General
Target: cbfb91e9f660870d7b99000a18370afb635fbc17d579441de7091a9c9bcc153f
Size: 843KB
Sample: 240417-sae5msda99
MD5: 1fd8bc4be088de3173235e4dc4577c9c
SHA1: 8e75abe2574f7f20b80aea0387fe0128a761ef4b
SHA256: cbfb91e9f660870d7b99000a18370afb635fbc17d579441de7091a9c9bcc153f
SHA512: ebc88d64186e4fe5c0ae5f7d058c46822feeecfcf241ef9decb00a9900c008a9c6d650ed4a608a5a9f00ba55ecee1b71feeff8b40467a0cd5854572250e3ce2d
SSDEEP: 24576:jb4QHhwyfMPXO6xlPwjrmhLHMeI815csmsyHkQoa:jcQ2y0PXO6xlofmSevat
Static task: static1

Behavioral task: behavioral1
  Sample: c6f6a21328d5e291f331c4283fb3d4ed13499a1de87f773734c09ba0ccbd72be.exe
  Resource: win7-20240221-en

Behavioral task: behavioral2
  Sample: c6f6a21328d5e291f331c4283fb3d4ed13499a1de87f773734c09ba0ccbd72be.exe
  Resource: win10v2004-20240412-en
Malware Config
Extracted: asyncrat
Default:
  127.0.0.1:6606
  127.0.0.1:7707
  127.0.0.1:8808
  https://api.telegram.org/bot6889241853:AAHAa8eUBd5h6tWRG0OvgDx7o1_LKQJi-y8/sendMessage?chat_id=6367688286
  AsyncMutex_6SI8OkPnk
delay: 3
install: false
install_folder: %AppData%
Targets
Target: c6f6a21328d5e291f331c4283fb3d4ed13499a1de87f773734c09ba0ccbd72be.exe
Size: 980KB
MD5: f5314596dce7444d09432a391bf7f669
SHA1: b1186e0501078a510ad0a4af1bbefc2f7f9dee5c
SHA256: c6f6a21328d5e291f331c4283fb3d4ed13499a1de87f773734c09ba0ccbd72be
SHA512: 0b45253fcaafbd9b5d4d10e8f7a313a46ea99cff8b9455e884db5f378e41578faab769beaddfb8fee81d72c46131cb7e967fe5e421053902ba190dff800e97f8
SSDEEP: 24576:3TbBv5rUEFP5eAsXpp3q1BGa6mXcqIAXiAZfzI6u:RBfP5vCAKLAXiAZs
Score: 10/10

Signatures:
- StormKitty payload
- Checks computer location settings: looks up the country code configured in the registry, likely a geofence.
- Executes dropped EXE
- Loads dropped DLL
- Drops desktop.ini file(s)
- Looks up external IP address via web service: uses a legitimate IP lookup service to find the infected system's external IP.
- Looks up geolocation information via web service: uses a legitimate geolocation service to find the infected system's geolocation info.
- Suspicious use of SetThreadContext