Extracted

• • Target

    95f4403c67475746690d2dd308a51193d17d424f974cfe8f8eb4ab436c14bde3

  • Size

    192KB

  • MD5

    b5df32f1b9e18ed212c0a4ee337936cf

  • SHA1

    bc8a6c9773d41252ecce5d7302b41a66a6585f45

  • SHA256

    95f4403c67475746690d2dd308a51193d17d424f974cfe8f8eb4ab436c14bde3

  • SHA512

    cdf102f6d2ac3bd9c6d0e8582a1f208622132fea984c5359e01a0ced939946bbd76f183d828f9cfec4a364334148a5ec68843ebe6390ebb632da5f0425cb69f9

  • SSDEEP

    3072:a1BDU4yRhDeFidbfRbTFlSC5oNMa/6yEtyQTefQ+vw/IqlLxXL+LRIHNM9LPsZ:aD/CeUNdFlScoN/xEtyBelLg9IHW9LP

  Score

  10^/10

  asyncratstormkittydefaultdiscoveryexecutionpersistenceprivilege_escalationratspywarestealer

  • AsyncRat

    AsyncRAT is designed to remotely monitor and control other computers written in C#.

    ratasyncrat

  • Asyncrat family

    asyncrat

  • StormKitty

    StormKitty is an open source info stealer written in C#.

    stealerstormkitty

  • StormKitty payload

  • Stormkitty family

    stormkitty

  • Async RAT payload

    rat

  • Command and Scripting Interpreter: PowerShell

    Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

    execution

  • Checks computer location settings

    Looks up country code configured in the registry, likely geofence.

  • Executes dropped EXE

  • Reads user/profile data of web browsers

    Infostealers often target stored browser data, which can include saved credentials etc.

    spywarestealer

  • Drops desktop.ini file(s)

  • Legitimate hosting services abused for malware hosting/C2

  • Looks up external IP address via web service

    Uses a legitimate IP lookup service to find the infected system's external IP.

  • Looks up geolocation information via web service

    Uses a legitimate geolocation service to find the infected system's geolocation info.

  behavioral1behavioral2