General

  • Target

    python-3.10.2-amd64.exe

  • Size

    26.9MB

  • Sample

    240707-tq96dsveqp

  • MD5

    2b4fd1ed6e736f0e65572da64c17e020

  • SHA1

    61cc3b53fe61260e1651320e67c7d64b5088ad31

  • SHA256

    42b181e9b5f424472212742a187260d4edc73b7683ae83460c974508130e08ad

  • SHA512

    670e830197cdf38d933b1b8d9a33c241c829947227e7b1357f7a5713c51cdd4b95012b4fbbfe1ca8db1fbef0d86db3a469dad0e73b56ffaf99674336f478446c

  • SSDEEP

    786432:IooshtMGBns3zIjuid7tTgjh7W3WktiMakFa:HoIMGBnsDIy0tTd37iB

Malware Config

Extracted

Family

asyncrat

Botnet

Default

C2

127.0.0.1:6606

127.0.0.1:7707

127.0.0.1:8808

https://api.telegram.org/bot5602729079:AAHue5HGrezQGgwKeWyn3WQgaqOZM5nlF_c/sendMessage?chat_id=6067717150

Mutex

AsyncMutex_6SI8OkPnk

Attributes

  • delay

    3

  • install

    false

  • install_folder

    %AppData%

aes.plain

Targets

    • AsyncRat

      AsyncRAT is a remote access tool written in C#, designed to remotely monitor and control other computers.

    • StormKitty

      StormKitty is an open source info stealer written in C#.

    • StormKitty payload

    • .NET Reactor protector

      Detects an executable protected by an unregistered version of Eziriz's .NET Reactor.

    • Drops desktop.ini file(s)

    • Legitimate hosting services abused for malware hosting/C2

    • Looks up external IP address via web service

      Uses a legitimate IP lookup service to find the infected system's external IP.

    • Looks up geolocation information via web service

      Uses a legitimate geolocation service to find the infected system's geolocation info.

    • Drops file in System32 directory

MITRE ATT&CK Matrix ATT&CK v13

  • Persistence

    Event Triggered Execution (1) T1546
    Netsh Helper DLL (1) T1546.007

  • Privilege Escalation

    Event Triggered Execution (1) T1546
    Netsh Helper DLL (1) T1546.007

  • Discovery

    Query Registry (3) T1012
    Peripheral Device Discovery (1) T1120
    System Information Discovery (2) T1082

  • Command and Control

    Web Service (1) T1102

Tasks