Overview

overview

10

Static

static

10

Craxs_Rat_V4.rar

windows10-1703-x64

10

Craxs_Rat_V4.rar

windows7-x64

3

Craxs_Rat_V4.rar

windows10-2004-x64

3

Craxs_Rat_V4.rar

windows11-21h2-x64

3

Sharing

Copy URL
Twitter E-mail

General

  • Target

    Craxs_Rat_V4.rar

  • Size

    196.0MB

  • Sample

    240525-p2tkkacf66

  • MD5

    3a9b4a471bd24ab6b31d7a1154be9e8d

  • SHA1

    641239f0ffeababb63b4367a276df3096bd6b083

  • SHA256

    32ab2efc11d1b38e7530c93bab00ee327e6657d30c4105d9eafee2b8e143b829

  • SHA512

    35a21a05c2ac5630d851b0113bb16ab516c356265465c91f1f64d6256e47923c8ecd4566b9326a760b5f8219a407d2ef305983e9e5c9bccd2b6da92b1c3d11fb

  • SSDEEP

    3145728:7IXHuQYfgMVpnN4X7qvus7lHHYa8WsSkyZT25OH5kN4NQ908t24lZT25OZbU3IoH:7i/g/nNy7qvus7lnF8v4ykkRm0yP8SkY

Score
10/10
asyncratstormkittydefaultadwareevasionpersistenceratspywarestealertrojan

Malware Config

Extracted

Family

asyncrat

Botnet

Default

C2

namevinxqz9.ddns.net:2222

127.0.0.1:6606

127.0.0.1:7707

127.0.0.1:8808

https://api.telegram.org/bot6002469745:AAHuEUiQz-H6uExS5y2LdiMMzm6FPiiVXuw/sendMessage?chat_id=6067717150
Attributes
  • delay

    2

  • install

    true

  • install_file

    SecurityHealthSystray.exe

  • install_folder

    %AppData%

aes.plain
aes.plain

Targets

    • Target

      Craxs_Rat_V4.rar

    • Size

      196.0MB

    • MD5

      3a9b4a471bd24ab6b31d7a1154be9e8d

    • SHA1

      641239f0ffeababb63b4367a276df3096bd6b083

    • SHA256

      32ab2efc11d1b38e7530c93bab00ee327e6657d30c4105d9eafee2b8e143b829

    • SHA512

      35a21a05c2ac5630d851b0113bb16ab516c356265465c91f1f64d6256e47923c8ecd4566b9326a760b5f8219a407d2ef305983e9e5c9bccd2b6da92b1c3d11fb

    • SSDEEP

      3145728:7IXHuQYfgMVpnN4X7qvus7lHHYa8WsSkyZT25OH5kN4NQ908t24lZT25OZbU3IoH:7i/g/nNy7qvus7lnF8v4ykkRm0yP8SkY

    Score
    10/10
    asyncratstormkittydefaultadwareevasionpersistenceratspywarestealertrojan

    • AsyncRat

      AsyncRAT is designed to remotely monitor and control other computers written in C#.

      ratasyncrat

    • StormKitty

      StormKitty is an open source info stealer written in C#.

      stealerstormkitty

    • StormKitty payload

    • Async RAT payload

      rat

    • Executes dropped EXE

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials etc.

      spywarestealer

    • Adds Run key to start application

      persistence

    • Checks whether UAC is enabled

      evasiontrojan

    • Drops desktop.ini file(s)

    • Installs/modifies Browser Helper Object

      BHOs are DLL modules which act as plugins for Internet Explorer.

      stealeradware

    • Legitimate hosting services abused for malware hosting/C2

    • Looks up external IP address via web service

      Uses a legitimate IP lookup service to find the infected system's external IP.

    • Looks up geolocation information via web service

      Uses a legitimate geolocation service to find the infected system's geolocation info.

    behavioral1behavioral2behavioral3behavioral4

MITRE ATT&CK Enterprise v15

Tasks