asyncrat | d5957803eb8a1c83dd84f7d08d431c9ad3a7e3c29814f8b46b805083f5b4899a

Analysis

max time kernel
146s
max time network
154s
platform
windows7_x64
resource
win7-20240221-en
resource tags

arch:x64arch:x86image:win7-20240221-enlocale:en-usos:windows7-x64system
submitted
19/03/2024, 07:50

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

d5957803eb8a1c83dd84f7d08d431c9ad3a7e3c29814f8b46b805083f5b4899a.exe
Size

1006KB
MD5

9b37096274af2542b2e8e5460a32ad92
SHA1

fd1bd3fe73844de5f69dfc4b42e9f40aa4395308
SHA256

d5957803eb8a1c83dd84f7d08d431c9ad3a7e3c29814f8b46b805083f5b4899a
SHA512

2297155b35eadd6d0fcad613d954558f116c9ff660ce7470f428123a99840747056e8648d51c31b86ccd900ace9075f4888e47dd9cac8dc228f40c21e49de994
SSDEEP

24576:2TbBv5rUDKoU7LEoW9MZBGa6mXcqIAXiAZfzI6l:IBUUPEjKGLAXiAZz

Score

10^/10

asyncrat stormkitty default rat stealer

Malware Config

Extracted

Family

asyncrat

Botnet

Default

127.0.0.1:6606

127.0.0.1:7707

127.0.0.1:8808

https://api.telegram.org/bot6889241853:AAHAa8eUBd5h6tWRG0OvgDx7o1_LKQJi-y8/sendMessage?chat_id=6367688286

Mutex

AsyncMutex_6SI8OkPnk

Attributes

delay
3
install
false
install_folder
%AppData%

aes.plain

Signatures

AsyncRat
AsyncRAT is designed to remotely monitor and control other computers written in C#.
rat asyncrat
StormKitty
StormKitty is an open source info stealer written in C#.
stealer stormkitty

StormKitty payload 5 IoCs

resource	yara_rule
behavioral1/memory/1592-58-0x00000000012A0000-0x00000000022A0000-memory.dmp	family_stormkitty
behavioral1/memory/1592-60-0x00000000012A0000-0x00000000022A0000-memory.dmp	family_stormkitty
behavioral1/memory/1592-62-0x00000000012A0000-0x00000000022A0000-memory.dmp	family_stormkitty
behavioral1/memory/1592-63-0x00000000012A0000-0x00000000012D0000-memory.dmp	family_stormkitty
behavioral1/memory/1592-65-0x0000000000CE0000-0x0000000000D20000-memory.dmp	family_stormkitty

Executes dropped EXE 1 IoCs

pid	Process
596	innlltqdtq.exe

Loads dropped DLL 1 IoCs

pid	Process
2000	cmd.exe

Drops desktop.ini file(s) 5 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Local\6fcd8a8fe803777f3dbb82604d7347ca\Admin@UADPPTXT_en-US\Grabber\DRIVE-C\Users\Admin\Desktop\desktop.ini	RegSvcs.exe
File created	C:\Users\Admin\AppData\Local\6fcd8a8fe803777f3dbb82604d7347ca\Admin@UADPPTXT_en-US\Grabber\DRIVE-C\Users\Admin\Documents\desktop.ini	RegSvcs.exe
File created	C:\Users\Admin\AppData\Local\6fcd8a8fe803777f3dbb82604d7347ca\Admin@UADPPTXT_en-US\Grabber\DRIVE-C\Users\Admin\Pictures\desktop.ini	RegSvcs.exe
File opened for modification	C:\Users\Admin\AppData\Local\6fcd8a8fe803777f3dbb82604d7347ca\Admin@UADPPTXT_en-US\Grabber\DRIVE-C\Users\Admin\Pictures\desktop.ini	RegSvcs.exe
File created	C:\Users\Admin\AppData\Local\6fcd8a8fe803777f3dbb82604d7347ca\Admin@UADPPTXT_en-US\Grabber\DRIVE-C\Users\Admin\Downloads\desktop.ini	RegSvcs.exe

Looks up external IP address via web service 1 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

flow	ioc
2	icanhazip.com

Looks up geolocation information via web service
Uses a legitimate geolocation service to find the infected system's geolocation info.

