General
-
Target
Server.exe
-
Size
920KB
-
Sample
240922-wlv7sasfjk
-
MD5
df9eddff9512b4eff624b492bdb8c791
-
SHA1
aa4623f25c3aa1687cc38b179246ae5874ee017f
-
SHA256
3ec383f0398d15c4b3f3d7c57bb916523dbafb4929503b4c4adca987b27d1d59
-
SHA512
d5abd0dade4229cda769b5c365dc37e0c2511683b2bd77f6b6bcc1541870280c642a0e24862d8afccff991b346b1fe5a8484328ea3af24acec1c6527253ac91e
-
SSDEEP
12288:4MSApJVYG5lDLyjsb0eOzkv4R7QnvUUilQ35+6G75V9niwQiKDKqaAs:4nsJ39LyjbJkQFMhmC+6GD9nhKeFf
Behavioral task
behavioral1
Sample
Server.exe
Resource
win7-20240903-en
Behavioral task
behavioral2
Sample
Server.exe
Resource
win10v2004-20240802-en
Malware Config
Extracted
asyncrat
Default
127.0.0.1:6606
127.0.0.1:7707
127.0.0.1:8808
https://api.telegram.org/bot7409950713:AAGOgqTx-C_IXW4TMVH0D3NzyJW8XztSM_c/sendMessage?chat_id=6059920057
AsyncMutex_6SI8OkPnk
-
delay
3
-
install
false
-
install_folder
%AppData%
Targets
-
-
Target
Server.exe
-
Size
920KB
-
MD5
df9eddff9512b4eff624b492bdb8c791
-
SHA1
aa4623f25c3aa1687cc38b179246ae5874ee017f
-
SHA256
3ec383f0398d15c4b3f3d7c57bb916523dbafb4929503b4c4adca987b27d1d59
-
SHA512
d5abd0dade4229cda769b5c365dc37e0c2511683b2bd77f6b6bcc1541870280c642a0e24862d8afccff991b346b1fe5a8484328ea3af24acec1c6527253ac91e
-
SSDEEP
12288:4MSApJVYG5lDLyjsb0eOzkv4R7QnvUUilQ35+6G75V9niwQiKDKqaAs:4nsJ39LyjbJkQFMhmC+6GD9nhKeFf
-
StormKitty payload
-
Async RAT payload
-
Credentials from Password Stores: Credentials from Web Browsers
Malicious Access or copy of Web Browser Credential store.
-
Checks computer location settings
Looks up country code configured in the registry, likely geofence.
-
Executes dropped EXE
-
Loads dropped DLL
-
Adds Run key to start application
-
Drops desktop.ini file(s)
-
Legitimate hosting services abused for malware hosting/C2
-
Looks up external IP address via web service
Uses a legitimate IP lookup service to find the infected system's external IP.
-
Looks up geolocation information via web service
Uses a legitimate geolocation service to find the infected system's geolocation info.
-
MITRE ATT&CK Enterprise v15
Persistence
Boot or Logon Autostart Execution
1Registry Run Keys / Startup Folder
1Event Triggered Execution
1Netsh Helper DLL
1Privilege Escalation
Boot or Logon Autostart Execution
1Registry Run Keys / Startup Folder
1Event Triggered Execution
1Netsh Helper DLL
1Credential Access
Credentials from Password Stores
1Credentials from Web Browsers
1Unsecured Credentials
1Credentials In Files
1