Overview
overview
10Static
static
3Rebel/Bin/...or.exe
windows7-x64
5Rebel/Bin/...or.exe
windows10-2004-x64
5Rebel/Bin/Rebel.dll
windows7-x64
1Rebel/Bin/Rebel.dll
windows10-2004-x64
1Rebel/Fast...ox.dll
windows7-x64
1Rebel/Fast...ox.dll
windows10-2004-x64
1Rebel/Rebe...ed.exe
windows7-x64
10Rebel/Rebe...ed.exe
windows10-2004-x64
10Rebel/Syst...om.dll
windows7-x64
1Rebel/Syst...om.dll
windows10-2004-x64
1General
-
Target
Rebel.7z
-
Size
8.1MB
-
Sample
241201-thcvxszncn
-
MD5
4a8429dd823216bda95f67f85483a8d9
-
SHA1
77640784d85848c945820d37794839f346f138d2
-
SHA256
cef9230ad3111e4a233e61b49ac977d4d25849061a90b05c3e7d6f308022b4de
-
SHA512
1d4d41cee280c62657b17c2ddc11fc7ce6bab42204d94fe05eed263d139765c19dfd16f2fde4b4e5e8b925c39945c3208600a2bfad941e4723d3bfeb7c30b91a
-
SSDEEP
196608:15bVwZ4n4D4PLSFpJah2Hc4sEYcGijKseRAKvpZheSaE:155EAWpSt/DcFjqRAKvnhpd
Static task
static1
Behavioral task
behavioral1
Sample
Rebel/Bin/Injector.exe
Resource
win7-20240903-en
Behavioral task
behavioral2
Sample
Rebel/Bin/Injector.exe
Resource
win10v2004-20241007-en
Behavioral task
behavioral3
Sample
Rebel/Bin/Rebel.dll
Resource
win7-20240903-en
Behavioral task
behavioral4
Sample
Rebel/Bin/Rebel.dll
Resource
win10v2004-20241007-en
Behavioral task
behavioral5
Sample
Rebel/FastColoredTextBox.dll
Resource
win7-20240903-en
Behavioral task
behavioral6
Sample
Rebel/FastColoredTextBox.dll
Resource
win10v2004-20241007-en
Behavioral task
behavioral7
Sample
Rebel/RebelCracked.exe
Resource
win7-20241023-en
Behavioral task
behavioral8
Sample
Rebel/RebelCracked.exe
Resource
win10v2004-20241007-en
Behavioral task
behavioral9
Sample
Rebel/System.CodeDom.dll
Resource
win7-20240903-en
Behavioral task
behavioral10
Sample
Rebel/System.CodeDom.dll
Resource
win10v2004-20241007-en
Malware Config
Extracted
asyncrat
Default
127.0.0.1:6606
127.0.0.1:7707
127.0.0.1:8808
AsyncMutex_6SI8OkPnk
-
delay
3
-
install
false
-
install_folder
%AppData%
Targets
-
-
Target
Rebel/Bin/Injector.exe
-
Size
4.8MB
-
MD5
8da7ffaee1e5988d56e536d37a5e5d7d
-
SHA1
ed799e5ec866ec3dff0bffb306de4b1ab2ca2361
-
SHA256
7450c90fad1d9ed73652c7fee391adb41ee2c62d5d43f3bdcab945e3fdec5485
-
SHA512
34579bfbee7ec802322b12cc91276dc440d2df63d8e02b55ec303a19b4a198810a97157cf82739d0c30a509928d797142cee133aec994f0c8f5c58c5a6aebd16
-
SSDEEP
98304:2sscM3M0egRUUYdiVF0Zx5NMEuRdvwp1cpY1t83Szkkak0jIiGELfHNz:Vrf0egyUKiVF0rF+dmcQtQSzkkakuR7V
Score5/10-
Suspicious use of NtSetInformationThreadHideFromDebugger
-
-
-
Target
Rebel/Bin/Rebel.dll
-
Size
8.6MB
-
MD5
