Overview

overview

10

Static

static

3

Rebel.7z

windows7-x64

3

Rebel.7z

windows10-2004-x64

3

Rebel/Bin/...or.exe

windows7-x64

5

Rebel/Bin/...or.exe

windows10-2004-x64

5

Rebel/Bin/Rebel.dll

windows7-x64

1

Rebel/Bin/Rebel.dll

windows10-2004-x64

1

Rebel/Fast...ox.dll

windows7-x64

1

Rebel/Fast...ox.dll

windows10-2004-x64

1

Rebel/Fast...ox.xml

windows7-x64

3

Rebel/Fast...ox.xml

windows10-2004-x64

1

Rebel/ReadMe.txt

windows7-x64

1

Rebel/ReadMe.txt

windows10-2004-x64

1

Rebel/Rebe...ed.exe

windows7-x64

10

Rebel/Rebe...ed.exe

windows10-2004-x64

10

Rebel/Syst...om.dll

windows7-x64

1

Rebel/Syst...om.dll

windows10-2004-x64

1

Rebel/Syst...om.xml

windows7-x64

3

Rebel/Syst...om.xml

windows10-2004-x64

1

Sharing

Copy URL
Twitter E-mail

General

  • Target

    Rebel.7z

  • Size

    8.0MB

  • Sample

    240903-ydz7waveqj

  • MD5

    06598c035db9cbdfd2577ded793b97a4

  • SHA1

    e2de172829430cecc3dc35b6e37167f13e75b301

  • SHA256

    ebf1f88870aadeb5f22a893b6670c6ac9aaccef37dad26317e000146e3cc8a41

  • SHA512

    502c56f1c45ee81818c119266eb1e782acabd5dfe2bc7c34c7ec4bb1dae2cb4905a19a6a9b86f761a189d02e972b17a156758f3ed7757545353d4480142a0931

  • SSDEEP

    98304:WXd9vCIRiRGhnMj5gm0y0BAdZouKmQbbjktSZyv3vPYdlQ89lc9uYPvANDntb4/6:UhnayBEAyfvPYdlQowtPvAVGHC

Score
10/10
asyncratstormkittydefaultcredential_accessdiscoverypersistenceprivilege_escalationratspywarestealer

Malware Config

Extracted

Family

asyncrat

Botnet

Default

C2

127.0.0.1:6606

127.0.0.1:7707

127.0.0.1:8808
Mutex

AsyncMutex_6SI8OkPnk

Attributes
  • delay

    3

  • install

    false

  • install_folder

    %AppData%

aes.plain

Targets

    • Target

      Rebel.7z

    • Size

      8.0MB

    • MD5

      06598c035db9cbdfd2577ded793b97a4

    • SHA1

      e2de172829430cecc3dc35b6e37167f13e75b301

    • SHA256

      ebf1f88870aadeb5f22a893b6670c6ac9aaccef37dad26317e000146e3cc8a41

    • SHA512

      502c56f1c45ee81818c119266eb1e782acabd5dfe2bc7c34c7ec4bb1dae2cb4905a19a6a9b86f761a189d02e972b17a156758f3ed7757545353d4480142a0931

    • SSDEEP

      98304:WXd9vCIRiRGhnMj5gm0y0BAdZouKmQbbjktSZyv3vPYdlQ89lc9uYPvANDntb4/6:UhnayBEAyfvPYdlQowtPvAVGHC

    Score
    3/10
    behavioral1behavioral2

    • Target

      Rebel/Bin/Injector.exe

    • Size

      4.8MB

    • MD5

      8da7ffaee1e5988d56e536d37a5e5d7d

    • SHA1

      ed799e5ec866ec3dff0bffb306de4b1ab2ca2361

    • SHA256

      7450c90fad1d9ed73652c7fee391adb41ee2c62d5d43f3bdcab945e3fdec5485

    • SHA512

      34579bfbee7ec802322b12cc91276dc440d2df63d8e02b55ec303a19b4a198810a97157cf82739d0c30a509928d797142cee133aec994f0c8f5c58c5a6aebd16

    • SSDEEP

      98304:2sscM3M0egRUUYdiVF0Zx5NMEuRdvwp1cpY1t83Szkkak0jIiGELfHNz:Vrf0egyUKiVF0rF+dmcQtQSzkkakuR7V

    Score
    5/10

    • Suspicious use of NtSetInformationThreadHideFromDebugger

    behavioral3behavioral4

    • Target

      Rebel/Bin/Rebel.dll

    • Size

      8.6MB

    • MD5

      660d2429fc5f088bd197fb0958303936

    • SHA1

      4189d1ba115f9e00caceb286f22655c6988e1eb6

    • SHA256

      c9b95b9204234edfab46912d21953e3a6985a6b7d50c4fd63372e3d5361c7f3d

    • SHA512

      9875fff045460f77dfc21cecd1de326d67778efd12fe8f53fc09bacfec807a9309752ed4bbb23653060fbee9152dd7c9a9bfda3a0c13c0375a1db932a02a197d

    • SSDEEP

      98304:kz+S5QwKbQLCsjIpdUqsQf3/sfRMyxl5dn5Sz29f49EzFgfVp+t:WrS2LXjIpyDS3/0aWfmC

    Score
    1/10
    behavioral5behavioral6

    • Target

      Rebel/FastColoredTextBox.dll

    • Size

      323KB

    • MD5

      8610f4d3cdc6cc50022feddced9fdaeb

    • SHA1

      4b60b87fd696b02d7fce38325c7adfc9e806f650

    • SHA256

      ac926c92ccfc3789a5ae571cc4415eb1897d500a79604d8495241c19acdf01b9

    • SHA512

      693d1af1f89470eab659b4747fe344836affa0af8485b0c0635e2519815e5a498f4618ea08db9dcf421aac1069a04616046207ee05b9ed66c0a1c4a8f0bddd09

