General
-
Target
20f0f8622c856bf79b4b4b740c4dbe961a04dc7a290d9375093eb0e7c01c9c6f
-
Size
741KB
-
Sample
241013-x9ck1syelq
-
MD5
49a235f58aa7c4ee39535a7f81e67bea
-
SHA1
39a0ff2c70e01ec04d4ea45b19ccad37615446d9
-
SHA256
20f0f8622c856bf79b4b4b740c4dbe961a04dc7a290d9375093eb0e7c01c9c6f
-
SHA512
d53fe2cd7e49a844a8dfd09f8dd673e85fd50670b36d2668dffa5449d3e49a6ae369ddf1082097bd3a93d8a1b214a2028b0a2ea3d06c758690a25b16ae5578e3
-
SSDEEP
12288:Z0nyfXuIBDtfu3d34SafixO5Sizm4qT9c4jF0ju+mZMk:Wny/f9utISauqU9cU4u+uZ
Static task
static1
Behavioral task
behavioral1
Sample
20f0f8622c856bf79b4b4b740c4dbe961a04dc7a290d9375093eb0e7c01c9c6f.exe
Resource
win7-20240708-en
Behavioral task
behavioral2
Sample
20f0f8622c856bf79b4b4b740c4dbe961a04dc7a290d9375093eb0e7c01c9c6f.exe
Resource
win10v2004-20241007-en
Malware Config
Extracted
asyncrat
Default
127.0.0.1:6606
127.0.0.1:7707
127.0.0.1:8808
https://api.telegram.org/bot7386776614:AAE49J6grELkpFfFaKkddIuaU586DDiQPYY/sendMessage?chat_id=5373795817
AsyncMutex_6SI8OkPnk
-
delay
3
-
install
false
-
install_folder
%AppData%
Targets
-
StormKitty payload
-
Async RAT payload
-
Checks computer location settings
Looks up country code configured in the registry, likely geofence.
-
Executes dropped EXE
-
Loads dropped DLL
-
Drops desktop.ini file(s)
-
Legitimate hosting services abused for malware hosting/C2
-
Looks up external IP address via web service
Uses a legitimate IP lookup service to find the infected system's external IP.
-
Looks up geolocation information via web service
Uses a legitimate geolocation service to find the infected system's geolocation info.
-
MITRE ATT&CK Enterprise v15
Credential Access
Credentials from Password Stores: 1
Credentials from Web Browsers: 1
Unsecured Credentials: 1
Credentials In Files: 1