asyncrat | d5957803eb8a1c83dd84f7d08d431c9ad3a7e3c29814f8b46b805083f5b4899a

General

Target

Dekont.pdf.exe
Size

1006KB
MD5

9b37096274af2542b2e8e5460a32ad92
SHA1

fd1bd3fe73844de5f69dfc4b42e9f40aa4395308
SHA256

d5957803eb8a1c83dd84f7d08d431c9ad3a7e3c29814f8b46b805083f5b4899a
SHA512

2297155b35eadd6d0fcad613d954558f116c9ff660ce7470f428123a99840747056e8648d51c31b86ccd900ace9075f4888e47dd9cac8dc228f40c21e49de994
SSDEEP

24576:2TbBv5rUDKoU7LEoW9MZBGa6mXcqIAXiAZfzI6l:IBUUPEjKGLAXiAZz

Score

10^/10

asyncrat stormkitty default rat stealer

Malware Config

Extracted

Family

asyncrat

Botnet

Default

C2

127.0.0.1:6606

127.0.0.1:7707

127.0.0.1:8808

https://api.telegram.org/bot6889241853:AAHAa8eUBd5h6tWRG0OvgDx7o1_LKQJi-y8/sendMessage?chat_id=6367688286

Mutex

AsyncMutex_6SI8OkPnk

Attributes

delay
3
install
false
install_folder
%AppData%

aes.plain

Signatures

AsyncRat
AsyncRAT is designed to remotely monitor and control other computers written in C#.
rat asyncrat
StormKitty
StormKitty is an open source info stealer written in C#.
stealer stormkitty

StormKitty payload 5 IoCs

resource	yara_rule
behavioral1/memory/1104-58-0x00000000002D0000-0x00000000012D0000-memory.dmp	family_stormkitty
behavioral1/memory/1104-60-0x00000000002D0000-0x00000000012D0000-memory.dmp	family_stormkitty
behavioral1/memory/1104-62-0x00000000002D0000-0x00000000012D0000-memory.dmp	family_stormkitty
behavioral1/memory/1104-63-0x00000000002D0000-0x0000000000300000-memory.dmp	family_stormkitty
behavioral1/memory/1104-65-0x0000000010F70000-0x0000000010FB0000-memory.dmp	family_stormkitty

Async RAT payload 5 IoCs

rat

resource	yara_rule
behavioral1/memory/1104-58-0x00000000002D0000-0x00000000012D0000-memory.dmp	asyncrat
behavioral1/memory/1104-60-0x00000000002D0000-0x00000000012D0000-memory.dmp	asyncrat
behavioral1/memory/1104-62-0x00000000002D0000-0x00000000012D0000-memory.dmp	asyncrat
behavioral1/memory/1104-63-0x00000000002D0000-0x0000000000300000-memory.dmp	asyncrat
behavioral1/memory/1104-65-0x0000000010F70000-0x0000000010FB0000-memory.dmp	asyncrat

Looks up external IP address via web service 1 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

flow	ioc
2	icanhazip.com

Looks up geolocation information via web service
Uses a legitimate geolocation service to find the infected system's geolocation info.
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Gathers network information 2 TTPs 2 IoCs

Uses commandline utility to view network configuration.

System Information Discovery

T1082

Command and Scripting Interpreter

T1059

pid	Process
2548	ipconfig.exe
1796	ipconfig.exe

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 2144 wrote to memory of 2728	2144	Dekont.pdf.exe	27
PID 2144 wrote to memory of 2728	2144	Dekont.pdf.exe	27
PID 2144 wrote to memory of 2728	2144	Dekont.pdf.exe	27
PID 2144 wrote to memory of 2728	2144	Dekont.pdf.exe	27

C:\Users\Admin\AppData\Local\Temp\Dekont.pdf.exe
"C:\Users\Admin\AppData\Local\Temp\Dekont.pdf.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:2144
- C:\Windows\SysWOW64\WScript.exe
  "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\RarSFX0\dgmc.vbe"
  2⤵
  PID:2728
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\System32\cmd.exe" /c ipconfig /release
    3⤵
    PID:2124
  - - C:\Windows\SysWOW64\ipconfig.exe
      ipconfig /release
      4⤵
      Gathers network information
      PID:2548
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\System32\cmd.exe" /c innlltqdtq.exe tirru.msc
    3⤵
    PID:2128
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\System32\cmd.exe" /c ipconfig /renew
    3⤵
    PID:1268

C:\Users\Admin\AppData\Local\Temp\RarSFX0\innlltqdtq.exe
innlltqdtq.exe tirru.msc
1⤵
PID:524
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
  "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"
  2⤵
  PID:1104
- - C:\Windows\SysWOW64\cmd.exe
    "cmd.exe" /C chcp 65001 && netsh wlan show profile | findstr All
    3⤵
    PID:596
- - C:\Windows\SysWOW64\cmd.exe
    "cmd.exe" /C chcp 65001 && netsh wlan show networks mode=bssid
    3⤵
    PID:1320
  - - C:\Windows\SysWOW64\netsh.exe
      netsh wlan show networks mode=bssid
      4⤵
      PID:676
  - - C:\Windows\SysWOW64\chcp.com
      chcp 65001
      4⤵
      PID:1304

C:\Windows\SysWOW64\ipconfig.exe
ipconfig /renew
1⤵
- Gathers network information
PID:1796

C:\Windows\SysWOW64\chcp.com
chcp 65001
1⤵
PID:2792

C:\Windows\SysWOW64\findstr.exe
findstr All
1⤵
PID:1948

C:\Windows\SysWOW64\netsh.exe
netsh wlan show profile
1⤵
PID:1356

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

1

T1059

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

2

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\RarSFX0\dgmc.vbe

Filesize
61KB

MD5
223e418a5069dfcfb8d61f5b4519a123

SHA1
9d68dec1ac850812890321e836c9dfd207409776

SHA256
dbb4a26b43ad9039c07a966522f664ff9d95511d36e35c7f8b7b233e8bbbbd84

SHA512
d25d601e14ba9506c2423c2dd37770436fa894bc26d55b9bbae7bdb77846a6c96d9717f0e4605f72a6e20f327b0079aac6f0c129885e62b2ecd2412b67f13fee

Download Submit
memory/1104-56-0x00000000002D0000-0x00000000012D0000-memory.dmp

Filesize
16.0MB

Download
memory/1104-57-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

Filesize
4KB

Download
memory/1104-58-0x00000000002D0000-0x00000000012D0000-memory.dmp

Filesize
16.0MB

Download
memory/1104-60-0x00000000002D0000-0x00000000012D0000-memory.dmp

Filesize
16.0MB

Download
memory/1104-62-0x00000000002D0000-0x00000000012D0000-memory.dmp

Filesize
16.0MB

Download
memory/1104-63-0x00000000002D0000-0x0000000000300000-memory.dmp

Filesize
192KB

Download
memory/1104-64-0x0000000072F60000-0x000000007364E000-memory.dmp

Filesize
6.9MB

Download
memory/1104-65-0x0000000010F70000-0x0000000010FB0000-memory.dmp

Filesize
256KB

Download
memory/1104-133-0x0000000072F60000-0x000000007364E000-memory.dmp

Filesize
6.9MB

Download
memory/1104-141-0x0000000010F70000-0x0000000010FB0000-memory.dmp

Filesize
256KB

Download
memory/1104-140-0x0000000010F70000-0x0000000010FB0000-memory.dmp

Filesize
256KB

Download
memory/1104-211-0x0000000010F70000-0x0000000010FB0000-memory.dmp

Filesize
256KB

Download

Analysis

Sharing