Overview

overview

10

Static

static

10

Cc Combo.exe

windows7-x64

10

Cc Combo.exe

windows10-2004-x64

10

CefSharp.exe

windows7-x64

7

CefSharp.exe

windows10-2004-x64

7

hitter.exe

windows7-x64

7

hitter.exe

windows10-2004-x64

7

ldap60.exe

windows7-x64

1

ldap60.exe

windows10-2004-x64

3

ucrtbase.exe

windows7-x64

3

ucrtbase.exe

windows10-2004-x64

3

Sharing

Copy URL
Twitter E-mail

General

  • Target

    CCCheckerbY.king200l.zip

  • Size

    12.8MB

  • Sample

    240912-ybpncs1akp

  • MD5

    76971b42caf7b1b8fd69d4844e23946c

  • SHA1

    bcc5125efbfc96d0a3f8d600b35cef0ba4e70118

  • SHA256

    21ce45bf74febeeb420e9b63283c5ef6840463692adc17ac92e722b1a0dd149f

  • SHA512

    9c0f995b2ffee53a169bdce8ea230f3ac7fe61025a4c3f7e99ad7c013d6b8d3a95a5ff4b00cdabe717f042a79930396b9b9e6aec4a5aaf649aae641e21c3a008

  • SSDEEP

    393216:9SREyK++0hOaAJMoA8nvTb0rmo5xLZQqZyWJ1T/Nas4ucw:9SE0h50MoA40P5xLFZ0HQ

Score
10/10
asyncratstormkittydefaultcredential_accessdiscoverypersistenceprivilege_escalationpyinstallerratspywarestealer

Malware Config

Extracted

Family

asyncrat

Botnet

Default

C2

127.0.0.1:6606

127.0.0.1:7707

127.0.0.1:8808

https://api.telegram.org/bot7014456621:AAE7BXbm_jQfLpnUdyLpTUwGXyLN5AXvThw/sendMessage?chat_id=7389740990
Mutex

AsyncMutex_6SI8OkPnk

Attributes
  • delay

    3

  • install

    false

  • install_folder

    %AppData%

aes.plain

Targets

    • Target

      Cc Combo.exe

    • Size

      232KB

    • MD5

      e074dece1afd2a20f7e479a8319a7857

    • SHA1

      9f8ae4d5373955498cb15d1b75f190e105f23186

    • SHA256

      cdcfe612d9253b3104b432ff622a9f7a4271059eb3ded0b2f056be9d9950d78f

    • SHA512

      5f232ed6f0dc29d913571614b39e353ea08941dde9ec07ca7925a5de17b97b1526e4f548421f703677a3b19babb4bc00310966e31f2a0bad02ff4bfa97b2a2a0

    • SSDEEP

      6144:DDubaBBOBIIj6HLLYLCYJqvc1DegW1Db/Q/HbMhQLYiUJiz1o/65:GbaVgibWJLYxJem/6

    Score
    10/10
    asyncratstormkittydefaultcredential_accessdiscoverypersistenceprivilege_escalationratspywarestealer

    • AsyncRat

      AsyncRAT is designed to remotely monitor and control other computers written in C#.

      ratasyncrat

    • StormKitty

      StormKitty is an open source info stealer written in C#.

      stealerstormkitty

    • StormKitty payload

    • Credentials from Password Stores: Credentials from Web Browsers

      Malicious Access or copy of Web Browser Credential store.

      credential_accessstealer

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials etc.

      spywarestealer

    • Drops desktop.ini file(s)

    • Looks up external IP address via web service

      Uses a legitimate IP lookup service to find the infected system's external IP.

    • Looks up geolocation information via web service

      Uses a legitimate geolocation service to find the infected system's geolocation info.

    behavioral1behavioral2

    • Target

      CefSharp.bin

    • Size

      11.5MB

    • MD5

      0ebc3f8d0fb85e9ae03e865a9eb8b514

    • SHA1

      150f4ad28d204d5c19d01868473d7bc8093605af

    • SHA256

      85a3726de7540cf58d99220fb298242187862c7fa73cbde5c4e6b0ff529b3aad

    • SHA512

      8e6d8141b2f818fc7be60831931f883813a0b5f6df97565616e18b2bf717e01a3c3c0fe595a6eb85c76b07454e15efa017a2285e2dab94e5e24cf1f101535c66

