General

  • Target

    FlashBTC core 2024 Full Edition.zip

  • Size

    156.7MB

  • Sample

    240508-plwpzscd3x

  • MD5

    7e2b9dde782609cb3a2e61996361055e

  • SHA1

    c72f0bfea9c74994315f1b463cc72902ebd1f7b2

  • SHA256

    2a4aee03d0e31745e786611470be3ad45d8c9f35b141f6e364542ab3ca6f5519

  • SHA512

    1bf5ba1b055ff3673af317d260907f321f2a4aeb1895e26f75e0f448d3cc8449117058a0be698014596266ee8a065011a7add1b605e4720f0d389ee819668e4d

  • SSDEEP

    3145728:cicOYPMtw3FvKo4ppUJjVYYE7rsVfwBxwYOy4U8Jxkoy6bTNHacCp:vWBAAjiprckwYEU8JxkorZu

Malware Config

Extracted

  • Family

    asyncrat

  • Botnet

    Default

  • C2

    127.0.0.1:6606

    127.0.0.1:7707

    127.0.0.1:8808

    https://api.telegram.org/bot6110313252:AAE6fFOzBefHnbenT-1DwxI9EBeZQTxbYGk/sendMessage?chat_id=6291749148

  • Mutex

    AsyncMutex_6SI8OkPnk

  • Attributes

    • delay

      3

    • install

      false

    • install_folder

      %AppData%

  • aes.plain

Targets

    • Target

      Flash BTC Transaction (Core Network) Full Version 10.0.1.exe

    • Size

      159.9MB

    • MD5

      beb106c368913861b9b76e9796c65ee6

    • SHA1

      8bb13725346d7db58c20041ac65a906cc6776aae

    • SHA256

      cb6315dfadc414c69c1d842b3582331e501d906b51ad34c98a32cad72891a131

    • SHA512

      3331eedf48358e184687b106b182985f8a6cb497ad13fc3e27eedbe8af67ad53e4e274b9c3f1fac71de928d8e781b7c42f1550a1d804d5e4f60265165d2b5e38

    • SSDEEP

      3145728:XiZh5tHqb9bla6HFxYYrACQFaVzClcnMq/CmUuKq+g1bylxvk:yFkywcYrACkaWcMq/a1jPv

    • AsyncRat

      AsyncRAT is a remote access tool written in C#, designed to remotely monitor and control other computers.

    • StormKitty

      StormKitty is an open source info stealer written in C#.

    • StormKitty payload

    • Checks computer location settings

      Looks up the country code configured in the registry, likely for geofencing.

    • Drops startup file

    • Executes dropped EXE

    • Loads dropped DLL

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials and other sensitive information.

    • Adds Run key to start application

    • Drops desktop.ini file(s)

    • Looks up external IP address via web service

      Uses a legitimate IP lookup service to find the infected system's external IP.

    • Looks up geolocation information via web service

      Uses a legitimate geolocation service to find the infected system's geolocation info.

    • Suspicious use of SetThreadContext

    • Target

      MessagingToolkit.QRCode.dll

    • Size

      5.9MB

    • MD5

      f57e5c02d4f386b6d56ffcbdd76f2fc2

    • SHA1

      c4c83881990dd551b2d922c3eb7e998b45d903c7

    • SHA256

      ee190ce76608f3c86aeca9d9e081da95b5cb3a7ad8eff69d3dcc01a9fcdac71c

    • SHA512

      cf8de67013107711f0349b2d609933169385db5c997f4def9933b355e01736f30fb243c8e3b9491eaf572097abdbed05e557246c6d7689bb8f88972fdfc997a2

    • SSDEEP

      49152:V1/6FVnwwjbjtfv2vvrhVURfSmgrmRw1+pQLSeATkHHHs58PZX3o:VKLNu+u2W3

    • Score

      1/10

    • Target

      Microsoft.VisualBasic.PowerPacks.Vs.dll

    • Size

      253KB

    • MD5

      cf9a3a6e2f8e1070a10833baa8c63069

    • SHA1

      968b9138206335cc810207a0c20a0dcef2882efe

    • SHA256

      c62e53bf7e941a262b5b18211683bd045b70959f59ddccb4e454db18ee380833

    • SHA512

      8fb8c90e401616a2cfc9b64bc799a3293f9941abcc9dbc16a7ac533dba136138c5b884a58a5682a79472372a522766b808d1163e6cb3bd7a6aafdbf431d542b6