    • SSDEEP

      6144:0R0J4lx4/7BA4xvNdcwCOg04j0y5mwZkdmsqmLDi5eNH+Dl1SIP0:0R0J48lAovNd7CO34D4b4eNO

    Score
    1/10
    behavioral7behavioral8

    • Target

      Rebel/FastColoredTextBox.xml

    • Size

      132KB

    • MD5

      70d49dec6a333f1d94fb1e77c663525c

    • SHA1

      184b544e672f4c4cb9ed9cf010da568eed16623d

    • SHA256

      f3f2e537065317b6ce66dac64042e925bbcea65f00561f9860b7172c9ca07027

    • SHA512

      b78a3c4418a7c5014eb16e72f2113f00353e9e566942f7160067c826c47f1ec2752ae7ede796fc159fb9bae499d347f822401fbc4446e2556cbd680cd595c2e2

    • SSDEEP

      1536:45SVw7sekyF7o//t3zEzacGE5xa5lIV1/P5:45Sm7sekyxo//xzEz3GlM

    Score
    3/10
    discovery
    behavioral10behavioral9

    • Target

      Rebel/ReadMe.txt

    • Size

      13B

    • MD5

      1c6c20f0c324e98e38272f1245d24e11

    • SHA1

      bbb5dc3a18a532529ec6fa88c86542288dd979f7

    • SHA256

      4ca7414e2aba6d74826403afb6ccbcc1752297a1b61aced8808b75d80d212f2d

    • SHA512

      a30aed5a54580ad73f16ad237f82e2dc99c99d9645d40d1fbdf88a7d6c10c238b6967c011ba46c6084d409e4a37b41983d600146f93cd9250a810b7d784d8246

    Score
    1/10
    behavioral11behavioral12

    • Target

      Rebel/RebelCracked.exe

    • Size

      154KB

    • MD5

      76b3ef39824d31fde7ca5d27ae8700fa

    • SHA1

      c03994080a4f1038d4a624499acedcf0fea737f3

    • SHA256

      439096c4077b5a1ad2e2ad232fdaeeece05a72e6a69c16d11a624b665dc428f3

    • SHA512

      3246594017abe3c4e208ce270388feecf23ec3032de73bb380aaebd17030263ff00e8270b2ab901efa993c2e896cd28a091b2b9a49986c98cd974826641f240d

    • SSDEEP

      3072:0OovaAxpeK2dWUi60uu0JpZmTKv03lqUmPT01oSVeT5iu9d7:0OcpeK8lucpUCKlqUP/M

    Score
    10/10
    asyncratstormkittydefaultcredential_accessdiscoverypersistenceprivilege_escalationratspywarestealer

    • AsyncRat

      AsyncRAT is designed to remotely monitor and control other computers written in C#.

      ratasyncrat

    • StormKitty

      StormKitty is an open source info stealer written in C#.

      stealerstormkitty

    • StormKitty payload

    • Async RAT payload

      rat

    • Credentials from Password Stores: Credentials from Web Browsers

      Malicious Access or copy of Web Browser Credential store.

      credential_accessstealer

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Executes dropped EXE

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials etc.

      spywarestealer

    • Drops desktop.ini file(s)

    • Legitimate hosting services abused for malware hosting/C2

    • Looks up external IP address via web service

      Uses a legitimate IP lookup service to find the infected system's external IP.

    • Looks up geolocation information via web service

      Uses a legitimate geolocation service to find the infected system's geolocation info.

    behavioral13behavioral14

    • Target

      Rebel/System.CodeDom.dll

    • Size

      30KB

    • MD5

      59c830ac0d99f8c906292de85f804b84

    • SHA1

      68b6740e6ce97de8b1398f3a6e320940a0e16458

    • SHA256

      e8c88b0448083663910587efeacb6a1977749fe3ffe83b263fc01f7b63d7dfd2

    • SHA512

      4028fa6b68eb3a48bb9625e6755c8e3022283694bb603905af3db54c31bc2f7291aec11f7c42a033703f84c3ff265a19416eb8798058cc42ee3c14c633e9588f

    • SSDEEP

      384:FuE8ujCiLMTPji3h8241EEqYC0iIcwBxehzsCtZ7U6r1fDMqyt5/WduWTTb2HRNq:FDBCi4TWaveEqYChzZpgRoj/iP9zgBV

    Score
    1/10
    behavioral15behavioral16

    • Target

      Rebel/System.CodeDom.xml

    • Size

      366KB

    • MD5

      91af6294c77371e6773c35cfa7edd068

    • SHA1

      0c24bfafb91ab69a3a7a4bfbd15a9c346341c487

    • SHA256

      92287105a0987fc6ea2404e799da13f2d57b228a1fa3039a6d0cded00d4344c5

    • SHA512

      bdfb5c13ee54b88d029bae6a65f932bcf27b1d71a5c373325b2e7484d21d49745c2f3983da85d50aeb6e31febbf0bfcb3cbe46415bae15877c20d54522b65904

    • SSDEEP

      1536:l2e3vRrYxV4Tm0/Y/LFC9YmXVT2Y3mBhuzRKqn/gCOIFnffP6Ks5ATTglg2PLaAR:lK+c9

    Score
    3/10
    discovery
    behavioral17behavioral18

MITRE ATT&CK Enterprise v15

Tasks