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 596 set thread context of 1592	596	innlltqdtq.exe	35

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\Description\System\CentralProcessor\0	RegSvcs.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier	RegSvcs.exe

Gathers network information 2 TTPs 2 IoCs

Uses commandline utility to view network configuration.

System Information Discovery

T1082

Command and Scripting Interpreter

T1059

pid	Process
592	ipconfig.exe
964	ipconfig.exe

Suspicious behavior: EnumeratesProcesses 15 IoCs

pid	Process
596	innlltqdtq.exe
596	innlltqdtq.exe
596	innlltqdtq.exe
596	innlltqdtq.exe
596	innlltqdtq.exe
596	innlltqdtq.exe
1592	RegSvcs.exe
1592	RegSvcs.exe
1592	RegSvcs.exe
1592	RegSvcs.exe
1592	RegSvcs.exe
1592	RegSvcs.exe
1592	RegSvcs.exe
1592	RegSvcs.exe
1592	RegSvcs.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	1592	RegSvcs.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2208 wrote to memory of 2468	2208	d5957803eb8a1c83dd84f7d08d431c9ad3a7e3c29814f8b46b805083f5b4899a.exe	28
PID 2208 wrote to memory of 2468	2208	d5957803eb8a1c83dd84f7d08d431c9ad3a7e3c29814f8b46b805083f5b4899a.exe	28
PID 2208 wrote to memory of 2468	2208	d5957803eb8a1c83dd84f7d08d431c9ad3a7e3c29814f8b46b805083f5b4899a.exe	28
PID 2208 wrote to memory of 2468	2208	d5957803eb8a1c83dd84f7d08d431c9ad3a7e3c29814f8b46b805083f5b4899a.exe	28
PID 2468 wrote to memory of 1344	2468	WScript.exe	29
PID 2468 wrote to memory of 1344	2468	WScript.exe	29
PID 2468 wrote to memory of 1344	2468	WScript.exe	29
PID 2468 wrote to memory of 1344	2468	WScript.exe	29
PID 2468 wrote to memory of 2000	2468	WScript.exe	31
PID 2468 wrote to memory of 2000	2468	WScript.exe	31
PID 2468 wrote to memory of 2000	2468	WScript.exe	31
PID 2468 wrote to memory of 2000	2468	WScript.exe	31
PID 1344 wrote to memory of 592	1344	cmd.exe	33
PID 1344 wrote to memory of 592	1344	cmd.exe	33
PID 1344 wrote to memory of 592	1344	cmd.exe	33
PID 1344 wrote to memory of 592	1344	cmd.exe	33
PID 2000 wrote to memory of 596	2000	cmd.exe	34
PID 2000 wrote to memory of 596	2000	cmd.exe	34
PID 2000 wrote to memory of 596	2000	cmd.exe	34
PID 2000 wrote to memory of 596	2000	cmd.exe	34
PID 2468 wrote to memory of 1108	2468	WScript.exe	36
PID 2468 wrote to memory of 1108	2468	WScript.exe	36
PID 2468 wrote to memory of 1108	2468	WScript.exe	36
PID 2468 wrote to memory of 1108	2468	WScript.exe	36
PID 596 wrote to memory of 1592	596	innlltqdtq.exe	35
PID 596 wrote to memory of 1592	596	innlltqdtq.exe	35
PID 596 wrote to memory of 1592	596	innlltqdtq.exe	35
PID 596 wrote to memory of 1592	596	innlltqdtq.exe	35
PID 596 wrote to memory of 1592	596	innlltqdtq.exe	35
PID 596 wrote to memory of 1592	596	innlltqdtq.exe	35
PID 596 wrote to memory of 1592	596	innlltqdtq.exe	35
PID 1108 wrote to memory of 964	1108	cmd.exe	38
PID 1108 wrote to memory of 964	1108	cmd.exe	38
PID 1108 wrote to memory of 964	1108	cmd.exe	38
PID 1108 wrote to memory of 964	1108	cmd.exe	38
PID 596 wrote to memory of 1592	596	innlltqdtq.exe	35
PID 596 wrote to memory of 1592	596	innlltqdtq.exe	35
PID 1592 wrote to memory of 2752	1592	RegSvcs.exe	42
PID 1592 wrote to memory of 2752	1592	RegSvcs.exe	42
PID 1592 wrote to memory of 2752	1592	RegSvcs.exe	42
PID 1592 wrote to memory of 2752	1592	RegSvcs.exe	42
PID 2752 wrote to memory of 1632	2752	cmd.exe	44
PID 2752 wrote to memory of 1632	2752	cmd.exe	44
PID 2752 wrote to memory of 1632	2752	cmd.exe	44
PID 2752 wrote to memory of 1632	2752	cmd.exe	44
PID 2752 wrote to memory of 2132	2752	cmd.exe	45
PID 2752 wrote to memory of 2132	2752	cmd.exe	45
PID 2752 wrote to memory of 2132	2752	cmd.exe	45
PID 2752 wrote to memory of 2132	2752	cmd.exe	45
PID 2752 wrote to memory of 1672	2752	cmd.exe	46
PID 2752 wrote to memory of 1672	2752	cmd.exe	46
PID 2752 wrote to memory of 1672	2752	cmd.exe	46
PID 2752 wrote to memory of 1672	2752	cmd.exe	46
PID 1592 wrote to memory of 980	1592	RegSvcs.exe	47
PID 1592 wrote to memory of 980	1592	RegSvcs.exe	47
PID 1592 wrote to memory of 980	1592	RegSvcs.exe	47
PID 1592 wrote to memory of 980	1592	RegSvcs.exe	47
PID 980 wrote to memory of 2908	980	cmd.exe	49
PID 980 wrote to memory of 2908	980	cmd.exe	49
PID 980 wrote to memory of 2908	980	cmd.exe	49
PID 980 wrote to memory of 2908	980	cmd.exe	49
PID 980 wrote to memory of 1348	980	cmd.exe	50
PID 980 wrote to memory of 1348	980	cmd.exe	50
PID 980 wrote to memory of 1348	980	cmd.exe	50

