Extracted

Extracted

• • Target

    3644f9a06d97f903a5ceebdd7f2f4500.exe

  • Size

    222KB

  • MD5

    3644f9a06d97f903a5ceebdd7f2f4500

  • SHA1

    53ed26fba664d03b0e2423d6da7235c983fe2a1e

  • SHA256

    bfc572da40fc3dcbee2ff5590ad5f630becf69e18df37b44140bd4f214facf56

  • SHA512

    f0dced1046018e83a33acc0e06f43bdd300ae4defff974c033a1f16cfd78c366cfd11e480554c197d844442fcfd51494ea39abb7c9c22c686d1b3a6cf5c30d1a

  • SSDEEP

    6144:zVW1Fk5kc9tepTde06Or1HVSuZyfbqLW:JWnYt0hHVSuTLW

  Score

  10^/10

  asyncratstormkittydefaultpersistenceprivilege_escalationratspywarestealer

  • AsyncRat

    AsyncRAT is designed to remotely monitor and control other computers written in C#.

    ratasyncrat

  • StormKitty

    StormKitty is an open source info stealer written in C#.

    stealerstormkitty

  • StormKitty payload

  • Async RAT payload

    rat

  • Downloads MZ/PE file

  • Checks computer location settings

    Looks up country code configured in the registry, likely geofence.

  • Drops startup file

  • Executes dropped EXE

  • Loads dropped DLL

  • Reads user/profile data of web browsers

    Infostealers often target stored browser data, which can include saved credentials etc.

    spywarestealer

  • Adds Run key to start application

    persistence

  • Drops desktop.ini file(s)

  • Legitimate hosting services abused for malware hosting/C2

  • Looks up external IP address via web service

    Uses a legitimate IP lookup service to find the infected system's external IP.

  • Looks up geolocation information via web service

    Uses a legitimate geolocation service to find the infected system's geolocation info.

  • Suspicious use of SetThreadContext

  behavioral1behavioral2