General
-
Target
d321f75b27ffdadbe36f7f1a94727487e955a74ec629fdd054dec54e4b6fc87b
-
Size
7.8MB
-
Sample
240702-nffadatenr
-
MD5
6474262f1aa80327912862eb9f816fa9
-
SHA1
b2fdabb371ea4a23adae02e3aa939b13c948c03b
-
SHA256
d321f75b27ffdadbe36f7f1a94727487e955a74ec629fdd054dec54e4b6fc87b
-
SHA512
fbb8e81c8d87661899ee8b105a6065affcf7c2b53c6a9d5700b2030e1a63886aefb7d4875ebc837d91757d972767918037d50a7b5661257dd55ac9fdad388427
-
SSDEEP
98304:XTCadF2VfHNZO2ZoXYS185r8YRYUbMO1RnUEJXzPtPki6g7oayYHkqibu/0eBKR3:jc0MhC85r3uO1Z3JXLtPki63Kns/CY
Behavioral task
behavioral1
Sample
d321f75b27ffdadbe36f7f1a94727487e955a74ec629fdd054dec54e4b6fc87b.exe
Resource
win7-20240220-en
Behavioral task
behavioral2
Sample
d321f75b27ffdadbe36f7f1a94727487e955a74ec629fdd054dec54e4b6fc87b.exe
Resource
win10v2004-20240508-en
Malware Config
Extracted
asyncrat
Default
127.0.0.1:6606
127.0.0.1:7707
127.0.0.1:8808
https://api.telegram.org/bot6082381502:AAEEe5dVvSMdEf-_fKUh7iRqcNun3Q5DzxM/sendMessage?chat_id=5795480469
AsyncMutex_6SI8OkPnk
-
delay
3
-
install
false
-
install_folder
%AppData%
Targets
-
-
Target
d321f75b27ffdadbe36f7f1a94727487e955a74ec629fdd054dec54e4b6fc87b
-
Size
7.8MB
-
MD5
6474262f1aa80327912862eb9f816fa9
-
SHA1
b2fdabb371ea4a23adae02e3aa939b13c948c03b
-
SHA256
d321f75b27ffdadbe36f7f1a94727487e955a74ec629fdd054dec54e4b6fc87b
-
SHA512
fbb8e81c8d87661899ee8b105a6065affcf7c2b53c6a9d5700b2030e1a63886aefb7d4875ebc837d91757d972767918037d50a7b5661257dd55ac9fdad388427
-
SSDEEP
98304:XTCadF2VfHNZO2ZoXYS185r8YRYUbMO1RnUEJXzPtPki6g7oayYHkqibu/0eBKR3:jc0MhC85r3uO1Z3JXLtPki63Kns/CY
-
StormKitty payload
-
Async RAT payload
-
Downloads MZ/PE file
-
Drops file in Drivers directory
-
Checks computer location settings
Looks up country code configured in the registry, likely geofence.
-
Drops startup file
-
Executes dropped EXE
-
Loads dropped DLL
-
Adds Run key to start application
-
Drops desktop.ini file(s)
-
Legitimate hosting services abused for malware hosting/C2
-
Looks up external IP address via web service
Uses a legitimate IP lookup service to find the infected system's external IP.
-
Looks up geolocation information via web service
Uses a legitimate geolocation service to find the infected system's geolocation info.
-
Suspicious use of SetThreadContext
-
MITRE ATT&CK Matrix ATT&CK v13
Persistence
Boot or Logon Autostart Execution
1Registry Run Keys / Startup Folder
1Event Triggered Execution
1Netsh Helper DLL
1Scheduled Task/Job
1Scheduled Task
1Privilege Escalation
Boot or Logon Autostart Execution
1Registry Run Keys / Startup Folder
1Event Triggered Execution
1Netsh Helper DLL
1Scheduled Task/Job
1Scheduled Task
1