asyncrat | 920ee4d6e16da14af70de3df554004024590cd31ac4b57c5338761b7838b3291

Resubmissions

02/02/2024, 15:59

240202-te4t8scbdp 10

02/02/2024, 15:54

240202-tcesbscahk 10

Analysis

max time kernel
1194s
max time network
873s
platform
windows10-1703_x64
resource
win10-20231215-en
resource tags

arch:x64arch:x86image:win10-20231215-enlocale:en-usos:windows10-1703-x64system
submitted
02/02/2024, 15:54

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

SMS sender 2023/SMS sender 2023/SMS sender 2023.exe
Size

226KB
MD5

24dd26630b048cde008c05f926175a9b
SHA1

0b96f1ebd9b1be405c6e69aecb266089cd406ea7
SHA256

dba3b96b00b793eeccc62c2f973034a8813e6449f76a4dfdc9a2b0c38936b32f
SHA512

a869a5a768577552ed5fdd0f1957462d743254ec48ee75f6cfbd36a570c41e1b7c4f0f59eed5e6300ba100a958f4c883aa72d631e4b56a51596d395269c58eeb
SSDEEP

3072:N+STW8djpN6izj8mZw2g7uB1NUbBYp2TCnazbZHPzpq/Vp+8E89Fk6+Wp0:S8XN6W8mm2bnUbK2qazbZHl+F

Score

10^/10

asyncrat stormkitty default rat spyware stealer

Malware Config

Extracted

Family

asyncrat

Botnet

Default

127.0.0.1:6606

127.0.0.1:7707

127.0.0.1:8808

Mutex

AsyncMutex_6SI8OkPnk

Attributes

delay
3
install
false
install_folder
%AppData%

aes.plain

Signatures

AsyncRat
AsyncRAT is designed to remotely monitor and control other computers written in C#.
rat asyncrat
StormKitty
StormKitty is an open source info stealer written in C#.
stealer stormkitty

StormKitty payload 1 IoCs

resource	yara_rule
behavioral11/memory/196-0-0x0000000000600000-0x000000000063E000-memory.dmp	family_stormkitty

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Drops desktop.ini file(s) 9 IoCs

description	ioc	Process
File opened for modification	C:\Users\Admin\AppData\Local\882f63c3d8a121520800de580f0678fb\Admin@ZVXFTBZM_en-US\Grabber\DRIVE-C\Users\Admin\Pictures\desktop.ini	SMS sender 2023.exe
File created	C:\Users\Admin\AppData\Local\882f63c3d8a121520800de580f0678fb\Admin@ZVXFTBZM_en-US\Grabber\DRIVE-C\Users\Admin\Desktop\desktop.ini	SMS sender 2023.exe
File created	C:\Users\Admin\AppData\Local\882f63c3d8a121520800de580f0678fb\Admin@ZVXFTBZM_en-US\Grabber\DRIVE-C\Users\Admin\Documents\desktop.ini	SMS sender 2023.exe
File created	C:\Users\Admin\AppData\Local\882f63c3d8a121520800de580f0678fb\Admin@ZVXFTBZM_en-US\Grabber\DRIVE-C\Users\Admin\Pictures\Saved Pictures\desktop.ini	SMS sender 2023.exe
File created	C:\Users\Admin\AppData\Local\882f63c3d8a121520800de580f0678fb\Admin@ZVXFTBZM_en-US\Grabber\DRIVE-C\Users\Admin\Pictures\desktop.ini	SMS sender 2023.exe
File created	C:\Users\Admin\AppData\Local\882f63c3d8a121520800de580f0678fb\Admin@ZVXFTBZM_en-US\Grabber\DRIVE-C\Users\Admin\Pictures\Camera Roll\desktop.ini	SMS sender 2023.exe
File created	C:\Users\Admin\AppData\Local\882f63c3d8a121520800de580f0678fb\Admin@ZVXFTBZM_en-US\Grabber\DRIVE-C\Users\Admin\Downloads\desktop.ini	SMS sender 2023.exe
File opened for modification	C:\Users\Admin\AppData\Local\882f63c3d8a121520800de580f0678fb\Admin@ZVXFTBZM_en-US\Grabber\DRIVE-C\Users\Admin\Documents\desktop.ini	SMS sender 2023.exe
File opened for modification	C:\Users\Admin\AppData\Local\882f63c3d8a121520800de580f0678fb\Admin@ZVXFTBZM_en-US\Grabber\DRIVE-C\Users\Admin\Desktop\desktop.ini	SMS sender 2023.exe

Looks up external IP address via web service 1 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

flow	ioc
7	icanhazip.com

Looks up geolocation information via web service
Uses a legitimate geolocation service to find the infected system's geolocation info.

