General

  • Target: 5273bfd8b4ea8c5ef1b3c758395e258a65031216b0f242ab5f46c8d363a8df8f
  • Size: 844KB
  • Sample: 240417-sarhnsdb33
  • MD5: d2ed7bf8c053f06567bdbc931a0d86a5
  • SHA1: ad74e97899fee91e9a6a7d76f3155115e384ffa3
  • SHA256: 5273bfd8b4ea8c5ef1b3c758395e258a65031216b0f242ab5f46c8d363a8df8f
  • SHA512: 4798cd101aae48082d06423981f44e397b1e0b769fbc396f525d34d204f8a328092a1c05483a51a8944d73074e8403c3f885905661d53ef69a475a6cbaedaac3
  • SSDEEP: 12288:xM7QAth+uQdZYHdrba2AFfoosADBag1cW9ME5yGMA0fEPbPEAKP+sEqr:xSH+uxrbksADAgpMEIGM1bpPd7

Malware Config

Extracted

  • Family: asyncrat
  • Botnet: Default
  • C2:
    127.0.0.1:6606
    127.0.0.1:7707
    127.0.0.1:8808
    https://api.telegram.org/bot6889241853:AAHAa8eUBd5h6tWRG0OvgDx7o1_LKQJi-y8/sendMessage?chat_id=6367688286
  • Mutex: AsyncMutex_6SI8OkPnk
  • Attributes
    • delay: 3
    • install: false
    • install_folder: %AppData%
  • aes.plain

Targets

    • Target: 8ec50ee4a15519c0be0d0f8f65f9d8d4f13a98e6b72c9e0eeabc4d984524d213.exe
    • Size: 990KB
    • MD5: 3183ce80b52497d71f3f036141413c53
    • SHA1: 079ea02e9ef218b2cbc4e4f99d1d904e739f8f59
    • SHA256: 8ec50ee4a15519c0be0d0f8f65f9d8d4f13a98e6b72c9e0eeabc4d984524d213
    • SHA512: d943eeba0795e38cf1a6951a2ff412e690dae8fd3f02718497797584e8e87936743fee129e5b6ac7bc0cf17ad7f3807147a28882e0b91552e2273aa2a5022d87
    • SSDEEP: 24576:mTbBv5rUSvFpiZA9fuBGa6mXcqIAXiAZfzI6q:YBVNpyAFLAXiAZw

    • AsyncRat
      AsyncRAT is a remote access tool written in C#, designed to remotely monitor and control other computers.

    • StormKitty
      StormKitty is an open-source info stealer written in C#.

    • StormKitty payload

    • Checks computer location settings
      Looks up the country code configured in the registry, likely a geofence check.

    • Executes dropped EXE

    • Loads dropped DLL

    • Drops desktop.ini file(s)

    • Looks up external IP address via web service
      Uses a legitimate IP lookup service to find the infected system's external IP.

    • Looks up geolocation information via web service
      Uses a legitimate geolocation service to find the infected system's geolocation info.

    • Suspicious use of SetThreadContext

MITRE ATT&CK Matrix (ATT&CK v13)

Execution
  • Command and Scripting Interpreter (T1059): 1

Discovery
  • Query Registry (T1012): 2
  • System Information Discovery (T1082): 4

Tasks