General

  • Target

    NLBruteACTIVATEOR.exe

  • Size

    226KB

  • Sample

    241019-qemzyaxepf

  • MD5

    dbd8368aacabeb2f3007f2e41651e43e

  • SHA1

    fc83221eca35d6fe5e71d12caa63d6b19fc702b5

  • SHA256

    06da872afe3d9c80535c2fccdbe7054d299de1285cdf3666fa1a69a1a288c287

  • SHA512

    4580870152c081843e0d6de2d6ad6a7b4b6fda017b09722720bb87c3ca790765cf355a6abf20810217085d8dc00a6fc2fe517d069214f64387ad59880a632f32

  • SSDEEP

    3072:Z+STW8djpN6izj8mZw/Zf7/dFoUbBjXpW+WQwARPzjjyCYNMUL6+Wp0:m8XN6W8mm/VgUbfNBdnGd

Malware Config

Extracted

Family

asyncrat

Botnet

Default

C2

127.0.0.1:6606

127.0.0.1:7707

127.0.0.1:8808

https://api.telegram.org/bot5787513945:AAHk4B_J3fjaWnYKNH9snbwB6zLOSTidL0E/sendMessage?chat_id=5611920321

Mutex

AsyncMutex_6SI8OkPnk

Attributes

  • delay

    3

  • install

    false

  • install_folder

    %AppData%

aes.plain

Targets

    • Target

      NLBruteACTIVATEOR.exe

    • AsyncRat

      AsyncRAT, written in C#, is designed to remotely monitor and control other computers.

    • StormKitty

      StormKitty is an open source info stealer written in C#.

    • StormKitty payload

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials and similar sensitive data.

    • Drops desktop.ini file(s)

    • Looks up external IP address via web service

      Uses a legitimate IP lookup service to find the infected system's external IP.

    • Looks up geolocation information via web service

      Uses a legitimate geolocation service to find the infected system's geolocation info.

MITRE ATT&CK Enterprise v15

Tasks