Extracted

• • Target

    2191082c9e999a14dd03b32db48f6340N.exe

  • Size

    1011KB

  • MD5

    2191082c9e999a14dd03b32db48f6340

  • SHA1

    3bb2526708136e914f75c75277fa396aaf1318f6

  • SHA256

    6f6822221526a14ed2cee6b5be7de5cddd38ac435072838a11e64e03697dde59

  • SHA512

    a7d6ca30f63ade895789d66cf8cd0d359b769f1b58eaccd76fd231901a59b246b74cd307d5fea52528c71adbb4e224169cdc34183aaa90ee6199a6f4f10c8d5d

  • SSDEEP

    12288:hmw8d0ABzaZuOkdq5yxcf/SOfMAsJlXOsdFCHRdF:hm50UzaZuOk8/f/GAKYs3CHRd

  Score

  10^/10

  asyncratstormkittydefaultcredential_accessdiscoverypersistenceprivilege_escalationratspywarestealer

  • AsyncRat

    AsyncRAT is designed to remotely monitor and control other computers written in C#.

    ratasyncrat

  • StormKitty

    StormKitty is an open source info stealer written in C#.

    stealerstormkitty

  • StormKitty payload

  • Async RAT payload

    rat

  • Credentials from Password Stores: Credentials from Web Browsers

    Malicious Access or copy of Web Browser Credential store.

    credential_accessstealer

  • Checks computer location settings

    Looks up country code configured in the registry, likely geofence.

  • Executes dropped EXE

  • Loads dropped DLL

  • Reads user/profile data of web browsers

    Infostealers often target stored browser data, which can include saved credentials etc.

    spywarestealer

  • Adds Run key to start application

    persistence

  • Drops desktop.ini file(s)

  • Legitimate hosting services abused for malware hosting/C2

  • Looks up external IP address via web service

    Uses a legitimate IP lookup service to find the infected system's external IP.

  • Looks up geolocation information via web service

    Uses a legitimate geolocation service to find the infected system's geolocation info.

  behavioral1behavioral2