asyncrat | 920ee4d6e16da14af70de3df554004024590cd31ac4b57c5338761b7838b3291

Resubmissions

02/02/2024, 15:59

240202-te4t8scbdp 10

02/02/2024, 15:54

240202-tcesbscahk 10

Analysis

max time kernel
143s
max time network
156s
platform
windows10-2004_x64
resource
win10v2004-20231215-en
resource tags

arch:x64arch:x86image:win10v2004-20231215-enlocale:en-usos:windows10-2004-x64system
submitted
02/02/2024, 15:59

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

SMS sender 2023/SMS sender 2023/SMS sender 2023.exe
Size

226KB
MD5

24dd26630b048cde008c05f926175a9b
SHA1

0b96f1ebd9b1be405c6e69aecb266089cd406ea7
SHA256

dba3b96b00b793eeccc62c2f973034a8813e6449f76a4dfdc9a2b0c38936b32f
SHA512

a869a5a768577552ed5fdd0f1957462d743254ec48ee75f6cfbd36a570c41e1b7c4f0f59eed5e6300ba100a958f4c883aa72d631e4b56a51596d395269c58eeb
SSDEEP

3072:N+STW8djpN6izj8mZw2g7uB1NUbBYp2TCnazbZHPzpq/Vp+8E89Fk6+Wp0:S8XN6W8mm2bnUbK2qazbZHl+F

Score

10^/10

asyncrat stormkitty default rat spyware stealer

Malware Config

Extracted

Family

asyncrat

Botnet

Default

127.0.0.1:6606

127.0.0.1:7707

127.0.0.1:8808

Mutex

AsyncMutex_6SI8OkPnk

Attributes

delay
3
install
false
install_folder
%AppData%

aes.plain

Signatures

AsyncRat
AsyncRAT is designed to remotely monitor and control other computers written in C#.
rat asyncrat
StormKitty
StormKitty is an open source info stealer written in C#.
stealer stormkitty

StormKitty payload 1 IoCs

resource	yara_rule
behavioral16/memory/4312-0-0x0000000000020000-0x000000000005E000-memory.dmp	family_stormkitty

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Drops desktop.ini file(s) 8 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Local\e60b0c7d9e6c8ba07f05443643ed3624\Admin@VFMDDVWB_en-US\Grabber\DRIVE-C\Users\Admin\Desktop\desktop.ini	SMS sender 2023.exe
File opened for modification	C:\Users\Admin\AppData\Local\e60b0c7d9e6c8ba07f05443643ed3624\Admin@VFMDDVWB_en-US\Grabber\DRIVE-C\Users\Admin\Pictures\desktop.ini	SMS sender 2023.exe
File opened for modification	C:\Users\Admin\AppData\Local\e60b0c7d9e6c8ba07f05443643ed3624\Admin@VFMDDVWB_en-US\Grabber\DRIVE-C\Users\Admin\Desktop\desktop.ini	SMS sender 2023.exe
File created	C:\Users\Admin\AppData\Local\e60b0c7d9e6c8ba07f05443643ed3624\Admin@VFMDDVWB_en-US\Grabber\DRIVE-C\Users\Admin\Downloads\desktop.ini	SMS sender 2023.exe
File created	C:\Users\Admin\AppData\Local\e60b0c7d9e6c8ba07f05443643ed3624\Admin@VFMDDVWB_en-US\Grabber\DRIVE-C\Users\Admin\Documents\desktop.ini	SMS sender 2023.exe
File created	C:\Users\Admin\AppData\Local\e60b0c7d9e6c8ba07f05443643ed3624\Admin@VFMDDVWB_en-US\Grabber\DRIVE-C\Users\Admin\Pictures\Camera Roll\desktop.ini	SMS sender 2023.exe
File created	C:\Users\Admin\AppData\Local\e60b0c7d9e6c8ba07f05443643ed3624\Admin@VFMDDVWB_en-US\Grabber\DRIVE-C\Users\Admin\Pictures\Saved Pictures\desktop.ini	SMS sender 2023.exe
File created	C:\Users\Admin\AppData\Local\e60b0c7d9e6c8ba07f05443643ed3624\Admin@VFMDDVWB_en-US\Grabber\DRIVE-C\Users\Admin\Pictures\desktop.ini	SMS sender 2023.exe

Looks up external IP address via web service 1 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

flow	ioc
22	icanhazip.com

Looks up geolocation information via web service
Uses a legitimate geolocation service to find the infected system's geolocation info.

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\Description\System\CentralProcessor\0	SMS sender 2023.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier	SMS sender 2023.exe

Suspicious behavior: EnumeratesProcesses 25 IoCs

pid	Process
4312	SMS sender 2023.exe
4312	SMS sender 2023.exe
4312	SMS sender 2023.exe
4312	SMS sender 2023.exe
4312	SMS sender 2023.exe
4312	SMS sender 2023.exe
4312	SMS sender 2023.exe
4312	SMS sender 2023.exe
4312	SMS sender 2023.exe
4312	SMS sender 2023.exe
4312	SMS sender 2023.exe
4312	SMS sender 2023.exe
4312	SMS sender 2023.exe
4312	SMS sender 2023.exe
4312	SMS sender 2023.exe
4312	SMS sender 2023.exe
4312	SMS sender 2023.exe
4312	SMS sender 2023.exe
4312	SMS sender 2023.exe
4312	SMS sender 2023.exe
4312	SMS sender 2023.exe
4312	SMS sender 2023.exe
4312	SMS sender 2023.exe
4312	SMS sender 2023.exe
4312	SMS sender 2023.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	4312	SMS sender 2023.exe

