General
-
Target
Server.exe
-
Size
175KB
-
Sample
240808-p126batdnm
-
MD5
d26f580a002f00b4d5a855c07039d5c2
-
SHA1
6822685b1e1c57952c19ba9dc01ef9f94301ceb6
-
SHA256
1afc6f0b461fe194e24493a0c57c8320518ebbd50b74234caac0c578e6843380
-
SHA512
b48930243c189ca1be64acfba838683882a5bb687db4e2dc09fa39e511138448818845edc78c60b503b6f00624c7cc1f47efc27985e71953c573bb83153cb2c2
-
SSDEEP
3072:Fe8p6ewdOIwQx76vK/bvTv0cU+lL/dMlZZUZ0b2gTXwARE+WpCc:J6ewwIwQJ6vKX0c5MlYZ0b2Q
Behavioral task
behavioral1
Sample
Server.exe
Resource
win10-20240611-uk
Behavioral task
behavioral2
Sample
Server.exe
Resource
win10-20240404-uk
Behavioral task
behavioral3
Sample
Server.exe
Resource
win10v2004-20240802-uk
Malware Config
Extracted
asyncrat
Default
127.0.0.1:6606
127.0.0.1:7707
127.0.0.1:8808
https://api.telegram.org/bot6494429721:AAFZ5aGg7XGnRClTicbjFHgBuAWHYq2zITI/sendMessage?chat_id=6234857847
AsyncMutex_6SI8OkPnk
-
delay
3
-
install
false
-
install_folder
%AppData%
Targets
-
-
Target
Server.exe
-
Size
175KB
-
MD5
d26f580a002f00b4d5a855c07039d5c2
-
SHA1
6822685b1e1c57952c19ba9dc01ef9f94301ceb6
-
SHA256
1afc6f0b461fe194e24493a0c57c8320518ebbd50b74234caac0c578e6843380
-
SHA512
b48930243c189ca1be64acfba838683882a5bb687db4e2dc09fa39e511138448818845edc78c60b503b6f00624c7cc1f47efc27985e71953c573bb83153cb2c2
-
SSDEEP
3072:Fe8p6ewdOIwQx76vK/bvTv0cU+lL/dMlZZUZ0b2gTXwARE+WpCc:J6ewwIwQJ6vKX0c5MlYZ0b2Q
-
StormKitty payload
-
Credentials from Password Stores: Credentials from Web Browsers
Malicious Access or copy of Web Browser Credential store.
-
Drops desktop.ini file(s)
-
Legitimate hosting services abused for malware hosting/C2
-
Looks up external IP address via web service
Uses a legitimate IP lookup service to find the infected system's external IP.
-
Looks up geolocation information via web service
Uses a legitimate geolocation service to find the infected system's geolocation info.
-
MITRE ATT&CK Enterprise v15
Credential Access
Credentials from Password Stores
1Credentials from Web Browsers
1Unsecured Credentials
1Credentials In Files
1