General

Target: 09dcf54c74a3669c9cd811df04f84601c723a7e7457b414e15a842192b8df669.exe
Size: 514KB
Sample: 240702-begqla1blf
MD5: 395c4070233d059b2f1661fbdc6af0b4
SHA1: c4e8741e9c21d4a5d9a45138232da82c751cc390
SHA256: 09dcf54c74a3669c9cd811df04f84601c723a7e7457b414e15a842192b8df669
SHA512: b3214c512ad6cde7f64ec1d9e8fab416917a248e77268f8516505d8f319168445e184c0182679ed8fdbc967fb6cb94b4e4fc4e2a760bc0f50aa154da81d6b3b9
SSDEEP: 12288:IOK+cDtCaKVvTkLsDSdWg51DKWpw06aioXy3FMk:xGAZVL1D5W2Hckmk
Static task: static1

Behavioral task: behavioral1
Sample: 09dcf54c74a3669c9cd811df04f84601c723a7e7457b414e15a842192b8df669.exe
Resource: win7-20240220-en

Behavioral task: behavioral2
Sample: 09dcf54c74a3669c9cd811df04f84601c723a7e7457b414e15a842192b8df669.exe
Resource: win10v2004-20240611-en
Malware Config

Extracted: asyncrat
Default
- 127.0.0.1:6606
- 127.0.0.1:7707
- 127.0.0.1:8808
- https://api.telegram.org/bot7322917184:AAEZSbuOE5wiEr26jHjFYvUlp0J9RAox2lU/sendMessage?chat_id=5635047295
- AsyncMutex_6SI8OkPnk
- delay: 3
- install: false
- install_folder: %AppData%
Targets

Target: 09dcf54c74a3669c9cd811df04f84601c723a7e7457b414e15a842192b8df669.exe
Size: 514KB
MD5: 395c4070233d059b2f1661fbdc6af0b4
SHA1: c4e8741e9c21d4a5d9a45138232da82c751cc390
SHA256: 09dcf54c74a3669c9cd811df04f84601c723a7e7457b414e15a842192b8df669
SHA512: b3214c512ad6cde7f64ec1d9e8fab416917a248e77268f8516505d8f319168445e184c0182679ed8fdbc967fb6cb94b4e4fc4e2a760bc0f50aa154da81d6b3b9
SSDEEP: 12288:IOK+cDtCaKVvTkLsDSdWg51DKWpw06aioXy3FMk:xGAZVL1D5W2Hckmk

- StormKitty payload
- Drops desktop.ini file(s)
- Legitimate hosting services abused for malware hosting/C2
- Looks up external IP address via web service: uses a legitimate IP lookup service to find the infected system's external IP.
- Looks up geolocation information via web service: uses a legitimate geolocation service to find the infected system's geolocation info.
- Suspicious use of SetThreadContext