Overview

overview

10

Static

static

10

Bltools 2....O].rar

windows10-2004-x64

3

Bltools 2....FS.dll

windows10-2004-x64

1

Bltools 2.....1.exe

windows10-2004-x64

10

Bltools 2....et.dll

windows10-2004-x64

1

Bltools 2....se.dll

windows10-2004-x64

1

Bltools 2....rs.dll

windows10-2004-x64

1

Bltools 2....pf.dll

windows10-2004-x64

1

Bltools 2....rs.dll

windows10-2004-x64

1

Bltools 2....pf.dll

windows10-2004-x64

1

Bltools 2....gs.ini

windows10-2004-x64

1

Sharing

Copy URL
Twitter E-mail

General

  • Target

    Bltools 2.9.1[PRO].rar

  • Size

    5.3MB

  • Sample

    241007-n253xstfnr

  • MD5

    83668ca279e85a7ea770ff50286c2de5

  • SHA1

    39dc5480d27acd4032f8de87a196d9edf697a818

  • SHA256

    aa6d77b243f9397fc5ab618f515a9dc82358c93d94cc270bd9d4f98910ee4da5

  • SHA512

    e68bd0820c0661dd2303863db4073481975cc66645cbfa975e4fdc8eeafc3b22e680939caaf101355fdd4d52fa5ac5d96d53794a20dc2b6bef12f40eed7d4daa

  • SSDEEP

    98304:DEEJZVc6vgOV/defmaZzssI5BPIoDSHN/OdC4CjIJ79ngXZWakuSBP1HfZeZ+k7:D9JZn1/aZzz2PIJHAdOE9gZW9uo1/ZE

Score
10/10
asyncratstormkittydefaultdiscoverypersistenceprivilege_escalationratspywarestealer

Malware Config

Extracted

Family

asyncrat

Botnet

Default

C2

127.0.0.1:6606

127.0.0.1:7707

127.0.0.1:8808

https://api.telegram.org/bot7044437613:AAEXeS1SKGTrEjQ8F-7vSegWo8OLABeJY5k/sendMessage?chat_id=6052812018
Mutex

AsyncMutex_6SI8OkPnk

Attributes
  • delay

    3

  • install

    false

  • install_folder

    %AppData%

aes.plain

Targets

    • Target

      Bltools 2.9.1[PRO].rar

    • Size

      5.3MB

    • MD5

      83668ca279e85a7ea770ff50286c2de5

    • SHA1

      39dc5480d27acd4032f8de87a196d9edf697a818

    • SHA256

      aa6d77b243f9397fc5ab618f515a9dc82358c93d94cc270bd9d4f98910ee4da5

    • SHA512

      e68bd0820c0661dd2303863db4073481975cc66645cbfa975e4fdc8eeafc3b22e680939caaf101355fdd4d52fa5ac5d96d53794a20dc2b6bef12f40eed7d4daa

    • SSDEEP

      98304:DEEJZVc6vgOV/defmaZzssI5BPIoDSHN/OdC4CjIJ79ngXZWakuSBP1HfZeZ+k7:D9JZn1/aZzz2PIJHAdOE9gZW9uo1/ZE

    Score
    3/10
    behavioral1

    • Target

      Bltools 2.9.1[PRO]/Bltools 2.9.1[PRO]/AlphaFS.dll

    • Size

      359KB

    • MD5

      f2f6f6798d306d6d7df4267434b5c5f9

    • SHA1

      23be62c4f33fc89563defa20e43453b7cdfc9d28

    • SHA256

      837f2ceab6bbd9bc4bf076f1cb90b3158191888c3055dd2b78a1e23f1c3aafdd

    • SHA512

      1f0c52e1d6e27382599c91ebd5e58df387c6f759d755533e36688b402417101c0eb1d6812e523d23048e0d03548fd0985a3fd7f96c66625c6299b1537c872211