    • SSDEEP

      196608:6imkJc45SyY+GOe42yOFuWJysVYvsOXoyMxxvjDDAxms48RmU/3ZlsPvqHm4f53P:usnSyY+k4tOsWJooyMxtDDAxmstN3ZWG

    Score
    7/10

    • Loads dropped DLL

    • Suspicious use of NtSetInformationThreadHideFromDebugger

    behavioral3behavioral4

    • Target

      hitter.exe

    • Size

      803KB

    • MD5

      271c1dbe51eead7ad42dddcf6fb3561e

    • SHA1

      e55de3a2829e50ba726fb0b33c4d96c0989e2c7d

    • SHA256

      588d4a5a26d8cc2b0a76b4d89808e770c73018fdbbd76a859035acfc26d97f6d

    • SHA512

      df790cfb8f72e9d13d3e761ac58a3b82b356230a338d5464f835c1d408e50077990d4494ee9fe37578cfa8e743e943beede7d5fac99bd3982eacb3b93b400ea8

    • SSDEEP

      24576:BLewAwfU9LMrT8vu/B98x1609m6qfsTtUz7sLEB:4wAwfU9LMr/B98x1609vJUPsgB

    Score
    7/10
    discovery

    • Executes dropped EXE

    • Loads dropped DLL

    • Suspicious use of NtSetInformationThreadHideFromDebugger

    behavioral5behavioral6

    • Target

      ldap60.lib

    • Size

      238KB

    • MD5

      4e6a7ee0e286ab61d36c26bd38996821

    • SHA1

      820674b4c75290f8f667764bfb474ca8c1242732

    • SHA256

      f67daf4bf2ad0e774bbd53f243e66806397036e5fde694f3856b27bc0463c0a3

    • SHA512

      f9d99d960afce980421e654d1d541c1fdb81252615c48eed5c4a5c962cb20123d06dbdf383a37a476aa41e4ffabca30e95a8735739c35f66efbaa1dee8a9ba8a

    • SSDEEP

      3072:6sGTNBBPt3lBtx5ebLDCc0p00JakwEn0ZtAq0nHHdNwooe+6t3ieCx9UWPrcFw+z:ID5t3lBrGdkwFi3HHdN1Zt9CxVgeH

    Score
    3/10
    discovery
    behavioral7behavioral8

    • Target

      ucrtbase.cfg

    • Size

      211KB

    • MD5

      59238144771807b1cbc407b250d6b2c3

    • SHA1

      6c9f87cca7e857e888cb19ea45cf82d2e2d29695

    • SHA256

      8baa5811836c0b4a64810f6a7d6e1d31d7f80350c69643dc9594f58fd0233a7b

    • SHA512

      cf2f8b84526ae8a1445a2d8a2b9099b164f80a7b7290f68058583b0b235395d749ad0b726c4e36d5e901c18d6946fd9b0dd76c20016b65dc7a3977f68ee4a220

    • SSDEEP

      3072:CFITGLr+kmeUE2+YA8zuxD1gb/uVVohUFVEovODl9ply5nk/7K1bjT5h3qs:CbLUEkAtvaumhUXvwl9P62

    Score
    3/10
    discovery
    behavioral10behavioral9

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

1
T1053

Scheduled Task

1
T1053.005

Persistence

Event Triggered Execution

1
T1546

Netsh Helper DLL

1
T1546.007

Scheduled Task/Job

1
T1053

Scheduled Task

1
T1053.005

Privilege Escalation

Event Triggered Execution

1
T1546

Netsh Helper DLL

1
T1546.007

Scheduled Task/Job

1
T1053

Scheduled Task

1
T1053.005

Defense Evasion

Credential Access

Credentials from Password Stores

1
T1555

Credentials from Web Browsers

1
T1555.003

Unsecured Credentials

1
T1552

Credentials In Files

1
T1552.001

Discovery

Browser Information Discovery

1
T1217

Query Registry

2
T1012

System Information Discovery

3
T1082

System Location Discovery

1
T1614

System Language Discovery

1
T1614.001

System Network Configuration Discovery

1
T1016

Wi-Fi Discovery

1
T1016.002

Lateral Movement

Collection

Data from Local System

1
T1005

Command and Control

Exfiltration

Impact

Tasks