C:\Users\Admin\AppData\Local\Temp\d5957803eb8a1c83dd84f7d08d431c9ad3a7e3c29814f8b46b805083f5b4899a.exe
"C:\Users\Admin\AppData\Local\Temp\d5957803eb8a1c83dd84f7d08d431c9ad3a7e3c29814f8b46b805083f5b4899a.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:2208
- C:\Windows\SysWOW64\WScript.exe
  "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\RarSFX0\dgmc.vbe"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2468
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\System32\cmd.exe" /c ipconfig /release
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:1344
  - - C:\Windows\SysWOW64\ipconfig.exe
      ipconfig /release
      4⤵
      Gathers network information
      PID:592
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\System32\cmd.exe" /c innlltqdtq.exe tirru.msc
    3⤵
    - Loads dropped DLL
    - Suspicious use of WriteProcessMemory
    PID:2000
  - - C:\Users\Admin\AppData\Local\Temp\RarSFX0\innlltqdtq.exe
      innlltqdtq.exe tirru.msc
      4⤵
      Executes dropped EXE
      Suspicious use of SetThreadContext
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of WriteProcessMemory
      PID:596
    - - C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"
        5⤵
        Drops desktop.ini file(s)
        Checks processor information in registry
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1592
      - C:\Windows\SysWOW64\cmd.exe
        
        "cmd.exe" /C chcp 65001 && netsh wlan show profile | findstr All
        6⤵
        Suspicious use of WriteProcessMemory
        
