Analysis Overview
SHA256
03a3b480a717c57dc876d668d6be89ecf2f75c1c50fc0660ee5b6350dd3e9494
Threat Level: Known bad
The file Prysmax Stealer v4.0 @blackcrackr.exe was found to be: Known bad.
Malicious Activity Summary
Async RAT payload
Stormkitty family
Asyncrat family
StormKitty payload
AsyncRat
StormKitty
Reads user/profile data of web browsers
Looks up external IP address via web service
Looks up geolocation information via web service
Drops desktop.ini file(s)
Unsigned PE
Suspicious behavior: EnumeratesProcesses
Checks processor information in registry
Suspicious use of SendNotifyMessage
Suspicious use of WriteProcessMemory
Suspicious use of FindShellTrayWindow
Checks SCSI registry key(s)
Suspicious behavior: GetForegroundWindowSpam
Suspicious use of AdjustPrivilegeToken
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2023-09-26 16:18
Signatures
Async RAT payload
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | N/A | N/A |
Asyncrat family
StormKitty payload
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | N/A | N/A |
Stormkitty family
Unsigned PE
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | N/A | N/A |
Analysis: behavioral1
Detonation Overview
Submitted
2023-09-26 16:18
Reported
2023-09-26 16:21
Platform
win10v2004-20230915-en
Max time kernel
150s
Max time network
150s
Command Line
Signatures
AsyncRat
StormKitty
StormKitty payload
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | N/A | N/A |
Async RAT payload
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | N/A | N/A |
Reads user/profile data of web browsers
Drops desktop.ini file(s)
| Description | Indicator | Process | Target |
|---|---|---|---|
| File created | C:\Users\Admin\AppData\Local\9b6d11a470156eca57c53b207bac461f\Admin@SMIJWJMH_en-US\Grabber\DRIVE-C\Users\Admin\Desktop\desktop.ini | C:\Users\Admin\AppData\Local\Temp\Prysmax Stealer v4.0 @blackcrackr.exe | N/A |
| File opened for modification | C:\Users\Admin\AppData\Local\9b6d11a470156eca57c53b207bac461f\Admin@SMIJWJMH_en-US\Grabber\DRIVE-C\Users\Admin\Desktop\desktop.ini | C:\Users\Admin\AppData\Local\Temp\Prysmax Stealer v4.0 @blackcrackr.exe | N/A |
| File created | C:\Users\Admin\AppData\Local\9b6d11a470156eca57c53b207bac461f\Admin@SMIJWJMH_en-US\Grabber\DRIVE-C\Users\Admin\Documents\desktop.ini | C:\Users\Admin\AppData\Local\Temp\Prysmax Stealer v4.0 @blackcrackr.exe | N/A |
| File created | C:\Users\Admin\AppData\Local\9b6d11a470156eca57c53b207bac461f\Admin@SMIJWJMH_en-US\Grabber\DRIVE-C\Users\Admin\Downloads\desktop.ini | C:\Users\Admin\AppData\Local\Temp\Prysmax Stealer v4.0 @blackcrackr.exe | N/A |
| File created | C:\Users\Admin\AppData\Local\9b6d11a470156eca57c53b207bac461f\Admin@SMIJWJMH_en-US\Grabber\DRIVE-C\Users\Admin\Pictures\desktop.ini | C:\Users\Admin\AppData\Local\Temp\Prysmax Stealer v4.0 @blackcrackr.exe | N/A |
| File created | C:\Users\Admin\AppData\Local\9b6d11a470156eca57c53b207bac461f\Admin@SMIJWJMH_en-US\Grabber\DRIVE-C\Users\Admin\Pictures\Camera Roll\desktop.ini | C:\Users\Admin\AppData\Local\Temp\Prysmax Stealer v4.0 @blackcrackr.exe | N/A |
| File created | C:\Users\Admin\AppData\Local\9b6d11a470156eca57c53b207bac461f\Admin@SMIJWJMH_en-US\Grabber\DRIVE-C\Users\Admin\Pictures\Saved Pictures\desktop.ini | C:\Users\Admin\AppData\Local\Temp\Prysmax Stealer v4.0 @blackcrackr.exe | N/A |
Looks up external IP address via web service
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | icanhazip.com | N/A | N/A |
Looks up geolocation information via web service
Checks SCSI registry key(s)
| Description | Indicator | Process | Target |
|---|---|---|---|
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000 | C:\Windows\system32\taskmgr.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A | C:\Windows\system32\taskmgr.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName | C:\Windows\system32\taskmgr.exe | N/A |
Checks processor information in registry
| Description | Indicator | Process | Target |
|---|---|---|---|
| Key opened | \REGISTRY\MACHINE\HARDWARE\Description\System\CentralProcessor\0 | C:\Users\Admin\AppData\Local\Temp\Prysmax Stealer v4.0 @blackcrackr.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier | C:\Users\Admin\AppData\Local\Temp\Prysmax Stealer v4.0 @blackcrackr.exe | N/A |
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: GetForegroundWindowSpam
