asyncrat | 407f8e8ab8d4141df81d49cbb94e54ec89c80cd76ca0fa23b1bb2aa0ba74b0dc

General

Target

Swift-PaymentInvoice20220331_pdf.exe
Size

520KB
MD5

72a9bcce9a210198f0d6a679b5bca7e4
SHA1

d19326cef0a76c63343fb2a762331639ed6617c2
SHA256

407f8e8ab8d4141df81d49cbb94e54ec89c80cd76ca0fa23b1bb2aa0ba74b0dc
SHA512

ec190a3a1a887f8c4cd4863c671c5da20cc24ce6cb3ed14320a07e8e0318da7833bf882843175ea6cfe29a333839adca6f2bf4c606cba2ba0a7a012bb27824c6

Score

10^/10

asyncrat stormkitty persistence rat spyware stealer

Malware Config

Signatures

AsyncRat
AsyncRAT is designed to remotely monitor and control other computers.
rat asyncrat
StormKitty
StormKitty is an open source info stealer written in C#.
stealer stormkitty

StormKitty Payload 4 IoCs

Processes:

resource	yara_rule
behavioral1/memory/1996-63-0x0000000000400000-0x000000000044B000-memory.dmp	family_stormkitty
behavioral1/memory/1996-64-0x000000000040188B-mapping.dmp	family_stormkitty
behavioral1/memory/1996-68-0x0000000000400000-0x000000000044B000-memory.dmp	family_stormkitty
behavioral1/memory/1996-69-0x00000000002D0000-0x0000000000300000-memory.dmp	family_stormkitty

Async RAT payload 4 IoCs

rat

Processes:

resource	yara_rule
behavioral1/memory/1996-63-0x0000000000400000-0x000000000044B000-memory.dmp	asyncrat
behavioral1/memory/1996-64-0x000000000040188B-mapping.dmp	asyncrat
behavioral1/memory/1996-68-0x0000000000400000-0x000000000044B000-memory.dmp	asyncrat
behavioral1/memory/1996-69-0x00000000002D0000-0x0000000000300000-memory.dmp	asyncrat

Executes dropped EXE 2 IoCs

Processes:

mzdtplptw.exemzdtplptw.exe

pid process

1976 mzdtplptw.exe
1996 mzdtplptw.exe
Loads dropped DLL 2 IoCs

Processes:

Swift-PaymentInvoice20220331_pdf.exemzdtplptw.exe

pid process

628 Swift-PaymentInvoice20220331_pdf.exe
1976 mzdtplptw.exe
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081

pid	process
1976	mzdtplptw.exe
1996	mzdtplptw.exe

pid	process
628	Swift-PaymentInvoice20220331_pdf.exe
1976	mzdtplptw.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

mzdtplptw.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-2199625441-3471261906-229485034-1000\Software\Microsoft\Windows\CurrentVersion\Run\cicc = "C:\\Users\\Admin\\AppData\\Roaming\\atet\\pbfpgpqobh.exe"	mzdtplptw.exe

Drops desktop.ini file(s) 7 IoCs

Processes:

mzdtplptw.exe

description	ioc	process
File opened for modification	C:\Users\Admin\AppData\Local\644704d6c70ca67ff04aa800a37d4ce5\Admin@DRLQIXCW_en-US\Grabber\DRIVE-C\Users\Admin\Downloads\desktop.ini	mzdtplptw.exe
File created	C:\Users\Admin\AppData\Local\644704d6c70ca67ff04aa800a37d4ce5\Admin@DRLQIXCW_en-US\Grabber\DRIVE-C\Users\Admin\Pictures\desktop.ini	mzdtplptw.exe
File created	C:\Users\Admin\AppData\Local\644704d6c70ca67ff04aa800a37d4ce5\Admin@DRLQIXCW_en-US\Grabber\DRIVE-C\Users\Admin\Documents\desktop.ini	mzdtplptw.exe
File opened for modification	C:\Users\Admin\AppData\Local\644704d6c70ca67ff04aa800a37d4ce5\Admin@DRLQIXCW_en-US\Grabber\DRIVE-C\Users\Admin\Documents\desktop.ini	mzdtplptw.exe
File created	C:\Users\Admin\AppData\Local\644704d6c70ca67ff04aa800a37d4ce5\Admin@DRLQIXCW_en-US\Grabber\DRIVE-C\Users\Admin\Desktop\desktop.ini	mzdtplptw.exe
File opened for modification	C:\Users\Admin\AppData\Local\644704d6c70ca67ff04aa800a37d4ce5\Admin@DRLQIXCW_en-US\Grabber\DRIVE-C\Users\Admin\Desktop\desktop.ini	mzdtplptw.exe
File created	C:\Users\Admin\AppData\Local\644704d6c70ca67ff04aa800a37d4ce5\Admin@DRLQIXCW_en-US\Grabber\DRIVE-C\Users\Admin\Downloads\desktop.ini	mzdtplptw.exe

Looks up external IP address via web service 1 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.

