asyncrat | 0373eb783358fbf3b810fe1156efffd5847913c62db0e6c690e802300a5640ab

General

Target

1006.exe
Size

225KB
MD5

883784a3500e2389e6e1816696dba87b
SHA1

f4364ff100c016d5cf78a3a4e3bedb287555f2ce
SHA256

0373eb783358fbf3b810fe1156efffd5847913c62db0e6c690e802300a5640ab
SHA512

f5d4d508dfeee159d339b9833d8128a6486b866639cd5dcba381b873188c3a6e643961477e723e38d100c3a5b47b0c83499e18504b1a6e5f5e68a73bf01e73f3
SSDEEP

3072:/+STW8djpN6izj8mZwgWDZ5IRN9MBQVahUbBEgDzazaLEV55NlmwXcFOC+UX6+WO:08XN6W8mmgqQMhUbOKEV55NlXkOI

Score

10^/10

asyncrat stormkitty default rat spyware stealer

Malware Config

Extracted

Family

asyncrat

Botnet

Default

C2

127.0.0.1:6606

127.0.0.1:7707

127.0.0.1:8808

https://api.telegram.org/bot6154715708:AAHDKp_4g6Ye1lnxUlsJvFSuNl2Zm6A__-E/sendMessage?chat_id=1165040754

Mutex

AsyncMutex_6SI8OkPnk

Attributes

delay
3
install
false
install_folder
%AppData%

aes.plain

Signatures

AsyncRat
AsyncRAT is designed to remotely monitor and control other computers written in C#.
rat asyncrat
StormKitty
StormKitty is an open source info stealer written in C#.
stealer stormkitty

StormKitty payload 1 IoCs

resource	yara_rule
behavioral2/memory/5084-133-0x0000000000700000-0x000000000073E000-memory.dmp	family_stormkitty

Async RAT payload 1 IoCs

rat

resource	yara_rule
behavioral2/memory/5084-133-0x0000000000700000-0x000000000073E000-memory.dmp	asyncrat

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081

Drops desktop.ini file(s) 8 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Local\286bbe96ed7078654695404e9c7a0e8e\Admin@HGXAIWVE_en-US\Grabber\DRIVE-C\Users\Admin\Pictures\Saved Pictures\desktop.ini	1006.exe
File created	C:\Users\Admin\AppData\Local\286bbe96ed7078654695404e9c7a0e8e\Admin@HGXAIWVE_en-US\Grabber\DRIVE-C\Users\Admin\Pictures\desktop.ini	1006.exe
File opened for modification	C:\Users\Admin\AppData\Local\286bbe96ed7078654695404e9c7a0e8e\Admin@HGXAIWVE_en-US\Grabber\DRIVE-C\Users\Admin\Pictures\desktop.ini	1006.exe
File created	C:\Users\Admin\AppData\Local\286bbe96ed7078654695404e9c7a0e8e\Admin@HGXAIWVE_en-US\Grabber\DRIVE-C\Users\Admin\Desktop\desktop.ini	1006.exe
File opened for modification	C:\Users\Admin\AppData\Local\286bbe96ed7078654695404e9c7a0e8e\Admin@HGXAIWVE_en-US\Grabber\DRIVE-C\Users\Admin\Desktop\desktop.ini	1006.exe
File created	C:\Users\Admin\AppData\Local\286bbe96ed7078654695404e9c7a0e8e\Admin@HGXAIWVE_en-US\Grabber\DRIVE-C\Users\Admin\Documents\desktop.ini	1006.exe
File created	C:\Users\Admin\AppData\Local\286bbe96ed7078654695404e9c7a0e8e\Admin@HGXAIWVE_en-US\Grabber\DRIVE-C\Users\Admin\Downloads\desktop.ini	1006.exe
File created	C:\Users\Admin\AppData\Local\286bbe96ed7078654695404e9c7a0e8e\Admin@HGXAIWVE_en-US\Grabber\DRIVE-C\Users\Admin\Pictures\Camera Roll\desktop.ini	1006.exe

Looks up external IP address via web service 1 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

flow	ioc
42	icanhazip.com

Looks up geolocation information via web service
Uses a legitimate geolocation service to find the infected system's geolocation info.

