Extracted

• • Target

    Server.exe

  • Size

    920KB

  • MD5

    df9eddff9512b4eff624b492bdb8c791

  • SHA1

    aa4623f25c3aa1687cc38b179246ae5874ee017f

  • SHA256

    3ec383f0398d15c4b3f3d7c57bb916523dbafb4929503b4c4adca987b27d1d59

  • SHA512

    d5abd0dade4229cda769b5c365dc37e0c2511683b2bd77f6b6bcc1541870280c642a0e24862d8afccff991b346b1fe5a8484328ea3af24acec1c6527253ac91e

  • SSDEEP

    12288:4MSApJVYG5lDLyjsb0eOzkv4R7QnvUUilQ35+6G75V9niwQiKDKqaAs:4nsJ39LyjbJkQFMhmC+6GD9nhKeFf

  Score

  10^/10

  asyncratstormkittydefaultcredential_accessdiscoverypersistenceprivilege_escalationratspywarestealer

  • AsyncRat

    AsyncRAT is designed to remotely monitor and control other computers written in C#.

    ratasyncrat

  • StormKitty

    StormKitty is an open source info stealer written in C#.

    stealerstormkitty

  • StormKitty payload

  • Async RAT payload

    rat

  • Credentials from Password Stores: Credentials from Web Browsers

    Malicious Access or copy of Web Browser Credential store.

    credential_accessstealer

  • Checks computer location settings

    Looks up country code configured in the registry, likely geofence.

  • Executes dropped EXE

  • Loads dropped DLL

  • Reads user/profile data of web browsers

    Infostealers often target stored browser data, which can include saved credentials etc.

    spywarestealer

  • Adds Run key to start application

    persistence

  • Drops desktop.ini file(s)

  • Legitimate hosting services abused for malware hosting/C2

  • Looks up external IP address via web service

    Uses a legitimate IP lookup service to find the infected system's external IP.

  • Looks up geolocation information via web service

    Uses a legitimate geolocation service to find the infected system's geolocation info.

  behavioral1behavioral2