Processes:

flow ioc

4 icanhazip.com
Looks up geolocation information via web service
Uses a legitimate geolocation service to find the infected system's geolocation info.
Suspicious use of SetThreadContext 1 IoCs

Processes:

mzdtplptw.exe

description pid process target process

PID 1976 set thread context of 1996 1976 mzdtplptw.exe mzdtplptw.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

flow	ioc
4	icanhazip.com

description	pid	process	target process
PID 1976 set thread context of 1996	1976	mzdtplptw.exe	mzdtplptw.exe

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

mzdtplptw.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\HARDWARE\Description\System\CentralProcessor\0	mzdtplptw.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier	mzdtplptw.exe

Suspicious behavior: EnumeratesProcesses 4 IoCs

Processes:

mzdtplptw.exe

pid process

1996 mzdtplptw.exe
1996 mzdtplptw.exe
1996 mzdtplptw.exe
1996 mzdtplptw.exe
Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes:

mzdtplptw.exe

description pid process

Token: SeDebugPrivilege 1996 mzdtplptw.exe

pid	process
1996	mzdtplptw.exe
1996	mzdtplptw.exe
1996	mzdtplptw.exe
1996	mzdtplptw.exe

description	pid	process
Token: SeDebugPrivilege	1996	mzdtplptw.exe

Suspicious use of WriteProcessMemory 43 IoCs

Processes:

Swift-PaymentInvoice20220331_pdf.exemzdtplptw.exemzdtplptw.execmd.execmd.exe

description	pid	process	target process
PID 628 wrote to memory of 1976	628	Swift-PaymentInvoice20220331_pdf.exe	mzdtplptw.exe
PID 628 wrote to memory of 1976	628	Swift-PaymentInvoice20220331_pdf.exe	mzdtplptw.exe
PID 628 wrote to memory of 1976	628	Swift-PaymentInvoice20220331_pdf.exe	mzdtplptw.exe
PID 628 wrote to memory of 1976	628	Swift-PaymentInvoice20220331_pdf.exe	mzdtplptw.exe
PID 1976 wrote to memory of 1996	1976	mzdtplptw.exe	mzdtplptw.exe
PID 1976 wrote to memory of 1996	1976	mzdtplptw.exe	mzdtplptw.exe
PID 1976 wrote to memory of 1996	1976	mzdtplptw.exe	mzdtplptw.exe
PID 1976 wrote to memory of 1996	1976	mzdtplptw.exe	mzdtplptw.exe
PID 1976 wrote to memory of 1996	1976	mzdtplptw.exe	mzdtplptw.exe
PID 1976 wrote to memory of 1996	1976	mzdtplptw.exe	mzdtplptw.exe
PID 1976 wrote to memory of 1996	1976	mzdtplptw.exe	mzdtplptw.exe
PID 1976 wrote to memory of 1996	1976	mzdtplptw.exe	mzdtplptw.exe
PID 1976 wrote to memory of 1996	1976	mzdtplptw.exe	mzdtplptw.exe
PID 1976 wrote to memory of 1996	1976	mzdtplptw.exe	mzdtplptw.exe
PID 1976 wrote to memory of 1996	1976	mzdtplptw.exe	mzdtplptw.exe
PID 1996 wrote to memory of 912	1996	mzdtplptw.exe	cmd.exe
PID 1996 wrote to memory of 912	1996	mzdtplptw.exe	cmd.exe
PID 1996 wrote to memory of 912	1996	mzdtplptw.exe	cmd.exe
PID 1996 wrote to memory of 912	1996	mzdtplptw.exe	cmd.exe
PID 912 wrote to memory of 1960	912	cmd.exe	chcp.com
PID 912 wrote to memory of 1960	912	cmd.exe	chcp.com
PID 912 wrote to memory of 1960	912	cmd.exe	chcp.com
PID 912 wrote to memory of 1960	912	cmd.exe	chcp.com
PID 912 wrote to memory of 1172	912	cmd.exe	netsh.exe
PID 912 wrote to memory of 1172	912	cmd.exe	netsh.exe
PID 912 wrote to memory of 1172	912	cmd.exe	netsh.exe
PID 912 wrote to memory of 1172	912	cmd.exe	netsh.exe
PID 912 wrote to memory of 1452	912	cmd.exe	findstr.exe
PID 912 wrote to memory of 1452	912	cmd.exe	findstr.exe
PID 912 wrote to memory of 1452	912	cmd.exe	findstr.exe
PID 912 wrote to memory of 1452	912	cmd.exe	findstr.exe
PID 1996 wrote to memory of 1520	1996	mzdtplptw.exe	cmd.exe
PID 1996 wrote to memory of 1520	1996	mzdtplptw.exe	cmd.exe
PID 1996 wrote to memory of 1520	1996	mzdtplptw.exe	cmd.exe
PID 1996 wrote to memory of 1520	1996	mzdtplptw.exe	cmd.exe
PID 1520 wrote to memory of 1936	1520	cmd.exe	chcp.com
PID 1520 wrote to memory of 1936	1520	cmd.exe	chcp.com
PID 1520 wrote to memory of 1936	1520	cmd.exe	chcp.com
PID 1520 wrote to memory of 1936	1520	cmd.exe	chcp.com
PID 1520 wrote to memory of 1872	1520	cmd.exe	netsh.exe
PID 1520 wrote to memory of 1872	1520	cmd.exe	netsh.exe
PID 1520 wrote to memory of 1872	1520	cmd.exe	netsh.exe
PID 1520 wrote to memory of 1872	1520	cmd.exe	netsh.exe

