asyncrat | 7335f630871bdc94e06188a1f0fd432e62fda760498ba0cfbccfd3b2ec2626ab

General

Target

7335f630871bdc94e06188a1f0fd432e62fda760498ba0cfbccfd3b2ec2626ab.exe
Size

170KB
MD5

7a43bf93d5c1df0289e57152105162c9
SHA1

3abb60159200859e3e22babcf12479766f7b0f78
SHA256

7335f630871bdc94e06188a1f0fd432e62fda760498ba0cfbccfd3b2ec2626ab
SHA512

4b8babe45c349cbcdaf7ec40d0a064f5b8f9a74dafc3a1d4583666b3fa857e148a4cdcc4a0851f73fa92b9cee8425a95413cf9833e7eca6bb0ab7ed0f91eb48f

Score

10^/10

asyncrat stormkitty default rat spyware stealer

Malware Config

Extracted

Family

asyncrat

Botnet

Default

C2

127.0.0.1:6606

127.0.0.1:7707

127.0.0.1:8808

https://api.telegram.org/bot5247464974:AAE4nAxJ7vaD4mfWmY-bGuO23tZg_Mi9B4I/sendMessage?chat_id=736679240

Mutex

AsyncMutex_6SI8OkPnk

Attributes

delay
3
install
false
install_folder
%AppData%

aes.plain

Signatures

AsyncRat
AsyncRAT is designed to remotely monitor and control other computers.
rat asyncrat
StormKitty
StormKitty is an open source info stealer written in C#.
stealer stormkitty

StormKitty Payload 1 IoCs

Processes:

resource	yara_rule
behavioral1/memory/1484-54-0x0000000000A90000-0x0000000000AC0000-memory.dmp	family_stormkitty

Async RAT payload 1 IoCs

rat

Processes:

resource	yara_rule
behavioral1/memory/1484-54-0x0000000000A90000-0x0000000000AC0000-memory.dmp	asyncrat

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081

Drops desktop.ini file(s) 8 IoCs

Processes:

7335f630871bdc94e06188a1f0fd432e62fda760498ba0cfbccfd3b2ec2626ab.exe

description	ioc	process
File opened for modification	C:\Users\Admin\AppData\Local\3df838aefe075dbae5ce6066918015bc\Admin@VFSHTLAO_en-US\Grabber\DRIVE-C\Users\Admin\Pictures\desktop.ini	7335f630871bdc94e06188a1f0fd432e62fda760498ba0cfbccfd3b2ec2626ab.exe
File created	C:\Users\Admin\AppData\Local\3df838aefe075dbae5ce6066918015bc\Admin@VFSHTLAO_en-US\Grabber\DRIVE-C\Users\Admin\Desktop\desktop.ini	7335f630871bdc94e06188a1f0fd432e62fda760498ba0cfbccfd3b2ec2626ab.exe
File opened for modification	C:\Users\Admin\AppData\Local\3df838aefe075dbae5ce6066918015bc\Admin@VFSHTLAO_en-US\Grabber\DRIVE-C\Users\Admin\Desktop\desktop.ini	7335f630871bdc94e06188a1f0fd432e62fda760498ba0cfbccfd3b2ec2626ab.exe
File created	C:\Users\Admin\AppData\Local\3df838aefe075dbae5ce6066918015bc\Admin@VFSHTLAO_en-US\Grabber\DRIVE-C\Users\Admin\Downloads\desktop.ini	7335f630871bdc94e06188a1f0fd432e62fda760498ba0cfbccfd3b2ec2626ab.exe
File created	C:\Users\Admin\AppData\Local\3df838aefe075dbae5ce6066918015bc\Admin@VFSHTLAO_en-US\Grabber\DRIVE-C\Users\Admin\Documents\desktop.ini	7335f630871bdc94e06188a1f0fd432e62fda760498ba0cfbccfd3b2ec2626ab.exe
File opened for modification	C:\Users\Admin\AppData\Local\3df838aefe075dbae5ce6066918015bc\Admin@VFSHTLAO_en-US\Grabber\DRIVE-C\Users\Admin\Downloads\desktop.ini	7335f630871bdc94e06188a1f0fd432e62fda760498ba0cfbccfd3b2ec2626ab.exe
File opened for modification	C:\Users\Admin\AppData\Local\3df838aefe075dbae5ce6066918015bc\Admin@VFSHTLAO_en-US\Grabber\DRIVE-C\Users\Admin\Documents\desktop.ini	7335f630871bdc94e06188a1f0fd432e62fda760498ba0cfbccfd3b2ec2626ab.exe
File created	C:\Users\Admin\AppData\Local\3df838aefe075dbae5ce6066918015bc\Admin@VFSHTLAO_en-US\Grabber\DRIVE-C\Users\Admin\Pictures\desktop.ini	7335f630871bdc94e06188a1f0fd432e62fda760498ba0cfbccfd3b2ec2626ab.exe

