Analysis Overview
SHA256
68c2a97252cfef191ad5dd8fd7facd69019f2592eadc8b86cfbae04daf92c56e
Threat Level: Known bad
The file 68c2a97252cfef191ad5dd8fd7facd69019f2592eadc8b86cfbae04daf92c56e was found to be: Known bad.
Malicious Activity Summary
AsyncRat
Asyncrat family
Async RAT payload
StormKitty payload
StormKitty
Async RAT payload
Reads user/profile data of web browsers
Checks installed software on the system
Unsigned PE
Uses Task Scheduler COM API
Suspicious use of SetWindowsHookEx
Suspicious use of AdjustPrivilegeToken
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: AddClipboardFormatListener
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2023-09-26 12:41
Signatures
Async RAT payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Asyncrat family
Unsigned PE
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Analysis: behavioral1
Detonation Overview
Submitted
2023-09-26 12:41
Reported
2023-09-26 12:44
Platform
win10v2004-20230915-en
Max time kernel
141s
Max time network
153s
Command Line
Signatures
AsyncRat
StormKitty
StormKitty payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Async RAT payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Reads user/profile data of web browsers
Checks installed software on the system
Suspicious behavior: AddClipboardFormatListener
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\68c2a97252cfef191ad5dd8fd7facd69019f2592eadc8b86cfbae04daf92c56e.exe | N/A |
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\68c2a97252cfef191ad5dd8fd7facd69019f2592eadc8b86cfbae04daf92c56e.exe | N/A |
| Token: SeManageVolumePrivilege | N/A | C:\Windows\System32\svchost.exe | N/A |
Suspicious use of SetWindowsHookEx
Uses Task Scheduler COM API
Processes
C:\Users\Admin\AppData\Local\Temp\68c2a97252cfef191ad5dd8fd7facd69019f2592eadc8b86cfbae04daf92c56e.exe
"C:\Users\Admin\AppData\Local\Temp\68c2a97252cfef191ad5dd8fd7facd69019f2592eadc8b86cfbae04daf92c56e.exe"
C:\Windows\system32\rundll32.exe
"C:\Windows\system32\rundll32.exe" "C:\Windows\SYSTEM32\EDGEHTML.dll",#141 Microsoft.VCLibs.140.00_8wekyb3d8bbwe
C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k UnistackSvcGroup
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 8.8.8.8.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 158.240.127.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 254.20.238.8.in-addr.arpa | udp |
| VN | 103.38.236.46:4449 | | tcp |
| US | 8.8.8.8:53 | 46.236.38.103.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 2.136.104.51.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 157.123.68.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 22.160.190.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 241.154.82.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 205.47.74.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 39.142.81.104.in-addr.arpa | udp |
| VN | 103.38.236.46:4449 | | tcp |
| US | 8.8.8.8:53 | 206.23.85.13.in-addr.arpa | udp |
| VN | 103.38.236.46:4449 | | tcp |
| VN | 103.38.236.46:4449 | | tcp |
| US | 8.8.8.8:53 | 146.78.124.51.in-addr.arpa | udp |
| VN | 103.38.236.46:4449 | | tcp |
| US | 8.8.8.8:53 | 135.1.85.104.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 119.110.54.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 240.81.21.72.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 112.208.253.8.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 183.59.114.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 226.162.46.104.in-addr.arpa | udp |
Files
memory/4828-0-0x0000000000390000-0x00000000003A8000-memory.dmp
memory/4828-1-0x00007FFFC3600000-0x00007FFFC40C1000-memory.dmp
memory/4828-3-0x0000000002480000-0x0000000002490000-memory.dmp
memory/4828-6-0x00007FFFE1010000-0x00007FFFE1205000-memory.dmp
memory/4828-8-0x0000000002480000-0x0000000002490000-memory.dmp
memory/4828-9-0x0000000002480000-0x0000000002490000-memory.dmp
memory/4828-10-0x00007FFFC3600000-0x00007FFFC40C1000-memory.dmp
memory/4828-11-0x0000000002480000-0x0000000002490000-memory.dmp
memory/4828-12-0x00007FFFE1010000-0x00007FFFE1205000-memory.dmp
memory/4828-13-0x000000001C380000-0x000000001C3F6000-memory.dmp
memory/4828-14-0x000000001C300000-0x000000001C30E000-memory.dmp
memory/4828-15-0x000000001C330000-0x000000001C34E000-memory.dmp
memory/4828-17-0x000000001C700000-0x000000001C766000-memory.dmp
memory/4828-16-0x000000001C310000-0x000000001C31E000-memory.dmp
memory/4828-18-0x000000001C320000-0x000000001C32A000-memory.dmp
memory/4828-20-0x0000000002480000-0x0000000002490000-memory.dmp
memory/4828-21-0x0000000002480000-0x0000000002490000-memory.dmp
memory/4828-22-0x000000001CD60000-0x000000001CE82000-memory.dmp
memory/4828-64-0x000000001C1A0000-0x000000001C1C2000-memory.dmp
memory/4684-65-0x00000223ACC40000-0x00000223ACC50000-memory.dmp
memory/4684-81-0x00000223ACD40000-0x00000223ACD50000-memory.dmp
memory/4684-97-0x00000223B52A0000-0x00000223B52A1000-memory.dmp
memory/4684-98-0x00000223B52D0000-0x00000223B52D1000-memory.dmp
memory/4684-99-0x00000223B52D0000-0x00000223B52D1000-memory.dmp
memory/4684-100-0x00000223B52D0000-0x00000223B52D1000-memory.dmp
memory/4684-101-0x00000223B52D0000-0x00000223B52D1000-memory.dmp
memory/4684-102-0x00000223B52D0000-0x00000223B52D1000-memory.dmp
memory/4684-103-0x00000223B52D0000-0x00000223B52D1000-memory.dmp
memory/4684-104-0x00000223B52D0000-0x00000223B52D1000-memory.dmp
memory/4684-105-0x00000223B52D0000-0x00000223B52D1000-memory.dmp
memory/4684-106-0x00000223B52D0000-0x00000223B52D1000-memory.dmp
memory/4684-107-0x00000223B52D0000-0x00000223B52D1000-memory.dmp
memory/4684-108-0x00000223B4F00000-0x00000223B4F01000-memory.dmp
memory/4684-109-0x00000223B4EF0000-0x00000223B4EF1000-memory.dmp
memory/4684-111-0x00000223B4F00000-0x00000223B4F01000-memory.dmp
memory/4684-114-0x00000223B4EF0000-0x00000223B4EF1000-memory.dmp
memory/4684-117-0x00000223AC5E0000-0x00000223AC5E1000-memory.dmp
memory/4684-129-0x00000223B5020000-0x00000223B5021000-memory.dmp
memory/4684-131-0x00000223B5030000-0x00000223B5031000-memory.dmp
memory/4684-132-0x00000223B5030000-0x00000223B5031000-memory.dmp
memory/4684-133-0x00000223B5140000-0x00000223B5141000-memory.dmp