Overview

overview

10

Static

static

1

po.bat

windows7-x64

6

po.bat

windows10-2004-x64

10

Sharing

Copy URL
Twitter E-mail

General

  • Target

    po.bat

  • Size

    345KB

  • Sample

    241231-tr6vcs1kgl

  • MD5

    25be610e8e3814d3a218e6ab74513af2

  • SHA1

    e94d8a8adbf9b42ee206ae0cea46b2d24225e9fc

  • SHA256

    b1d4310181ae2f48593c1fe2c68f71e6dd39c5f64254fd21304debb944bd1b11

  • SHA512

    201988cc2a36782c841e258160df4ec8d6ecafb8534d2868edbfd827de10e671b38df849f7c97686201fe0d6fb69d147d42b642f4cb6224705eb2a586b2c0235

  • SSDEEP

    6144:GR5FF+fw1uneHT10sG94hEHdiYOGgmNUgd/RZkOXTGKiTGtiIljFiqzpQJK:05j1unET1zG4E9FgmNUgd/PkOXniTeQw

Score
10/10
asyncratstormkittydefaultdiscoveryexecutionpersistencephishingprivilege_escalationratstealer

Malware Config

Extracted

Family

asyncrat

Botnet

Default

C2

127.0.0.1:6606

127.0.0.1:7707

127.0.0.1:8808

https://api.telegram.org/bot7783849752:AAGmjKBCU097MimSymLmRKxeBKFEEvQt3kM/sendMessage?chat_id=6795436266
Mutex

AsyncMutex_6SI8OkPnk

Attributes
  • delay

    3

  • install

    false

  • install_folder

    %AppData%

aes.plain

Targets

    • Target

      po.bat

    • Size

      345KB

    • MD5

      25be610e8e3814d3a218e6ab74513af2

    • SHA1

      e94d8a8adbf9b42ee206ae0cea46b2d24225e9fc

    • SHA256

      b1d4310181ae2f48593c1fe2c68f71e6dd39c5f64254fd21304debb944bd1b11

    • SHA512

      201988cc2a36782c841e258160df4ec8d6ecafb8534d2868edbfd827de10e671b38df849f7c97686201fe0d6fb69d147d42b642f4cb6224705eb2a586b2c0235

    • SSDEEP

      6144:GR5FF+fw1uneHT10sG94hEHdiYOGgmNUgd/RZkOXTGKiTGtiIljFiqzpQJK:05j1unET1zG4E9FgmNUgd/PkOXniTeQw

    Score
    10/10
    executionasyncratstormkittydefaultdiscoverypersistencephishingprivilege_escalationratstealer

    • AsyncRat

      AsyncRAT is designed to remotely monitor and control other computers written in C#.

      ratasyncrat

    • Asyncrat family

      asyncrat

    • StormKitty

      StormKitty is an open source info stealer written in C#.

      stealerstormkitty

    • StormKitty payload

    • Stormkitty family

      stormkitty

    • Async RAT payload

      rat

    • Blocklisted process makes network request

    • Command and Scripting Interpreter: PowerShell

      Run Powershell and hide display window.

      execution

    • A potential corporate email address has been identified in the URL: WorldWindProResultsDate2024123141846PMSystemWindows10Pro64BitUsernameAdminCompNameYQRLKYONLanguageenUSAntivirusNotinstalledHardwareCPU12thGenIntelRCoreTMi512400GPUMicrosoftBasicDisplayAdapterRAM16154MBHWIDUnknownPowerNoSystemBattery1Screen1280x720NetworkGatewayIP10.127.0.1InternalIP10.127.0.109ExternalIP181.215.176.83BSSID8e68fccec388DomainsinfoBankLogsNodataCryptoLogsNodataFreakyLogsNodataLogsBookmarks5SoftwareDeviceWindowsproductkeyDesktopscreenshotFileGrabberDatabasefiles6TelegramChannel@XSplinter

      phishing

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Command and Scripting Interpreter: PowerShell

      Using powershell.exe command.

      execution

    • Drops desktop.ini file(s)

    • Legitimate hosting services abused for malware hosting/C2

    • Looks up external IP address via web service

      Uses a legitimate IP lookup service to find the infected system's external IP.

    • Looks up geolocation information via web service

      Uses a legitimate geolocation service to find the infected system's geolocation info.

    behavioral1behavioral2

MITRE ATT&CK Enterprise v15

Tasks