Analysis
-
max time kernel
143s -
max time network
177s -
platform
windows7_x64 -
resource
win7-20230220-en -
resource tags
arch:x64arch:x86image:win7-20230220-enlocale:en-usos:windows7-x64system -
submitted
01/05/2023, 20:10
Behavioral task
behavioral1
Sample
Servjjjer.exe
Resource
win7-20230220-en
Behavioral task
behavioral2
Sample
Servjjjer.exe
Resource
win10v2004-20230220-en
General
-
Target
Servjjjer.exe
-
Size
175KB
-
MD5
5b3cfe226cbf4629f1bf59d9a8b644cb
-
SHA1
709f112da624e832c9e257ffe68f7ad2cc08bb6f
-
SHA256
6894c104c50fea8b20c9d459919854463fa2aad13165bb0650deb946fb3b7de7
-
SHA512
485962e678cc88aecbf1f9028d55885f6290bf6ff33555b231938a1ae323ec06311963988fbae15466dc39249e3fadfe7e108e0d24ef54bc3fd858572d1384e9
-
SSDEEP
3072:Qe8oX8Sb5KcXrtkkXmf/bDsvqtU+lLToChAP0UZ0b2gTLcwAqE+Wpor:pXtb5KcXr7XmfgqtjhAxZ0b2ko
Malware Config
Extracted
asyncrat
Default
127.0.0.1:6606
127.0.0.1:7707
127.0.0.1:8808
https://api.telegram.org/bot5890094946:AAEYglD59tTB66C18AiuzpbBGVoAYux1-gc/sendMessage?chat_id=5969887379
AsyncMutex_6SI8OkPnk
-
delay
3
-
install
false
-
install_folder
%AppData%
Signatures
-
StormKitty
StormKitty is an open source info stealer written in C#.
-
StormKitty payload 1 IoCs
resource yara_rule behavioral1/memory/2032-54-0x0000000000ED0000-0x0000000000F02000-memory.dmp family_stormkitty -
Async RAT payload 1 IoCs
resource yara_rule behavioral1/memory/2032-54-0x0000000000ED0000-0x0000000000F02000-memory.dmp asyncrat -
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
Drops desktop.ini file(s) 6 IoCs
description ioc Process File created C:\Users\Admin\AppData\Local\78ad5e36d06a786398764e72f1ea0df6\Admin@WFSTZEPN_en-US\Grabber\DRIVE-C\Users\Admin\Documents\desktop.ini Servjjjer.exe File opened for modification C:\Users\Admin\AppData\Local\78ad5e36d06a786398764e72f1ea0df6\Admin@WFSTZEPN_en-US\Grabber\DRIVE-C\Users\Admin\Documents\desktop.ini Servjjjer.exe File created C:\Users\Admin\AppData\Local\78ad5e36d06a786398764e72f1ea0df6\Admin@WFSTZEPN_en-US\Grabber\DRIVE-C\Users\Admin\Pictures\desktop.ini Servjjjer.exe File opened for modification C:\Users\Admin\AppData\Local\78ad5e36d06a786398764e72f1ea0df6\Admin@WFSTZEPN_en-US\Grabber\DRIVE-C\Users\Admin\Pictures\desktop.ini Servjjjer.exe File created C:\Users\Admin\AppData\Local\78ad5e36d06a786398764e72f1ea0df6\Admin@WFSTZEPN_en-US\Grabber\DRIVE-C\Users\Admin\Downloads\desktop.ini Servjjjer.exe File created C:\Users\Admin\AppData\Local\78ad5e36d06a786398764e72f1ea0df6\Admin@WFSTZEPN_en-US\Grabber\DRIVE-C\Users\Admin\Desktop\desktop.ini Servjjjer.exe -
Looks up external IP address via web service 1 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.
flow ioc 4 icanhazip.com -
Looks up geolocation information via web service
Uses a legitimate geolocation service to find the infected system's geolocation info.
