General

  • Target

    b2134a23d541a433c13f8b610c6fe0f79e4977f2a3cf4fdd32c2073771f212bcN.exe

  • Size

    175KB

  • Sample

    241126-as3pjstrgy

  • MD5

    5a2a4482663e7e3de7b68e8a0ee24a80

  • SHA1

    85ce16c42d7aa4aa2bf031c055d31903c524cd53

  • SHA256

    b2134a23d541a433c13f8b610c6fe0f79e4977f2a3cf4fdd32c2073771f212bc

  • SHA512

    de3d9cb013504d1dec053a3cd7492e33798c96c4b482f917d57c792155cf7da1788f49e25afd7606d4e5d9abc1866864e0072b08a9e00adafbb3ad9f3f4ad11d

  • SSDEEP

    3072:Ne8p6ewdOIwQx76vK/bvTv0cU+lL/dMlZZUZ0b2gTIwARE+WpCc:R6ewwIwQJ6vKX0c5MlYZ0b2J

Malware Config

Extracted

Family

asyncrat

Botnet

Default

C2

127.0.0.1:6606

127.0.0.1:7707

127.0.0.1:8808

Mutex

AsyncMutex_6SI8OkPnk

Attributes

  • delay

    3

  • install

    false

  • install_folder

    %AppData%

aes.plain

Targets

    • Target

      b2134a23d541a433c13f8b610c6fe0f79e4977f2a3cf4fdd32c2073771f212bcN.exe

    • Size

      175KB

    • MD5

      5a2a4482663e7e3de7b68e8a0ee24a80

    • SHA1

      85ce16c42d7aa4aa2bf031c055d31903c524cd53

    • SHA256

      b2134a23d541a433c13f8b610c6fe0f79e4977f2a3cf4fdd32c2073771f212bc

    • SHA512

      de3d9cb013504d1dec053a3cd7492e33798c96c4b482f917d57c792155cf7da1788f49e25afd7606d4e5d9abc1866864e0072b08a9e00adafbb3ad9f3f4ad11d

    • SSDEEP

      3072:Ne8p6ewdOIwQx76vK/bvTv0cU+lL/dMlZZUZ0b2gTIwARE+WpCc:R6ewwIwQJ6vKX0c5MlYZ0b2J

    • AsyncRat

      AsyncRAT is a remote access tool written in C# that is designed to remotely monitor and control other computers.

    • Asyncrat family

    • StormKitty

      StormKitty is an open source info stealer written in C#.

    • StormKitty payload

    • Stormkitty family

    • A potential corporate email address has been identified in the URL: WorldWindProResultsDate20241126122928AMSystemWindows10Pro64BitUsernameAdminCompNameUTKBEBLOLanguageenUSAntivirusNotinstalledHardwareCPU12thGenIntelRCoreTMi512400GPUMicrosoftBasicDisplayAdapterRAM16154MBHWIDUnknownPowerNoSystemBattery1Screen1280x720NetworkGatewayIP10.127.0.1InternalIP10.127.1.105ExternalIP181.215.176.83BSSID366cad25ded8DomainsinfoBankLogsNodataCryptoLogsNodataFreakyLogsNodataLogsBookmarks5SoftwareDeviceWindowsproductkeyDesktopscreenshotFileGrabberDatabasefiles6TelegramChannel@XSplinter

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials etc.

    • Drops desktop.ini file(s)

    • Legitimate hosting services abused for malware hosting/C2

    • Looks up external IP address via web service

      Uses a legitimate IP lookup service to find the infected system's external IP.

    • Looks up geolocation information via web service

      Uses a legitimate geolocation service to find the infected system's geolocation info.

MITRE ATT&CK Enterprise v15

Tasks