Suspicious use of WriteProcessMemory 21 IoCs

description	pid	Process	procid_target
PID 4312 wrote to memory of 752	4312	SMS sender 2023.exe	90
PID 4312 wrote to memory of 752	4312	SMS sender 2023.exe	90
PID 4312 wrote to memory of 752	4312	SMS sender 2023.exe	90
PID 752 wrote to memory of 3260	752	cmd.exe	92
PID 752 wrote to memory of 3260	752	cmd.exe	92
PID 752 wrote to memory of 3260	752	cmd.exe	92
PID 752 wrote to memory of 3172	752	cmd.exe	93
PID 752 wrote to memory of 3172	752	cmd.exe	93
PID 752 wrote to memory of 3172	752	cmd.exe	93
PID 752 wrote to memory of 1192	752	cmd.exe	94
PID 752 wrote to memory of 1192	752	cmd.exe	94
PID 752 wrote to memory of 1192	752	cmd.exe	94
PID 4312 wrote to memory of 3928	4312	SMS sender 2023.exe	95
PID 4312 wrote to memory of 3928	4312	SMS sender 2023.exe	95
PID 4312 wrote to memory of 3928	4312	SMS sender 2023.exe	95
PID 3928 wrote to memory of 3536	3928	cmd.exe	97
PID 3928 wrote to memory of 3536	3928	cmd.exe	97
PID 3928 wrote to memory of 3536	3928	cmd.exe	97
PID 3928 wrote to memory of 3996	3928	cmd.exe	98
PID 3928 wrote to memory of 3996	3928	cmd.exe	98
PID 3928 wrote to memory of 3996	3928	cmd.exe	98

C:\Users\Admin\AppData\Local\Temp\SMS sender 2023\SMS sender 2023\SMS sender 2023.exe
"C:\Users\Admin\AppData\Local\Temp\SMS sender 2023\SMS sender 2023\SMS sender 2023.exe"
1⤵
- Drops desktop.ini file(s)
- Checks processor information in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4312
- C:\Windows\SysWOW64\cmd.exe
  "cmd.exe" /C chcp 65001 && netsh wlan show profile | findstr All
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:752
- - C:\Windows\SysWOW64\chcp.com
    chcp 65001
    3⤵
    PID:3260
- - C:\Windows\SysWOW64\netsh.exe
    netsh wlan show profile
    3⤵
    PID:3172
- - C:\Windows\SysWOW64\findstr.exe
    findstr All
    3⤵
    PID:1192
- C:\Windows\SysWOW64\cmd.exe
  "cmd.exe" /C chcp 65001 && netsh wlan show networks mode=bssid
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:3928
- - C:\Windows\SysWOW64\chcp.com
    chcp 65001
    3⤵
    PID:3536
- - C:\Windows\SysWOW64\netsh.exe
    netsh wlan show networks mode=bssid
    3⤵
    PID:3996

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\558579f4e4ef5a9f2ddb980df33d45fa\msgid.dat

Filesize
4B

MD5
ee0e95249268b86ff2053bef214bfeda

SHA1
b49a202cd695007ac4a3749862f273f2e5dde766

SHA256
b35b03ac338d2ad7aefa7f39e2ccf16264f65654ea1aed633e0f2bbcbab1a7ad

SHA512
daf13e8aa62c46d3a4d8f715ea2cb6598ea456ba7cd4c2bd154a684477f4749765a6073bd1abe5a48a3f1b7d6da3302e086e4fcb893914c6b15b40fe93128ae8

Download Submit
C:\Users\Admin\AppData\Local\e60b0c7d9e6c8ba07f05443643ed3624\Admin@VFMDDVWB_en-US\System\Process.txt

Filesize
4KB

MD5
12692ede1dfb08323f6c81fe06689793

SHA1
251de10eba3cfec6c487f06a1ba038272692bfd0

SHA256
5b38622974fd59df71aff41dbffa78dfc31d5581fda74b37cfd381bfadda2cd6

SHA512
3ed4bb61bc8eaf0222459292e5bc70229da3ec78589087f200e4f3e4f619d2aa0755c67174475d8f4700ba249204d82c4072ca023c3909ef62e4197047b81d81

Download Submit
memory/4312-149-0x0000000004A60000-0x0000000004A70000-memory.dmp

Filesize
64KB

Download
memory/4312-3-0x0000000004D70000-0x0000000004DD6000-memory.dmp

Filesize
408KB

Download
memory/4312-2-0x0000000004A60000-0x0000000004A70000-memory.dmp

Filesize
64KB

Download
memory/4312-150-0x0000000005470000-0x0000000005502000-memory.dmp

Filesize
584KB

Download
memory/4312-0-0x0000000000020000-0x000000000005E000-memory.dmp

Filesize
248KB

Download
memory/4312-151-0x00000000060C0000-0x0000000006664000-memory.dmp

Filesize
5.6MB

Download
memory/4312-155-0x00000000055A0000-0x00000000055AA000-memory.dmp

Filesize
40KB

Download
memory/4312-156-0x00000000752D0000-0x0000000075A80000-memory.dmp

Filesize
7.7MB

Download
memory/4312-157-0x0000000004A60000-0x0000000004A70000-memory.dmp

Filesize
64KB

Download
memory/4312-1-0x00000000752D0000-0x0000000075A80000-memory.dmp

Filesize
7.7MB

Download
memory/4312-163-0x00000000055F0000-0x0000000005602000-memory.dmp

Filesize
72KB

Download
memory/4312-188-0x0000000004A60000-0x0000000004A70000-memory.dmp

Filesize
64KB

Download