Overview

overview

10

Static

static

7

System.exe

windows10-1703-x64

10

System.exe

windows7-x64

10

System.exe

windows10-1703-x64

10

System.exe

windows10-2004-x64

System.exe

windows11-21h2-x64

10

Sharing

Copy URL
Twitter E-mail

General

  • Target

    System.exe

  • Size

    3.4MB

  • Sample

    240531-eskaesff93

  • MD5

    fb19368b80bb083a67bea154f2e7f4a6

  • SHA1

    7bb20b8ee40c9f94dd77b8cd35920b1ba651ae86

  • SHA256

    92ab9ed68950db61024eb5c5180f0019281a3bec96cd5a2f7305f450de064d4f

  • SHA512

    9fc041c4404602469314cf29cdae55d720bb26e8b37d774b13f7483a160c7fd0daea8d6274e7113a2c524630bf90d3b04513d04e19fe3f9cb216b44502f7c4f2

  • SSDEEP

    49152:OnT6jNyvZdHzYjd3deChH/GBtNNwxry+3u1IRgQo37xcoMuFVhDb5Xqx:fQZdHod3ACBGBX+HgQvwV56x

Score
10/10
asyncratstormkittydefaultcollectiondiscoveryevasionratspywarestealerthemidatrojan

Malware Config

Extracted

Family

asyncrat

Version

Venom RAT + HVNC + Stealer + Grabber v6.5

Botnet

Default

Mutex

umldzqgmsvrmiibib

Attributes
  • c2_url_file

    https://paste.fo/raw/53957c5e1888

  • delay

    1

  • install

    true

  • install_file

    Registry.exe

  • install_folder

    %AppData%

aes.plain

Targets

    • Target

      System.exe

    • Size

      3.4MB

    • MD5

      fb19368b80bb083a67bea154f2e7f4a6

    • SHA1

      7bb20b8ee40c9f94dd77b8cd35920b1ba651ae86

    • SHA256

      92ab9ed68950db61024eb5c5180f0019281a3bec96cd5a2f7305f450de064d4f

    • SHA512

      9fc041c4404602469314cf29cdae55d720bb26e8b37d774b13f7483a160c7fd0daea8d6274e7113a2c524630bf90d3b04513d04e19fe3f9cb216b44502f7c4f2

    • SSDEEP

      49152:OnT6jNyvZdHzYjd3deChH/GBtNNwxry+3u1IRgQo37xcoMuFVhDb5Xqx:fQZdHod3ACBGBX+HgQvwV56x

    Score
    10/10
    asyncratstormkittydefaultdiscoveryevasionratspywarestealerthemidatrojancollection

    • AsyncRat

      AsyncRAT is designed to remotely monitor and control other computers written in C#.

      ratasyncrat

    • StormKitty

      StormKitty is an open source info stealer written in C#.

      stealerstormkitty

    • StormKitty payload

    • Identifies VirtualBox via ACPI registry values (likely anti-VM)

      evasion

    • Checks BIOS information in registry

      BIOS information is often read in order to detect sandboxing environments.

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials etc.

      spywarestealer

    • Themida packer

      Detects Themida, an advanced Windows software protection system.

      themida

    • Accesses Microsoft Outlook profiles

      collection

    • Checks installed software on the system

      Looks up Uninstall key entries in the registry to enumerate software on the system.

      discovery

    • Checks whether UAC is enabled

      evasiontrojan

    • Legitimate hosting services abused for malware hosting/C2

    • Looks up external IP address via web service

      Uses a legitimate IP lookup service to find the infected system's external IP.

    • Looks up geolocation information via web service

      Uses a legitimate geolocation service to find the infected system's geolocation info.

    • Suspicious use of NtSetInformationThreadHideFromDebugger

    behavioral1behavioral2behavioral3behavioral4behavioral5

MITRE ATT&CK Enterprise v15

Tasks