    • SSDEEP

      6144:rEfg1Oir3KXDM7sri+7RXXCUal8mJm73C51d1Dwlh:Ifg1wTmsri+7hxu/Lah

    • Score

      1/10

    • Target

      QRCoder.dll

    • Size

      107KB

    • MD5

      f77b77d943c441878eb296506b92512e

    • SHA1

      1397d7dc6ef32d92f99e4f126024912526d96e46

    • SHA256

      c36bfd8480c17451028b0b79457d29513050f3cc0ca2480cf884eb77d34ef097

    • SHA512

      ddee8a85e714ba4613a625282851f731850cc552dabe4b8efe2043239eeccbf5f5bb59c8e82804af58924165fd4b7b55209d6506fe6bbeba9a61ba1c1e3dbd08

    • SSDEEP

      1536:odQ5+yHeUkugu+UU0cjamKCj5G/1aMjwt5j8QT0j7Cs2+S+xfRotWx1+ONUs2kR5:+K6uH/1ROtFa7NS+EO+ONUs2kR+o3j

    • Score

      1/10

    • Target

      Recover Shell Script.js

    • Size

      362KB

    • MD5

      638dc56ce17883e759ece272bd7da5a1

    • SHA1

      e4fc7cd12210e955e5effb83e1363f9d44f9d22f

    • SHA256

      a3284c25e3cc60079f77edc15a372c5bf1c623769c8825d560f7e9a5e6847e5c

    • SHA512

      e9cd82f1bff4647e322a7ed3b22e32d2521e4b577dc9b5414cab02201b7ba881ee21a81efb50e7718540b4eeb6082fe33b69d0a4e41278050bdbe7d50b9b68d5

    • SSDEEP

      6144:5/IPvhkrlkvxZe9TX1X/Jqgpi3rgtQ2k/L7b6R+k:5QPvhkhkvxZeB1X/Jqgpi3rb/OD

    • Score

      3/10

    • Target

      fr/Microsoft.VisualBasic.PowerPacks.Vs.resources.dll

    • Size

      45KB

    • MD5

      9debf6105d523aba2c7101f4bd1efac0

    • SHA1

      ea45b2a3593855a4218b047d091af866b31763ae

    • SHA256

      af6b7ba639284fca547828e1f201aff0bbf41b9d8760bcb47571ee0c4bdfec3b

    • SHA512

      6d1a25ffffc4d657f45a2691dc9ef6aeac5320df61ddfece36538b1e3bf6aa329a3d300b822890d0edbcd287c64e32b67cd1134867a6cec988cc31cecd95141b

    • SSDEEP

      768:Px4Jj7ajxVM6epA+wR3fUI8FzNMi2jXHUH1b:Px4B7G+5A7R3fUbz29rHUHR

    • Score

      1/10

MITRE ATT&CK Matrix (ATT&CK v13)

Techniques are listed per tactic as: ATT&CK ID, technique name, count in parentheses.

  • Execution

    T1059 Command and Scripting Interpreter (1)

    T1059.007 JavaScript (1)

  • Persistence

    T1547 Boot or Logon Autostart Execution (1)

    T1547.001 Registry Run Keys / Startup Folder (1)

  • Privilege Escalation

    T1547 Boot or Logon Autostart Execution (1)

    T1547.001 Registry Run Keys / Startup Folder (1)

  • Defense Evasion

    T1112 Modify Registry (2)

    T1553 Subvert Trust Controls (1)

    T1553.004 Install Root Certificate (1)

  • Credential Access

    T1552 Unsecured Credentials (1)

    T1552.001 Credentials In Files (1)

  • Discovery

    T1012 Query Registry (2)

    T1082 System Information Discovery (3)

  • Collection

    T1005 Data from Local System (1)

Tasks