asyncrat | 163b9785fdeb5b8e317e5d651e2e3bccf244f864921574dc4c73281389cbce82

General

Target

instagram 0day.exe
Size

170KB
MD5

4d2538cac244ad3f315436c6fbe2f12f
SHA1

67b671bcda3c13e7b085378f7dfc766fe15bec18
SHA256

163b9785fdeb5b8e317e5d651e2e3bccf244f864921574dc4c73281389cbce82
SHA512

46170ad6b178cc61a5b6dd07eccfc4f2d5e379eb97266289f85e3b07fb85ea12e08104a42ca7af7bdc3065862b5f482039342d5dbe8b9eb8c06ad7ff8f87fbdd
SSDEEP

3072:++STW8djpN6izj8mZwdJqutB+YDpqIPu/i9bVK2cwtEL6+Wp7:j8XN6W8mmHPtppXPSi9b44E

Score

10^/10

asyncrat stormkitty default rat spyware stealer

Malware Config

Extracted

Family

asyncrat

Botnet

Default

C2

127.0.0.1:6606

127.0.0.1:7707

127.0.0.1:8808

https://api.telegram.org/bot5636417446:AAGa4gvWAKcDCv7f9c8u42_399xKPfEkUlQ/sendMessage?chat_id=5331885311

Mutex

AsyncMutex_6SI8OkPnk

Attributes

delay
3
install
false
install_folder
%AppData%

aes.plain

Signatures

AsyncRat
AsyncRAT is designed to remotely monitor and control other computers written in C#.
rat asyncrat
StormKitty
StormKitty is an open source info stealer written in C#.
stealer stormkitty

StormKitty payload 1 IoCs

resource	yara_rule
behavioral2/memory/4168-0-0x00000000005C0000-0x00000000005F0000-memory.dmp	family_stormkitty

Async RAT payload 1 IoCs

rat

resource	yara_rule
behavioral2/memory/4168-0-0x00000000005C0000-0x00000000005F0000-memory.dmp	asyncrat

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Drops desktop.ini file(s) 8 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Local\9f5fe481cdc5273791d9990601bca11c\Admin@NVYNMMTR_en-US\Grabber\DRIVE-C\Users\Admin\Pictures\Saved Pictures\desktop.ini	instagram 0day.exe
File created	C:\Users\Admin\AppData\Local\9f5fe481cdc5273791d9990601bca11c\Admin@NVYNMMTR_en-US\Grabber\DRIVE-C\Users\Admin\Documents\desktop.ini	instagram 0day.exe
File created	C:\Users\Admin\AppData\Local\9f5fe481cdc5273791d9990601bca11c\Admin@NVYNMMTR_en-US\Grabber\DRIVE-C\Users\Admin\Desktop\desktop.ini	instagram 0day.exe
File opened for modification	C:\Users\Admin\AppData\Local\9f5fe481cdc5273791d9990601bca11c\Admin@NVYNMMTR_en-US\Grabber\DRIVE-C\Users\Admin\Documents\desktop.ini	instagram 0day.exe
File opened for modification	C:\Users\Admin\AppData\Local\9f5fe481cdc5273791d9990601bca11c\Admin@NVYNMMTR_en-US\Grabber\DRIVE-C\Users\Admin\Desktop\desktop.ini	instagram 0day.exe
File created	C:\Users\Admin\AppData\Local\9f5fe481cdc5273791d9990601bca11c\Admin@NVYNMMTR_en-US\Grabber\DRIVE-C\Users\Admin\Downloads\desktop.ini	instagram 0day.exe
File created	C:\Users\Admin\AppData\Local\9f5fe481cdc5273791d9990601bca11c\Admin@NVYNMMTR_en-US\Grabber\DRIVE-C\Users\Admin\Pictures\desktop.ini	instagram 0day.exe
File created	C:\Users\Admin\AppData\Local\9f5fe481cdc5273791d9990601bca11c\Admin@NVYNMMTR_en-US\Grabber\DRIVE-C\Users\Admin\Pictures\Camera Roll\desktop.ini	instagram 0day.exe

Looks up external IP address via web service 1 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

flow	ioc
21	icanhazip.com

Looks up geolocation information via web service
Uses a legitimate geolocation service to find the infected system's geolocation info.

