Analysis
-
max time kernel
231s -
max time network
318s -
platform
windows7_x64 -
resource
win7-20230220-en -
resource tags
arch:x64arch:x86image:win7-20230220-enlocale:en-usos:windows7-x64system -
submitted
05/05/2023, 20:57
Behavioral task
behavioral1
Sample
Servjjjer.exe
Resource
win7-20230220-en
Behavioral task
behavioral2
Sample
Servjjjer.exe
Resource
win10v2004-20230220-en
General
-
Target
Servjjjer.exe
-
Size
175KB
-
MD5
5b3cfe226cbf4629f1bf59d9a8b644cb
-
SHA1
709f112da624e832c9e257ffe68f7ad2cc08bb6f
-
SHA256
6894c104c50fea8b20c9d459919854463fa2aad13165bb0650deb946fb3b7de7
-
SHA512
485962e678cc88aecbf1f9028d55885f6290bf6ff33555b231938a1ae323ec06311963988fbae15466dc39249e3fadfe7e108e0d24ef54bc3fd858572d1384e9
-
SSDEEP
3072:Qe8oX8Sb5KcXrtkkXmf/bDsvqtU+lLToChAP0UZ0b2gTLcwAqE+Wpor:pXtb5KcXr7XmfgqtjhAxZ0b2ko
Malware Config
Extracted
asyncrat
Default
127.0.0.1:6606
127.0.0.1:7707
127.0.0.1:8808
https://api.telegram.org/bot5890094946:AAEYglD59tTB66C18AiuzpbBGVoAYux1-gc/sendMessage?chat_id=5969887379
AsyncMutex_6SI8OkPnk
-
delay
3
-
install
false
-
install_folder
%AppData%
Signatures
-
StormKitty
StormKitty is an open source info stealer written in C#.
-
StormKitty payload 3 IoCs
resource yara_rule behavioral1/memory/576-54-0x0000000000AA0000-0x0000000000AD2000-memory.dmp family_stormkitty behavioral1/memory/576-55-0x0000000001F00000-0x0000000001F40000-memory.dmp family_stormkitty behavioral1/memory/576-56-0x0000000001F00000-0x0000000001F40000-memory.dmp family_stormkitty -
Async RAT payload 3 IoCs
resource yara_rule behavioral1/memory/576-54-0x0000000000AA0000-0x0000000000AD2000-memory.dmp asyncrat behavioral1/memory/576-55-0x0000000001F00000-0x0000000001F40000-memory.dmp asyncrat behavioral1/memory/576-56-0x0000000001F00000-0x0000000001F40000-memory.dmp asyncrat -
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
Drops desktop.ini file(s) 5 IoCs
description ioc Process File created C:\Users\Admin\AppData\Local\c31e7f5f39eac2975cd704cf25373f8a\Admin@THEQWNRW_en-US\Grabber\DRIVE-C\Users\Admin\Documents\desktop.ini Servjjjer.exe File created C:\Users\Admin\AppData\Local\c31e7f5f39eac2975cd704cf25373f8a\Admin@THEQWNRW_en-US\Grabber\DRIVE-C\Users\Admin\Downloads\desktop.ini Servjjjer.exe File opened for modification C:\Users\Admin\AppData\Local\c31e7f5f39eac2975cd704cf25373f8a\Admin@THEQWNRW_en-US\Grabber\DRIVE-C\Users\Admin\Downloads\desktop.ini Servjjjer.exe File created C:\Users\Admin\AppData\Local\c31e7f5f39eac2975cd704cf25373f8a\Admin@THEQWNRW_en-US\Grabber\DRIVE-C\Users\Admin\Desktop\desktop.ini Servjjjer.exe File created C:\Users\Admin\AppData\Local\c31e7f5f39eac2975cd704cf25373f8a\Admin@THEQWNRW_en-US\Grabber\DRIVE-C\Users\Admin\Pictures\desktop.ini Servjjjer.exe -
Looks up external IP address via web service 1 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.
flow ioc 4 icanhazip.com -
Looks up geolocation information via web service
Uses a legitimate geolocation service to find the infected system's geolocation info.
