General
-
Target
Server.exe
-
Size
175KB
-
Sample
241123-epz7gaxqhw
-
MD5
bace9f15b0e425259da0470e7ffe5520
-
SHA1
15462fe47362ead5c1e1e43665dc439e6c218c7f
-
SHA256
f4000e61d9c5929e2eab12382d5624fac3f96d3c27c2e42c5f374cc457ee8b4f
-
SHA512
2e0d2c87de91ecd3b95c7c99b4951cfc4a244de04e0b14f364a447c57c51e4c3e15fa3726a26b96bf408cf4e8bd3ba5980f0f8acb2fa757c93ae73f711d8a832
-
SSDEEP
3072:6e8p6ewdOIwQx76vK/bvTv0cU+lL/dMlZZUZ0b2gTgFwARE+WpCc:K6ewwIwQJ6vKX0c5MlYZ0b27
Behavioral task
behavioral1
Sample
Server.exe
Resource
win7-20240903-en
Behavioral task
behavioral2
Sample
Server.exe
Resource
win10v2004-20241007-en
Malware Config
Extracted
asyncrat
Default
127.0.0.1:6606
127.0.0.1:7707
127.0.0.1:8808
https://api.telegram.org/bot7510720859:AAHJ07lkxNWZwwJs6SC36WS0jVG9IR6m3pM/sendMessage?chat_id=6059920057
AsyncMutex_6SI8OkPnk
-
delay
3
-
install
false
-
install_folder
%AppData%
Targets
-
-
Target
Server.exe
-
Size
175KB
-
MD5
bace9f15b0e425259da0470e7ffe5520
-
SHA1
15462fe47362ead5c1e1e43665dc439e6c218c7f
-
SHA256
f4000e61d9c5929e2eab12382d5624fac3f96d3c27c2e42c5f374cc457ee8b4f
-
SHA512
2e0d2c87de91ecd3b95c7c99b4951cfc4a244de04e0b14f364a447c57c51e4c3e15fa3726a26b96bf408cf4e8bd3ba5980f0f8acb2fa757c93ae73f711d8a832
-
SSDEEP
3072:6e8p6ewdOIwQx76vK/bvTv0cU+lL/dMlZZUZ0b2gTgFwARE+WpCc:K6ewwIwQJ6vKX0c5MlYZ0b27
-
Asyncrat family
-
StormKitty payload
-
Stormkitty family
-
A potential corporate email address has been identified in the URL: WorldWindProResultsDate2024112340755AMSystemWindows10Pro64BitUsernameAdminCompNameOFGADUSELanguageenUSAntivirusNotinstalledHardwareCPU12thGenIntelRCoreTMi512400GPUMicrosoftBasicDisplayAdapterRAM16154MBHWIDUnknownPowerNoSystemBattery1Screen1280x720NetworkGatewayIP10.127.0.1InternalIP10.127.0.240ExternalIP181.215.176.83BSSID5658e1331443DomainsinfoBankLogsNodataCryptoLogsNodataFreakyLogsNodataLogsBookmarks5SoftwareDeviceWindowsproductkeyDesktopscreenshotFileGrabberDatabasefiles6TelegramChannel@XSplinter
-
Drops desktop.ini file(s)
-
Legitimate hosting services abused for malware hosting/C2
-
Looks up external IP address via web service
Uses a legitimate IP lookup service to find the infected system's external IP.
-
Looks up geolocation information via web service
Uses a legitimate geolocation service to find the infected system's geolocation info.
-
MITRE ATT&CK Enterprise v15
Credential Access
Credentials from Password Stores
1Credentials from Web Browsers
1Unsecured Credentials
1Credentials In Files
1