660d2429fc5f088bd197fb0958303936
-
SHA1
4189d1ba115f9e00caceb286f22655c6988e1eb6
-
SHA256
c9b95b9204234edfab46912d21953e3a6985a6b7d50c4fd63372e3d5361c7f3d
-
SHA512
9875fff045460f77dfc21cecd1de326d67778efd12fe8f53fc09bacfec807a9309752ed4bbb23653060fbee9152dd7c9a9bfda3a0c13c0375a1db932a02a197d
-
SSDEEP
98304:kz+S5QwKbQLCsjIpdUqsQf3/sfRMyxl5dn5Sz29f49EzFgfVp+t:WrS2LXjIpyDS3/0aWfmC
Score1/10 -
-
-
Target
Rebel/FastColoredTextBox.dll
-
Size
323KB
-
MD5
8610f4d3cdc6cc50022feddced9fdaeb
-
SHA1
4b60b87fd696b02d7fce38325c7adfc9e806f650
-
SHA256
ac926c92ccfc3789a5ae571cc4415eb1897d500a79604d8495241c19acdf01b9
-
SHA512
693d1af1f89470eab659b4747fe344836affa0af8485b0c0635e2519815e5a498f4618ea08db9dcf421aac1069a04616046207ee05b9ed66c0a1c4a8f0bddd09
-
SSDEEP
6144:0R0J4lx4/7BA4xvNdcwCOg04j0y5mwZkdmsqmLDi5eNH+Dl1SIP0:0R0J48lAovNd7CO34D4b4eNO
Score1/10 -
-
-
Target
Rebel/RebelCracked.exe
-
Size
344KB
-
MD5
a84fd0fc75b9c761e9b7923a08da41c7
-
SHA1
2597048612041cd7a8c95002c73e9c2818bb2097
-
SHA256
9d9a79f4ae9bf7a992945f6c06c5bec642c05e4e828217c50255dabfa3677006
-
SHA512
a17f1144a0e3ce07c7ed6891987c5b969f291e9991442c33750028d35e2194794e8a649c397e8afc9f8ce19d485c453600c75cab4fcead09e38414d85819251a
-
SSDEEP
6144:lOcpeK8lucxAtLNFHUVuI/2zj1z6jZ755NofmWx4PCQL23wBw7R0ljTwrVuAdJKp:QcpSnx0LNFDQ60Ntbo5d7gBw7R7rbdJk
-
Asyncrat family
-
StormKitty payload
-
Stormkitty family
-
Checks computer location settings
Looks up country code configured in the registry, likely geofence.
-
Executes dropped EXE
-
Loads dropped DLL
-
Drops desktop.ini file(s)
-
Legitimate hosting services abused for malware hosting/C2
-
Looks up external IP address via web service
Uses a legitimate IP lookup service to find the infected system's external IP.
-
Looks up geolocation information via web service
Uses a legitimate geolocation service to find the infected system's geolocation info.
-
Suspicious use of SetThreadContext
-
-
-
Target
Rebel/System.CodeDom.dll
-
Size
30KB
-
MD5
59c830ac0d99f8c906292de85f804b84
-
SHA1
68b6740e6ce97de8b1398f3a6e320940a0e16458
-
SHA256
e8c88b0448083663910587efeacb6a1977749fe3ffe83b263fc01f7b63d7dfd2
-
SHA512
4028fa6b68eb3a48bb9625e6755c8e3022283694bb603905af3db54c31bc2f7291aec11f7c42a033703f84c3ff265a19416eb8798058cc42ee3c14c633e9588f
-
SSDEEP
384:FuE8ujCiLMTPji3h8241EEqYC0iIcwBxehzsCtZ7U6r1fDMqyt5/WduWTTb2HRNq:FDBCi4TWaveEqYChzZpgRoj/iP9zgBV
Score1/10 -
MITRE ATT&CK Enterprise v15
Credential Access
Credentials from Password Stores
1Credentials from Web Browsers
1Unsecured Credentials
1Credentials In Files
1