Overview

overview

10

Static

static

10

a0.exe

windows7-x64

10

a0.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    148s
  • max time network
    152s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20230220-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20230220-enlocale:en-usos:windows10-2004-x64system
  • submitted
    22-03-2023 14:22

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    a0.exe

  • Size

    170KB

  • MD5

    a0ce182a26b24adf936411f4ea796ab7

  • SHA1

    a764ea86541665181d7080fe2a2c534a6acc6c5b

  • SHA256

    85ca4cd1bdc0b219e0513bca055913d18debf0e6ef752a5814cb9b87af2bd646

  • SHA512

    de9db377614cfead6043022d2413d47821cd38dd5e751a6e91d3e37db4965217c92607495e15dcee834afec4fd22490635cd0377ec6f510126bf65dd4824b69b

  • SSDEEP

    3072:T+STW8djpN6izj8mZw24FBPBrL2eFcyZlVqIPu/i9bDq2cKk6+Wpn:w8XN6W8mm2anrL2eFcyvVXPSi9b+

Score
10/10
asyncratstormkittydefaultratspywarestealer

Malware Config

Extracted

Family

asyncrat

Botnet

Default

C2

127.0.0.1:6606

127.0.0.1:7707

127.0.0.1:8808

https://api.telegram.org/bot5081755732:AAFIzASZTZ42XUhPubF2E6ugH8B5BoBq2GY/sendMessage?chat_id=1184265544
Mutex

AsyncMutex_6SI8OkPnk

Attributes
  • delay

    3

  • install

    false

  • install_folder

    %AppData%

aes.plain

Signatures

  • AsyncRat

    AsyncRAT is designed to remotely monitor and control other computers written in C#.

    ratasyncrat
  • StormKitty

    StormKitty is an open source info stealer written in C#.

    stealerstormkitty
  • StormKitty payload 1 IoCs
  • Async RAT payload 1 IoCs
    rat
  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

    spywarestealer
  • Drops desktop.ini file(s) 9 IoCs
  • Looks up external IP address via web service 1 IoCs

    Uses a legitimate IP lookup service to find the infected system's external IP.

  • Looks up geolocation information via web service

    Uses a legitimate geolocation service to find the infected system's geolocation info.

  • Checks processor information in registry 2 TTPs 2 IoCs

    Processor information is often read in order to detect sandboxing environments.

  • Suspicious behavior: EnumeratesProcesses 29 IoCs
  • Suspicious use of AdjustPrivilegeToken 1 IoCs
  • Suspicious use of WriteProcessMemory 21 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\a0.exe
    "C:\Users\Admin\AppData\Local\Temp\a0.exe"
    1⤵
    • Drops desktop.ini file(s)
    • Checks processor information in registry
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:4608
    • C:\Windows\SysWOW64\cmd.exe
      "cmd.exe" /C chcp 65001 && netsh wlan show profile | findstr All
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:5032
      • C:\Windows\SysWOW64\chcp.com
        chcp 65001
        3⤵
          PID:3424
        • C:\Windows\SysWOW64\netsh.exe
          netsh wlan show profile
          3⤵
            PID:4224
          • C:\Windows\SysWOW64\findstr.exe
            findstr All
            3⤵
              PID:4216
          • C:\Windows\SysWOW64\cmd.exe
            "cmd.exe" /C chcp 65001 && netsh wlan show networks mode=bssid
            2⤵
            • Suspicious use of WriteProcessMemory
            PID:3476
            • C:\Windows\SysWOW64\chcp.com
              chcp 65001
              3⤵
                PID:4028
              • C:\Windows\SysWOW64\netsh.exe
                netsh wlan show networks mode=bssid
                3⤵
                  PID:4464

            Network

            MITRE ATT&CK Matrix ATT&CK v6

            Initial Access

            Execution

            Persistence

            Privilege Escalation

            Defense Evasion

            Credential Access

            Credentials in Files

            1
            T1081

            Discovery

            Query Registry

            1
            T1012

            System Information Discovery

            1
            T1082

            Lateral Movement

            Collection

            Data from Local System

            1
            T1005

            Exfiltration

            Command and Control

            Impact

            Replay Monitor

            Loading Replay Monitor...

            Downloads

            • C:\Users\Admin\AppData\Local\5c1b4d6bab16ab04fc923bd6105addbc\Admin@ROBKQPFG_en-US\System\Process.txt
              Filesize

              4KB

              MD5

              5227152178d38972478d94d20dc00a6c

              SHA1

              55bf99c838f2d4008e37e6276a1b14d860cf6daf

              SHA256

              beb68c766870eedeabda216fee5bd4c593e1832f8c2b99f0bbc192fb5836dd5d

              SHA512

              50b91c86170fcf037408b435ddb26361cd7014581709a9cebb8389c02233114f9c98962b9641af438916b179653cf87ec84a9de81af5a7670393527af21e80d6

              Download Submit
            • C:\Users\Admin\AppData\Local\c68c3832e6261ad2ce43d41b243d6c46\msgid.dat
              Filesize

              3B

              MD5

              0a113ef6b61820daa5611c870ed8d5ee

              SHA1

              eaa67f3a93d0acb08d8a5e8ff9866f51983b3c3b

              SHA256

              5e968ce47ce4a17e3823c29332a39d049a8d0afb08d157eb6224625f92671a51

              SHA512

              bb602aa6ebb8decd4a7293b1c428cf4889df083d0984378ceefc600a371ac96de20ed1fbc8adf3baa8e63a28d20b750b1dd2512c51cf78490b602b5bc50e47c1

              Download Submit
            • memory/4608-133-0x00000000006E0000-0x0000000000710000-memory.dmp
              Filesize

              192KB

              Download
            • memory/4608-134-0x00000000051A0000-0x00000000051B0000-memory.dmp
              Filesize

              64KB

              Download
            • memory/4608-135-0x00000000053B0000-0x0000000005416000-memory.dmp
              Filesize

              408KB

              Download
            • memory/4608-221-0x00000000051A0000-0x00000000051B0000-memory.dmp
              Filesize

              64KB

              Download
            • memory/4608-279-0x0000000005FD0000-0x0000000006062000-memory.dmp
              Filesize

              584KB

              Download
            • memory/4608-280-0x0000000006620000-0x0000000006BC4000-memory.dmp
              Filesize

              5.6MB

              Download
            • memory/4608-282-0x00000000051A0000-0x00000000051B0000-memory.dmp
              Filesize

              64KB

              Download
            • memory/4608-285-0x00000000060F0000-0x00000000060FA000-memory.dmp
              Filesize

              40KB

              Download
            • memory/4608-291-0x0000000006110000-0x0000000006122000-memory.dmp
              Filesize

              72KB

              Download
            • memory/4608-315-0x00000000051A0000-0x00000000051B0000-memory.dmp
              Filesize

              64KB

              Download