Drops file in System32 directory 8 IoCs

description	ioc	Process
File created	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\InstallService\{A7724123-7EA1-4D60-923F-41F8263619C3}.catalogItem	svchost.exe
File created	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\InstallService\{823FD992-9FC0-4ECC-A1A1-2A0C4AE0FA2C}.catalogItem	svchost.exe
File created	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\InstallService\{175010C8-32B9-4CF1-B036-8C71E521AE22}.catalogItem	svchost.exe
File created	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\InstallService\{32E2D72C-4DA1-4C53-B76E-F45AE347F754}.catalogItem	svchost.exe
File created	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\InstallService\{C08AC3CB-7E99-4854-9744-B74F46B7A058}.catalogItem	svchost.exe
File created	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\InstallService\{521450CF-304F-48D2-86EF-E9B8DD47D6BF}.catalogItem	svchost.exe
File created	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\InstallService\{9985FA88-FEA7-40F0-AE57-C2470EA71EE1}.catalogItem	svchost.exe
File created	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\InstallService\{B571A12D-FF7B-4E6B-91A6-38CC09F21B9F}.catalogItem	svchost.exe

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\Description\System\CentralProcessor\0	1006.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier	1006.exe

Suspicious behavior: EnumeratesProcesses 25 IoCs

pid	Process
5084	1006.exe
5084	1006.exe
5084	1006.exe
5084	1006.exe
5084	1006.exe
5084	1006.exe
5084	1006.exe
5084	1006.exe
5084	1006.exe
5084	1006.exe
5084	1006.exe
5084	1006.exe
5084	1006.exe
5084	1006.exe
5084	1006.exe
5084	1006.exe
5084	1006.exe
5084	1006.exe
5084	1006.exe
5084	1006.exe
5084	1006.exe
5084	1006.exe
5084	1006.exe
5084	1006.exe
5084	1006.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	5084	1006.exe

Suspicious use of WriteProcessMemory 21 IoCs

description	pid	Process	procid_target
PID 5084 wrote to memory of 1192	5084	1006.exe	84
PID 5084 wrote to memory of 1192	5084	1006.exe	84
PID 5084 wrote to memory of 1192	5084	1006.exe	84
PID 1192 wrote to memory of 3624	1192	cmd.exe	87
PID 1192 wrote to memory of 3624	1192	cmd.exe	87
PID 1192 wrote to memory of 3624	1192	cmd.exe	87
PID 1192 wrote to memory of 3224	1192	cmd.exe	88
PID 1192 wrote to memory of 3224	1192	cmd.exe	88
PID 1192 wrote to memory of 3224	1192	cmd.exe	88
PID 1192 wrote to memory of 2040	1192	cmd.exe	89
PID 1192 wrote to memory of 2040	1192	cmd.exe	89
PID 1192 wrote to memory of 2040	1192	cmd.exe	89
PID 5084 wrote to memory of 4276	5084	1006.exe	90
PID 5084 wrote to memory of 4276	5084	1006.exe	90
PID 5084 wrote to memory of 4276	5084	1006.exe	90
PID 4276 wrote to memory of 2300	4276	cmd.exe	92
PID 4276 wrote to memory of 2300	4276	cmd.exe	92
PID 4276 wrote to memory of 2300	4276	cmd.exe	92
PID 4276 wrote to memory of 4316	4276	cmd.exe	93
PID 4276 wrote to memory of 4316	4276	cmd.exe	93
PID 4276 wrote to memory of 4316	4276	cmd.exe	93