C:\Users\Admin\AppData\Local\Temp\Swift-PaymentInvoice20220331_pdf.exe
"C:\Users\Admin\AppData\Local\Temp\Swift-PaymentInvoice20220331_pdf.exe"
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:628
- C:\Users\Admin\AppData\Local\Temp\mzdtplptw.exe
  C:\Users\Admin\AppData\Local\Temp\mzdtplptw.exe C:\Users\Admin\AppData\Local\Temp\rhthfu
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Adds Run key to start application
  - Suspicious use of SetThreadContext
  - Suspicious use of WriteProcessMemory
  PID:1976
- - C:\Users\Admin\AppData\Local\Temp\mzdtplptw.exe
    C:\Users\Admin\AppData\Local\Temp\mzdtplptw.exe C:\Users\Admin\AppData\Local\Temp\rhthfu
    3⤵
    - Executes dropped EXE
    - Drops desktop.ini file(s)
    - Checks processor information in registry
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:1996
  - - C:\Windows\SysWOW64\cmd.exe
      "cmd.exe" /C chcp 65001 && netsh wlan show profile | findstr All
      4⤵
      Suspicious use of WriteProcessMemory
      PID:912
    - - C:\Windows\SysWOW64\chcp.com
        
        chcp 65001
        5⤵
        
        PID:1960
    - - C:\Windows\SysWOW64\netsh.exe
        
        netsh wlan show profile
        5⤵
        
        PID:1172
    - - C:\Windows\SysWOW64\findstr.exe
        
        findstr All
        5⤵
        
        PID:1452
  - - C:\Windows\SysWOW64\cmd.exe
      "cmd.exe" /C chcp 65001 && netsh wlan show networks mode=bssid
      4⤵
      Suspicious use of WriteProcessMemory
      PID:1520
    - - C:\Windows\SysWOW64\chcp.com
        
        chcp 65001
        5⤵
        
        PID:1936
    - - C:\Windows\SysWOW64\netsh.exe
        
        netsh wlan show networks mode=bssid
        5⤵
        
        PID:1872

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

1

T1060

Privilege Escalation

Defense Evasion

Modify Registry

1

T1112

Credential Access

Credentials in Files

1

T1081

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

Lateral Movement

Collection

Data from Local System

1

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\e8l6g8amyw8

Filesize
281KB

MD5
cae134bb05999f1c66b0329fdc22ee66

SHA1
499fcb0b38076ff18e273a5dd6d905889444412c

SHA256
50807babb23db7da3d8ef3748d12df6bf9b7e8ee99149f915f75307fa39e82ca

SHA512
47b9e22f4de9281c736227bfbd053f5d608f24143fd20aec6b7596c10713e140200d10c06c81163b5b39fe9d42c8554449fd56b2154b4fefb9d99ce11b62ed1c

Download Submit
C:\Users\Admin\AppData\Local\Temp\mzdtplptw.exe

Filesize
4KB

MD5
54559dc8cb88f66631b9669c4974b507

SHA1
24442b3b67f5ae007962321493553d135f4e44d3

SHA256
80a142ebbe3093dbc71d3f1eb9a29e680825248d0c26d394e4342dcdadc98cd4

SHA512
adee1025e60cff48eadccfd3903c3b03ea8ca9a769ec07fa3fb805f43f7fdd95f323eaca2c68a2e0df28fc4588e7319448f3f55c65b47e882a76868dc409e3f0