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\Description\System\CentralProcessor\0	SMS sender 2023.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier	SMS sender 2023.exe

Suspicious behavior: EnumeratesProcesses 15 IoCs

pid	Process
196	SMS sender 2023.exe
196	SMS sender 2023.exe
196	SMS sender 2023.exe
196	SMS sender 2023.exe
196	SMS sender 2023.exe
196	SMS sender 2023.exe
196	SMS sender 2023.exe
196	SMS sender 2023.exe
196	SMS sender 2023.exe
196	SMS sender 2023.exe
196	SMS sender 2023.exe
196	SMS sender 2023.exe
196	SMS sender 2023.exe
196	SMS sender 2023.exe
196	SMS sender 2023.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	196	SMS sender 2023.exe

Suspicious use of WriteProcessMemory 21 IoCs

description	pid	Process	procid_target
PID 196 wrote to memory of 600	196	SMS sender 2023.exe	75
PID 196 wrote to memory of 600	196	SMS sender 2023.exe	75
PID 196 wrote to memory of 600	196	SMS sender 2023.exe	75
PID 600 wrote to memory of 4664	600	cmd.exe	77
PID 600 wrote to memory of 4664	600	cmd.exe	77
PID 600 wrote to memory of 4664	600	cmd.exe	77
PID 600 wrote to memory of 4232	600	cmd.exe	79
PID 600 wrote to memory of 4232	600	cmd.exe	79
PID 600 wrote to memory of 4232	600	cmd.exe	79
PID 600 wrote to memory of 1428	600	cmd.exe	78
PID 600 wrote to memory of 1428	600	cmd.exe	78
PID 600 wrote to memory of 1428	600	cmd.exe	78
PID 196 wrote to memory of 2868	196	SMS sender 2023.exe	80
PID 196 wrote to memory of 2868	196	SMS sender 2023.exe	80
PID 196 wrote to memory of 2868	196	SMS sender 2023.exe	80
PID 2868 wrote to memory of 1412	2868	cmd.exe	82
PID 2868 wrote to memory of 1412	2868	cmd.exe	82
PID 2868 wrote to memory of 1412	2868	cmd.exe	82
PID 2868 wrote to memory of 3880	2868	cmd.exe	83
PID 2868 wrote to memory of 3880	2868	cmd.exe	83
PID 2868 wrote to memory of 3880	2868	cmd.exe	83

C:\Users\Admin\AppData\Local\Temp\SMS sender 2023\SMS sender 2023\SMS sender 2023.exe
"C:\Users\Admin\AppData\Local\Temp\SMS sender 2023\SMS sender 2023\SMS sender 2023.exe"
1⤵
- Drops desktop.ini file(s)
- Checks processor information in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:196
- C:\Windows\SysWOW64\cmd.exe
  "cmd.exe" /C chcp 65001 && netsh wlan show profile | findstr All
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:600
- - C:\Windows\SysWOW64\chcp.com
    chcp 65001
    3⤵
    PID:4664
- - C:\Windows\SysWOW64\findstr.exe
    findstr All
    3⤵
    PID:1428
- - C:\Windows\SysWOW64\netsh.exe
    netsh wlan show profile
    3⤵
    PID:4232
- C:\Windows\SysWOW64\cmd.exe
  "cmd.exe" /C chcp 65001 && netsh wlan show networks mode=bssid
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2868
- - C:\Windows\SysWOW64\chcp.com
    chcp 65001
    3⤵
    PID:1412
- - C:\Windows\SysWOW64\netsh.exe
    netsh wlan show networks mode=bssid
    3⤵
    PID:3880

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\882f63c3d8a121520800de580f0678fb\Admin@ZVXFTBZM_en-US\System\Process.txt

Filesize
4KB

MD5
bee3b78115097d4c94cc1793f49dc4c4

SHA1
f8f16322803e277e98ed24655ebbe2975bfeb6f0

SHA256
9756d0cf646c56c372fc0caa37f021f6890bcaaa0eac464fa2b0bf98a23a8e9d

SHA512
f64ded0f6a23313700b365f4d58ab56834dc4f1bbcedd5607910d6936ec7ba9367ffbbbc9b8370c6ecafcea19f0d3ea795b5db178febce264396faf4838e508a

Download Submit
C:\Users\Admin\AppData\Local\f08ae49c208a33db95627bfa95e6a3ae\msgid.dat

Filesize
4B

MD5
89a4779d3836ea432f7ea074e522a17e

SHA1
b1d49039967f7fd493ea6ebac0b5dabbc86e37bb

SHA256
9fc7ef2c7100149c53ca373e5f4a8cdeb1df6a787bf4e01dab583875c89d6c7f

SHA512
27e80c971712b8677c82d2e227e95b1faf8c8f1fb4b079f8aeaf84a93d59194db635442c00222eeeed4360d4dc6a0132fd15d4beb9c5b8f82e15a5a4c1f335d8

Download Submit
memory/196-3-0x0000000004FD0000-0x0000000005036000-memory.dmp

Filesize
408KB

Download
memory/196-0-0x0000000000600000-0x000000000063E000-memory.dmp

Filesize
248KB

Download
memory/196-2-0x0000000004FC0000-0x0000000004FD0000-memory.dmp

Filesize
64KB

Download
memory/196-120-0x0000000004FC0000-0x0000000004FD0000-memory.dmp

Filesize
64KB

Download
memory/196-121-0x0000000005AA0000-0x0000000005B32000-memory.dmp

Filesize
584KB

Download
memory/196-122-0x0000000006040000-0x000000000653E000-memory.dmp

Filesize
5.0MB

Download
memory/196-126-0x0000000005CA0000-0x0000000005CAA000-memory.dmp

Filesize
40KB

Download
memory/196-1-0x0000000073610000-0x0000000073CFE000-memory.dmp

Filesize
6.9MB

Download
memory/196-132-0x0000000005FF0000-0x0000000006002000-memory.dmp

Filesize
72KB

Download
memory/196-156-0x0000000073610000-0x0000000073CFE000-memory.dmp

Filesize
6.9MB

Download
memory/196-157-0x0000000004FC0000-0x0000000004FD0000-memory.dmp

Filesize
64KB

Download