Looks up external IP address via web service 1 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.

Processes:

flow ioc

3 icanhazip.com
Looks up geolocation information via web service
Uses a legitimate geolocation service to find the infected system's geolocation info.

flow	ioc
3	icanhazip.com

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

7335f630871bdc94e06188a1f0fd432e62fda760498ba0cfbccfd3b2ec2626ab.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\HARDWARE\Description\System\CentralProcessor\0	7335f630871bdc94e06188a1f0fd432e62fda760498ba0cfbccfd3b2ec2626ab.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier	7335f630871bdc94e06188a1f0fd432e62fda760498ba0cfbccfd3b2ec2626ab.exe

Suspicious behavior: EnumeratesProcesses 3 IoCs

Processes:

7335f630871bdc94e06188a1f0fd432e62fda760498ba0cfbccfd3b2ec2626ab.exe

pid	process
1484	7335f630871bdc94e06188a1f0fd432e62fda760498ba0cfbccfd3b2ec2626ab.exe
1484	7335f630871bdc94e06188a1f0fd432e62fda760498ba0cfbccfd3b2ec2626ab.exe
1484	7335f630871bdc94e06188a1f0fd432e62fda760498ba0cfbccfd3b2ec2626ab.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes:

7335f630871bdc94e06188a1f0fd432e62fda760498ba0cfbccfd3b2ec2626ab.exe

description pid process

Token: SeDebugPrivilege 1484 7335f630871bdc94e06188a1f0fd432e62fda760498ba0cfbccfd3b2ec2626ab.exe

description	pid	process
Token: SeDebugPrivilege	1484	7335f630871bdc94e06188a1f0fd432e62fda760498ba0cfbccfd3b2ec2626ab.exe

Suspicious use of WriteProcessMemory 28 IoCs

Processes:

7335f630871bdc94e06188a1f0fd432e62fda760498ba0cfbccfd3b2ec2626ab.execmd.execmd.exe