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\Description\System\CentralProcessor\0	instagram 0day.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier	instagram 0day.exe

Suspicious behavior: EnumeratesProcesses 23 IoCs

pid	Process
4168	instagram 0day.exe
4168	instagram 0day.exe
4168	instagram 0day.exe
4168	instagram 0day.exe
4168	instagram 0day.exe
4168	instagram 0day.exe
4168	instagram 0day.exe
4168	instagram 0day.exe
4168	instagram 0day.exe
4168	instagram 0day.exe
4168	instagram 0day.exe
4168	instagram 0day.exe
4168	instagram 0day.exe
4168	instagram 0day.exe
4168	instagram 0day.exe
4168	instagram 0day.exe
4168	instagram 0day.exe
4168	instagram 0day.exe
4168	instagram 0day.exe
4168	instagram 0day.exe
4168	instagram 0day.exe
4168	instagram 0day.exe
4168	instagram 0day.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	4168	instagram 0day.exe

Suspicious use of WriteProcessMemory 21 IoCs

description	pid	Process	procid_target
PID 4168 wrote to memory of 1476	4168	instagram 0day.exe	89
PID 4168 wrote to memory of 1476	4168	instagram 0day.exe	89
PID 4168 wrote to memory of 1476	4168	instagram 0day.exe	89
PID 1476 wrote to memory of 3960	1476	cmd.exe	91
PID 1476 wrote to memory of 3960	1476	cmd.exe	91
PID 1476 wrote to memory of 3960	1476	cmd.exe	91
PID 1476 wrote to memory of 2080	1476	cmd.exe	92
PID 1476 wrote to memory of 2080	1476	cmd.exe	92
PID 1476 wrote to memory of 2080	1476	cmd.exe	92
PID 1476 wrote to memory of 4892	1476	cmd.exe	93
PID 1476 wrote to memory of 4892	1476	cmd.exe	93
PID 1476 wrote to memory of 4892	1476	cmd.exe	93
PID 4168 wrote to memory of 4416	4168	instagram 0day.exe	95
PID 4168 wrote to memory of 4416	4168	instagram 0day.exe	95
PID 4168 wrote to memory of 4416	4168	instagram 0day.exe	95
PID 4416 wrote to memory of 1676	4416	cmd.exe	97
PID 4416 wrote to memory of 1676	4416	cmd.exe	97
PID 4416 wrote to memory of 1676	4416	cmd.exe	97
PID 4416 wrote to memory of 2104	4416	cmd.exe	98
PID 4416 wrote to memory of 2104	4416	cmd.exe	98
PID 4416 wrote to memory of 2104	4416	cmd.exe	98

C:\Users\Admin\AppData\Local\Temp\instagram 0day.exe
"C:\Users\Admin\AppData\Local\Temp\instagram 0day.exe"
1⤵
- Drops desktop.ini file(s)
- Checks processor information in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4168
- C:\Windows\SysWOW64\cmd.exe
  "cmd.exe" /C chcp 65001 && netsh wlan show profile | findstr All
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:1476
- - C:\Windows\SysWOW64\chcp.com
    chcp 65001
    3⤵
    PID:3960
- - C:\Windows\SysWOW64\netsh.exe
    netsh wlan show profile
    3⤵
    PID:2080
- - C:\Windows\SysWOW64\findstr.exe
    findstr All
    3⤵
    PID:4892
- C:\Windows\SysWOW64\cmd.exe
  "cmd.exe" /C chcp 65001 && netsh wlan show networks mode=bssid
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:4416
- - C:\Windows\SysWOW64\chcp.com
    chcp 65001
    3⤵
    PID:1676
- - C:\Windows\SysWOW64\netsh.exe
    netsh wlan show networks mode=bssid
    3⤵
    PID:2104

