Overview

overview

10

Static

static

1

Invoice#11...64.wsf

windows7-x64

10

Invoice#11...64.wsf

windows10-2004-x64

10

Sharing

Copy URL
Twitter E-mail

General

  • Target

    Invoice#1136309464.iso

  • Size

    898KB

  • Sample

    240605-n3dp3afe99

  • MD5

    87d66ac004a13b5e303e8789bd137ca9

  • SHA1

    1ee82232a77d898fc54ab7b34b37c88f7a8e1f6a

  • SHA256

    a1ce6b762cb741d0da79d433721258c01cdd1794b00fef95d78e324c07202df2

  • SHA512

    8cbb6361ef73dbce740ad70f589759654c10d1e1fb65d57fd8c494cb37787c416196fb07c7139badbd9976a0717c2a867e90470e9fe6fc55c414599d892b3ddc

  • SSDEEP

    384:8sTu8Qyg9R6cR6cR6cR6cR6cR6cR6cR6cR6cR6cR6cR6wR6cR6cR6cR6cR6cR6cD:8s6+4JElDTo

Score
10/10
asyncratstormkittyxenarmorkaremcollectionevasionexecutionpasswordratrecoveryspywarestealertrojanupx

Malware Config

Extracted

Language
ps1
Deobfuscated
URLs
exe.dropper

http://162.244.210.92:333/kok.jpg

Extracted

Language
ps1
Deobfuscated
URLs
exe.dropper

https://www.autohotkey.com/download/1.1/AutoHotkey112304_ansi.zip

Extracted

Language
ps1
Deobfuscated
URLs
exe.dropper

https://nodejs.org/download/release/latest-v0.12.x/node.exe

Extracted

Family

asyncrat

Version

AWS | 3Losh

Botnet

Karem

C2

kareemovic11.duckdns.org:6606

kareemovic11.duckdns.org:7707

kareemovic11.duckdns.org:8808
Mutex

AsyncMutex_kinsdlmsjnsidhuybf

Attributes
  • delay

    3

  • install

    false

  • install_folder

    %AppData%

aes.plain

Targets

    • Target

      Invoice#1136309464.wsf

    • Size

      107KB

    • MD5

      ab87b1030210083dfb5b1e4f11647846

    • SHA1

      c53b4eaece77ca95b11b0facb82fc81af7e6735b

    • SHA256

      5569aaf9f9d3e53647419506c0cb256ac27d7538d2544a7031c2d7d31df0cb58

    • SHA512

      2980941237f69d4ebf380af918144f7a9acef04d7ca195f2e1531e1de6ea2ded17ce0115fd66db5fc7d526397634d22ec80ee33d987f25ca369de0558d672735

    • SSDEEP

      384:qR6cR6cR6cR6cR6cR6cR6cR6cR6cR6cR6cR6wR6cR6cR6cR6cR6cR6cR6cR6cR6N:14JElDTR

    Score
    10/10
    asyncratstormkittyxenarmorkaremcollectionevasionexecutionpasswordratrecoveryspywarestealertrojanupx

    • AsyncRat

      AsyncRAT is designed to remotely monitor and control other computers written in C#.

      ratasyncrat

    • Contains code to disable Windows Defender

      A .NET executable tasked with disabling Windows Defender capabilities such as realtime monitoring, blocking at first seen, etc.

    • Modifies Windows Defender Real-time Protection settings

      evasiontrojan

    • StormKitty

      StormKitty is an open source info stealer written in C#.

      stealerstormkitty

    • StormKitty payload

    • UAC bypass

      evasiontrojan

    • XenArmor Suite

      XenArmor is as suite of password recovery tools for various application.

      recoverypasswordxenarmor

    • NirSoft WebBrowserPassView

      Password recovery tool for various web browsers

    • Nirsoft

    • Blocklisted process makes network request

    • Command and Scripting Interpreter: PowerShell

      Using powershell.exe command.

      execution

    • Downloads MZ/PE file

    • ACProtect 1.3x - 1.4x DLL software

      Detects file using ACProtect software.

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Executes dropped EXE

    • Loads dropped DLL

    • Reads WinSCP keys stored on the system

      Tries to access WinSCP stored sessions.

      spywarestealer

    • Reads data files stored by FTP clients

      Tries to access configuration files associated with programs like FileZilla.

      spywarestealer

    • Reads local data of messenger clients

      Infostealers often target stored data of messaging applications, which can include saved credentials and account information.

      spywarestealer

    • Reads user/profile data of local email clients

      Email clients store some user data on disk where infostealers will often target it.

      spywarestealer

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials etc.

      spywarestealer

    • UPX packed file

      Detects executables packed with UPX/modified UPX open source packer.

      upx

    • Accesses Microsoft Outlook accounts

      collection

    • Drops file in System32 directory

    • Suspicious use of SetThreadContext

    behavioral1behavioral2

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Command and Scripting Interpreter

1
T1059

PowerShell

1
T1059.001

Persistence

Create or Modify System Process

1
T1543

Windows Service

1
T1543.003

Privilege Escalation

Create or Modify System Process

1
T1543

Windows Service

1
T1543.003

Abuse Elevation Control Mechanism

1
T1548

Bypass User Account Control

1
T1548.002

Defense Evasion

Modify Registry

3
T1112

Impair Defenses

2
T1562

Disable or Modify Tools

2
T1562.001

Abuse Elevation Control Mechanism

1
T1548

Bypass User Account Control

1
T1548.002

Credential Access

Unsecured Credentials

5
T1552

Credentials In Files

4
T1552.001

Credentials in Registry

1
T1552.002

Discovery

Query Registry

2
T1012

System Information Discovery

2
T1082

Lateral Movement

Collection

Data from Local System

5
T1005

Email Collection

1
T1114

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Tasks