Overview

overview

10

Static

static

1

CONTRACT_A...DF.bat

windows7-x64

10

CONTRACT_A...DF.bat

windows10-2004-x64

10

Sharing

Copy URL
Twitter E-mail

General

  • Target

    06022025_1532_CONTRACT_AGREEMENT_PAYMENT_0037836589337_PDF.bat.zip

  • Size

    448B

  • Sample

    250206-syvv1ayngz

  • MD5

    38fb5c76bb23b44fca20d946df317cf1

  • SHA1

    4cc88ee4536c2ad4dbd730350f5007b7506f8599

  • SHA256

    f37ba407b41367f79349f837edbac14fde9f9e5b0f4f7a2e8363186788c8c9fb

  • SHA512

    39cd13f5c1bfa067e4a67eeecabe76d69072a5e8629f9410c3ed0dc0c755db6d14611a6741df922ce632bcad33aaddc48fa98bbf0df29367b7b4325fb2fab709

Score
10/10
asyncratstormkittydefaultdiscoveryexecutionpersistenceprivilege_escalationpyinstallerratspywarestealer

Malware Config

Extracted

Language
ps1
Deobfuscated
URLs
exe.dropper

https://igorbende.online/Main/Invoice.exe

Extracted

Family

asyncrat

Botnet

Default

C2

127.0.0.1:6606

127.0.0.1:7707

127.0.0.1:8808

https://api.telegram.org/bot7510448331:AAHCytY6_57dVl2jrU6mtcIyGbcE2spzJjg/sendMessage?chat_id=7068400419
Mutex

AsyncMutex_6SI8OkPnk

Attributes
  • delay

    3

  • install

    false

  • install_folder

    %AppData%

aes.plain

Targets

    • Target

      CONTRACT_AGREEMENT_PAYMENT_0037836589337_PDF.bat

    • Size

      349B

    • MD5

      512ff935108c90d1338702a7af2d56f7

    • SHA1

      fc9a789bd4811be4dffc04c9475daaad3413e546

    • SHA256

      de11223dc99c7be3dab1e860b3c582a138432cf6d234ba335a1f51bd95894579

    • SHA512

      6f8c350373e660c0546578039ccf20399ac7fe1eb4037e75124ac6dfbf2e555ffabe0550883bb3a83d7c7665d716bfc9ab379acd7baf559e747eba195da7461f

    Score
    10/10
    executionasyncratstormkittydefaultdiscoverypersistenceprivilege_escalationpyinstallerratspywarestealer

    • AsyncRat

      AsyncRAT is designed to remotely monitor and control other computers written in C#.

      ratasyncrat

    • Asyncrat family

      asyncrat

    • StormKitty

      StormKitty is an open source info stealer written in C#.

      stealerstormkitty

    • StormKitty payload

    • Stormkitty family

      stormkitty

    • Async RAT payload

      rat

    • Blocklisted process makes network request

    • Downloads MZ/PE file

    • Executes dropped EXE

    • Loads dropped DLL

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials etc.

      spywarestealer

    • Command and Scripting Interpreter: PowerShell

      Using powershell.exe command.

      execution

    • Drops desktop.ini file(s)

    • Legitimate hosting services abused for malware hosting/C2

    • Looks up external IP address via web service

      Uses a legitimate IP lookup service to find the infected system's external IP.

    • Looks up geolocation information via web service

      Uses a legitimate geolocation service to find the infected system's geolocation info.

    behavioral1behavioral2

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

1
T1059

PowerShell

1
T1059.001

Persistence

Event Triggered Execution

1
T1546

Netsh Helper DLL

1
T1546.007

Privilege Escalation

Event Triggered Execution

1
T1546

Netsh Helper DLL

1
T1546.007

Defense Evasion

Credential Access

Credentials from Password Stores

1
T1555

Credentials from Web Browsers

1
T1555.003

Unsecured Credentials

1
T1552

Credentials In Files

1
T1552.001

Discovery

Browser Information Discovery

1
T1217

Query Registry

1
T1012

System Information Discovery

1
T1082

System Location Discovery

1
T1614

System Language Discovery

1
T1614.001

System Network Configuration Discovery

1
T1016

Wi-Fi Discovery

1
T1016.002

Lateral Movement

Collection

Data from Local System

1
T1005

Command and Control

Web Service

1
T1102

Exfiltration

Impact

Tasks