General

  • Target

    20f0f8622c856bf79b4b4b740c4dbe961a04dc7a290d9375093eb0e7c01c9c6f

  • Size

    741KB

  • Sample

    241013-x9ck1syelq

  • MD5

    49a235f58aa7c4ee39535a7f81e67bea

  • SHA1

    39a0ff2c70e01ec04d4ea45b19ccad37615446d9

  • SHA256

    20f0f8622c856bf79b4b4b740c4dbe961a04dc7a290d9375093eb0e7c01c9c6f

  • SHA512

    d53fe2cd7e49a844a8dfd09f8dd673e85fd50670b36d2668dffa5449d3e49a6ae369ddf1082097bd3a93d8a1b214a2028b0a2ea3d06c758690a25b16ae5578e3

  • SSDEEP

    12288:Z0nyfXuIBDtfu3d34SafixO5Sizm4qT9c4jF0ju+mZMk:Wny/f9utISauqU9cU4u+uZ

Malware Config

Extracted

Family

asyncrat

Botnet

Default

C2

127.0.0.1:6606

127.0.0.1:7707

127.0.0.1:8808

https://api.telegram.org/bot7386776614:AAE49J6grELkpFfFaKkddIuaU586DDiQPYY/sendMessage?chat_id=5373795817

Mutex

AsyncMutex_6SI8OkPnk

Attributes
  • delay

    3

  • install

    false

  • install_folder

    %AppData%

aes.plain

Targets

    • Target

      20f0f8622c856bf79b4b4b740c4dbe961a04dc7a290d9375093eb0e7c01c9c6f

    • Size

      741KB

    • MD5

      49a235f58aa7c4ee39535a7f81e67bea

    • SHA1

      39a0ff2c70e01ec04d4ea45b19ccad37615446d9

    • SHA256

      20f0f8622c856bf79b4b4b740c4dbe961a04dc7a290d9375093eb0e7c01c9c6f

    • SHA512

      d53fe2cd7e49a844a8dfd09f8dd673e85fd50670b36d2668dffa5449d3e49a6ae369ddf1082097bd3a93d8a1b214a2028b0a2ea3d06c758690a25b16ae5578e3

    • SSDEEP

      12288:Z0nyfXuIBDtfu3d34SafixO5Sizm4qT9c4jF0ju+mZMk:Wny/f9utISauqU9cU4u+uZ

    • AsyncRat

      AsyncRAT is designed to remotely monitor and control other computers written in C#.

    • StormKitty

      StormKitty is an open source info stealer written in C#.

    • StormKitty payload

    • Async RAT payload

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Executes dropped EXE

    • Loads dropped DLL

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials etc.

    • Drops desktop.ini file(s)

    • Legitimate hosting services abused for malware hosting/C2

    • Looks up external IP address via web service

      Uses a legitimate IP lookup service to find the infected system's external IP.

    • Looks up geolocation information via web service

      Uses a legitimate geolocation service to find the infected system's geolocation info.

MITRE ATT&CK Enterprise v15

Tasks