description	pid	process	target process
PID 1484 wrote to memory of 1104	1484	7335f630871bdc94e06188a1f0fd432e62fda760498ba0cfbccfd3b2ec2626ab.exe	cmd.exe
PID 1484 wrote to memory of 1104	1484	7335f630871bdc94e06188a1f0fd432e62fda760498ba0cfbccfd3b2ec2626ab.exe	cmd.exe
PID 1484 wrote to memory of 1104	1484	7335f630871bdc94e06188a1f0fd432e62fda760498ba0cfbccfd3b2ec2626ab.exe	cmd.exe
PID 1484 wrote to memory of 1104	1484	7335f630871bdc94e06188a1f0fd432e62fda760498ba0cfbccfd3b2ec2626ab.exe	cmd.exe
PID 1104 wrote to memory of 1308	1104	cmd.exe	chcp.com
PID 1104 wrote to memory of 1308	1104	cmd.exe	chcp.com
PID 1104 wrote to memory of 1308	1104	cmd.exe	chcp.com
PID 1104 wrote to memory of 1308	1104	cmd.exe	chcp.com
PID 1104 wrote to memory of 1272	1104	cmd.exe	netsh.exe
PID 1104 wrote to memory of 1272	1104	cmd.exe	netsh.exe
PID 1104 wrote to memory of 1272	1104	cmd.exe	netsh.exe
PID 1104 wrote to memory of 1272	1104	cmd.exe	netsh.exe
PID 1104 wrote to memory of 1816	1104	cmd.exe	findstr.exe
PID 1104 wrote to memory of 1816	1104	cmd.exe	findstr.exe
PID 1104 wrote to memory of 1816	1104	cmd.exe	findstr.exe
PID 1104 wrote to memory of 1816	1104	cmd.exe	findstr.exe
PID 1484 wrote to memory of 1716	1484	7335f630871bdc94e06188a1f0fd432e62fda760498ba0cfbccfd3b2ec2626ab.exe	cmd.exe
PID 1484 wrote to memory of 1716	1484	7335f630871bdc94e06188a1f0fd432e62fda760498ba0cfbccfd3b2ec2626ab.exe	cmd.exe
PID 1484 wrote to memory of 1716	1484	7335f630871bdc94e06188a1f0fd432e62fda760498ba0cfbccfd3b2ec2626ab.exe	cmd.exe
PID 1484 wrote to memory of 1716	1484	7335f630871bdc94e06188a1f0fd432e62fda760498ba0cfbccfd3b2ec2626ab.exe	cmd.exe
PID 1716 wrote to memory of 1904	1716	cmd.exe	chcp.com
PID 1716 wrote to memory of 1904	1716	cmd.exe	chcp.com
PID 1716 wrote to memory of 1904	1716	cmd.exe	chcp.com
PID 1716 wrote to memory of 1904	1716	cmd.exe	chcp.com
PID 1716 wrote to memory of 1700	1716	cmd.exe	netsh.exe
PID 1716 wrote to memory of 1700	1716	cmd.exe	netsh.exe
PID 1716 wrote to memory of 1700	1716	cmd.exe	netsh.exe
PID 1716 wrote to memory of 1700	1716	cmd.exe	netsh.exe

C:\Users\Admin\AppData\Local\Temp\7335f630871bdc94e06188a1f0fd432e62fda760498ba0cfbccfd3b2ec2626ab.exe
"C:\Users\Admin\AppData\Local\Temp\7335f630871bdc94e06188a1f0fd432e62fda760498ba0cfbccfd3b2ec2626ab.exe"
1⤵
- Drops desktop.ini file(s)
- Checks processor information in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1484
- C:\Windows\SysWOW64\cmd.exe
  "cmd.exe" /C chcp 65001 && netsh wlan show profile | findstr All
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:1104
- - C:\Windows\SysWOW64\chcp.com
    chcp 65001
    3⤵
    PID:1308
- - C:\Windows\SysWOW64\netsh.exe
    netsh wlan show profile
    3⤵
    PID:1272
- - C:\Windows\SysWOW64\findstr.exe
    findstr All
    3⤵
    PID:1816
- C:\Windows\SysWOW64\cmd.exe
  "cmd.exe" /C chcp 65001 && netsh wlan show networks mode=bssid
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:1716
- - C:\Windows\SysWOW64\chcp.com
    chcp 65001
    3⤵
    PID:1904
- - C:\Windows\SysWOW64\netsh.exe
    netsh wlan show networks mode=bssid
    3⤵
    PID:1700

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Credentials in Files

1

T1081

Discovery

Query Registry

1

T1012

System Information Discovery

1

T1082

Lateral Movement

Collection

Data from Local System

1

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/1104-56-0x0000000000000000-mapping.dmp

Download
memory/1272-58-0x0000000000000000-mapping.dmp

Download
memory/1308-57-0x0000000000000000-mapping.dmp

Download
memory/1484-54-0x0000000000A90000-0x0000000000AC0000-memory.dmp

Filesize
192KB

Download
memory/1484-55-0x00000000757D1000-0x00000000757D3000-memory.dmp

Filesize
8KB

Download
memory/1484-61-0x00000000043E5000-0x00000000043F6000-memory.dmp

Filesize
68KB

Download
memory/1700-64-0x0000000000000000-mapping.dmp

Download
memory/1716-62-0x0000000000000000-mapping.dmp

Download
memory/1816-59-0x0000000000000000-mapping.dmp

Download
memory/1904-63-0x0000000000000000-mapping.dmp

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads