General
-
Target
Infected.exe
-
Size
63KB
-
Sample
240512-tvlzcsha76
-
MD5
40889fda42cee2f63aa6972ef432ad0e
-
SHA1
19ccc20806ed5bbd6019e8c672407b11ab65ce88
-
SHA256
f334121ac8ff4f73bd7ea92f125a601e0799943b7067568c9ca661b0882175bd
-
SHA512
b21a7eb6a8294179137898470fe461cdea98a9076703d28c0e482d041e7d3e73bdda632849a8c6e1b8bb65bbd01aaf0afc2ecea5af744726c10af16033c382e2
-
SSDEEP
768:Cm0vnfEXf78awC8A+XU2azcBRL5JTk1+T4KSBGHmDbD/ph0oXrwbUUSusdpqKYhg:qEXiLdSJYUbdh9+UTusdpqKmY7
Behavioral task
behavioral1
Sample
Infected.exe
Resource
win10-20240404-en
Malware Config
Extracted
asyncrat
Default
127.0.0.1:3232
127.0.0.1:14548
5.tcp.eu.ngrok.io:3232
5.tcp.eu.ngrok.io:14548
-
delay
1
-
install
false
-
install_folder
%AppData%
Targets
-
-
Target
Infected.exe
-
Size
63KB
-
MD5
40889fda42cee2f63aa6972ef432ad0e
-
SHA1
19ccc20806ed5bbd6019e8c672407b11ab65ce88
-
SHA256
f334121ac8ff4f73bd7ea92f125a601e0799943b7067568c9ca661b0882175bd
-
SHA512
b21a7eb6a8294179137898470fe461cdea98a9076703d28c0e482d041e7d3e73bdda632849a8c6e1b8bb65bbd01aaf0afc2ecea5af744726c10af16033c382e2
-
SSDEEP
768:Cm0vnfEXf78awC8A+XU2azcBRL5JTk1+T4KSBGHmDbD/ph0oXrwbUUSusdpqKYhg:qEXiLdSJYUbdh9+UTusdpqKmY7
-
StormKitty payload
-
Grants admin privileges
Uses net.exe to modify the user's privileges.
-
Renames multiple (1272) files with added filename extension
This suggests ransomware activity of encrypting all the files on the system.
-
Checks computer location settings
Looks up country code configured in the registry, likely geofence.
-
Drops desktop.ini file(s)
-
Legitimate hosting services abused for malware hosting/C2
-