Overview

overview

10

Static

static

10

20209b1782...1b.exe

windows7-x64

10

20209b1782...1b.exe

windows10-2004-x64

10

Sharing

Copy URL
Twitter E-mail

General

  • Target

    20209b1782561498aae9640d8032d3663636c0f10a094dd1b69f413097d7c41b

  • Size

    162KB

  • Sample

    240418-ycpdzseb81

  • MD5

    48f3578add712ad477de43a61079f6e2

  • SHA1

    4b6a625d66abee564bc3fc0a4927ebceab88a0e7

  • SHA256

    20209b1782561498aae9640d8032d3663636c0f10a094dd1b69f413097d7c41b

  • SHA512

    e9d7e06a61e187538313c0935b05ce453afd77f9c04046112818c2044ae6a66c6bb5b2c3aaf88eadeedda2648b2162dce5171eea9e7e2b4fb0dc1b0fe1f5b149

  • SSDEEP

    3072:qeIM6syPKcys1v6LCNrhwBafeQt0siX7mIBbVaibI+wARE+WpC5:V6syicyst6LCwAfeJlr1xvb1

Score
10/10
asyncratstormkittyratspywarestealer

Malware Config

Targets

    • Target

      20209b1782561498aae9640d8032d3663636c0f10a094dd1b69f413097d7c41b

    • Size

      162KB

    • MD5

      48f3578add712ad477de43a61079f6e2

    • SHA1

      4b6a625d66abee564bc3fc0a4927ebceab88a0e7

    • SHA256

      20209b1782561498aae9640d8032d3663636c0f10a094dd1b69f413097d7c41b

    • SHA512

      e9d7e06a61e187538313c0935b05ce453afd77f9c04046112818c2044ae6a66c6bb5b2c3aaf88eadeedda2648b2162dce5171eea9e7e2b4fb0dc1b0fe1f5b149

    • SSDEEP

      3072:qeIM6syPKcys1v6LCNrhwBafeQt0siX7mIBbVaibI+wARE+WpC5:V6syicyst6LCwAfeJlr1xvb1

    Score
    10/10
    stormkittyspywarestealerasyncratrat

    • AsyncRat

      AsyncRAT is designed to remotely monitor and control other computers written in C#.

      ratasyncrat

    • StormKitty

      StormKitty is an open source info stealer written in C#.

      stealerstormkitty

    • StormKitty payload

    • Detects binaries and memory artifacts referencing sandbox DLLs typically observed in sandbox evasion

    • Detects executables (downlaoders) containing URLs to raw contents of a paste

    • Detects executables containing URLs to raw contents of a Github gist

    • Detects executables referencing Discord tokens regular expressions

    • Detects executables referencing Windows vault credential objects. Observed in infostealers

    • Detects executables referencing credit card regular expressions

    • Detects executables referencing many VPN software clients. Observed in infosteslers

    • Detects executables referencing many confidential data stores found in browsers, mail clients, cryptocurreny wallets, etc. Observed in information stealers

    • Detects executables using Telegram Chat Bot

    • Detects executables with interest in wireless interface using netsh

    • Detects file containing reversed ASEP Autorun registry keys

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials etc.

      spywarestealer

    • Drops desktop.ini file(s)

    • Legitimate hosting services abused for malware hosting/C2

    • Looks up external IP address via web service

      Uses a legitimate IP lookup service to find the infected system's external IP.

    • Looks up geolocation information via web service

      Uses a legitimate geolocation service to find the infected system's geolocation info.

    behavioral1behavioral2

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Subvert Trust Controls

1
T1553

Install Root Certificate

1
T1553.004

Modify Registry

1
T1112

Credential Access

Unsecured Credentials

1
T1552

Credentials In Files

1
T1552.001

Discovery

Query Registry

1
T1012

System Information Discovery

1
T1082

Lateral Movement

Collection

Data from Local System

1
T1005

Exfiltration

Command and Control

Web Service

1
T1102

Impact

Resource Development

Reconnaissance

Tasks