C:\Users\Admin\AppData\Local\Temp\1006.exe
"C:\Users\Admin\AppData\Local\Temp\1006.exe"
1⤵
- Drops desktop.ini file(s)
- Checks processor information in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:5084
- C:\Windows\SysWOW64\cmd.exe
  "cmd.exe" /C chcp 65001 && netsh wlan show profile | findstr All
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:1192
- - C:\Windows\SysWOW64\chcp.com
    chcp 65001
    3⤵
    PID:3624
- - C:\Windows\SysWOW64\netsh.exe
    netsh wlan show profile
    3⤵
    PID:3224
- - C:\Windows\SysWOW64\findstr.exe
    findstr All
    3⤵
    PID:2040
- C:\Windows\SysWOW64\cmd.exe
  "cmd.exe" /C chcp 65001 && netsh wlan show networks mode=bssid
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:4276
- - C:\Windows\SysWOW64\chcp.com
    chcp 65001
    3⤵
    PID:2300
- - C:\Windows\SysWOW64\netsh.exe
    netsh wlan show networks mode=bssid
    3⤵
    PID:4316

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k netsvcs -p
1⤵
- Drops file in System32 directory
PID:1876

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Credentials in Files

1

T1081

Discovery

Query Registry

1

T1012

System Information Discovery

1

T1082

Lateral Movement

Collection

Data from Local System

1

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\00339c4758b6a02bbf789851014a1569\msgid.dat

Filesize
4B

MD5
fa733611ef13bd333ebfbab7eed14b63

SHA1
a3fc12f37f04ba3fa82daefe36bd945eee45682f

SHA256
d5202cfaa87f58037dbd7143fd3a1336dd15c50d58269d1f6a9dc3ea307dbb53

SHA512
c2671da490ca8d57b424e013f8886d43ef64061591a16673c0b355d2326d46ade7fff529a499019af547dc841851af281b97388505cc58c0360b63b9aa2ae10e

Download Submit
C:\Users\Admin\AppData\Local\286bbe96ed7078654695404e9c7a0e8e\Admin@HGXAIWVE_en-US\Browsers\Firefox\Bookmarks.txt

Filesize
105B

MD5
2e9d094dda5cdc3ce6519f75943a4ff4

SHA1
5d989b4ac8b699781681fe75ed9ef98191a5096c

SHA256
c84c98bbf5e0ef9c8d0708b5d60c5bb656b7d6be5135d7f7a8d25557e08cf142

SHA512
d1f7eed00959e902bdb2125b91721460d3ff99f3bdfc1f2a343d4f58e8d4e5e5a06c0c6cdc0379211c94510f7c00d7a8b34fa7d0ca0c3d54cbbe878f1e9812b7

Download Submit
C:\Users\Admin\AppData\Local\286bbe96ed7078654695404e9c7a0e8e\Admin@HGXAIWVE_en-US\System\Process.txt

Filesize
4KB

MD5
e92bf9c721dae145a350dd4fdd144ef1

SHA1
2307fa250244bc419de1dbe3ac561e959ddcb17b

SHA256
1f64d3fe94de462aa5d9667758034b2cbae00362bf2cf965099c82049ffcd417

SHA512
4d4606cd626f96a5f5d4d9dd19b316391b2c84d1ed992fa04b76b30f8ee3fd89b3d9fe13f5eeac3f319f0030bae22d85153a5f4efa901b17fc48e92191ecee3f

Download Submit
memory/5084-273-0x0000000005B00000-0x0000000005B92000-memory.dmp

Filesize
584KB

Download
memory/5084-201-0x0000000005150000-0x0000000005160000-memory.dmp

Filesize
64KB

Download
memory/5084-135-0x00000000053D0000-0x0000000005436000-memory.dmp

Filesize
408KB

Download
memory/5084-133-0x0000000000700000-0x000000000073E000-memory.dmp

Filesize
248KB

Download
memory/5084-274-0x0000000006770000-0x0000000006D14000-memory.dmp

Filesize
5.6MB

Download
memory/5084-276-0x0000000005150000-0x0000000005160000-memory.dmp

Filesize
64KB

Download
memory/5084-279-0x0000000005C30000-0x0000000005C3A000-memory.dmp

Filesize
40KB

Download
memory/5084-134-0x0000000005150000-0x0000000005160000-memory.dmp

Filesize
64KB

Download
memory/5084-285-0x0000000006380000-0x0000000006392000-memory.dmp

Filesize
72KB

Download
memory/5084-309-0x0000000005150000-0x0000000005160000-memory.dmp

Filesize
64KB

Download

Analysis

Sharing