Resubmissions

01-10-2024 19:23

241001-x3tkyszekh 10

01-10-2024 19:14

241001-xxtc1awdmj 10

30-09-2024 22:07

240930-11v8jsxdnm 10

30-09-2024 21:59

240930-1wfmas1crg 10

30-09-2024 20:26

240930-y8bg1atepl 10

26-09-2024 20:34

240926-zcgvkszbmg 10

26-09-2024 19:28

240926-x6rkrstfrr 10

26-09-2024 19:21

240926-x2mq1swhnh 10

26-09-2024 19:20

240926-x19jdstdpl 10

25-09-2024 21:15

240925-z4dx1a1elf 10

General

  • Target

    RebelCracked.exe

  • Size

    344KB

  • Sample

    240925-y5me4awbql

  • MD5

    a84fd0fc75b9c761e9b7923a08da41c7

  • SHA1

    2597048612041cd7a8c95002c73e9c2818bb2097

  • SHA256

    9d9a79f4ae9bf7a992945f6c06c5bec642c05e4e828217c50255dabfa3677006

  • SHA512

    a17f1144a0e3ce07c7ed6891987c5b969f291e9991442c33750028d35e2194794e8a649c397e8afc9f8ce19d485c453600c75cab4fcead09e38414d85819251a

  • SSDEEP

    6144:lOcpeK8lucxAtLNFHUVuI/2zj1z6jZ755NofmWx4PCQL23wBw7R0ljTwrVuAdJKp:QcpSnx0LNFDQ60Ntbo5d7gBw7R7rbdJk

Malware Config

Extracted

Family

asyncrat

Botnet

Default

C2

127.0.0.1:6606

127.0.0.1:7707

127.0.0.1:8808

Mutex

AsyncMutex_6SI8OkPnk

Attributes
  • delay

    3

  • install

    false

  • install_folder

    %AppData%

aes.plain

Targets

    • Target

      RebelCracked.exe

    • Size

      344KB

    • MD5

      a84fd0fc75b9c761e9b7923a08da41c7

    • SHA1

      2597048612041cd7a8c95002c73e9c2818bb2097

    • SHA256

      9d9a79f4ae9bf7a992945f6c06c5bec642c05e4e828217c50255dabfa3677006

    • SHA512

      a17f1144a0e3ce07c7ed6891987c5b969f291e9991442c33750028d35e2194794e8a649c397e8afc9f8ce19d485c453600c75cab4fcead09e38414d85819251a

    • SSDEEP

      6144:lOcpeK8lucxAtLNFHUVuI/2zj1z6jZ755NofmWx4PCQL23wBw7R0ljTwrVuAdJKp:QcpSnx0LNFDQ60Ntbo5d7gBw7R7rbdJk

    • AsyncRat

      AsyncRAT is designed to remotely monitor and control other computers written in C#.

    • StormKitty

      StormKitty is an open source info stealer written in C#.

    • StormKitty payload

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Executes dropped EXE

    • Loads dropped DLL

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials etc.

    • Drops desktop.ini file(s)

    • Legitimate hosting services abused for malware hosting/C2

    • Looks up external IP address via web service

      Uses a legitimate IP lookup service to find the infected system's external IP.

    • Looks up geolocation information via web service

      Uses a legitimate geolocation service to find the infected system's geolocation info.

    • Suspicious use of SetThreadContext

MITRE ATT&CK Enterprise v15

Tasks