asyncrat

Sharing

Copy URL

Twitter E-mail

General

Target

Hotmail checker.rar
Size

587KB
Sample

240527-p382mseb85
MD5

09958c59cc6e2150b9e9dff66cea430f
SHA1

6428868d876798d8a771f8ff646c25de939a7b79
SHA256

04769a8d5fa808e222187311d377b7033ff366494a7aaaf8044329d22b289175
SHA512

78b493638ac61c51721d0cdc7426188e65eeb0f65c1ad6377be78466f5d7960630b4601adec8a41aa740df5e0541b6e3987c9ce34e8c40f8b5ceb556b7192b4c
SSDEEP

12288:psW9I5QGMHa5MmMoOI5iaKiGYjDRmbQyNx03YEYq7X8B:p8eGqm5OyiHiGxxBB

Score

10^/10

Malware Config

Extracted

Family

asyncrat

Botnet

Default

127.0.0.1:6606

127.0.0.1:7707

127.0.0.1:8808

https://api.telegram.org/bot6003478563:AAG3aliPXpD1ZldBFn1R2thp1ARU2PprMtU/sendMessage?chat_id=6052812018

Mutex

AsyncMutex_6SI8OkPnk

Attributes

delay
3
install
false
install_folder
%AppData%

aes.plain

Targets

- Target
  
  Hotmail checker/Colorful.Console.dll
- Size
  
  88KB
- MD5
  
  9f6ce7ff934fb2e786ced3516705efad
- SHA1
  
  6e7bcc7b8a5d0e2e46c15a8e0f0c76129d170b61
- SHA256
  
  59a3696950ac3525e31cdd26727dabd9fecd2e1bdc1c47c370d4b04420592436
- SHA512
  
  d61674649fa9a091aa379fe1c227e42eb6cfd3226ad1e26ef089b747fce98b96f4eb78d736c24d6f5f60c4980bb1043ec0f1ef0d69f126870448129a47e22578
- SSDEEP
  
  1536:dJ1J4aE966w/2DtgNpWFbCagAHM9uTC/bR:dC796R/ObCagAs9uTgV
Score

1^/10
behavioral1 behavioral2
- Target
  
  Hotmail checker/Hotmal new checker.exe
- Size
  
  1.1MB
- MD5
  
  ce94631ddcb5fc30c305ce32e49a05a5
- SHA1
  
  f0b656e3a2042d5a58b821962e2b8f0f10fa1ec4
- SHA256
  
  900db12322da42a224e4df96487ca1446d456d72580976a5f102e430ecb16ddd
- SHA512
  
  966497e841950ca55677f24570b331ba2638e34249edd6385b2332c453166315f5d72467bb83a246124dbeb2bcfb0c4044b22e98b44be4b6181c7a3e8ef8f891
- SSDEEP
  
  6144:aSncRlHDubaBBOBIIj6HLLYLCYJqvc1D60Xbywj/c9aqX9bxD/e00sNjT6lmRkss:34kbaNEc9a2/d0Oylmq
Score

10^/10

asyncrat stormkitty default rat spyware stealer vmprotect
- AsyncRat
  AsyncRAT is designed to remotely monitor and control other computers written in C#.
  rat asyncrat
- StormKitty
  StormKitty is an open source info stealer written in C#.
  stealer stormkitty
- StormKitty payload
- Async RAT payload
  rat
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Executes dropped EXE
- Loads dropped DLL
- Reads user/profile data of web browsers
  Infostealers often target stored browser data, which can include saved credentials etc.
  spyware stealer
- VMProtect packed file
  Detects executables packed with VMProtect commercial packer.
  vmprotect
- Drops desktop.ini file(s)
- Looks up external IP address via web service
  Uses a legitimate IP lookup service to find the infected system's external IP.
- Looks up geolocation information via web service
  Uses a legitimate geolocation service to find the infected system's geolocation info.
behavioral3 behavioral4
- Target
  
  Hotmail checker/Leaf.xNet.dll
- Size
  
  129KB
- MD5
  
  ea87f37e78fb9af4bf805f6e958f68f4
- SHA1
  
  89662fed195d7b9d65ab7ba8605a3cd953f2b06a
- SHA256
  
  de9aea105f31f3541cbc5c460b0160d0689a2872d80748ca1456e6e223f0a4aa
- SHA512
  
  c56bd03142258c6dcb712d1352d2548a055fbb726ee200949d847cb2d23d9c52442b1435be0df0bf355701a2c1a3c47cd05b96972501f457d2d401501d33d83a
- SSDEEP
  
  3072:gE3OJDHIfFLlL3pPiqhcLS/oZhttaMBM2cid:gHWZxJiqO
Score

1^/10
behavioral5 behavioral6
- Target
  
  Hotmail checker/Newtonsoft.Json.dll
- Size
  
  685KB
- MD5
  
  081d9558bbb7adce142da153b2d5577a
- SHA1
  
  7d0ad03fbda1c24f883116b940717e596073ae96
- SHA256
  
  b624949df8b0e3a6153fdfb730a7c6f4990b6592ee0d922e1788433d276610f3
- SHA512
  
  2fdf035661f349206f58ea1feed8805b7f9517a21f9c113e7301c69de160f184c774350a12a710046e3ff6baa37345d319b6f47fd24fbba4e042d54014bee511
- SSDEEP
  
  12288:U9BzaPm657wqehcZBLX+HK+kPJUQEKx07N0TCBGiBCjC0PDgM5j9FKjc3Q5:U8m657w6ZBLmkitKqBCjC0PDgM5A5
Score

1^/10
behavioral7 behavioral8
- Target
  
  Hotmail checker/xNet.dll
- Size
  
  101KB
- MD5
  
  693581cced4345f17781e0e69d9a730a
- SHA1
  
  c7daf61527086ecff5e1a1b9a5e1a3f701501d54
- SHA256
  
  52567b98a436f0a162ad631f1798be0d45222a0e6f80c54410e2bd3c2fb21bb3
- SHA512
  
  359103f66942f75192b625db314359a9752096521751d5f2eb05c3b32079a92a629ccebc785e9d5b53f825baba1b109ee6bc3a4f41345e24becd0c367dd879bd
- SSDEEP
  
  3072:MWVymHfHrBxNZvqxGWQEOcEzY3wihe0Y7UTryqnV+xnEdd:MWVL/NyGWQEOcLyqnV+xnEd
Score

1^/10
behavioral10 behavioral9

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

T1053

Persistence

Scheduled Task/Job

T1053

Privilege Escalation

Scheduled Task/Job

T1053

Defense Evasion

Modify Registry

T1112

Subvert Trust Controls

T1553

Install Root Certificate

T1553.004

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Tasks

Sharing

General

Malware Config

Extracted

Targets

StormKitty

StormKitty payload

Async RAT payload

Checks computer location settings

Executes dropped EXE

Loads dropped DLL

Reads user/profile data of web browsers

VMProtect packed file

Drops desktop.ini file(s)

Looks up external IP address via web service

Looks up geolocation information via web service

MITRE ATT&CK Enterprise v15

Tasks

static1

behavioral1

behavioral2

behavioral3

behavioral4

behavioral5

behavioral6

behavioral7

behavioral8

behavioral9

behavioral10