Overview

overview

10

Static

static

10

JC_tmp.exe

windows7-x64

10

JC_tmp.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    148s
  • max time network
    148s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20230915-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20230915-enlocale:en-usos:windows10-2004-x64system
  • submitted
    08/10/2023, 17:31

Sharing

Copy URL Twitter E-mail
Report Analysis Logs

General

  • Target

    JC_tmp.exe

  • Size

    175KB

  • MD5

    9f322fea404a9934e6c807108ebb2147

  • SHA1

    668174980eb20c9ce530b51e059714bc55a80d25

  • SHA256

    a3e5674bf7c3e285fb88bb0bfc284f3e74ece2706f46168c6da289e6267b96d7

  • SHA512

    2a5c3e87b7199f8b48cc0e8528e5d54052b7d8c596465666b13c4d348413931edf6985bbf3a72dcabdbb88363b4c073958081e534a79fb430ae2c3ddb4dbeb8d

  • SSDEEP

    3072:se8oX8Sb5KcXrtkkXmf/bDsvqtU+lLToChAP0UZ0b2gTewAqE+Wpor:FXtb5KcXr7XmfgqtjhAxZ0b2H

Score
10/10
asyncratstormkittydefaultratspywarestealer

Malware Config

Extracted

Family

asyncrat

Botnet

Default

C2

127.0.0.1:6606

127.0.0.1:7707

127.0.0.1:8808

https://api.telegram.org/bot6665962723:AAH0nnWqTYyuuRfHTzEtqpxN1oFN6NDMxRY/sendMessage?chat_id=1595024827
Mutex

AsyncMutex_6SI8OkPnk

Attributes
  • delay

    3

  • install

    false

  • install_folder

    %AppData%

aes.plain

Signatures

  • AsyncRat

    AsyncRAT is designed to remotely monitor and control other computers written in C#.

    ratasyncrat
  • StormKitty

    StormKitty is an open source info stealer written in C#.

    stealerstormkitty
  • StormKitty payload 1 IoCs
  • Async RAT payload 1 IoCs
    rat
  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

    spywarestealer
  • Drops desktop.ini file(s) 10 IoCs
  • Looks up external IP address via web service 1 IoCs

    Uses a legitimate IP lookup service to find the infected system's external IP.

  • Looks up geolocation information via web service

    Uses a legitimate geolocation service to find the infected system's geolocation info.

  • Checks processor information in registry 2 TTPs 2 IoCs

    Processor information is often read in order to detect sandboxing environments.

  • Suspicious behavior: EnumeratesProcesses 25 IoCs
  • Suspicious use of AdjustPrivilegeToken 1 IoCs
  • Suspicious use of WriteProcessMemory 21 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\JC_tmp.exe
    "C:\Users\Admin\AppData\Local\Temp\JC_tmp.exe"
    1⤵
    • Drops desktop.ini file(s)
    • Checks processor information in registry
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:644
    • C:\Windows\SysWOW64\cmd.exe
      "cmd.exe" /C chcp 65001 && netsh wlan show profile | findstr All
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:216
      • C:\Windows\SysWOW64\chcp.com
        chcp 65001
        3⤵
          PID:4260
        • C:\Windows\SysWOW64\netsh.exe
          netsh wlan show profile
          3⤵
            PID:5072
          • C:\Windows\SysWOW64\findstr.exe
            findstr All
            3⤵
              PID:3932
          • C:\Windows\SysWOW64\cmd.exe
            "cmd.exe" /C chcp 65001 && netsh wlan show networks mode=bssid
            2⤵
            • Suspicious use of WriteProcessMemory
            PID:4876
            • C:\Windows\SysWOW64\chcp.com
              chcp 65001
              3⤵
                PID:1104
              • C:\Windows\SysWOW64\netsh.exe
                netsh wlan show networks mode=bssid
                3⤵
                  PID:560

            Network

                  MITRE ATT&CK Enterprise v15

                  Replay Monitor

                  Loading Replay Monitor...

                  Downloads

                  • C:\Users\Admin\AppData\Local\784a124155181d24a9160e9054f5847d\msgid.dat
                    Filesize

                    1B

                    MD5

                    cfcd208495d565ef66e7dff9f98764da

                    SHA1

                    b6589fc6ab0dc82cf12099d1c2d40ab994e8410c

                    SHA256

                    5feceb66ffc86f38d952786c6d696c79c2dbc239dd4e91b46729d73a27fb57e9

                    SHA512

                    31bca02094eb78126a517b206a88c73cfa9ec6f704c7030d18212cace820f025f00bf0ea68dbf3f3a5436ca63b53bf7bf80ad8d5de7d8359d0b7fed9dbc3ab99

                    Download Submit

                  • C:\Users\Admin\AppData\Local\80b7151ef9385a8ed4e980c60948bbfd\Admin@MDUTPCWA_en-US\System\Process.txt
                    Filesize

                    4KB

                    MD5

                    596861ded1c3fee788165d5ba2aedb2f

                    SHA1

                    ce43a11b375e4036d57b554072e84bba96efa0d4

                    SHA256

                    141e0fe6d17396338754c33aad33a4aecfbcf7580d264b3637c2e8ae27ae878b

                    SHA512

                    486be9e2d6d82fce2a1d846d1c299927c8b27cf00f2155a83283fd1e60c67b64abb76a507457cb0d17ca6e84b9cd7eec96f08342bc45abf4458ff0170b87b38f

                    Download Submit

                  • memory/644-3-0x0000000005530000-0x0000000005596000-memory.dmp

                    Filesize

                    408KB

                    Download

                  • memory/644-1-0x0000000074AD0000-0x0000000075280000-memory.dmp

                    Filesize

                    7.7MB

                    Download

                  • memory/644-57-0x0000000074AD0000-0x0000000075280000-memory.dmp

                    Filesize

                    7.7MB

                    Download

                  • memory/644-83-0x00000000053A0000-0x00000000053B0000-memory.dmp

                    Filesize

                    64KB

                    Download

                  • memory/644-2-0x00000000053A0000-0x00000000053B0000-memory.dmp

                    Filesize

                    64KB

                    Download

                  • memory/644-149-0x00000000053A0000-0x00000000053B0000-memory.dmp

                    Filesize

                    64KB

                    Download

                  • memory/644-151-0x0000000006390000-0x0000000006422000-memory.dmp

                    Filesize

                    584KB

                    Download

                  • memory/644-152-0x00000000069E0000-0x0000000006F84000-memory.dmp

                    Filesize

                    5.6MB

                    Download

                  • memory/644-156-0x00000000064B0000-0x00000000064BA000-memory.dmp

                    Filesize

                    40KB

                    Download

                  • memory/644-157-0x00000000053A0000-0x00000000053B0000-memory.dmp

                    Filesize

                    64KB

                    Download

                  • memory/644-0-0x0000000000A40000-0x0000000000A72000-memory.dmp

                    Filesize

                    200KB

                    Download

                  • memory/644-163-0x0000000006500000-0x0000000006512000-memory.dmp

                    Filesize

                    72KB

                    Download