Malware Analysis Report

2025-01-03 06:26

Sample ID 230926-pwy8vsaf43
Target 68c2a97252cfef191ad5dd8fd7facd69019f2592eadc8b86cfbae04daf92c56e
SHA256 68c2a97252cfef191ad5dd8fd7facd69019f2592eadc8b86cfbae04daf92c56e
Tags
rat default asyncrat stormkitty discovery spyware stealer
score
10/10

Analysis Overview

score
10/10

SHA256

68c2a97252cfef191ad5dd8fd7facd69019f2592eadc8b86cfbae04daf92c56e

Threat Level: Known bad

The file 68c2a97252cfef191ad5dd8fd7facd69019f2592eadc8b86cfbae04daf92c56e was found to be: Known bad.

Malicious Activity Summary

rat default asyncrat stormkitty discovery spyware stealer

AsyncRat

Asyncrat family

Async RAT payload

StormKitty payload

StormKitty

Reads user/profile data of web browsers

Checks installed software on the system

Unsigned PE

Uses Task Scheduler COM API

Suspicious use of SetWindowsHookEx

Suspicious use of AdjustPrivilegeToken

Suspicious behavior: EnumeratesProcesses

Suspicious behavior: AddClipboardFormatListener

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2023-09-26 12:41

Signatures

Async RAT payload

rat

Asyncrat family

asyncrat

Unsigned PE


Analysis: behavioral1

Detonation Overview

Submitted

2023-09-26 12:41

Reported

2023-09-26 12:44

Platform

win10v2004-20230915-en

Max time kernel

141s

Max time network

153s

Command Line

"C:\Users\Admin\AppData\Local\Temp\68c2a97252cfef191ad5dd8fd7facd69019f2592eadc8b86cfbae04daf92c56e.exe"

Signatures

AsyncRat

rat asyncrat

StormKitty

stealer stormkitty

StormKitty payload


Async RAT payload

rat

Reads user/profile data of web browsers

spyware stealer

Checks installed software on the system

discovery

Suspicious behavior: AddClipboardFormatListener

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\68c2a97252cfef191ad5dd8fd7facd69019f2592eadc8b86cfbae04daf92c56e.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\68c2a97252cfef191ad5dd8fd7facd69019f2592eadc8b86cfbae04daf92c56e.exe N/A
Token: SeManageVolumePrivilege N/A C:\Windows\System32\svchost.exe N/A

Uses Task Scheduler COM API

persistence

Processes

C:\Users\Admin\AppData\Local\Temp\68c2a97252cfef191ad5dd8fd7facd69019f2592eadc8b86cfbae04daf92c56e.exe

"C:\Users\Admin\AppData\Local\Temp\68c2a97252cfef191ad5dd8fd7facd69019f2592eadc8b86cfbae04daf92c56e.exe"

C:\Windows\system32\rundll32.exe

"C:\Windows\system32\rundll32.exe" "C:\Windows\SYSTEM32\EDGEHTML.dll",#141 Microsoft.VCLibs.140.00_8wekyb3d8bbwe

C:\Windows\System32\svchost.exe

C:\Windows\System32\svchost.exe -k UnistackSvcGroup

Network

Country Destination Domain Proto
US 8.8.8.8:53 8.8.8.8.in-addr.arpa udp
US 8.8.8.8:53 158.240.127.40.in-addr.arpa udp
US 8.8.8.8:53 254.20.238.8.in-addr.arpa udp
VN 103.38.236.46:4449 tcp
US 8.8.8.8:53 46.236.38.103.in-addr.arpa udp
US 8.8.8.8:53 2.136.104.51.in-addr.arpa udp
US 8.8.8.8:53 157.123.68.40.in-addr.arpa udp
US 8.8.8.8:53 22.160.190.20.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 241.154.82.20.in-addr.arpa udp
US 8.8.8.8:53 205.47.74.20.in-addr.arpa udp
US 8.8.8.8:53 39.142.81.104.in-addr.arpa udp
VN 103.38.236.46:4449 tcp
US 8.8.8.8:53 206.23.85.13.in-addr.arpa udp
VN 103.38.236.46:4449 tcp
VN 103.38.236.46:4449 tcp
US 8.8.8.8:53 146.78.124.51.in-addr.arpa udp
VN 103.38.236.46:4449 tcp
US 8.8.8.8:53 135.1.85.104.in-addr.arpa udp
US 8.8.8.8:53 119.110.54.20.in-addr.arpa udp
US 8.8.8.8:53 240.81.21.72.in-addr.arpa udp
US 8.8.8.8:53 112.208.253.8.in-addr.arpa udp
US 8.8.8.8:53 183.59.114.20.in-addr.arpa udp
US 8.8.8.8:53 226.162.46.104.in-addr.arpa udp

Files
