General

  • Target

    Flash USDT Sender V5.0.zip

  • Size

    5.1MB

  • Sample

    240508-pk183scc7t

  • MD5

    5f6392b1990192cf34a6727f62335615

  • SHA1

    229f74b1715d7ccd90deb760cb405b18af2a99d4

  • SHA256

    e5ada968624062651aa3a61474149ca7d5cd9fc3d8afc4421a73b139e0fefe2a

  • SHA512

    b84a33894d048d7d7a65bb6d49bc10a531a72e9f14a6bef51a099a6b127de8f833022c091556b56bd2e3921ac85f97c21d6ab82c7435b4058b82e64c890abbcc

  • SSDEEP

    98304:8Uf8e/NouySfdLOd5YGQjCgABXXw5JcZf5lVKgSu7WoPZEpGU8/:vf/NogLYCjjCIJcFZKgj7WoREY/

Malware Config

Extracted

  • Family

    asyncrat

  • Botnet

    Default

  • C2

    127.0.0.1:6606

    127.0.0.1:7707

    127.0.0.1:8808

    https://api.telegram.org/bot6110313252:AAE6fFOzBefHnbenT-1DwxI9EBeZQTxbYGk/sendMessage?chat_id=6291749148

  • Mutex

    AsyncMutex_6SI8OkPnk

Attributes
  • delay

    3

  • install

    false

  • install_folder

    %AppData%

aes.plain

Targets

    • Target

      AgentModule.dll

    • Size

      2.0MB

    • MD5

      73cfc7a409101d5635e8042bcdf5c6c7

    • SHA1

      cf5cc36776c8ec4582bd356b6833aa0905430a92

    • SHA256

      d46f87b767dc82bf9a180bb2a981058909ff65cf0de6edfbc917cbac0f719f67

    • SHA512

      4e823b31f81aa3f6ad22b26ec55389764867b6e66daa73d17c4d5f501d6a817be520edd49e7dc7c1cee43caf7eb533c456ebfef021c528edaeb9a099325fe12c

    • SSDEEP

      49152:kylT3MFWj4LouEfF7Mgi4kpCzrLmq064lTRQCyqjc:thcFetTfF7Mt9CzrLmq0DltQLqI

    Score
    9/10
    • Identifies VirtualBox via ACPI registry values (likely anti-VM)

    • Checks BIOS information in registry

      BIOS information is often read in order to detect sandboxing environments.

    • Identifies Wine through registry keys

      Wine is a compatibility layer capable of running Windows applications, which can be used as a sandboxing environment.

    • Suspicious use of NtSetInformationThreadHideFromDebugger

    • Target

      CommonModule.dll

    • Size

      1.5MB

    • MD5

      eda386546817f68607fc7f3361c89eac

    • SHA1

      221b78ac990d558f0565d6cc8b7d16786d4afa10

    • SHA256

      44d33f4dacfc4bac2d56a49194ca4d40bc3e3f72478cd20ed696b1d3f110cc96

    • SHA512

      b51f0fe242ef0fc300163b6e56364a43f8dd26207c22be4110fa42aa291ba324193b795c548646c98644a8670449a54c37009112c10832f54a4a932713100680

    • SSDEEP

      24576:xdigP0DDbamB99f7yxucOzg8mhkF/tlDkF5enYkHEPPn2a2IJeARStTzzn4CwcNx:xdizv9f7yxucOzbmOdtlDrkn2fMeak2g

    Score
    9/10
    • Identifies VirtualBox via ACPI registry values (likely anti-VM)

    • Checks BIOS information in registry

      BIOS information is often read in order to detect sandboxing environments.

    • Identifies Wine through registry keys

      Wine is a compatibility layer capable of running Windows applications, which can be used as a sandboxing environment.

    • Suspicious use of NtSetInformationThreadHideFromDebugger

    • Target

      Flash USDT Sender.exe

    • Size

      1.1MB

    • MD5

      043817555a2db7d27be0fe642fbe9b61

    • SHA1

      c78e17475a13662b3d8a7ad5fe01ae5f5d10053e

    • SHA256

      7b6e713b75995a1215b0b1e60cdc58fe6c260619daea160b12c00757343cd730

    • SHA512

      4b008c2d154a8cf1ecec49b3ccfc1fd1fd7d28592adf1b9b387d488a3160363f8431b2a7e65265fcfc8be01f7ed10910a1d3ff3d9244f4fbe60fe0b6c8c4b174

    • SSDEEP

      24576:6FtwQPyHWYWeBnE4mABmeoiy7XlHEVVL:wtwQPeWYWEEnVX1EVVL

    • AsyncRat

      AsyncRAT is a remote access tool written in C#, designed to remotely monitor and control other computers.

    • StormKitty

      StormKitty is an open source info stealer written in C#.

    • StormKitty payload

    • Checks computer location settings

      Looks up the country code configured in the registry, likely for geofencing.

    • Drops startup file

    • Executes dropped EXE

    • Loads dropped DLL

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials and similar sensitive information.

    • Adds Run key to start application

    • Drops desktop.ini file(s)

    • Looks up external IP address via web service

      Uses a legitimate IP lookup service to find the infected system's external IP.

    • Looks up geolocation information via web service

      Uses a legitimate geolocation service to find the infected system's geolocation info.

    • Suspicious use of SetThreadContext

    • Target

      cygwin1.dll

    • Size

      3.2MB

    • MD5

      26dc9423dabf300185c57fc9aee36a38

    • SHA1

      ced29695fb9033e48223ef188a96d8b7d213cbb3

    • SHA256

      aa4e55537722731c64a3ec520d63b02291d8640178c5129df2c1c5c4e8f9c90e

    • SHA512

      76dd2f9fcf06c45403d368e8e07b9c75db0b94f4c862a7d43be6e18717551b027bf01def586b47f0f04e7dfedb622875bb3e5044abd9ac60d17ac08422f5c363

    • SSDEEP

      98304:tZk9IDGbx19Mx0Mr7YaZFt3WG00Khy7wYMe1u4CU5NbWN5obRfhAS:Xk9IueFpVv

    Score
    1/10

MITRE ATT&CK Matrix ATT&CK v13

Persistence

  • Boot or Logon Autostart Execution (T1547): 1

  • Registry Run Keys / Startup Folder (T1547.001): 1

Privilege Escalation

  • Boot or Logon Autostart Execution (T1547): 1

  • Registry Run Keys / Startup Folder (T1547.001): 1

Defense Evasion

  • Virtualization/Sandbox Evasion (T1497): 4

  • Modify Registry (T1112): 3

  • Subvert Trust Controls (T1553): 1

  • Install Root Certificate (T1553.004): 1

Credential Access

  • Unsecured Credentials (T1552): 1

  • Credentials In Files (T1552.001): 1

Discovery

  • Query Registry (T1012): 8

  • Virtualization/Sandbox Evasion (T1497): 4

  • System Information Discovery (T1082): 5

Collection

  • Data from Local System (T1005): 1
