General
Target: 5273bfd8b4ea8c5ef1b3c758395e258a65031216b0f242ab5f46c8d363a8df8f
Size: 844KB
Sample: 240417-sarhnsdb33
MD5: d2ed7bf8c053f06567bdbc931a0d86a5
SHA1: ad74e97899fee91e9a6a7d76f3155115e384ffa3
SHA256: 5273bfd8b4ea8c5ef1b3c758395e258a65031216b0f242ab5f46c8d363a8df8f
SHA512: 4798cd101aae48082d06423981f44e397b1e0b769fbc396f525d34d204f8a328092a1c05483a51a8944d73074e8403c3f885905661d53ef69a475a6cbaedaac3
SSDEEP: 12288:xM7QAth+uQdZYHdrba2AFfoosADBag1cW9ME5yGMA0fEPbPEAKP+sEqr:xSH+uxrbksADAgpMEIGM1bpPd7
Static task: static1
Behavioral task: behavioral1
Sample: 8ec50ee4a15519c0be0d0f8f65f9d8d4f13a98e6b72c9e0eeabc4d984524d213.exe
Resource: win7-20240221-en
Behavioral task: behavioral2
Sample: 8ec50ee4a15519c0be0d0f8f65f9d8d4f13a98e6b72c9e0eeabc4d984524d213.exe
Resource: win10v2004-20240412-en
Malware Config
Extracted
asyncrat
Default
127.0.0.1:6606
127.0.0.1:7707
127.0.0.1:8808
https://api.telegram.org/bot6889241853:AAHAa8eUBd5h6tWRG0OvgDx7o1_LKQJi-y8/sendMessage?chat_id=6367688286
AsyncMutex_6SI8OkPnk
delay: 3
install: false
install_folder: %AppData%
Targets
Target: 8ec50ee4a15519c0be0d0f8f65f9d8d4f13a98e6b72c9e0eeabc4d984524d213.exe
Size: 990KB
MD5: 3183ce80b52497d71f3f036141413c53
SHA1: 079ea02e9ef218b2cbc4e4f99d1d904e739f8f59
SHA256: 8ec50ee4a15519c0be0d0f8f65f9d8d4f13a98e6b72c9e0eeabc4d984524d213
SHA512: d943eeba0795e38cf1a6951a2ff412e690dae8fd3f02718497797584e8e87936743fee129e5b6ac7bc0cf17ad7f3807147a28882e0b91552e2273aa2a5022d87
SSDEEP: 24576:mTbBv5rUSvFpiZA9fuBGa6mXcqIAXiAZfzI6q:YBVNpyAFLAXiAZw
Score: 10/10
- StormKitty payload
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Executes dropped EXE
- Loads dropped DLL
- Drops desktop.ini file(s)
- Looks up external IP address via web service
  Uses a legitimate IP lookup service to find the infected system's external IP.
- Looks up geolocation information via web service
  Uses a legitimate geolocation service to find the infected system's geolocation info.
- Suspicious use of SetThreadContext