Extracted

• • Target

    7oQoGzh.txt

  • Size

    10KB

  • MD5

    f9f5ed4701f42db8220e2475fb7acd4b

  • SHA1

    0c6a26d6dc514f0ef6caf2e318b0ff4beb714b3b

  • SHA256

    76d4ee5ec5ccfe4ab753df085bd6ff3a8dec2dc74b1d4f2f0c4e383ff76259fe

  • SHA512

    7e11a18779d077aadae48570136f87ece6a070cd11f0555e5a687f486d82841bb72bcf82ae54d0320e311c2c43c6dfcd766b28f0d43c631aa75863aecaa13b3a

  • SSDEEP

    192:VbbzEdixAkWQwtCNyX5JAu3e566uPoxKgWPH82gk2g7gQKFahi8v:VbU4uCNyX5JAu3e566Hx6f82gk2Mv

  Score

  10^/10

  asyncratstormkittydefaultcredential_accessdiscoverypersistenceprivilege_escalationratspywarestealer

  • AsyncRat

    AsyncRAT is designed to remotely monitor and control other computers written in C#.

    ratasyncrat

  • StormKitty

    StormKitty is an open source info stealer written in C#.

    stealerstormkitty

  • StormKitty payload

  • Suspicious use of NtCreateUserProcessOtherParentProcess

  • Async RAT payload

    rat

  • Credentials from Password Stores: Credentials from Web Browsers

    Malicious Access or copy of Web Browser Credential store.

    credential_accessstealer

  • Downloads MZ/PE file

  • Checks computer location settings

    Looks up country code configured in the registry, likely geofence.

  • Executes dropped EXE

  • Reads user/profile data of web browsers

    Infostealers often target stored browser data, which can include saved credentials etc.

    spywarestealer

  • Drops desktop.ini file(s)

  • Looks up external IP address via web service

    Uses a legitimate IP lookup service to find the infected system's external IP.

  • Looks up geolocation information via web service

    Uses a legitimate geolocation service to find the infected system's geolocation info.

  • Drops file in System32 directory

  • Enumerates processes with tasklist

    discovery
  behavioral1