General
-
Target
creative sound blaster.exe
-
Size
272KB
-
Sample
240710-zw8seasdkd
-
MD5
ec3968fd0cf6b025017dbb83249de6f2
-
SHA1
e1805d0f7984f46819320f2121fc67948c0cdfa5
-
SHA256
3537198ebe7eb84bea0eaf47c3955d02b7d6b0d94cef1415d25c1558191a19bd
-
SHA512
f73da223c70fe28f0f0515d17c56e3c8f2ced64894489749a9ad02822995e72429b6ab50963d84676a3de1f76d48bc5952cbb98f044376929332964fb228c509
-
SSDEEP
3072:pUTcxgTEiPMVTb3SH1bnrgYQgy9ckYMmlB/v6A80XH3e55EVu9cBY:pCEiPMVTbiVb0YS5YM6VyA80XHbUe
Malware Config
Extracted
asyncrat
Venom RAT + HVNC + Stealer + Grabber v6.0.3
dllhost.dat
147.185.221.21:5552
147.185.221.21:6643
evyjfpsdxkkqc
-
delay
1
-
install
true
-
install_file
dllhost.dat.exe
-
install_folder
%AppData%
Targets
-
-
Target
creative sound blaster.exe
-
Size
272KB
-
MD5
ec3968fd0cf6b025017dbb83249de6f2
-
SHA1
e1805d0f7984f46819320f2121fc67948c0cdfa5
-
SHA256
3537198ebe7eb84bea0eaf47c3955d02b7d6b0d94cef1415d25c1558191a19bd
-
SHA512
f73da223c70fe28f0f0515d17c56e3c8f2ced64894489749a9ad02822995e72429b6ab50963d84676a3de1f76d48bc5952cbb98f044376929332964fb228c509
-
SSDEEP
3072:pUTcxgTEiPMVTb3SH1bnrgYQgy9ckYMmlB/v6A80XH3e55EVu9cBY:pCEiPMVTbiVb0YS5YM6VyA80XHbUe
Score10/10-
AsyncRat
AsyncRAT is designed to remotely monitor and control other computers written in C#.
-
StormKitty
StormKitty is an open source info stealer written in C#.
-
StormKitty payload
-
Async RAT payload
-
Grants admin privileges
Uses net.exe to modify the user's privileges.
-
Boot or Logon Autostart Execution: Active Setup
Adversaries may achieve persistence by adding a Registry key to the Active Setup of the local machine.
-
Modifies Windows Firewall
-
Checks computer location settings
Looks up country code configured in the registry, likely geofence.
-
Executes dropped EXE
-
Reads user/profile data of web browsers
Infostealers often target stored browser data, which can include saved credentials etc.
-
Accesses Microsoft Outlook profiles
-
Checks installed software on the system
Looks up Uninstall key entries in the registry to enumerate software on the system.
-
Enumerates connected drives
Attempts to read the root path of hard drives other than the default C: drive.
-
Legitimate hosting services abused for malware hosting/C2
-
Looks up external IP address via web service
Uses a legitimate IP lookup service to find the infected system's external IP.
-
Looks up geolocation information via web service
Uses a legitimate geolocation service to find the infected system's geolocation info.
-
Suspicious use of SetThreadContext
-
MITRE ATT&CK Enterprise v15
Execution
Command and Scripting Interpreter
1Scheduled Task/Job
1Scheduled Task
1Persistence
Account Manipulation
1Boot or Logon Autostart Execution
1Active Setup
1Create or Modify System Process
1Windows Service
1Event Triggered Execution
1Netsh Helper DLL
1Scheduled Task/Job
1Scheduled Task
1Privilege Escalation
Account Manipulation
1Boot or Logon Autostart Execution
1Active Setup
1Create or Modify System Process
1Windows Service
1Event Triggered Execution
1Netsh Helper DLL
1Scheduled Task/Job
1Scheduled Task
1Defense Evasion
Impair Defenses
1Disable or Modify System Firewall
1Modify Registry
2