Extracted

• • Target

    Comcast.exe

  • Size

    559KB

  • MD5

    0f0e8dc6228e0872cce9bd634d7f3060

  • SHA1

    08216ff5c764989aa524d267fe57dd219d9a74e0

  • SHA256

    5319207eda6eec62c0d70cee548a2d0eab10ebb3f8e6bb8f721f8f83ec3f9ad4

  • SHA512

    c5eae41ab6af2a4be24aea9a9045852f06cfc07adfc76a2b7eeee530deb0d45eb2e81e886443575fb0a1d389c571642103c47a3c483fec73aedcdc45c7d75180

  • SSDEEP

    6144:k9wxDubaBBOBIIj6HLLYLCYJqvc1D6W5gDp/bzaXVHebdBwcDubaBBOBIIj6HLLo:kba/WKuVHAdB2ba4mky+o64k

  Score

  10^/10

  asyncratneshtastormkittydefaultdiscoverypersistenceprivilege_escalationratspywarestealer

  • AsyncRat

    AsyncRAT is designed to remotely monitor and control other computers written in C#.

    ratasyncrat

  • Asyncrat family

    asyncrat

  • Detect Neshta payload

  • Neshta

    Malware from the neshta family is designed to infect itself into other files to spread itself and cause damage.

    persistencespywareneshta

  • Neshta family

    neshta

  • StormKitty

    StormKitty is an open source info stealer written in C#.

    stealerstormkitty

  • StormKitty payload

  • Stormkitty family

    stormkitty

  • Async RAT payload

    rat

  • Checks computer location settings

    Looks up country code configured in the registry, likely geofence.

  • Executes dropped EXE

  • Loads dropped DLL

  • Modifies system executable filetype association

    persistence

  • Reads user/profile data of web browsers

    Infostealers often target stored browser data, which can include saved credentials etc.

    spywarestealer

  • Drops desktop.ini file(s)

  • Looks up external IP address via web service

    Uses a legitimate IP lookup service to find the infected system's external IP.

  • Looks up geolocation information via web service

    Uses a legitimate geolocation service to find the infected system's geolocation info.

  behavioral1behavioral2