-
Checks processor information in registry 2 TTPs 2 IoCs
Processor information is often read in order to detect sandboxing environments.
description ioc Process Key opened \REGISTRY\MACHINE\HARDWARE\Description\System\CentralProcessor\0 Servjjjer.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier Servjjjer.exe -
Suspicious behavior: EnumeratesProcesses 3 IoCs
pid Process 576 Servjjjer.exe 576 Servjjjer.exe 576 Servjjjer.exe -
Suspicious use of AdjustPrivilegeToken 1 IoCs
description pid Process Token: SeDebugPrivilege 576 Servjjjer.exe -
Suspicious use of WriteProcessMemory 28 IoCs
description pid Process procid_target PID 576 wrote to memory of 1708 576 Servjjjer.exe 29 PID 576 wrote to memory of 1708 576 Servjjjer.exe 29 PID 576 wrote to memory of 1708 576 Servjjjer.exe 29 PID 576 wrote to memory of 1708 576 Servjjjer.exe 29 PID 1708 wrote to memory of 604 1708 cmd.exe 31 PID 1708 wrote to memory of 604 1708 cmd.exe 31 PID 1708 wrote to memory of 604 1708 cmd.exe 31 PID 1708 wrote to memory of 604 1708 cmd.exe 31 PID 1708 wrote to memory of 932 1708 cmd.exe 32 PID 1708 wrote to memory of 932 1708 cmd.exe 32 PID 1708 wrote to memory of 932 1708 cmd.exe 32 PID 1708 wrote to memory of 932 1708 cmd.exe 32 PID 1708 wrote to memory of 1568 1708 cmd.exe 33 PID 1708 wrote to memory of 1568 1708 cmd.exe 33 PID 1708 wrote to memory of 1568 1708 cmd.exe 33 PID 1708 wrote to memory of 1568 1708 cmd.exe 33 PID 576 wrote to memory of 1808 576 Servjjjer.exe 34 PID 576 wrote to memory of 1808 576 Servjjjer.exe 34 PID 576 wrote to memory of 1808 576 Servjjjer.exe 34 PID 576 wrote to memory of 1808 576 Servjjjer.exe 34 PID 1808 wrote to memory of 392 1808 cmd.exe 36 PID 1808 wrote to memory of 392 1808 cmd.exe 36 PID 1808 wrote to memory of 392 1808 cmd.exe 36 PID 1808 wrote to memory of 392 1808 cmd.exe 36 PID 1808 wrote to memory of 1624 1808 cmd.exe 37 PID 1808 wrote to memory of 1624 1808 cmd.exe 37 PID 1808 wrote to memory of 1624 1808 cmd.exe 37 PID 1808 wrote to memory of 1624 1808 cmd.exe 37
Processes
-
C:\Users\Admin\AppData\Local\Temp\Servjjjer.exe"C:\Users\Admin\AppData\Local\Temp\Servjjjer.exe"1⤵
- Drops desktop.ini file(s)
- Checks processor information in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:576 -
C:\Windows\SysWOW64\cmd.exe"cmd.exe" /C chcp 65001 && netsh wlan show profile | findstr All2⤵
- Suspicious use of WriteProcessMemory
PID:1708 -
C:\Windows\SysWOW64\chcp.comchcp 650013⤵PID:604
-
-
C:\Windows\SysWOW64\netsh.exenetsh wlan show profile3⤵PID:932
-
-
C:\Windows\SysWOW64\findstr.exefindstr All3⤵PID:1568
-
-
-
C:\Windows\SysWOW64\cmd.exe"cmd.exe" /C chcp 65001 && netsh wlan show networks mode=bssid2⤵
- Suspicious use of WriteProcessMemory
PID:1808 -
C:\Windows\SysWOW64\chcp.comchcp 650013⤵PID:392
-
-
C:\Windows\SysWOW64\netsh.exenetsh wlan show networks mode=bssid3⤵PID:1624
-
-