        PID:2752
        
        C:\Windows\SysWOW64\chcp.com
        
        chcp 65001
        7⤵
        
        PID:1632
        
        C:\Windows\SysWOW64\netsh.exe
        
        netsh wlan show profile
        7⤵
        
        PID:2132
        
        C:\Windows\SysWOW64\findstr.exe
        
        findstr All
        7⤵
        
        PID:1672
      - C:\Windows\SysWOW64\cmd.exe
        
        "cmd.exe" /C chcp 65001 && netsh wlan show networks mode=bssid
        6⤵
        Suspicious use of WriteProcessMemory
        
        PID:980
        
        C:\Windows\SysWOW64\chcp.com
        
        chcp 65001
        7⤵
        
        PID:2908
        
        C:\Windows\SysWOW64\netsh.exe
        
        netsh wlan show networks mode=bssid
        7⤵
        
        PID:1348
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\System32\cmd.exe" /c ipconfig /renew
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:1108
  - - C:\Windows\SysWOW64\ipconfig.exe
      ipconfig /renew
      4⤵
      Gathers network information
      PID:964

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\94308059B57B3142E455B38A6EB92015

Filesize
67KB

MD5
753df6889fd7410a2e9fe333da83a429

SHA1
3c425f16e8267186061dd48ac1c77c122962456e

SHA256
b42dc237e44cbc9a43400e7d3f9cbd406dbdefd62bfe87328f8663897d69df78

SHA512
9d56f79410ad0cf852c74c3ef9454e7ae86e80bdd6ff67773994b48ccac71142bcf5c90635da6a056e1406e81e64674db9584928e867c55b77b59e2851cf6444

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
3f57c6c591f604748c658dd0fdda2f2a

SHA1
403a8fcc80d534c388fc706c4f63ea4dd5f47ea2

SHA256
aa33505e3d6cac84e0fea3f8999f702e5fd0cfefe90471e8634c883bd6b45646

SHA512
6402d88fbe940525d37b3a557d3fcd68676f4c2c7c3bb98d5719dd08a7d68818ccf9c91f604376326e09a3fc48b71a1db507f55636d8ad78ff7a9b5613d8d5f4

Download Submit
C:\Users\Admin\AppData\Local\Temp\Cab1935.tmp

Filesize
65KB

MD5
ac05d27423a85adc1622c714f2cb6184

SHA1
b0fe2b1abddb97837ea0195be70ab2ff14d43198

SHA256
c6456e12e5e53287a547af4103e0397cb9697e466cf75844312dc296d43d144d

SHA512
6d0ef9050e41fbae680e0e59dd0f90b6ac7fea5579ef5708b69d5da33a0ece7e8b16574b58b17b64a34cc34a4ffc22b4a62c1ece61f36c4a11a0665e0536b90d

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX0\dgmc.vbe

Filesize
61KB

MD5
223e418a5069dfcfb8d61f5b4519a123

SHA1
9d68dec1ac850812890321e836c9dfd207409776

SHA256
dbb4a26b43ad9039c07a966522f664ff9d95511d36e35c7f8b7b233e8bbbbd84

SHA512
d25d601e14ba9506c2423c2dd37770436fa894bc26d55b9bbae7bdb77846a6c96d9717f0e4605f72a6e20f327b0079aac6f0c129885e62b2ecd2412b67f13fee

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX0\jmsfmvjc.3gp

Filesize
42KB

MD5
802a42df47211020f63e3a050b3dbcd8

SHA1
b7037c56899d4032c5fbfaf3b54d202cbf415615

SHA256
52904d235ea9092b2a021827b3249a954e800931c8e44b067fb79bb8887496f7

SHA512
048708da64d4fb7a04dda7d655b33cb3efa413f43e44f73643c8c95e68c7d6639dc137a75c950ccf817440c1e630765de8fce86fbfec911c605a596391b2989d

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX0\pmda.hes

Filesize
292KB

MD5
042b73b18e96dd8e5848507d7ac60ddc

SHA1
cc789c7fca70c7a2cb3666a4c691cfafa74f3cb2

SHA256
d5f12fabd9bab67d33cf3e26a325c7f720dc9d58b505605c5b17a2e26b7b7437

SHA512
8c9bd44c14960f587abc387fe817be479e02c2b7c503b849d441101f2f248460d0452040f646c1832b19a5690db47b43687250e295835abe7cee4900f0768969

