General

  • Target

    63dfd2f0813779a3096f254b87cc3c387789607859944dc7e4d3f8f1c0134b5a

  • Size

    175KB

  • Sample

    241017-2hv1ha1bka

  • MD5

    5456e7f2aef5ea5a24c332a045a4edbb

  • SHA1

    29a2af981548f7b7e0a4eca823cf82adcfed3163

  • SHA256

    63dfd2f0813779a3096f254b87cc3c387789607859944dc7e4d3f8f1c0134b5a

  • SHA512

    708687b75b350c7a03476916b0f9de6175e4a768f9d97408c33be71a6fb082b6b0658b805ab83b3721ef2a0278d63c791ab05a6bf5c29309c71d0d1f86f2faa3

  • SSDEEP

    3072:ie8p6ewdOIwQx76vK/bvTv0cU+lL/dMlZZUZ0b2gTjwARE+WpCc:S6ewwIwQJ6vKX0c5MlYZ0b2E

Malware Config

Extracted

Family

asyncrat

Botnet

Default

C2

127.0.0.1:6606

127.0.0.1:7707

127.0.0.1:8808

https://api.telegram.org/bot7592943357:AAEwrO84OcsUuhuM6bQVgP3G2yZhpjDxPus/sendMessage?chat_id=6316851492

Mutex

AsyncMutex_6SI8OkPnk

Attributes
  • delay

    3

  • install

    false

  • install_folder

    %AppData%

aes.plain

Targets

    • Target

      63dfd2f0813779a3096f254b87cc3c387789607859944dc7e4d3f8f1c0134b5a

    • Size

      175KB

    • MD5

      5456e7f2aef5ea5a24c332a045a4edbb

    • SHA1

      29a2af981548f7b7e0a4eca823cf82adcfed3163

    • SHA256

      63dfd2f0813779a3096f254b87cc3c387789607859944dc7e4d3f8f1c0134b5a

    • SHA512

      708687b75b350c7a03476916b0f9de6175e4a768f9d97408c33be71a6fb082b6b0658b805ab83b3721ef2a0278d63c791ab05a6bf5c29309c71d0d1f86f2faa3

    • SSDEEP

      3072:ie8p6ewdOIwQx76vK/bvTv0cU+lL/dMlZZUZ0b2gTjwARE+WpCc:S6ewwIwQJ6vKX0c5MlYZ0b2E

    • AsyncRat

      AsyncRAT is designed to remotely monitor and control other computers written in C#.

    • StormKitty

      StormKitty is an open source info stealer written in C#.

    • StormKitty payload

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials etc.

    • Drops desktop.ini file(s)

    • Legitimate hosting services abused for malware hosting/C2

    • Looks up external IP address via web service

      Uses a legitimate IP lookup service to find the infected system's external IP.

    • Looks up geolocation information via web service

      Uses a legitimate geolocation service to find the infected system's geolocation info.

MITRE ATT&CK Enterprise v15

Tasks