Overview

overview

10

Static

static

10

file.exe

windows7-x64

10

file.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    147s
  • max time network
    154s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20220812-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20220812-enlocale:en-usos:windows10-2004-x64system
  • submitted
    23-01-2023 13:07

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    file.exe

  • Size

    170KB

  • MD5

    d59d7514d7df3d20f969fa6b5517eb01

  • SHA1

    bdc5bee56769d229403a4c116875e65db2fd3e8c

  • SHA256

    d2274cca6f30f46595535f1b67f2f4e493eb97ec1a11258bd73ed6bd702d025d

  • SHA512

    a5f21cb4f51f99f67de4b8bf82add5a9aa123f025837a0a07cf587b3f8f5e1a6a5c9a7e04c863ef77a3c22c350c61b97ec87e3e15e22aca78ce1cfb447f636d9

  • SSDEEP

    3072:++STW8djpN6izj8mZwdJqutB+YDpqIPu/i9bVK2cPVI6+Wp7:j8XN6W8mmHPtppXPSi9b4

Score
10/10
asyncratstormkittydefaultratspywarestealer

Malware Config

Extracted

Family

asyncrat

Botnet

Default

C2

127.0.0.1:6606

127.0.0.1:7707

127.0.0.1:8808

https://api.telegram.org/bot5360303860:AAH_YAk63cASK9FV95ft07Rf6tjatzAINIE/sendMessage?chat_id=5676635446
Mutex

AsyncMutex_6SI8OkPnk

Attributes
  • delay

    3

  • install

    false

  • install_folder

    %AppData%

aes.plain

Signatures

  • AsyncRat

    AsyncRAT is designed to remotely monitor and control other computers.

    ratasyncrat
  • StormKitty

    StormKitty is an open source info stealer written in C#.

    stealerstormkitty
  • StormKitty payload 1 IoCs
  • Async RAT payload 1 IoCs
    rat
  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

    spywarestealer
  • Drops desktop.ini file(s) 8 IoCs
  • Looks up external IP address via web service 1 IoCs

    Uses a legitimate IP lookup service to find the infected system's external IP.

  • Looks up geolocation information via web service

    Uses a legitimate geolocation service to find the infected system's geolocation info.

  • Checks processor information in registry 2 TTPs 2 IoCs

    Processor information is often read in order to detect sandboxing environments.

  • Suspicious behavior: EnumeratesProcesses 29 IoCs
  • Suspicious use of AdjustPrivilegeToken 1 IoCs
  • Suspicious use of WriteProcessMemory 21 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\file.exe
    "C:\Users\Admin\AppData\Local\Temp\file.exe"
    1⤵
    • Drops desktop.ini file(s)
    • Checks processor information in registry
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:1984
    • C:\Windows\SysWOW64\cmd.exe
      "cmd.exe" /C chcp 65001 && netsh wlan show profile | findstr All
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:2024
      • C:\Windows\SysWOW64\chcp.com
        chcp 65001
        3⤵
          PID:2680
        • C:\Windows\SysWOW64\netsh.exe
          netsh wlan show profile
          3⤵
            PID:4020
          • C:\Windows\SysWOW64\findstr.exe
            findstr All
            3⤵
              PID:5080
          • C:\Windows\SysWOW64\cmd.exe
            "cmd.exe" /C chcp 65001 && netsh wlan show networks mode=bssid
            2⤵
            • Suspicious use of WriteProcessMemory
            PID:4256
            • C:\Windows\SysWOW64\chcp.com
              chcp 65001
              3⤵
                PID:2468
              • C:\Windows\SysWOW64\netsh.exe
                netsh wlan show networks mode=bssid
                3⤵
                  PID:4196

            Network

            MITRE ATT&CK Matrix ATT&CK v6

            Initial Access

            Execution

            Persistence

            Privilege Escalation

            Defense Evasion

            Credential Access

            Credentials in Files

            1
            T1081

            Discovery

            Query Registry

            1
            T1012

            System Information Discovery

            1
            T1082

            Lateral Movement

            Collection

            Data from Local System

            1
            T1005

            Exfiltration

            Command and Control

            Impact

            Replay Monitor

            Loading Replay Monitor...

            Downloads

            • memory/1984-132-0x0000000000CE0000-0x0000000000D10000-memory.dmp
              Filesize

              192KB

              Download
            • memory/1984-133-0x0000000005790000-0x00000000057F6000-memory.dmp
              Filesize

              408KB

              Download
            • memory/1984-134-0x00000000065C0000-0x0000000006652000-memory.dmp
              Filesize

              584KB

              Download
            • memory/1984-135-0x0000000006C10000-0x00000000071B4000-memory.dmp
              Filesize

              5.6MB

              Download
            • memory/1984-144-0x0000000005BA0000-0x0000000005BB2000-memory.dmp
              Filesize

              72KB

              Download
            • memory/1984-143-0x00000000066F0000-0x00000000066FA000-memory.dmp
              Filesize

              40KB

              Download
            • memory/2024-136-0x0000000000000000-mapping.dmp
              Download
            • memory/2468-141-0x0000000000000000-mapping.dmp
              Download
            • memory/2680-137-0x0000000000000000-mapping.dmp
              Download
            • memory/4020-138-0x0000000000000000-mapping.dmp
              Download
            • memory/4196-142-0x0000000000000000-mapping.dmp
              Download
            • memory/4256-140-0x0000000000000000-mapping.dmp
              Download
            • memory/5080-139-0x0000000000000000-mapping.dmp
              Download