    • SSDEEP

      6144:QDyJst+jyCnzLp9hvHsPvPvPvS2JQvlojidPp:QDyJsvCnzZf4U1d

    Score
    1/10
    behavioral2

    • Target

      Bltools 2.9.1[PRO]/Bltools 2.9.1[PRO]/BLTools v2.9.1.exe

    • Size

      3.5MB

    • MD5

      8d90b06ac8babfeaccde7433b1248669

    • SHA1

      515b3b688b1d69d7b3f97704dffabf568415bdf1

    • SHA256

      80eb6a5b248c61b859c04e60af28a2689e9c86546f3a3ec492066a198087f3d9

    • SHA512

      ede247553ed0ee3d1da449d6184d81e61873da12aeebb9e1be1d6dc9bad5c05a37e32d322164d94d45628a7d5a6d5bd044b25c70a8ada2c146a5c0039f2a586e

    • SSDEEP

      98304:3z7+TEjqbFZN2l9OqOj/VCB1CRSHgmYrrwCYM:3uTeqbzN69OqOjmURSAmYp

    Score
    10/10
    asyncratstormkittydefaultdiscoverypersistenceprivilege_escalationratspywarestealer

    • AsyncRat

      AsyncRAT is designed to remotely monitor and control other computers written in C#.

      ratasyncrat

    • StormKitty

      StormKitty is an open source info stealer written in C#.

      stealerstormkitty

    • StormKitty payload

    • Async RAT payload

      rat

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Executes dropped EXE

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials etc.

      spywarestealer

    • Drops desktop.ini file(s)

    • Looks up external IP address via web service

      Uses a legitimate IP lookup service to find the infected system's external IP.

    • Looks up geolocation information via web service

      Uses a legitimate geolocation service to find the infected system's geolocation info.

    • Suspicious use of NtSetInformationThreadHideFromDebugger

    behavioral3

    • Target

      Bltools 2.9.1[PRO]/Bltools 2.9.1[PRO]/Extreme.Net.dll

    • Size

      121KB

    • MD5

      f79f0e3a0361cac000e2d3553753cd68

    • SHA1

      4314bcef76fddc9379a8f3a266b37d685d0adb79

    • SHA256

      8a6518ab7419fbec3ac9875baa3afb410ad1398c7aa622a09cd9084ec6cadfcd

    • SHA512

      c77516e7f5540ecd13fa5d8cecfce34629acecd9b5a445f5f48902c9e823328fa9a6694ecaa39f5b6053de61c2b850c2d87df25357548afaad6ec37eb3e5e355

    • SSDEEP

      3072:bdoECIgjBibgp2tBqL0Y++ruXqMG4ih3lbpMqc:bdoECIgUrG

    Score
    1/10
    behavioral4

    • Target

      Bltools 2.9.1[PRO]/Bltools 2.9.1[PRO]/License.dll

    • Size

      11B

    • MD5

      d76bf73f3d3768a4589e72a7b2b83088

    • SHA1

      9e6d246ddb9ae2438fcc1d12534e54c84bc38382

    • SHA256

      eaab53f4b23c3cc9e3c9d4d5d4689438146519e69c7063f4f15b0a43dd861f7b

    • SHA512

      519e9210e9d751a524cf49ceff2e7ddd096f679760a0807d9ee6a3f0870d418336d5004bfd54b94a749f17f3ba85dc404d2cc700fdb3bee1610aba727d428eaf

    Score
    1/10
    behavioral5

    • Target

      Bltools 2.9.1[PRO]/Bltools 2.9.1[PRO]/MaterialDesignColors.dll

    • Size

      295KB

    • MD5

      5c108c4da6d03f0fa2c3b4dc7890cb52

    • SHA1

      48af67b6166068b6f138306bbd1157c7583c6e73

    • SHA256

      b5ec30c93b1d2b4631ee2b178750ec92e302e2e331090ec9783981b9572354f8

    • SHA512

      48d055610eead361809bd839c66ccdca1d5e0d9dffe15af9d15afa106ee7791c8b17acb91f2aba5cf3dda2997b049bcf70b43c3b56b8b01f1fc7bb845ce6c91b

    • SSDEEP

      1536:wr1In+fq1fDfDemxD0EsXpGX0EOAcTtU7fKoVxbzQcV:G1WB1PerAjOAj7fKoVxb1V

    Score
    1/10
    behavioral6

    • Target

      Bltools 2.9.1[PRO]/Bltools 2.9.1[PRO]/MaterialDesignThemes.Wpf.dll

    • Size

      9.1MB

    • MD5

      824cbf63999f954aa1747f79586a4d3c

    • SHA1

      5f1cd6346a45024bbbe09e304c12b6f6bf227d5c

    • SHA256

      344e2cee979e979932f504dc76bd75e97ae1ff46caa3fe2795adfe0a866347f7

    • SHA512

      d36149f7cb5ffc62dac6bb4521105d09fac988de567e181fdca4f23e5079aca5f4292e1d314f797f1a597263ddac0210060cb71c111565717e3a288a47770c51