-
Checks processor information in registry 2 TTPs 2 IoCs
Processor information is often read in order to detect sandboxing environments.
description ioc Process Key opened \REGISTRY\MACHINE\HARDWARE\Description\System\CentralProcessor\0 Servjjjer.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier Servjjjer.exe -
Suspicious behavior: EnumeratesProcesses 3 IoCs
pid Process 2032 Servjjjer.exe 2032 Servjjjer.exe 2032 Servjjjer.exe -
Suspicious use of AdjustPrivilegeToken 1 IoCs
description pid Process Token: SeDebugPrivilege 2032 Servjjjer.exe -
Suspicious use of WriteProcessMemory 28 IoCs
description pid Process procid_target PID 2032 wrote to memory of 1216 2032 Servjjjer.exe 29 PID 2032 wrote to memory of 1216 2032 Servjjjer.exe 29 PID 2032 wrote to memory of 1216 2032 Servjjjer.exe 29 PID 2032 wrote to memory of 1216 2032 Servjjjer.exe 29 PID 1216 wrote to memory of 976 1216 cmd.exe 31 PID 1216 wrote to memory of 976 1216 cmd.exe 31 PID 1216 wrote to memory of 976 1216 cmd.exe 31 PID 1216 wrote to memory of 976 1216 cmd.exe 31 PID 1216 wrote to memory of 1688 1216 cmd.exe 33 PID 1216 wrote to memory of 1688 1216 cmd.exe 33 PID 1216 wrote to memory of 1688 1216 cmd.exe 33 PID 1216 wrote to memory of 1688 1216 cmd.exe 33 PID 1216 wrote to memory of 1552 1216 cmd.exe 32 PID 1216 wrote to memory of 1552 1216 cmd.exe 32 PID 1216 wrote to memory of 1552 1216 cmd.exe 32 PID 1216 wrote to memory of 1552 1216 cmd.exe 32 PID 2032 wrote to memory of 1360 2032 Servjjjer.exe 34 PID 2032 wrote to memory of 1360 2032 Servjjjer.exe 34 PID 2032 wrote to memory of 1360 2032 Servjjjer.exe 34 PID 2032 wrote to memory of 1360 2032 Servjjjer.exe 34 PID 1360 wrote to memory of 1388 1360 cmd.exe 36 PID 1360 wrote to memory of 1388 1360 cmd.exe 36 PID 1360 wrote to memory of 1388 1360 cmd.exe 36 PID 1360 wrote to memory of 1388 1360 cmd.exe 36 PID 1360 wrote to memory of 1756 1360 cmd.exe 37 PID 1360 wrote to memory of 1756 1360 cmd.exe 37 PID 1360 wrote to memory of 1756 1360 cmd.exe 37 PID 1360 wrote to memory of 1756 1360 cmd.exe 37
Processes
-
C:\Users\Admin\AppData\Local\Temp\Servjjjer.exe"C:\Users\Admin\AppData\Local\Temp\Servjjjer.exe"1⤵
- Drops desktop.ini file(s)
- Checks processor information in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2032 -
C:\Windows\SysWOW64\cmd.exe"cmd.exe" /C chcp 65001 && netsh wlan show profile | findstr All2⤵
- Suspicious use of WriteProcessMemory
PID:1216 -
C:\Windows\SysWOW64\chcp.comchcp 650013⤵PID:976
-
-
C:\Windows\SysWOW64\findstr.exefindstr All3⤵PID:1552
-
-
C:\Windows\SysWOW64\netsh.exenetsh wlan show profile3⤵PID:1688
-
-
-
C:\Windows\SysWOW64\cmd.exe"cmd.exe" /C chcp 65001 && netsh wlan show networks mode=bssid2⤵
- Suspicious use of WriteProcessMemory
PID:1360 -
C:\Windows\SysWOW64\chcp.comchcp 650013⤵PID:1388
-
-
C:\Windows\SysWOW64\netsh.exenetsh wlan show networks mode=bssid3⤵PID:1756
-
-