Malware Analysis Report

2025-01-03 06:32

Sample ID: 230816-q7tyysbc24
Target: 24b53b38f7f87c5b7353d7a98b803b90447d75e3d187c605830bc2ee7ac3c2f1
SHA256: 24b53b38f7f87c5b7353d7a98b803b90447d75e3d187c605830bc2ee7ac3c2f1
Tags: rat default asyncrat stormkitty spyware stealer
Score: 10/10

Table of Contents

Analysis Overview
MITRE ATT&CK
  Enterprise Matrix V15
Analysis: static1
  Detonation Overview
  Signatures
Analysis: behavioral1
  Detonation Overview
  Command Line
  Signatures
  Processes
  Network
  Files

Analysis Overview

Score: 10/10

SHA256: 24b53b38f7f87c5b7353d7a98b803b90447d75e3d187c605830bc2ee7ac3c2f1

Threat Level: Known bad

The file 24b53b38f7f87c5b7353d7a98b803b90447d75e3d187c605830bc2ee7ac3c2f1 was found to be: Known bad.

Malicious Activity Summary

rat default asyncrat stormkitty spyware stealer

StormKitty payload

Async RAT payload

Asyncrat family

Stormkitty family

AsyncRat

StormKitty

Reads user/profile data of web browsers

Looks up geolocation information via web service

Looks up external IP address via web service

Drops desktop.ini file(s)

Legitimate hosting services abused for malware hosting/C2

Unsigned PE

Suspicious use of WriteProcessMemory

Suspicious use of AdjustPrivilegeToken

Suspicious behavior: EnumeratesProcesses

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported: 2023-08-16 13:54

Signatures

Async RAT payload

rat
Description Indicator Process Target
N/A N/A N/A N/A

Asyncrat family

asyncrat

StormKitty payload

Description Indicator Process Target
N/A N/A N/A N/A

Stormkitty family

stormkitty

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted: 2023-08-16 13:54

Reported: 2023-08-16 13:57

Platform: win10v2004-20230703-en

Max time kernel: 145s

Max time network: 145s

Command Line

"C:\Users\Admin\AppData\Local\Temp\24b53b38f7f87c5b7353d7a98b803b90447d75e3d187c605830bc2ee7ac3c2f1.exe"

Signatures

AsyncRat

rat asyncrat

StormKitty

stealer stormkitty

StormKitty payload

Description Indicator Process Target
N/A N/A N/A N/A

Async RAT payload

rat
Description Indicator Process Target
N/A N/A N/A N/A

Reads user/profile data of web browsers

spyware stealer

Drops desktop.ini file(s)

All eight events come from the sample process C:\Users\Admin\AppData\Local\Temp\24b53b38f7f87c5b7353d7a98b803b90447d75e3d187c605830bc2ee7ac3c2f1.exe (Target: N/A) and all paths sit under the per-victim staging directory
C:\Users\Admin\AppData\Local\e65ccc2e0392cbfa7161d7bb110f449a\Admin@LMMMEQUO_en-US\Grabber\DRIVE-C\
The path mirrors the victim's own profile folders below DRIVE-C, so these are copies made by the stealer's file grabber, desktop.ini included; the original desktop.ini files in the user profile were not modified.

Description Indicator Process Target
File created ...\Grabber\DRIVE-C\Users\Admin\Downloads\desktop.ini (sample process) N/A
File opened for modification ...\Grabber\DRIVE-C\Users\Admin\Downloads\desktop.ini (sample process) N/A
File created ...\Grabber\DRIVE-C\Users\Admin\Desktop\desktop.ini (sample process) N/A
File opened for modification ...\Grabber\DRIVE-C\Users\Admin\Desktop\desktop.ini (sample process) N/A
File created ...\Grabber\DRIVE-C\Users\Admin\Pictures\Camera Roll\desktop.ini (sample process) N/A
File created ...\Grabber\DRIVE-C\Users\Admin\Pictures\Saved Pictures\desktop.ini (sample process) N/A
File created ...\Grabber\DRIVE-C\Users\Admin\Documents\desktop.ini (sample process) N/A
File opened for modification ...\Grabber\DRIVE-C\Users\Admin\Documents\desktop.ini (sample process) N/A
File created ...\Grabber\DRIVE-C\Users\Admin\Pictures\desktop.ini (sample process) N/A
(... abbreviates the staging directory prefix given in full above)

Legitimate hosting services abused for malware hosting/C2

Looks up external IP address via web service

Description Indicator Process Target
N/A icanhazip.com N/A N/A

Looks up geolocation information via web service (no indicator recorded in this table; the matching traffic is the api.mylnikov.org connection in the Network section)

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
27 hits, all identical: N/A N/A C:\Users\Admin\AppData\Local\Temp\24b53b38f7f87c5b7353d7a98b803b90447d75e3d187c605830bc2ee7ac3c2f1.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\24b53b38f7f87c5b7353d7a98b803b90447d75e3d187c605830bc2ee7ac3c2f1.exe N/A

Suspicious use of WriteProcessMemory

Every entry pairs a parent with a child it spawned (the same PIDs appear in the process tree below), and each pair is logged three times. These are the writes a parent makes into a freshly created child's address space during process start-up, not injection into an unrelated process; the children are the system utilities run by the command lines in Processes. The children load from SysWOW64 because the sample is a 32-bit process.

Description Indicator Process Target
PID 3460 wrote to memory of 4048 (x3) N/A C:\Users\Admin\AppData\Local\Temp\24b53b38f7f87c5b7353d7a98b803b90447d75e3d187c605830bc2ee7ac3c2f1.exe C:\Windows\SysWOW64\cmd.exe
PID 4048 wrote to memory of 1744 (x3) N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\chcp.com
PID 4048 wrote to memory of 4996 (x3) N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\netsh.exe
PID 4048 wrote to memory of 2176 (x3) N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\findstr.exe
PID 3460 wrote to memory of 1116 (x3) N/A C:\Users\Admin\AppData\Local\Temp\24b53b38f7f87c5b7353d7a98b803b90447d75e3d187c605830bc2ee7ac3c2f1.exe C:\Windows\SysWOW64\cmd.exe
PID 1116 wrote to memory of 4440 (x3) N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\chcp.com
PID 1116 wrote to memory of 1240 (x3) N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\netsh.exe

Processes

Process tree (PIDs taken from the WriteProcessMemory table above; image path on the first line of each entry, command line on the second):

3460  C:\Users\Admin\AppData\Local\Temp\24b53b38f7f87c5b7353d7a98b803b90447d75e3d187c605830bc2ee7ac3c2f1.exe
      "C:\Users\Admin\AppData\Local\Temp\24b53b38f7f87c5b7353d7a98b803b90447d75e3d187c605830bc2ee7ac3c2f1.exe"
  4048  C:\Windows\SysWOW64\cmd.exe
        "cmd.exe" /C chcp 65001 && netsh wlan show profile | findstr All
    1744  C:\Windows\SysWOW64\chcp.com
          chcp 65001
    4996  C:\Windows\SysWOW64\netsh.exe
          netsh wlan show profile
    2176  C:\Windows\SysWOW64\findstr.exe
          findstr All
  1116  C:\Windows\SysWOW64\cmd.exe
        "cmd.exe" /C chcp 65001 && netsh wlan show networks mode=bssid
    4440  C:\Windows\SysWOW64\chcp.com
          chcp 65001
    1240  C:\Windows\SysWOW64\netsh.exe
          netsh wlan show networks mode=bssid

What the two command lines collect: chcp 65001 switches the console to UTF-8 so the output parses the same on any locale. "netsh wlan show profile | findstr All" keeps the "All User Profile" lines, i.e. the names of every WiFi network saved on the host. "netsh wlan show networks mode=bssid" lists the access points in range with their BSSIDs, which is the input for the api.mylnikov.org geolocation lookup in the Network section. No per-profile passphrase retrieval (the key=clear form of netsh wlan show profile) appears in the 145 s trace.

Network

Country Destination Domain Proto

Outbound connections (each preceded by a DNS query for the name to 8.8.8.8:53 udp):
US 104.18.115.97:80 icanhazip.com tcp (external IP lookup)
US 104.21.44.66:443 api.mylnikov.org tcp (geolocation: the Mylnikov API resolves WiFi BSSIDs to coordinates, which is what "netsh wlan show networks mode=bssid" collected above)
NL 149.154.167.220:443 api.telegram.org tcp (3 connections; Telegram Bot API, the stealer's reporting channel)
US 104.20.68.143:443 pastebin.com tcp (AsyncRAT can be built to fetch its C2 host:port from a paste instead of embedding it)
The Telegram and Pastebin contacts are the traffic behind the "Legitimate hosting services abused for malware hosting/C2" signature.

Loopback connection attempts by the RAT component, 16 in total:
N/A 127.0.0.1:6606 tcp (6 attempts)
N/A 127.0.0.1:7707 tcp (6 attempts)
N/A 127.0.0.1:8808 tcp (4 attempts)
6606, 7707 and 8808 are the port list in AsyncRAT's default builder configuration and 127.0.0.1 its default host, hence the "default" tag on this sample. The RAT half of this build therefore has no operator-reachable C2 (nothing outside the victim can listen on its loopback), while the StormKitty half still reports out over Telegram.

Reverse (PTR) lookups sent to 8.8.8.8:53 udp. Four correspond to the connections above; the rest match no connection recorded in this report:
US 8.8.8.8:53 97.115.18.104.in-addr.arpa udp (104.18.115.97, icanhazip.com)
US 8.8.8.8:53 66.44.21.104.in-addr.arpa udp (104.21.44.66, api.mylnikov.org)
US 8.8.8.8:53 220.167.154.149.in-addr.arpa udp (149.154.167.220, api.telegram.org)
US 8.8.8.8:53 143.68.20.104.in-addr.arpa udp (104.20.68.143, pastebin.com)
US 8.8.8.8:53 2.136.104.51.in-addr.arpa udp (51.104.136.2)
US 8.8.8.8:53 4.159.190.20.in-addr.arpa udp (20.190.159.4)
US 8.8.8.8:53 108.211.229.192.in-addr.arpa udp (192.229.211.108)
US 8.8.8.8:53 146.78.124.51.in-addr.arpa udp (51.124.78.146)
US 8.8.8.8:53 26.165.165.52.in-addr.arpa udp (52.165.165.26)
US 8.8.8.8:53 18.31.95.13.in-addr.arpa udp (13.95.31.18)
US 8.8.8.8:53 240.81.21.72.in-addr.arpa udp (72.21.81.240)
US 8.8.8.8:53 254.138.241.8.in-addr.arpa udp (8.241.138.254)
US 8.8.8.8:53 73.254.224.20.in-addr.arpa udp (20.224.254.73)
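The Processes and Network sections together give three detectable behaviours: a non-interactive launcher driving "cmd /C ... netsh wlan show ..." for WiFi reconnaissance, connection attempts on AsyncRAT's default port list, and one process that both profiles the host (external IP, BSSID geolocation) and talks to a reporting/C2 hosting service. The following is an added example written for this page, not part of the sandbox report or of either malware family's code. It runs detection logic over constructed, simplified Sysmon-style event records (eid 1 ProcessCreate, 3 NetworkConnect, 22 DnsQuery) that mirror the report's PIDs, command lines and destinations, plus a benign control where an administrator runs the same netsh command from an interactive shell. The list of interactive parent images, the field names, and the extra "key=clear" severity escalation (which goes beyond what this trace shows) are assumptions of the example.

```python
"""Added example: detection logic for the behaviours in this report, run over
constructed Sysmon-style events (not the report's data, not family code)."""
import ipaddress
import re
from collections import defaultdict

# Ports from AsyncRAT's default builder settings; a client cycles through them.
ASYNCRAT_DEFAULT_PORTS = {6606, 7707, 8808}
# Web services the sample used to profile the host (external IP, BSSID geolocation).
PROFILING_SERVICES = {"icanhazip.com", "api.mylnikov.org"}
# Legitimate services this family abuses for reporting / C2 address retrieval.
ABUSED_SERVICES = {"api.telegram.org", "pastebin.com"}
WLAN_RE = re.compile(r"netsh(\.exe)?\s+wlan\s+show\s+(profile|networks)\b", re.I)
# Assumed heuristic: netsh under cmd.exe under one of these is a human at a console.
INTERACTIVE_PARENTS = ("explorer.exe", "powershell.exe", "windowsterminal.exe")

SAMPLE = r"C:\Users\Admin\AppData\Local\Temp\24b53b38f7f87c5b7353d7a98b803b90447d75e3d187c605830bc2ee7ac3c2f1.exe"
# Constructed events mirroring the report; field names are simplified Sysmon ones.
EVENTS = [
    {"eid": 1, "pid": 3460, "ppid": 1234, "image": SAMPLE, "cmd": f'"{SAMPLE}"'},
    {"eid": 1, "pid": 4048, "ppid": 3460, "image": r"C:\Windows\SysWOW64\cmd.exe",
     "cmd": '"cmd.exe" /C chcp 65001 && netsh wlan show profile | findstr All'},
    {"eid": 1, "pid": 4996, "ppid": 4048, "image": r"C:\Windows\SysWOW64\netsh.exe",
     "cmd": "netsh wlan show profile"},
    {"eid": 1, "pid": 1116, "ppid": 3460, "image": r"C:\Windows\SysWOW64\cmd.exe",
     "cmd": '"cmd.exe" /C chcp 65001 && netsh wlan show networks mode=bssid'},
    {"eid": 1, "pid": 1240, "ppid": 1116, "image": r"C:\Windows\SysWOW64\netsh.exe",
     "cmd": "netsh wlan show networks mode=bssid"},
    # Benign control (constructed): admin typing the same command into a console.
    {"eid": 1, "pid": 6999, "ppid": 1, "image": r"C:\Windows\explorer.exe", "cmd": "explorer.exe"},
    {"eid": 1, "pid": 7000, "ppid": 6999, "image": r"C:\Windows\System32\cmd.exe", "cmd": '"cmd.exe"'},
    {"eid": 1, "pid": 7001, "ppid": 7000, "image": r"C:\Windows\System32\netsh.exe",
     "cmd": "netsh wlan show profile"},
    {"eid": 22, "pid": 3460, "query": "icanhazip.com"},
    {"eid": 22, "pid": 3460, "query": "api.mylnikov.org"},
    {"eid": 22, "pid": 3460, "query": "api.telegram.org"},
    {"eid": 22, "pid": 3460, "query": "pastebin.com"},
    {"eid": 3, "pid": 3460, "dst_ip": "127.0.0.1", "dst_port": 6606},
    {"eid": 3, "pid": 3460, "dst_ip": "127.0.0.1", "dst_port": 8808},
    {"eid": 3, "pid": 3460, "dst_ip": "104.18.115.97", "dst_port": 80},
    {"eid": 3, "pid": 5555, "dst_ip": "10.0.0.5", "dst_port": 443},  # unrelated noise
]


def basename(path):
    return path.rsplit("\\", 1)[-1].lower()


def ancestry(pid, procs):
    """Image paths from pid upward via ppid links; stops at an unknown parent."""
    chain, seen = [], set()
    while pid in procs and pid not in seen:
        seen.add(pid)
        chain.append(procs[pid]["image"])
        pid = procs[pid]["ppid"]
    return chain


def detect(events):
    procs = {e["pid"]: e for e in events if e["eid"] == 1}
    findings = []
    # 1. WiFi recon: netsh wlan show ... under cmd.exe under a non-interactive launcher.
    for e in procs.values():
        if basename(e["image"]) != "netsh.exe" or not WLAN_RE.search(e["cmd"]):
            continue
        chain = ancestry(e["pid"], procs)  # [netsh, cmd, launcher, ...]
        if (len(chain) >= 3 and basename(chain[1]) == "cmd.exe"
                and basename(chain[2]) not in INTERACTIVE_PARENTS):
            # key=clear dumps the saved passphrase; not seen in this trace, but worth more.
            severity = "high" if re.search(r"key\s*=\s*clear", e["cmd"], re.I) else "medium"
            findings.append({"kind": "wifi_recon", "pid": e["pid"],
                             "launcher": chain[2], "severity": severity})
    # 2. Any connection on AsyncRAT's default port list; flag a loopback (default) host.
    for e in events:
        if e["eid"] == 3 and e["dst_port"] in ASYNCRAT_DEFAULT_PORTS:
            findings.append({"kind": "asyncrat_default_port", "pid": e["pid"],
                             "dst": f'{e["dst_ip"]}:{e["dst_port"]}',
                             "loopback_c2": ipaddress.ip_address(e["dst_ip"]).is_loopback})
    # 3. One process querying both a profiling service and an abused hosting service.
    queries = defaultdict(set)
    for e in events:
        if e["eid"] == 22:
            queries[e["pid"]].add(e["query"].lower())
    for pid, names in queries.items():
        if names & PROFILING_SERVICES and names & ABUSED_SERVICES:
            findings.append({"kind": "stealer_reporting", "pid": pid,
                             "domains": sorted(names & (PROFILING_SERVICES | ABUSED_SERVICES))})
    return findings


if __name__ == "__main__":
    for f in detect(EVENTS):
        print(f)
```

The parent-chain check is what keeps the rule from firing on the constructed control (explorer → cmd → netsh); on real telemetry, extend INTERACTIVE_PARENTS to whatever launches consoles in your estate and keep the unexpected-launcher path (here an executable in the user's Temp directory) as the signal.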

Files

Memory regions dumped from PID 3460 (the sample process):
memory/3460-136-0x0000000074EE0000-0x0000000075690000-memory.dmp
memory/3460-137-0x00000000005F0000-0x0000000000622000-memory.dmp
memory/3460-138-0x0000000005060000-0x0000000005070000-memory.dmp
memory/3460-139-0x00000000052E0000-0x0000000005346000-memory.dmp
memory/3460-140-0x0000000074EE0000-0x0000000075690000-memory.dmp
memory/3460-141-0x0000000005060000-0x0000000005070000-memory.dmp
memory/3460-286-0x0000000005060000-0x0000000005070000-memory.dmp
memory/3460-288-0x0000000005F40000-0x0000000005FD2000-memory.dmp
memory/3460-289-0x0000000006590000-0x0000000006B34000-memory.dmp
memory/3460-293-0x0000000006180000-0x000000000618A000-memory.dmp
memory/3460-294-0x0000000005060000-0x0000000005070000-memory.dmp
memory/3460-300-0x0000000006CE0000-0x0000000006CF2000-memory.dmp

C:\Users\Admin\AppData\Local\e65ccc2e0392cbfa7161d7bb110f449a\Admin@LMMMEQUO_en-US\System\Process.txt
(written under the same per-victim staging directory as the Grabber copies above; a running-process listing, consistent with the EnumeratesProcesses hits)
MD5 5c2e74c7b75250a7c3fa722c13eae920
SHA1 798ddc4a1a0cabd7c4ac1c71d2e33d674c0efa68
SHA256 e5a1ffb31c51874481ee5c19546473ea078f737a9ec091d699e6e8cb9ebbb8f9
SHA512 0f7d72430298d2580617ee0f03172b10849982fe8f5517abd0a8b49195f49558521e554028733be562ad9c8964ff2672483340ef9243ce4cd8fb74d70cf189e7

C:\Users\Admin\AppData\Local\b76571940c56bc8309f11562e1d20fd0\msgid.dat
(the MD5, SHA1 and SHA256 below are those of the one-byte ASCII string "0", so the file holds a single "0"; a hunt for this file by hash will match any file with that content)
MD5 cfcd208495d565ef66e7dff9f98764da
SHA1 b6589fc6ab0dc82cf12099d1c2d40ab994e8410c
SHA256 5feceb66ffc86f38d952786c6d696c79c2dbc239dd4e91b46729d73a27fb57e9
SHA512 31bca02094eb78126a517b206a88c73cfa9ec6f704c7030d18212cace820f025f00bf0ea68dbf3f3a5436ca63b53bf7bf80ad8d5de7d8359d0b7fed9dbc3ab99