General
Target: Flash USDT Sender V5.0.zip
Size: 5.1MB
Sample: 240508-pk183scc7t
MD5: 5f6392b1990192cf34a6727f62335615
SHA1: 229f74b1715d7ccd90deb760cb405b18af2a99d4
SHA256: e5ada968624062651aa3a61474149ca7d5cd9fc3d8afc4421a73b139e0fefe2a
SHA512: b84a33894d048d7d7a65bb6d49bc10a531a72e9f14a6bef51a099a6b127de8f833022c091556b56bd2e3921ac85f97c21d6ab82c7435b4058b82e64c890abbcc
SSDEEP: 98304:8Uf8e/NouySfdLOd5YGQjCgABXXw5JcZf5lVKgSu7WoPZEpGU8/:vf/NogLYCjjCIJcFZKgj7WoREY/
Static task
static1

Behavioral tasks
behavioral1: Sample AgentModule.dll, Resource win7-20231129-en
behavioral2: Sample AgentModule.dll, Resource win10v2004-20240419-en
behavioral3: Sample CommonModule.dll, Resource win7-20240220-en
behavioral4: Sample CommonModule.dll, Resource win10v2004-20240419-en
behavioral5: Sample Flash USDT Sender.exe, Resource win7-20240221-en
behavioral6: Sample Flash USDT Sender.exe, Resource win10v2004-20240419-en
behavioral7: Sample cygwin1.dll, Resource win7-20240221-en
behavioral8: Sample cygwin1.dll, Resource win10v2004-20240419-en
Malware Config
Extracted: asyncrat
Default
  127.0.0.1:6606
  127.0.0.1:7707
  127.0.0.1:8808
  https://api.telegram.org/bot6110313252:AAE6fFOzBefHnbenT-1DwxI9EBeZQTxbYGk/sendMessage?chat_id=6291749148
  AsyncMutex_6SI8OkPnk
  delay: 3
  install: false
  install_folder: %AppData%
Targets

Target: AgentModule.dll
Size: 2.0MB
MD5: 73cfc7a409101d5635e8042bcdf5c6c7
SHA1: cf5cc36776c8ec4582bd356b6833aa0905430a92
SHA256: d46f87b767dc82bf9a180bb2a981058909ff65cf0de6edfbc917cbac0f719f67
SHA512: 4e823b31f81aa3f6ad22b26ec55389764867b6e66daa73d17c4d5f501d6a817be520edd49e7dc7c1cee43caf7eb533c456ebfef021c528edaeb9a099325fe12c
SSDEEP: 49152:kylT3MFWj4LouEfF7Mgi4kpCzrLmq064lTRQCyqjc:thcFetTfF7Mt9CzrLmq0DltQLqI
Score: 9/10
Signatures:
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
  BIOS information is often read in order to detect sandboxing environments.
- Identifies Wine through registry keys
  Wine is a compatibility layer capable of running Windows applications, which can be used as a sandboxing environment.
- Suspicious use of NtSetInformationThreadHideFromDebugger
Target: CommonModule.dll
Size: 1.5MB
MD5: eda386546817f68607fc7f3361c89eac
SHA1: 221b78ac990d558f0565d6cc8b7d16786d4afa10
SHA256: 44d33f4dacfc4bac2d56a49194ca4d40bc3e3f72478cd20ed696b1d3f110cc96
SHA512: b51f0fe242ef0fc300163b6e56364a43f8dd26207c22be4110fa42aa291ba324193b795c548646c98644a8670449a54c37009112c10832f54a4a932713100680
SSDEEP: 24576:xdigP0DDbamB99f7yxucOzg8mhkF/tlDkF5enYkHEPPn2a2IJeARStTzzn4CwcNx:xdizv9f7yxucOzbmOdtlDrkn2fMeak2g
Score: 9/10
Signatures:
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
  BIOS information is often read in order to detect sandboxing environments.
- Identifies Wine through registry keys
  Wine is a compatibility layer capable of running Windows applications, which can be used as a sandboxing environment.
- Suspicious use of NtSetInformationThreadHideFromDebugger
Target: Flash USDT Sender.exe
Size: 1.1MB
MD5: 043817555a2db7d27be0fe642fbe9b61
SHA1: c78e17475a13662b3d8a7ad5fe01ae5f5d10053e
SHA256: 7b6e713b75995a1215b0b1e60cdc58fe6c260619daea160b12c00757343cd730
SHA512: 4b008c2d154a8cf1ecec49b3ccfc1fd1fd7d28592adf1b9b387d488a3160363f8431b2a7e65265fcfc8be01f7ed10910a1d3ff3d9244f4fbe60fe0b6c8c4b174
SSDEEP: 24576:6FtwQPyHWYWeBnE4mABmeoiy7XlHEVVL:wtwQPeWYWEEnVX1EVVL
Signatures:
- StormKitty payload
- Checks computer location settings
  Looks up the country code configured in the registry, likely a geofence.
- Drops startup file
- Executes dropped EXE
- Loads dropped DLL
- Adds Run key to start application
- Drops desktop.ini file(s)
- Looks up external IP address via web service
  Uses a legitimate IP lookup service to find the infected system's external IP.
- Looks up geolocation information via web service
  Uses a legitimate geolocation service to find the infected system's geolocation info.
- Suspicious use of SetThreadContext
Target: cygwin1.dll
Size: 3.2MB
MD5: 26dc9423dabf300185c57fc9aee36a38
SHA1: ced29695fb9033e48223ef188a96d8b7d213cbb3
SHA256: aa4e55537722731c64a3ec520d63b02291d8640178c5129df2c1c5c4e8f9c90e
SHA512: 76dd2f9fcf06c45403d368e8e07b9c75db0b94f4c862a7d43be6e18717551b027bf01def586b47f0f04e7dfedb622875bb3e5044abd9ac60d17ac08422f5c363
SSDEEP: 98304:tZk9IDGbx19Mx0Mr7YaZFt3WG00Khy7wYMe1u4CU5NbWN5obRfhAS:Xk9IueFpVv
Score: 1/10
MITRE ATT&CK Matrix (ATT&CK v13)
Privilege Escalation
  Boot or Logon Autostart Execution: 1
    Registry Run Keys / Startup Folder: 1
Defense Evasion
  Virtualization/Sandbox Evasion: 4
  Modify Registry: 3
  Subvert Trust Controls: 1
    Install Root Certificate: 1