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | C:\Windows\system32\taskmgr.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
|---|---|---|---|
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\Prysmax Stealer v4.0 @blackcrackr.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\system32\taskmgr.exe | N/A |
| Token: SeSystemProfilePrivilege | N/A | C:\Windows\system32\taskmgr.exe | N/A |
| Token: SeCreateGlobalPrivilege | N/A | C:\Windows\system32\taskmgr.exe | N/A |
Suspicious use of FindShellTrayWindow
Suspicious use of SendNotifyMessage
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\Prysmax Stealer v4.0 @blackcrackr.exe
"C:\Users\Admin\AppData\Local\Temp\Prysmax Stealer v4.0 @blackcrackr.exe"
C:\Windows\system32\taskmgr.exe
"C:\Windows\system32\taskmgr.exe" /4
C:\Windows\SysWOW64\cmd.exe
"cmd.exe" /C chcp 65001 && netsh wlan show profile | findstr All
C:\Windows\SysWOW64\chcp.com
chcp 65001
C:\Windows\SysWOW64\netsh.exe
netsh wlan show profile
C:\Windows\SysWOW64\findstr.exe
findstr All
C:\Windows\SysWOW64\cmd.exe
"cmd.exe" /C chcp 65001 && netsh wlan show networks mode=bssid
C:\Windows\SysWOW64\chcp.com
chcp 65001
C:\Windows\SysWOW64\netsh.exe
netsh wlan show networks mode=bssid
Network
| Country | Destination | Domain | Proto |
|---|---|---|---|
| US | 8.8.8.8:53 | 71.159.190.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 208.194.73.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 9.228.82.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 198.5.85.104.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 59.128.231.4.in-addr.arpa | udp |
| US | 8.8.8.8:53 | icanhazip.com | udp |
| US | 104.18.114.97:80 | icanhazip.com | tcp |
| US | 8.8.8.8:53 | api.mylnikov.org | udp |
| US | 172.67.196.114:443 | api.mylnikov.org | tcp |
| US | 8.8.8.8:53 | 97.114.18.104.in-addr.arpa | udp |
| US | 8.8.8.8:53 | api.telegram.org | udp |
| NL | 149.154.167.220:443 | api.telegram.org | tcp |
| NL | 149.154.167.220:443 | api.telegram.org | tcp |
| US | 8.8.8.8:53 | 114.196.67.172.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 220.167.154.149.in-addr.arpa | udp |
| NL | 149.154.167.220:443 | api.telegram.org | tcp |
| US | 8.8.8.8:53 | 183.59.114.20.in-addr.arpa | udp |
| N/A | 127.0.0.1:8808 | N/A | tcp |
| US | 8.8.8.8:53 | 206.23.85.13.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 254.3.248.8.in-addr.arpa | udp |
| N/A | 127.0.0.1:8808 | N/A | tcp |
| N/A | 127.0.0.1:6606 | N/A | tcp |
| N/A | 127.0.0.1:8808 | N/A | tcp |
| N/A | 127.0.0.1:6606 | N/A | tcp |
| N/A | 127.0.0.1:6606 | N/A | tcp |
| N/A | 127.0.0.1:8808 | N/A | tcp |
| N/A | 127.0.0.1:6606 | N/A | tcp |
| N/A | 127.0.0.1:8808 | N/A | tcp |
| N/A | 127.0.0.1:8808 | N/A | tcp |
| N/A | 127.0.0.1:6606 | N/A | tcp |
| N/A | 127.0.0.1:8808 | N/A | tcp |
| N/A | 127.0.0.1:7707 | N/A | tcp |
| N/A | 127.0.0.1:8808 | N/A | tcp |
| N/A | 127.0.0.1:7707 | N/A | tcp |
| N/A | 127.0.0.1:8808 | N/A | tcp |
| US | 8.8.8.8:53 | 23.173.189.20.in-addr.arpa | udp |
| N/A | 127.0.0.1:6606 | N/A | tcp |
| N/A | 127.0.0.1:6606 | N/A | tcp |
Files
C:\Users\Admin\AppData\Local\9b6d11a470156eca57c53b207bac461f\Admin@SMIJWJMH_en-US\Browsers\Firefox\Bookmarks.txt
| Hash | Value |
|---|---|
| MD5 | 2e9d094dda5cdc3ce6519f75943a4ff4 |
| SHA1 | 5d989b4ac8b699781681fe75ed9ef98191a5096c |
| SHA256 | c84c98bbf5e0ef9c8d0708b5d60c5bb656b7d6be5135d7f7a8d25557e08cf142 |
| SHA512 | d1f7eed00959e902bdb2125b91721460d3ff99f3bdfc1f2a343d4f58e8d4e5e5a06c0c6cdc0379211c94510f7c00d7a8b34fa7d0ca0c3d54cbbe878f1e9812b7 |
C:\Users\Admin\AppData\Local\9b6d11a470156eca57c53b207bac461f\Admin@SMIJWJMH_en-US\System\Process.txt
| Hash | Value |
|---|---|
| MD5 | 5e13a183f1d009256ae5f55933a17565 |
| SHA1 | 1e907d839592d51918777c5193ef07380d9b0ca2 |
| SHA256 | bd6d89fcbd5e5e16db25de3cc6e1da8459a4d9d11cf260257dfad631b733c27a |
| SHA512 | 9c79f1d0b66b076bf9d4ea9d1e1390454532fef6003e938acaabd276b6639706a54a468a3b1047e6cf48eafb938075176365995c11317aa0ecef21c2960908d8 |
C:\Users\Admin\AppData\Local\dffaeb0d926bd07d8a3f05eb1e5be402\msgid.dat
| Hash | Value |
|---|---|
| MD5 | e2eacaff46787bfeefcaa24cf35264c7 |
| SHA1 | f19cfbfd92943598a5fd121803f33aa27a6a7737 |
| SHA256 | 9a094988ee453389615f0706c2467b3f4ac80ea300d3ba1f20d3698d5f5dbafa |
| SHA512 | f8bca6b6817e929a8fb2e257a203729690a6c8f7717f537a1f1d803bfb3be9eaa8c5a0efa4ba1d144c2fa1c802ff7aa460a089da79c96c0fffdac2854518aabe |