    • SSDEEP

      98304:PW8EOPXJDntBksKY+ND3WyA4+TLVei10vMzPv8/4C8B5XVS49Xzy83IiEcJMrCRM:PW8lnJ45/9iD54+V11bFv4z

    Score
    1/10
    behavioral7

    • Target

      Bltools 2.9.1[PRO]/Bltools 2.9.1[PRO]/Microsoft.Xaml.Behaviors.dll

    • Size

      142KB

    • MD5

      95f46f34c099421d917d5feadbb33edb

    • SHA1

      3d1cb9cf59000012734901a35baeb3d9c1dd5db3

    • SHA256

      8e77a1dd5e2df4d4af801376cc3428b082eb49fcb6e647b933967fae12ad9d5d

    • SHA512

      c9c9f72980316c68ad2a8dbe2c6c563c0deddfc9e845674d0e2f5313a0ae285d60a755e2ca04164f78b37a36521259307b3eb7d43f5ec9a9de5507bda7e4c1b8

    • SSDEEP

      3072:lN+EM1X0WlL9JAn11M1dXcGkOsizI35rCj8SIP:v+ll79in1h6

    Score
    1/10
    behavioral8

    • Target

      Bltools 2.9.1[PRO]/Bltools 2.9.1[PRO]/Ookii.Dialogs.Wpf.dll

    • Size

      103KB

    • MD5

      932ebb3f9e7113071c6a17818342b7cc

    • SHA1

      9ce2d08bc3840632092325abcc8d842eeb8189d4

    • SHA256

      285aa8225732ddbcf211b1158bd6cff8bf3acbeeab69617f4be85862b7105ab5

    • SHA512

      6b6086cff7b916c0c4536e3c7cba4ba17d6c4be2e4a88a5877be852e197f1f9c9c120d1295acf2b4277a9badd8cfd229ef3c1ab2049d0aeec22d3033be156141

    • SSDEEP

      1536:qgoPBGuyAy52V+gtTLq6ZUc68h8O0SB/XBboIawHUPV5bKLh8sm6b0gl:qgwBGu2IV+ghd68WOxXBbx+5of

    Score
    1/10
    behavioral9

    • Target

      Bltools 2.9.1[PRO]/Bltools 2.9.1[PRO]/Settings.ini

    • Size

      3KB

    • MD5

      8503127ca07906ec4f265e9c181bc639

    • SHA1

      48549e253334d085d51d3adbd16a0525660b41a4

    • SHA256

      d3acbee9af708df5d76792cfb2bd5091a866bc8cb4ce33d5329e81ad61ced022

    • SHA512

      12a7f130cfac34e6c73bde85c860792df0ad2e24f4163fd2e881f672bbbc3cc8a0bd65fa944a4757fac06dde12887680a7491222783b7c1bc5a55fbc4033abef

    Score
    1/10
    behavioral10

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

1
T1053

Scheduled Task

1
T1053.005

Persistence

Event Triggered Execution

1
T1546

Netsh Helper DLL

1
T1546.007

Scheduled Task/Job

1
T1053

Scheduled Task

1
T1053.005

Privilege Escalation

Event Triggered Execution

1
T1546

Netsh Helper DLL

1
T1546.007

Scheduled Task/Job

1
T1053

Scheduled Task

1
T1053.005

Defense Evasion

Credential Access

Credentials from Password Stores

1
T1555

Credentials from Web Browsers

1
T1555.003

Unsecured Credentials

1
T1552

Credentials In Files

1
T1552.001

Discovery

Browser Information Discovery

1
T1217

Query Registry

2
T1012

System Information Discovery

3
T1082

System Location Discovery

1
T1614

System Language Discovery

1
T1614.001

System Network Configuration Discovery

1
T1016

Wi-Fi Discovery

1
T1016.002

Lateral Movement

Collection

Data from Local System

1
T1005

Command and Control

Exfiltration

Impact

Tasks