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX0\tirru.msc

Filesize
27.8MB

MD5
5ace2edc02b9593447201783c575402f

SHA1
75accdd4bf79d1720585baaa01cb4365d3b56d8e

SHA256
2dc5684bef3b689c53b73b4a30270b58a8e30cc7c298c0c70c9e31bc9262c687

SHA512
316cb3188576f43776ec92c9fc454745c0ff95baaa813576873b9a197ea739f46cdd696ae865d468aaa787f138d0da3c7333788d6ebe5f6abeae5e6f83850530

Download Submit
C:\Users\Admin\AppData\Local\Temp\Tar1C09.tmp

Filesize
175KB

MD5
dd73cead4b93366cf3465c8cd32e2796

SHA1
74546226dfe9ceb8184651e920d1dbfb432b314e

SHA256
a6752b7851b591550e4625b832a393aabcc428de18d83e8593cd540f7d7cae22

SHA512
ce1bdd595065c94fa528badf4a6a8777893807d6789267612755df818ba6ffe55e4df429710aea29526ee4aa8ef20e25f2f05341da53992157d21ae032c0fb63

Download Submit
C:\Users\Admin\AppData\Local\d5011100ca42dc188689c88b9f9f8a1d\msgid.dat

Filesize
1B

MD5
cfcd208495d565ef66e7dff9f98764da

SHA1
b6589fc6ab0dc82cf12099d1c2d40ab994e8410c

SHA256
5feceb66ffc86f38d952786c6d696c79c2dbc239dd4e91b46729d73a27fb57e9

SHA512
31bca02094eb78126a517b206a88c73cfa9ec6f704c7030d18212cace820f025f00bf0ea68dbf3f3a5436ca63b53bf7bf80ad8d5de7d8359d0b7fed9dbc3ab99

Download Submit
\Users\Admin\AppData\Local\Temp\RarSFX0\innlltqdtq.exe

Filesize
925KB

MD5
0adb9b817f1df7807576c2d7068dd931

SHA1
4a1b94a9a5113106f40cd8ea724703734d15f118

SHA256
98e4f904f7de1644e519d09371b8afcbbf40ff3bd56d76ce4df48479a4ab884b

SHA512
883aa88f2dba4214bb534fbdaf69712127357a3d0f5666667525db3c1fa351598f067068dfc9e7c7a45fed4248d7dca729ba4f75764341e47048429f9ca8846a

Download Submit
memory/1592-56-0x00000000012A0000-0x00000000022A0000-memory.dmp

Filesize
16.0MB

Download
memory/1592-64-0x00000000731E0000-0x00000000738CE000-memory.dmp

Filesize
6.9MB

Download
memory/1592-65-0x0000000000CE0000-0x0000000000D20000-memory.dmp

Filesize
256KB

Download
memory/1592-151-0x0000000000CE0000-0x0000000000D20000-memory.dmp

Filesize
256KB

Download
memory/1592-155-0x00000000731E0000-0x00000000738CE000-memory.dmp

Filesize
6.9MB

Download
memory/1592-63-0x00000000012A0000-0x00000000012D0000-memory.dmp

Filesize
192KB

Download
memory/1592-62-0x00000000012A0000-0x00000000022A0000-memory.dmp

Filesize
16.0MB

Download
memory/1592-60-0x00000000012A0000-0x00000000022A0000-memory.dmp

Filesize
16.0MB

Download
memory/1592-58-0x00000000012A0000-0x00000000022A0000-memory.dmp

Filesize
16.0MB

Download
memory/1592-222-0x0000000000CE0000-0x0000000000D20000-memory.dmp

Filesize
256KB

Download
memory/1592-57-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

Filesize
4KB

Download
memory/1592-228-0x0000000000CE0000-0x0000000000D20000-memory.dmp

Filesize
256KB

Download