Extracted

• • Target

    release_lava.exe.3

  • Size

    5.5MB

  • MD5

    de557c3360f872d88f7a807b8cc0aabb

  • SHA1

    8beb7bbb77e52d4076924791afacd50475d0c0d0

  • SHA256

    5c571eab4831d78279edf3ed574a10e42b877b430815b08b83bc2f18141d3ad0

  • SHA512

    d2cf879e061403c03fc61a797308fef01e9ecad4052fa674878d24c63bfd7af919b2ecb0229f4ba83bc78d3793e585d85f9a6f868b18d47ccaf48138d5d9b823

  • SSDEEP

    98304:2+5NpZB2er+PqXfcGJy+P0gNiQIO0cpKmjDBhBtYlhW6mf9i3/n4d4:BpZBrHkkFJipRqKmZhYDW6+ivn

  Score

  10^/10

  asyncratstormkittydefaultevasionexecutionpersistenceratstealer

  • AsyncRat

    AsyncRAT is designed to remotely monitor and control other computers written in C#.

    ratasyncrat

  • StormKitty

    StormKitty is an open source info stealer written in C#.

    stealerstormkitty

  • StormKitty payload

  • Async RAT payload

    rat

  • Command and Scripting Interpreter: PowerShell

    Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

    execution

  • Creates new service(s)

    persistenceexecution

  • Drops file in Drivers directory

  • Stops running service(s)

    evasionexecution

  • Checks computer location settings

    Looks up country code configured in the registry, likely geofence.

  • Executes dropped EXE

  • Loads dropped DLL

  • Legitimate hosting services abused for malware hosting/C2

  • Looks up external IP address via web service

    Uses a legitimate IP lookup service to find the infected system's external IP.

  • Looks up geolocation information via web service

    Uses a legitimate geolocation service to find the infected system's geolocation info.

  • Drops file in System32 directory

  • Suspicious use of SetThreadContext

  behavioral1behavioral2