Analysis Overview
SHA256
24b53b38f7f87c5b7353d7a98b803b90447d75e3d187c605830bc2ee7ac3c2f1
Threat Level: Known bad
The file 24b53b38f7f87c5b7353d7a98b803b90447d75e3d187c605830bc2ee7ac3c2f1 was found to be: Known bad.
Malicious Activity Summary
StormKitty payload
Async RAT payload
Asyncrat family
Stormkitty family
AsyncRat
StormKitty
Reads user/profile data of web browsers
Looks up geolocation information via web service
Looks up external IP address via web service
Drops desktop.ini file(s)
Legitimate hosting services abused for malware hosting/C2
Unsigned PE
Suspicious use of WriteProcessMemory
Suspicious use of AdjustPrivilegeToken
Suspicious behavior: EnumeratesProcesses
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2023-08-16 13:54
Signatures
Async RAT payload
Asyncrat family
StormKitty payload
Stormkitty family
Unsigned PE
Analysis: behavioral1
Detonation Overview
Submitted
2023-08-16 13:54
Reported
2023-08-16 13:57
Platform
win10v2004-20230703-en
Max time kernel
145s
Max time network
145s
Signatures
AsyncRat
StormKitty
StormKitty payload
Async RAT payload
Reads user/profile data of web browsers
Drops desktop.ini file(s)
| Description | Indicator | Process | Target |
| File created | C:\Users\Admin\AppData\Local\e65ccc2e0392cbfa7161d7bb110f449a\Admin@LMMMEQUO_en-US\Grabber\DRIVE-C\Users\Admin\Downloads\desktop.ini | C:\Users\Admin\AppData\Local\Temp\24b53b38f7f87c5b7353d7a98b803b90447d75e3d187c605830bc2ee7ac3c2f1.exe | N/A |
| File opened for modification | C:\Users\Admin\AppData\Local\e65ccc2e0392cbfa7161d7bb110f449a\Admin@LMMMEQUO_en-US\Grabber\DRIVE-C\Users\Admin\Downloads\desktop.ini | C:\Users\Admin\AppData\Local\Temp\24b53b38f7f87c5b7353d7a98b803b90447d75e3d187c605830bc2ee7ac3c2f1.exe | N/A |
| File created | C:\Users\Admin\AppData\Local\e65ccc2e0392cbfa7161d7bb110f449a\Admin@LMMMEQUO_en-US\Grabber\DRIVE-C\Users\Admin\Desktop\desktop.ini | C:\Users\Admin\AppData\Local\Temp\24b53b38f7f87c5b7353d7a98b803b90447d75e3d187c605830bc2ee7ac3c2f1.exe | N/A |
| File opened for modification | C:\Users\Admin\AppData\Local\e65ccc2e0392cbfa7161d7bb110f449a\Admin@LMMMEQUO_en-US\Grabber\DRIVE-C\Users\Admin\Desktop\desktop.ini | C:\Users\Admin\AppData\Local\Temp\24b53b38f7f87c5b7353d7a98b803b90447d75e3d187c605830bc2ee7ac3c2f1.exe | N/A |
| File created | C:\Users\Admin\AppData\Local\e65ccc2e0392cbfa7161d7bb110f449a\Admin@LMMMEQUO_en-US\Grabber\DRIVE-C\Users\Admin\Pictures\Camera Roll\desktop.ini | C:\Users\Admin\AppData\Local\Temp\24b53b38f7f87c5b7353d7a98b803b90447d75e3d187c605830bc2ee7ac3c2f1.exe | N/A |
| File created | C:\Users\Admin\AppData\Local\e65ccc2e0392cbfa7161d7bb110f449a\Admin@LMMMEQUO_en-US\Grabber\DRIVE-C\Users\Admin\Pictures\Saved Pictures\desktop.ini | C:\Users\Admin\AppData\Local\Temp\24b53b38f7f87c5b7353d7a98b803b90447d75e3d187c605830bc2ee7ac3c2f1.exe | N/A |
| File created | C:\Users\Admin\AppData\Local\e65ccc2e0392cbfa7161d7bb110f449a\Admin@LMMMEQUO_en-US\Grabber\DRIVE-C\Users\Admin\Documents\desktop.ini | C:\Users\Admin\AppData\Local\Temp\24b53b38f7f87c5b7353d7a98b803b90447d75e3d187c605830bc2ee7ac3c2f1.exe | N/A |
| File opened for modification | C:\Users\Admin\AppData\Local\e65ccc2e0392cbfa7161d7bb110f449a\Admin@LMMMEQUO_en-US\Grabber\DRIVE-C\Users\Admin\Documents\desktop.ini | C:\Users\Admin\AppData\Local\Temp\24b53b38f7f87c5b7353d7a98b803b90447d75e3d187c605830bc2ee7ac3c2f1.exe | N/A |
| File created | C:\Users\Admin\AppData\Local\e65ccc2e0392cbfa7161d7bb110f449a\Admin@LMMMEQUO_en-US\Grabber\DRIVE-C\Users\Admin\Pictures\desktop.ini | C:\Users\Admin\AppData\Local\Temp\24b53b38f7f87c5b7353d7a98b803b90447d75e3d187c605830bc2ee7ac3c2f1.exe | N/A |
Legitimate hosting services abused for malware hosting/C2
Looks up external IP address via web service
| Description | Indicator | Process | Target |
| N/A | icanhazip.com | N/A | N/A |
Looks up geolocation information via web service
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\24b53b38f7f87c5b7353d7a98b803b90447d75e3d187c605830bc2ee7ac3c2f1.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\24b53b38f7f87c5b7353d7a98b803b90447d75e3d187c605830bc2ee7ac3c2f1.exe
"C:\Users\Admin\AppData\Local\Temp\24b53b38f7f87c5b7353d7a98b803b90447d75e3d187c605830bc2ee7ac3c2f1.exe"
C:\Windows\SysWOW64\cmd.exe
"cmd.exe" /C chcp 65001 && netsh wlan show profile | findstr All
C:\Windows\SysWOW64\chcp.com
chcp 65001
C:\Windows\SysWOW64\netsh.exe
netsh wlan show profile
C:\Windows\SysWOW64\findstr.exe
findstr All
C:\Windows\SysWOW64\cmd.exe
"cmd.exe" /C chcp 65001 && netsh wlan show networks mode=bssid
C:\Windows\SysWOW64\chcp.com
chcp 65001
C:\Windows\SysWOW64\netsh.exe
netsh wlan show networks mode=bssid
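The process tree above shows the stealer wrapping `netsh wlan show profile` and `netsh wlan show networks mode=bssid` in `cmd.exe /C chcp 65001 && ...` (UTF-8 output so the captured text parses cleanly), and the file activity shows loot being copied into `%LOCALAPPDATA%\<32 hex>\<user>@<host>_<locale>\<module>\...`, with `Grabber\DRIVE-C\...` mirroring the victim's own folder tree, which is why `desktop.ini` from Desktop, Documents, Downloads and Pictures turns up there. The following is an added triage helper, not part of the sandbox output, that tags those command lines, decodes the staging path back to the original file location, and brute-forces the content of the `msgid.dat` listed under Files below from its MD5 (the listed hash is md5 of the single character "0"; that it tracks a Telegram message id is an inference from the name, not something the report states). Sample events are constructed from the rows on this page.

```python
"""Host-artifact triage for the process tree and file activity in this report.

Added example, not part of the sandbox output. The sample events below are
constructed from the command lines and paths shown on the page; the regexes
encode the StormKitty staging-directory layout and netsh usage visible there.
"""
import hashlib
import re

# Loot is staged under
#   %LOCALAPPDATA%\<32 hex chars>\<user>@<host>_<locale>\<module>\...
# e.g. ...\e65ccc2e0392cbfa7161d7bb110f449a\Admin@LMMMEQUO_en-US\Grabber\DRIVE-C\...
STAGING_RE = re.compile(
    r"\\AppData\\Local\\(?P<dir>[0-9a-f]{32})\\"
    r"(?P<user>[^\\@]+)@(?P<host>[^\\_]+)_(?P<locale>[A-Za-z]{2}-[A-Za-z]{2})\\"
    r"(?P<module>[^\\]+)\\(?P<rest>.*)$",
    re.IGNORECASE,
)
DRIVE_RE = re.compile(r"DRIVE-(?P<letter>[A-Z])(?P<tail>\\.*)$", re.IGNORECASE)

# Wi-Fi reconnaissance as it appears in the process tree: cmd.exe /C runs
# chcp 65001 (force UTF-8 console output) and then netsh wlan enumeration.
WLAN_RE = re.compile(r"netsh\s+wlan\s+show\s+(?:profile|networks)\b", re.IGNORECASE)
BSSID_RE = re.compile(r"mode\s*=\s*bssid", re.IGNORECASE)
CHCP_RE = re.compile(r"\bchcp\s+65001\b", re.IGNORECASE)


def classify_cmdline(cmdline):
    """Tag a process command line; an empty list means nothing of interest."""
    tags = []
    if WLAN_RE.search(cmdline):
        tags.append("wifi-recon")
        if BSSID_RE.search(cmdline):
            # BSSIDs are the input a Wi-Fi geolocation API wants (cf. api.mylnikov.org)
            tags.append("bssid-collection")
    if CHCP_RE.search(cmdline) and "&&" in cmdline:
        tags.append("chcp-65001-wrapper")
    return tags


def parse_staging_path(path):
    """Split a staging path into its fields, or return None if it is not one.

    For Grabber\\DRIVE-<X>\\... entries the victim's original path is rebuilt,
    so a desktop.ini hit maps back to the folder that was walked.
    """
    m = STAGING_RE.search(path)
    if not m:
        return None
    fields = m.groupdict()
    rest = fields.pop("rest")
    fields["source_path"] = None
    if fields["module"].lower() == "grabber":
        d = DRIVE_RE.match(rest)
        if d:
            fields["source_path"] = d.group("letter").upper() + ":" + d.group("tail")
    return fields


def recover_small_counter(md5_hex, limit=100000):
    """Return the integer n whose decimal string has the given MD5, or None.

    msgid.dat's listed MD5 cfcd208495d565ef66e7dff9f98764da is md5("0"),
    so the file is the single character '0'.
    """
    target = md5_hex.lower()
    for n in range(limit):
        if hashlib.md5(str(n).encode()).hexdigest() == target:
            return n
    return None


# Constructed sample telemetry, taken from the rows on this page.
SAMPLE_EVENTS = [
    ("process", '"cmd.exe" /C chcp 65001 && netsh wlan show profile | findstr All'),
    ("process", '"cmd.exe" /C chcp 65001 && netsh wlan show networks mode=bssid'),
    ("file", r"C:\Users\Admin\AppData\Local\e65ccc2e0392cbfa7161d7bb110f449a"
             r"\Admin@LMMMEQUO_en-US\Grabber\DRIVE-C\Users\Admin\Downloads\desktop.ini"),
    ("file", r"C:\Users\Admin\AppData\Local\e65ccc2e0392cbfa7161d7bb110f449a"
             r"\Admin@LMMMEQUO_en-US\System\Process.txt"),
    ("file", r"C:\Users\Admin\AppData\Local\Temp\24b53b38f7f87c5b7353d7a98b803b90447d75e3d187c605830bc2ee7ac3c2f1.exe"),
]


def triage(events):
    """Summarise which events match the stealer behaviour seen in this report."""
    out = {"wifi_recon": 0, "staged_files": [], "victims": set()}
    for kind, value in events:
        if kind == "process" and "wifi-recon" in classify_cmdline(value):
            out["wifi_recon"] += 1
        elif kind == "file":
            f = parse_staging_path(value)
            if f:
                out["staged_files"].append((f["module"], f["source_path"]))
                out["victims"].add((f["user"], f["host"], f["locale"]))
    return out


if __name__ == "__main__":
    print(triage(SAMPLE_EVENTS))
    print(recover_small_counter("cfcd208495d565ef66e7dff9f98764da"))
```

The `<user>@<host>_<locale>` segment doubles as a victim identifier, so on a real host the staging regex run over file-create telemetry gives you the affected account and machine name directly; the `netsh wlan` pattern alone is noisy (admins run it), so pair it with the `chcp 65001 &&` wrapper and a non-console parent.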
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 2.136.104.51.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 4.159.190.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 108.211.229.192.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 146.78.124.51.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 26.165.165.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 18.31.95.13.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 240.81.21.72.in-addr.arpa | udp |
| US | 8.8.8.8:53 | icanhazip.com | udp |
| US | 104.18.115.97:80 | icanhazip.com | tcp |
| US | 8.8.8.8:53 | api.mylnikov.org | udp |
| US | 104.21.44.66:443 | api.mylnikov.org | tcp |
| US | 8.8.8.8:53 | api.telegram.org | udp |
| NL | 149.154.167.220:443 | api.telegram.org | tcp |
| US | 8.8.8.8:53 | 97.115.18.104.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 66.44.21.104.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 220.167.154.149.in-addr.arpa | udp |
| NL | 149.154.167.220:443 | api.telegram.org | tcp |
| US | 8.8.8.8:53 | pastebin.com | udp |
| US | 104.20.68.143:443 | pastebin.com | tcp |
| NL | 149.154.167.220:443 | api.telegram.org | tcp |
| US | 8.8.8.8:53 | 143.68.20.104.in-addr.arpa | udp |
| N/A | 127.0.0.1:6606 | | tcp |
| N/A | 127.0.0.1:8808 | | tcp |
| N/A | 127.0.0.1:6606 | | tcp |
| N/A | 127.0.0.1:7707 | | tcp |
| N/A | 127.0.0.1:6606 | | tcp |
| US | 8.8.8.8:53 | 254.138.241.8.in-addr.arpa | udp |
| N/A | 127.0.0.1:8808 | | tcp |
| N/A | 127.0.0.1:6606 | | tcp |
| US | 8.8.8.8:53 | 73.254.224.20.in-addr.arpa | udp |
| N/A | 127.0.0.1:7707 | | tcp |
| N/A | 127.0.0.1:7707 | | tcp |
| N/A | 127.0.0.1:8808 | | tcp |
| N/A | 127.0.0.1:8808 | | tcp |
| N/A | 127.0.0.1:6606 | | tcp |
| N/A | 127.0.0.1:7707 | | tcp |
| N/A | 127.0.0.1:7707 | | tcp |
| N/A | 127.0.0.1:6606 | | tcp |
| N/A | 127.0.0.1:7707 | | tcp |
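Reading the network table: the `in-addr.arpa` queries to 8.8.8.8 are reverse lookups and carry no indicator value; `icanhazip.com` is the external-IP check, `api.mylnikov.org` is a Wi-Fi BSSID geolocation service (the consumer of the `netsh wlan show networks mode=bssid` output), `api.telegram.org` is the Telegram Bot API the stealer reports to, and `pastebin.com` is consistent with an AsyncRAT build that fetches its `host:port` from a paste. The repeated TCP connects to 127.0.0.1 on 6606, 7707 and 8808, AsyncRAT's default port list, indicate the C2 target resolved to localhost in this detonation, so no live C2 address was observed (an inference from the table, not a statement in the report). The script below is an added example, not part of the sandbox output: it parses a constructed subset of the rows above, including the rows whose columns are shifted, classifies each connection and separates the handful of real indicators from the noise. The service-to-purpose mapping is my own labelling.

```python
"""Classify the network rows of this report and pull out the indicators.

Added example, not part of the sandbox output. SAMPLE_ROWS is a constructed
subset copied from the Network table above, including rows whose columns are
shifted (the protocol landed in the Domain column).
"""
import re
from collections import Counter

# AsyncRAT's builder ships 6606,7707,8808 as its default port list.
ASYNCRAT_DEFAULT_PORTS = {6606, 7707, 8808}

# Third-party services touched in this detonation and what each one is used for
# (labels are this example's own, not the sandbox's).
SERVICE_TAGS = {
    "icanhazip.com": "external-ip-lookup",
    "api.mylnikov.org": "wifi-bssid-geolocation",
    "api.telegram.org": "telegram-bot-api",
    "pastebin.com": "pastebin-hosted-c2-config",
}

DEST_RE = re.compile(r"^(?P<ip>\d{1,3}(?:\.\d{1,3}){3}):(?P<port>\d+)$")

SAMPLE_ROWS = """\
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 2.136.104.51.in-addr.arpa | udp |
| US | 8.8.8.8:53 | icanhazip.com | udp |
| US | 104.18.115.97:80 | icanhazip.com | tcp |
| US | 104.21.44.66:443 | api.mylnikov.org | tcp |
| NL | 149.154.167.220:443 | api.telegram.org | tcp |
| US | 104.20.68.143:443 | pastebin.com | tcp |
| NL | 149.154.167.220:443 | api.telegram.org | tcp |
| N/A | 127.0.0.1:6606 | tcp | |
| N/A | 127.0.0.1:8808 | tcp | |
| N/A | 127.0.0.1:7707 | tcp |
"""


def parse_network_table(text):
    """Parse pipe-table rows into dicts, tolerating the shifted loopback rows."""
    records = []
    for line in text.splitlines():
        cells = [c.strip() for c in line.strip().strip("|").split("|")]
        if len(cells) < 3:
            continue
        m = DEST_RE.match(cells[1])
        if not m:
            continue  # header, separator, or anything that is not ip:port
        domain = cells[2]
        proto = cells[3] if len(cells) > 3 else ""
        if domain in ("tcp", "udp") and not proto:
            # Column slip as in '| N/A | 127.0.0.1:6606 | tcp | |'
            domain, proto = "", domain
        records.append({"country": cells[0], "ip": m["ip"], "port": int(m["port"]),
                        "domain": domain, "proto": proto})
    return records


def classify_record(rec):
    """Return tags for one connection row."""
    tags = []
    if rec["port"] == 53:
        tags.append("reverse-dns-noise" if rec["domain"].endswith(".in-addr.arpa")
                    else "dns-query")
    if rec["ip"].startswith("127.") and rec["port"] in ASYNCRAT_DEFAULT_PORTS:
        tags.append("asyncrat-default-port-loopback")
    tag = SERVICE_TAGS.get(rec["domain"])
    if tag and rec["port"] != 53:
        tags.append(tag)
    return tags


def summarize(text):
    """Tag counts, loopback attempts per port, and the real TCP indicators."""
    records = parse_network_table(text)
    tag_counts = Counter(t for r in records for t in classify_record(r))
    loopback = Counter(r["port"] for r in records if r["ip"].startswith("127."))
    # Indicators worth hunting: real TCP destinations, not the resolver or loopback.
    iocs = sorted({(r["domain"], f'{r["ip"]}:{r["port"]}') for r in records
                   if r["proto"] == "tcp" and not r["ip"].startswith("127.")})
    return {"records": len(records), "tags": tag_counts,
            "loopback_ports": dict(loopback), "iocs": iocs}


if __name__ == "__main__":
    print(summarize(SAMPLE_ROWS))
```

Treat the four external destinations as detection context rather than blocklist material: all of them are legitimate services that the malware abuses (the report's own "Legitimate hosting services abused for malware hosting/C2" signature), so the useful hunt is for this process talking to them, in particular a non-browser process contacting `api.telegram.org` shortly after `netsh wlan` activity.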
Files
memory/3460-136-0x0000000074EE0000-0x0000000075690000-memory.dmp
memory/3460-137-0x00000000005F0000-0x0000000000622000-memory.dmp
memory/3460-138-0x0000000005060000-0x0000000005070000-memory.dmp
memory/3460-139-0x00000000052E0000-0x0000000005346000-memory.dmp
memory/3460-140-0x0000000074EE0000-0x0000000075690000-memory.dmp
memory/3460-141-0x0000000005060000-0x0000000005070000-memory.dmp
C:\Users\Admin\AppData\Local\e65ccc2e0392cbfa7161d7bb110f449a\Admin@LMMMEQUO_en-US\System\Process.txt
| MD5 | 5c2e74c7b75250a7c3fa722c13eae920 |
| SHA1 | 798ddc4a1a0cabd7c4ac1c71d2e33d674c0efa68 |
| SHA256 | e5a1ffb31c51874481ee5c19546473ea078f737a9ec091d699e6e8cb9ebbb8f9 |
| SHA512 | 0f7d72430298d2580617ee0f03172b10849982fe8f5517abd0a8b49195f49558521e554028733be562ad9c8964ff2672483340ef9243ce4cd8fb74d70cf189e7 |
memory/3460-286-0x0000000005060000-0x0000000005070000-memory.dmp
memory/3460-288-0x0000000005F40000-0x0000000005FD2000-memory.dmp
memory/3460-289-0x0000000006590000-0x0000000006B34000-memory.dmp
memory/3460-293-0x0000000006180000-0x000000000618A000-memory.dmp
memory/3460-294-0x0000000005060000-0x0000000005070000-memory.dmp
C:\Users\Admin\AppData\Local\b76571940c56bc8309f11562e1d20fd0\msgid.dat
| MD5 | cfcd208495d565ef66e7dff9f98764da |
| SHA1 | b6589fc6ab0dc82cf12099d1c2d40ab994e8410c |
| SHA256 | 5feceb66ffc86f38d952786c6d696c79c2dbc239dd4e91b46729d73a27fb57e9 |
| SHA512 | 31bca02094eb78126a517b206a88c73cfa9ec6f704c7030d18212cace820f025f00bf0ea68dbf3f3a5436ca63b53bf7bf80ad8d5de7d8359d0b7fed9dbc3ab99 |
memory/3460-300-0x0000000006CE0000-0x0000000006CF2000-memory.dmp