General

  • Target

    Infected.exe

  • Size

    63KB

  • Sample

    241020-1qvh9sscja

  • MD5

    e986330d6cfb70291985b064bcef56be

  • SHA1

    1daa9abaf721a997df355d091faadea3642bb671

  • SHA256

    efc1995469709c3c47b68816853480833240b5d455b975cd5dc1e13545ab3ea2

  • SHA512

    889556c410f3d8cdc9412e777d36f1feecc857fcfac4a5d7fee9eda2de3507e7cfeb4393d7e1ff70bb040b74b8eeb11fb07ffafd915ce0e6a711b986c98272a1

  • SSDEEP

    768:/LqvXPRKF4j7C78BIC8A+X+mazcBRL5JTk1+T4KSBGHmDbD/ph0oXfyq+SuodpqM:U/RKy7QxdSJYUbdh9qqJuodpqKmY7

Malware Config

Extracted

Family

asyncrat

Botnet

Default

C2

options-printing.gl.at.ply.gg:29154

Attributes
  • delay

    1

  • install

    true

  • install_file

    ppasshole.exe

  • install_folder

    %AppData%

aes.plain

Targets

    • Target

      Infected.exe

    • Size

      63KB

    • MD5

      e986330d6cfb70291985b064bcef56be

    • SHA1

      1daa9abaf721a997df355d091faadea3642bb671

    • SHA256

      efc1995469709c3c47b68816853480833240b5d455b975cd5dc1e13545ab3ea2

    • SHA512

      889556c410f3d8cdc9412e777d36f1feecc857fcfac4a5d7fee9eda2de3507e7cfeb4393d7e1ff70bb040b74b8eeb11fb07ffafd915ce0e6a711b986c98272a1

    • SSDEEP

      768:/LqvXPRKF4j7C78BIC8A+X+mazcBRL5JTk1+T4KSBGHmDbD/ph0oXfyq+SuodpqM:U/RKy7QxdSJYUbdh9qqJuodpqKmY7

    • AsyncRat

      AsyncRAT is designed to remotely monitor and control other computers written in C#.

    • Modifies Windows Defender Real-time Protection settings

    • Stealerium

      An open source info stealer written in C# first seen in May 2022.

    • StormKitty

      StormKitty is an open source info stealer written in C#.

    • StormKitty payload

    • Async RAT payload

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Executes dropped EXE

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials etc.

    • Windows security modification

    • Accesses Microsoft Outlook profiles

    • Looks up external IP address via web service

      Uses a legitimate IP lookup service to find the infected system's external IP.

    • Looks up geolocation information via web service

      Uses a legitimate geolocation service to find the infected system's geolocation info.

    • Command and Scripting Interpreter: PowerShell

      Start PowerShell.

MITRE ATT&CK Enterprise v15

Tasks