Windows 7 deprecation
Windows 7 will be removed from tria.ge on 2025-03-31
General
-
Target
release_lava.exe.2
-
Size
5.5MB
-
Sample
240516-23h7fadd28
-
MD5
de557c3360f872d88f7a807b8cc0aabb
-
SHA1
8beb7bbb77e52d4076924791afacd50475d0c0d0
-
SHA256
5c571eab4831d78279edf3ed574a10e42b877b430815b08b83bc2f18141d3ad0
-
SHA512
d2cf879e061403c03fc61a797308fef01e9ecad4052fa674878d24c63bfd7af919b2ecb0229f4ba83bc78d3793e585d85f9a6f868b18d47ccaf48138d5d9b823
-
SSDEEP
98304:2+5NpZB2er+PqXfcGJy+P0gNiQIO0cpKmjDBhBtYlhW6mf9i3/n4d4:BpZBrHkkFJipRqKmZhYDW6+ivn
Malware Config
Extracted
asyncrat
Default
127.0.0.1:6606
127.0.0.1:7707
127.0.0.1:8808
https://api.telegram.org/bot6471941882:AAHasaNCecS7ngmuNpsLq1sIjTyBjQRkZ8U/sendMessage?chat_id=5383408154
AsyncMutex_6SI8OkPnk
-
delay
3
-
install
false
-
install_folder
%AppData%
Targets
-
-
Target
release_lava.exe.2
-
Size
5.5MB
-
MD5
de557c3360f872d88f7a807b8cc0aabb
-
SHA1
8beb7bbb77e52d4076924791afacd50475d0c0d0
-
SHA256
5c571eab4831d78279edf3ed574a10e42b877b430815b08b83bc2f18141d3ad0
-
SHA512
d2cf879e061403c03fc61a797308fef01e9ecad4052fa674878d24c63bfd7af919b2ecb0229f4ba83bc78d3793e585d85f9a6f868b18d47ccaf48138d5d9b823
-
SSDEEP
98304:2+5NpZB2er+PqXfcGJy+P0gNiQIO0cpKmjDBhBtYlhW6mf9i3/n4d4:BpZBrHkkFJipRqKmZhYDW6+ivn
Score10/10-
AsyncRat
AsyncRAT is designed to remotely monitor and control other computers written in C#.
-
Modifies security service
-
StormKitty
StormKitty is an open source info stealer written in C#.
-
StormKitty payload
-
Async RAT payload
-
Command and Scripting Interpreter: PowerShell
Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.
-
Creates new service(s)
-
Drops file in Drivers directory
-
Sets service image path in registry
-
Stops running service(s)
-
Checks computer location settings
Looks up country code configured in the registry, likely geofence.
-
Executes dropped EXE
-
Loads dropped DLL
-
Reads user/profile data of web browsers
Infostealers often target stored browser data, which can include saved credentials etc.
-
Drops desktop.ini file(s)
-
Legitimate hosting services abused for malware hosting/C2
-
Looks up external IP address via web service
Uses a legitimate IP lookup service to find the infected system's external IP.
-
Looks up geolocation information via web service
Uses a legitimate geolocation service to find the infected system's geolocation info.
-
Drops file in System32 directory
-
Suspicious use of SetThreadContext
-
MITRE ATT&CK Enterprise v15
Execution
Command and Scripting Interpreter
1PowerShell
1System Services
2Service Execution
2Persistence
Boot or Logon Autostart Execution
1Registry Run Keys / Startup Folder
1Create or Modify System Process
3Windows Service
3Privilege Escalation
Boot or Logon Autostart Execution
1Registry Run Keys / Startup Folder
1Create or Modify System Process
3Windows Service
3