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Unsecured Credentials

1

T1552

Credentials In Files

1

T1552.001

Discovery

Query Registry

1

T1012

System Information Discovery

1

T1082

Lateral Movement

Collection

Data from Local System

1

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\9f5fe481cdc5273791d9990601bca11c\Admin@NVYNMMTR_en-US\Browsers\Firefox\Bookmarks.txt

Filesize
105B

MD5
2e9d094dda5cdc3ce6519f75943a4ff4

SHA1
5d989b4ac8b699781681fe75ed9ef98191a5096c

SHA256
c84c98bbf5e0ef9c8d0708b5d60c5bb656b7d6be5135d7f7a8d25557e08cf142

SHA512
d1f7eed00959e902bdb2125b91721460d3ff99f3bdfc1f2a343d4f58e8d4e5e5a06c0c6cdc0379211c94510f7c00d7a8b34fa7d0ca0c3d54cbbe878f1e9812b7

Download Submit
C:\Users\Admin\AppData\Local\9f5fe481cdc5273791d9990601bca11c\Admin@NVYNMMTR_en-US\System\Process.txt

Filesize
4KB

MD5
95b5d51322c037b60b5f335d52cf2c48

SHA1
8e45858ed9b7961570a3d8dbb8a7e92efee3c89b

SHA256
af5abd1aa34714478b43e991755ac132ce7bd351889b848d7e16953c260d86f1

SHA512
8717bdde10affa1500c23a56656bcb615237f8d34be8f1f07356568331656d3157831818c0988e9a57e67ee5e1aff0a882b0baa671f197857a882835faf60ea1

Download Submit
C:\Users\Admin\AppData\Local\b39ec3fec1fe1e959fbf3186130860c9\msgid.dat

Filesize
5B

MD5
d41e2a728f38a9616dab93f5c99a3940

SHA1
a6ec8811406f50384cff7890f126a425ca465072

SHA256
3770cb5540de45f78a1e3c0e9191016382a719b71521140434f73cd3a5b6a0da

SHA512
9b82f10e787ec2b0e5b83adbdbe41d8e0036814153231cdf39704ba6011b2104d324387ce3791240ddb72f125f044517a4c7bd770bbefa35bfb8c96f3fa18340

Download Submit
memory/4168-72-0x0000000004F60000-0x0000000004F70000-memory.dmp

Filesize
64KB

Download
memory/4168-4-0x0000000074CA0000-0x0000000075450000-memory.dmp

Filesize
7.7MB

Download
memory/4168-3-0x00000000050E0000-0x0000000005146000-memory.dmp

Filesize
408KB

Download
memory/4168-0-0x00000000005C0000-0x00000000005F0000-memory.dmp

Filesize
192KB

Download
memory/4168-2-0x0000000004F60000-0x0000000004F70000-memory.dmp

Filesize
64KB

Download
memory/4168-148-0x0000000004F60000-0x0000000004F70000-memory.dmp

Filesize
64KB

Download
memory/4168-150-0x0000000005F00000-0x0000000005F92000-memory.dmp

Filesize
584KB

Download
memory/4168-151-0x0000000006550000-0x0000000006AF4000-memory.dmp

Filesize
5.6MB

Download
memory/4168-155-0x0000000006120000-0x000000000612A000-memory.dmp

Filesize
40KB

Download
memory/4168-1-0x0000000074CA0000-0x0000000075450000-memory.dmp

Filesize
7.7MB

Download
memory/4168-161-0x00000000062C0000-0x00000000062D2000-memory.dmp

Filesize
72KB

Download
memory/4168-184-0x0000000004F60000-0x0000000004F70000-memory.dmp

Filesize
64KB

Download

Analysis

Sharing