Analysis
-
max time kernel
150s -
max time network
150s -
platform
windows10-2004_x64 -
resource
win10v2004-20220331-en -
submitted
05-04-2022 00:39
General
-
Target
7335f630871bdc94e06188a1f0fd432e62fda760498ba0cfbccfd3b2ec2626ab.exe
-
Size
170KB
-
MD5
7a43bf93d5c1df0289e57152105162c9
-
SHA1
3abb60159200859e3e22babcf12479766f7b0f78
-
SHA256
7335f630871bdc94e06188a1f0fd432e62fda760498ba0cfbccfd3b2ec2626ab
-
SHA512
4b8babe45c349cbcdaf7ec40d0a064f5b8f9a74dafc3a1d4583666b3fa857e148a4cdcc4a0851f73fa92b9cee8425a95413cf9833e7eca6bb0ab7ed0f91eb48f
Malware Config
Extracted
asyncrat
Default
127.0.0.1:6606
127.0.0.1:7707
127.0.0.1:8808
https://api.telegram.org/bot5247464974:AAE4nAxJ7vaD4mfWmY-bGuO23tZg_Mi9B4I/sendMessage?chat_id=736679240
AsyncMutex_6SI8OkPnk
-
delay
3
-
install
false
-
install_folder
%AppData%
Signatures
-
AsyncRat
AsyncRAT is designed to remotely monitor and control other computers.
-
StormKitty
StormKitty is an open source info stealer written in C#.
-
StormKitty Payload 1 IoCs
-
suricata: ET MALWARE StormKitty Data Exfil via Telegram
suricata: ET MALWARE StormKitty Data Exfil via Telegram
-
Async RAT payload 1 IoCs
-
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
Drops desktop.ini file(s) 8 IoCs
-
Looks up external IP address via web service 1 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.
-
Looks up geolocation information via web service
Uses a legitimate geolocation service to find the infected system's geolocation info.
-
Checks processor information in registry 2 TTPs 2 IoCs
Processor information is often read in order to detect sandboxing environments.
-
Suspicious behavior: EnumeratesProcesses 23 IoCs
-
Suspicious use of AdjustPrivilegeToken 1 IoCs
-
Suspicious use of WriteProcessMemory 21 IoCs
Processes
-
C:\Users\Admin\AppData\Local\Temp\7335f630871bdc94e06188a1f0fd432e62fda760498ba0cfbccfd3b2ec2626ab.exe"C:\Users\Admin\AppData\Local\Temp\7335f630871bdc94e06188a1f0fd432e62fda760498ba0cfbccfd3b2ec2626ab.exe"1⤵
- Drops desktop.ini file(s)
- Checks processor information in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\cmd.exe"cmd.exe" /C chcp 65001 && netsh wlan show profile | findstr All2⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\chcp.comchcp 650013⤵
-
C:\Windows\SysWOW64\netsh.exenetsh wlan show profile3⤵
-
C:\Windows\SysWOW64\findstr.exefindstr All3⤵
-
C:\Windows\SysWOW64\cmd.exe"cmd.exe" /C chcp 65001 && netsh wlan show networks mode=bssid2⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\chcp.comchcp 650013⤵
-
C:\Windows\SysWOW64\netsh.exenetsh wlan show networks mode=bssid3⤵
Network
MITRE ATT&CK Matrix ATT&CK v6
Replay Monitor
Loading Replay Monitor...
Downloads
-
memory/1184-134-0x0000000000000000-mapping.dmp
-
memory/1652-135-0x0000000000000000-mapping.dmp
-
memory/1932-129-0x0000000000000000-mapping.dmp
-
memory/2652-125-0x0000000005840000-0x00000000058A6000-memory.dmpFilesize
408KB
-
memory/2652-126-0x00000000063D0000-0x0000000006462000-memory.dmpFilesize
584KB
-
memory/2652-127-0x0000000005633000-0x0000000005635000-memory.dmpFilesize
8KB
-
memory/2652-128-0x0000000006A20000-0x0000000006FC4000-memory.dmpFilesize
5.6MB
-
memory/2652-124-0x0000000000AF0000-0x0000000000B20000-memory.dmpFilesize
192KB
-
memory/2652-137-0x0000000006690000-0x00000000066A2000-memory.dmpFilesize
72KB
-
memory/2652-136-0x00000000064F0000-0x00000000064FA000-memory.dmpFilesize
40KB
-
memory/3464-132-0x0000000000000000-mapping.dmp
-
memory/3828-130-0x0000000000000000-mapping.dmp
-
memory/4328-133-0x0000000000000000-mapping.dmp
-
memory/4536-131-0x0000000000000000-mapping.dmp