is redirected to injected code.

MITRE ATT&CK Matrix (ATT&CK v13)

  • Execution

    Command and Scripting Interpreter, T1059 (1)

  • Discovery

    Query Registry, T1012 (2)

    System Information Discovery, T1082 (4)

Tasks