General

  • Target

    WorldWindClient.zip

  • Size

    79KB

  • Sample

    250221-q6j3cstkcj

  • MD5

    ecaaafbcfae1134feaff059b51747080

  • SHA1

    d8230e6f742840a7e657f2cf3beaa99082bbed4b

  • SHA256

    210039a7541469a0c16e58bab514a46e7dcbd9477561ddd87c74ca3a2bf9f56c

  • SHA512

    c3d630b80a9b822ca140040c64bcaaa92de706baa61032c655fc0cc747038535e85d69f3fa1699ec5c575c781cbe577f91164fbf135eba4d76f153a1b6a88cf3

  • SSDEEP

    1536:/jX9Uy5liR2gIq1Wldok979DU+qlk5wOF1ZZwXqAnYEAyvRvYHUZ4QKaWjLXKXYX:/95lnfSWlJxDr5wOF3DyvhYH+47/KXYX

Malware Config

Extracted

Family

asyncrat

Botnet

Default

C2

127.0.0.1:6606

127.0.0.1:7707

127.0.0.1:8808

https://api.telegram.org/bot5643956199:AAEDZ9-VVWIakGscdtOjNw0Ko3RTPrSgVpc/sendMessage?chat_id=1490686308

Mutex

AsyncMutex_6SI8OkPnk

Attributes
  • delay

    3

  • install

    false

  • install_folder

    %AppData%

aes.plain

Targets

    • Target

      WorldWindClient.exe

    • Size

      170KB

    • MD5

      c4eced1e43e2c360d928449132c948b9

    • SHA1

      6cd3c79209cae7dcc8cdb7d699474154bd1e7924

    • SHA256

      cf5b955e938443cc0f2832d3e4fc91c8e3b12e8eed06d8da8ef90f3edcaf38e4

    • SHA512

      82b2ce6c2cd628327d64acd4c25402f686ead1fb26974b695fe82af44fb4d89b9f1df84ea205800f2aabb20c405e48fb04ed5a4e824751a98fa4f4707c755608

    • SSDEEP

      3072:++STW8djpN6izj8mZwdJqutB+YDpqIPu/i9bVK2cSJn6+Wp7:j8XN6W8mmHPtppXPSi9b48J

    • AsyncRat

      AsyncRAT, written in C#, is designed to remotely monitor and control other computers.

    • Asyncrat family

    • StormKitty

      StormKitty is an open source info stealer written in C#.

    • StormKitty payload

    • Stormkitty family

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials, etc.

    • Drops desktop.ini file(s)

    • Looks up external IP address via web service

      Uses a legitimate IP lookup service to find the infected system's external IP.

    • Looks up geolocation information via web service

      Uses a legitimate geolocation service to find the infected system's geolocation info.

MITRE ATT&CK Enterprise v15

Tasks