Download Submit
C:\Users\Admin\AppData\Local\Temp\mzdtplptw.exe

Filesize
4KB

MD5
54559dc8cb88f66631b9669c4974b507

SHA1
24442b3b67f5ae007962321493553d135f4e44d3

SHA256
80a142ebbe3093dbc71d3f1eb9a29e680825248d0c26d394e4342dcdadc98cd4

SHA512
adee1025e60cff48eadccfd3903c3b03ea8ca9a769ec07fa3fb805f43f7fdd95f323eaca2c68a2e0df28fc4588e7319448f3f55c65b47e882a76868dc409e3f0

Download Submit
C:\Users\Admin\AppData\Local\Temp\mzdtplptw.exe

Filesize
4KB

MD5
54559dc8cb88f66631b9669c4974b507

SHA1
24442b3b67f5ae007962321493553d135f4e44d3

SHA256
80a142ebbe3093dbc71d3f1eb9a29e680825248d0c26d394e4342dcdadc98cd4

SHA512
adee1025e60cff48eadccfd3903c3b03ea8ca9a769ec07fa3fb805f43f7fdd95f323eaca2c68a2e0df28fc4588e7319448f3f55c65b47e882a76868dc409e3f0

Download Submit
C:\Users\Admin\AppData\Local\Temp\rhthfu

Filesize
7KB

MD5
feafb4af38c5b94807071b0601d22ebf

SHA1
0c81ca80b14892ae00e970d7631e1fa403052f9c

SHA256
7c813b26af97aeac39bed9802bb5d41de0aaa255da2bc07ddc98550aeec92067

SHA512
9d70489854b3c5fc3bf8f453f706c26b8a5f47628a7ec58bfd8a8b6f6eb923b7d1dbe00129e60fc82dc4e61ab1c8aafc50143396323a03acb20ce526a3c990b2

Download Submit
\Users\Admin\AppData\Local\Temp\mzdtplptw.exe

Filesize
4KB

MD5
54559dc8cb88f66631b9669c4974b507

SHA1
24442b3b67f5ae007962321493553d135f4e44d3

SHA256
80a142ebbe3093dbc71d3f1eb9a29e680825248d0c26d394e4342dcdadc98cd4

SHA512
adee1025e60cff48eadccfd3903c3b03ea8ca9a769ec07fa3fb805f43f7fdd95f323eaca2c68a2e0df28fc4588e7319448f3f55c65b47e882a76868dc409e3f0

Download Submit
\Users\Admin\AppData\Local\Temp\mzdtplptw.exe

Filesize
4KB

MD5
54559dc8cb88f66631b9669c4974b507

SHA1
24442b3b67f5ae007962321493553d135f4e44d3

SHA256
80a142ebbe3093dbc71d3f1eb9a29e680825248d0c26d394e4342dcdadc98cd4

SHA512
adee1025e60cff48eadccfd3903c3b03ea8ca9a769ec07fa3fb805f43f7fdd95f323eaca2c68a2e0df28fc4588e7319448f3f55c65b47e882a76868dc409e3f0

Download Submit
memory/628-54-0x0000000075471000-0x0000000075473000-memory.dmp

Filesize
8KB

Download
memory/912-70-0x0000000000000000-mapping.dmp

Download
memory/1172-72-0x0000000000000000-mapping.dmp

Download
memory/1452-73-0x0000000000000000-mapping.dmp

Download
memory/1520-75-0x0000000000000000-mapping.dmp

Download
memory/1872-77-0x0000000000000000-mapping.dmp

Download
memory/1936-76-0x0000000000000000-mapping.dmp

Download
memory/1960-71-0x0000000000000000-mapping.dmp

Download
memory/1976-56-0x0000000000000000-mapping.dmp

Download
memory/1996-64-0x000000000040188B-mapping.dmp

Download
memory/1996-68-0x0000000000400000-0x000000000044B000-memory.dmp

Filesize
300KB

Download
memory/1996-69-0x00000000002D0000-0x0000000000300000-memory.dmp

Filesize
192KB

Download
memory/1996-63-0x0000000000400000-0x000000000044B000-memory.dmp

Filesize
300KB

Download
memory/1996-79-0x0000000004949000-0x000000000495A000-memory.dmp

Filesize
68KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads