asyncrat | d5957803eb8a1c83dd84f7d08d431c9ad3a7e3c29814f8b46b805083f5b4899a

Analysis

max time kernel
150s
max time network
153s
platform
windows10-2004_x64
resource
win10v2004-20240226-en
resource tags

arch:x64arch:x86image:win10v2004-20240226-enlocale:en-usos:windows10-2004-x64system
submitted
19/03/2024, 07:50

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

d5957803eb8a1c83dd84f7d08d431c9ad3a7e3c29814f8b46b805083f5b4899a.exe
Size

1006KB
MD5

9b37096274af2542b2e8e5460a32ad92
SHA1

fd1bd3fe73844de5f69dfc4b42e9f40aa4395308
SHA256

d5957803eb8a1c83dd84f7d08d431c9ad3a7e3c29814f8b46b805083f5b4899a
SHA512

2297155b35eadd6d0fcad613d954558f116c9ff660ce7470f428123a99840747056e8648d51c31b86ccd900ace9075f4888e47dd9cac8dc228f40c21e49de994
SSDEEP

24576:2TbBv5rUDKoU7LEoW9MZBGa6mXcqIAXiAZfzI6l:IBUUPEjKGLAXiAZz

Score

10^/10

asyncrat stormkitty default rat stealer

Malware Config

Extracted

Family

asyncrat

Botnet

Default

127.0.0.1:6606

127.0.0.1:7707

127.0.0.1:8808

https://api.telegram.org/bot6889241853:AAHAa8eUBd5h6tWRG0OvgDx7o1_LKQJi-y8/sendMessage?chat_id=6367688286

Mutex

AsyncMutex_6SI8OkPnk

Attributes

delay
3
install
false
install_folder
%AppData%

aes.plain

Signatures

AsyncRat
AsyncRAT is designed to remotely monitor and control other computers written in C#.
rat asyncrat
StormKitty
StormKitty is an open source info stealer written in C#.
stealer stormkitty

StormKitty payload 2 IoCs

resource	yara_rule
behavioral2/memory/3888-55-0x0000000001390000-0x0000000002390000-memory.dmp	family_stormkitty
behavioral2/memory/3888-57-0x0000000001390000-0x00000000013C0000-memory.dmp	family_stormkitty

Checks computer location settings 2 TTPs 2 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\Control Panel\International\Geo\Nation	d5957803eb8a1c83dd84f7d08d431c9ad3a7e3c29814f8b46b805083f5b4899a.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\Control Panel\International\Geo\Nation	WScript.exe

Executes dropped EXE 1 IoCs

pid	Process
212	innlltqdtq.exe

Drops desktop.ini file(s) 8 IoCs

description	ioc	Process
File opened for modification	C:\Users\Admin\AppData\Local\ae2b3b02108afcee055284706dff9e4a\Admin@OAILVCNY_en-US\Grabber\DRIVE-C\Users\Admin\Downloads\desktop.ini	RegSvcs.exe
File created	C:\Users\Admin\AppData\Local\ae2b3b02108afcee055284706dff9e4a\Admin@OAILVCNY_en-US\Grabber\DRIVE-C\Users\Admin\Desktop\desktop.ini	RegSvcs.exe
File created	C:\Users\Admin\AppData\Local\ae2b3b02108afcee055284706dff9e4a\Admin@OAILVCNY_en-US\Grabber\DRIVE-C\Users\Admin\Pictures\desktop.ini	RegSvcs.exe
File created	C:\Users\Admin\AppData\Local\ae2b3b02108afcee055284706dff9e4a\Admin@OAILVCNY_en-US\Grabber\DRIVE-C\Users\Admin\Pictures\Camera Roll\desktop.ini	RegSvcs.exe
File created	C:\Users\Admin\AppData\Local\ae2b3b02108afcee055284706dff9e4a\Admin@OAILVCNY_en-US\Grabber\DRIVE-C\Users\Admin\Pictures\Saved Pictures\desktop.ini	RegSvcs.exe
File created	C:\Users\Admin\AppData\Local\ae2b3b02108afcee055284706dff9e4a\Admin@OAILVCNY_en-US\Grabber\DRIVE-C\Users\Admin\Documents\desktop.ini	RegSvcs.exe
File opened for modification	C:\Users\Admin\AppData\Local\ae2b3b02108afcee055284706dff9e4a\Admin@OAILVCNY_en-US\Grabber\DRIVE-C\Users\Admin\Documents\desktop.ini	RegSvcs.exe
File created	C:\Users\Admin\AppData\Local\ae2b3b02108afcee055284706dff9e4a\Admin@OAILVCNY_en-US\Grabber\DRIVE-C\Users\Admin\Downloads\desktop.ini	RegSvcs.exe

Looks up external IP address via web service 1 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

flow	ioc
70	icanhazip.com

Looks up geolocation information via web service
Uses a legitimate geolocation service to find the infected system's geolocation info.

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 212 set thread context of 3888	212	innlltqdtq.exe	114

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\Description\System\CentralProcessor\0	RegSvcs.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier	RegSvcs.exe

Gathers network information 2 TTPs 2 IoCs

Uses commandline utility to view network configuration.

System Information Discovery

T1082

Command and Scripting Interpreter

T1059

pid	Process
1696	ipconfig.exe
816	ipconfig.exe

Modifies registry class 1 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000_Classes\Local Settings	d5957803eb8a1c83dd84f7d08d431c9ad3a7e3c29814f8b46b805083f5b4899a.exe

Suspicious behavior: EnumeratesProcesses 40 IoCs

pid	Process
212	innlltqdtq.exe
212	innlltqdtq.exe
212	innlltqdtq.exe
212	innlltqdtq.exe
212	innlltqdtq.exe
212	innlltqdtq.exe
212	innlltqdtq.exe
212	innlltqdtq.exe
212	innlltqdtq.exe
212	innlltqdtq.exe
212	innlltqdtq.exe
212	innlltqdtq.exe
3888	RegSvcs.exe
3888	RegSvcs.exe
3888	RegSvcs.exe
3888	RegSvcs.exe
3888	RegSvcs.exe
3888	RegSvcs.exe
3888	RegSvcs.exe
3888	RegSvcs.exe
3888	RegSvcs.exe
3888	RegSvcs.exe
3888	RegSvcs.exe
3888	RegSvcs.exe
3888	RegSvcs.exe
3888	RegSvcs.exe
3888	RegSvcs.exe
3888	RegSvcs.exe
3888	RegSvcs.exe
3888	RegSvcs.exe
3888	RegSvcs.exe
3888	RegSvcs.exe
3888	RegSvcs.exe
3888	RegSvcs.exe
3888	RegSvcs.exe
3888	RegSvcs.exe
3888	RegSvcs.exe
3888	RegSvcs.exe
3888	RegSvcs.exe
3888	RegSvcs.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	3888	RegSvcs.exe

Suspicious use of WriteProcessMemory 47 IoCs

description	pid	Process	procid_target
PID 3756 wrote to memory of 4500	3756	d5957803eb8a1c83dd84f7d08d431c9ad3a7e3c29814f8b46b805083f5b4899a.exe	102
PID 3756 wrote to memory of 4500	3756	d5957803eb8a1c83dd84f7d08d431c9ad3a7e3c29814f8b46b805083f5b4899a.exe	102
PID 3756 wrote to memory of 4500	3756	d5957803eb8a1c83dd84f7d08d431c9ad3a7e3c29814f8b46b805083f5b4899a.exe	102
PID 4500 wrote to memory of 1624	4500	WScript.exe	103
PID 4500 wrote to memory of 1624	4500	WScript.exe	103
PID 4500 wrote to memory of 1624	4500	WScript.exe	103
PID 4500 wrote to memory of 3492	4500	WScript.exe	104
PID 4500 wrote to memory of 3492	4500	WScript.exe	104
PID 4500 wrote to memory of 3492	4500	WScript.exe	104
PID 1624 wrote to memory of 1696	1624	cmd.exe	107
PID 1624 wrote to memory of 1696	1624	cmd.exe	107
PID 1624 wrote to memory of 1696	1624	cmd.exe	107
PID 3492 wrote to memory of 212	3492	cmd.exe	108
PID 3492 wrote to memory of 212	3492	cmd.exe	108
PID 3492 wrote to memory of 212	3492	cmd.exe	108
PID 4500 wrote to memory of 724	4500	WScript.exe	111
PID 4500 wrote to memory of 724	4500	WScript.exe	111
PID 4500 wrote to memory of 724	4500	WScript.exe	111
PID 724 wrote to memory of 816	724	cmd.exe	113
PID 724 wrote to memory of 816	724	cmd.exe	113
PID 724 wrote to memory of 816	724	cmd.exe	113
PID 212 wrote to memory of 3888	212	innlltqdtq.exe	114
PID 212 wrote to memory of 3888	212	innlltqdtq.exe	114
PID 212 wrote to memory of 3888	212	innlltqdtq.exe	114
PID 212 wrote to memory of 3888	212	innlltqdtq.exe	114
PID 212 wrote to memory of 3888	212	innlltqdtq.exe	114
PID 3888 wrote to memory of 1900	3888	RegSvcs.exe	124
PID 3888 wrote to memory of 1900	3888	RegSvcs.exe	124
PID 3888 wrote to memory of 1900	3888	RegSvcs.exe	124
PID 1900 wrote to memory of 3732	1900	cmd.exe	126
PID 1900 wrote to memory of 3732	1900	cmd.exe	126
PID 1900 wrote to memory of 3732	1900	cmd.exe	126
PID 1900 wrote to memory of 4508	1900	cmd.exe	127
PID 1900 wrote to memory of 4508	1900	cmd.exe	127
PID 1900 wrote to memory of 4508	1900	cmd.exe	127
PID 1900 wrote to memory of 1612	1900	cmd.exe	128
PID 1900 wrote to memory of 1612	1900	cmd.exe	128
PID 1900 wrote to memory of 1612	1900	cmd.exe	128
PID 3888 wrote to memory of 648	3888	RegSvcs.exe	130
PID 3888 wrote to memory of 648	3888	RegSvcs.exe	130
PID 3888 wrote to memory of 648	3888	RegSvcs.exe	130
PID 648 wrote to memory of 216	648	cmd.exe	132
PID 648 wrote to memory of 216	648	cmd.exe	132
PID 648 wrote to memory of 216	648	cmd.exe	132
PID 648 wrote to memory of 3668	648	cmd.exe	133
PID 648 wrote to memory of 3668	648	cmd.exe	133
PID 648 wrote to memory of 3668	648	cmd.exe	133

C:\Users\Admin\AppData\Local\Temp\d5957803eb8a1c83dd84f7d08d431c9ad3a7e3c29814f8b46b805083f5b4899a.exe
"C:\Users\Admin\AppData\Local\Temp\d5957803eb8a1c83dd84f7d08d431c9ad3a7e3c29814f8b46b805083f5b4899a.exe"
1⤵
- Checks computer location settings
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:3756
- C:\Windows\SysWOW64\WScript.exe
  "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\RarSFX0\dgmc.vbe"
  2⤵
  - Checks computer location settings
  - Suspicious use of WriteProcessMemory
  PID:4500
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\System32\cmd.exe" /c ipconfig /release
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:1624
  - - C:\Windows\SysWOW64\ipconfig.exe
      ipconfig /release
      4⤵
      Gathers network information
      PID:1696
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\System32\cmd.exe" /c innlltqdtq.exe tirru.msc
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:3492
  - - C:\Users\Admin\AppData\Local\Temp\RarSFX0\innlltqdtq.exe
      innlltqdtq.exe tirru.msc
      4⤵
      Executes dropped EXE
      Suspicious use of SetThreadContext
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of WriteProcessMemory
      PID:212
    - - C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"
        5⤵
        Drops desktop.ini file(s)
        Checks processor information in registry
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:3888
      - C:\Windows\SysWOW64\cmd.exe
        
        "cmd.exe" /C chcp 65001 && netsh wlan show profile | findstr All
        6⤵
        Suspicious use of WriteProcessMemory
        
        PID:1900
        
        C:\Windows\SysWOW64\chcp.com
        
        chcp 65001
        7⤵
        
        PID:3732
        
        C:\Windows\SysWOW64\netsh.exe
        
        netsh wlan show profile
        7⤵
        
        PID:4508
        
        C:\Windows\SysWOW64\findstr.exe
        
        findstr All
        7⤵
        
        PID:1612
      - C:\Windows\SysWOW64\cmd.exe
        
        "cmd.exe" /C chcp 65001 && netsh wlan show networks mode=bssid
        6⤵
        Suspicious use of WriteProcessMemory
        
        PID:648
        
        C:\Windows\SysWOW64\chcp.com
        
        chcp 65001
        7⤵
        
        PID:216
        
        C:\Windows\SysWOW64\netsh.exe
        
        netsh wlan show networks mode=bssid
        7⤵
        
        PID:3668
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\System32\cmd.exe" /c ipconfig /renew
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:724
  - - C:\Windows\SysWOW64\ipconfig.exe
      ipconfig /renew
      4⤵
      Gathers network information
      PID:816

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=3208 --field-trial-handle=2256,i,6670388345726423024,18382795228658886258,262144 --variations-seed-version /prefetch:8
1⤵
PID:3800

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\RarSFX0\dgmc.vbe

Filesize
61KB

MD5
223e418a5069dfcfb8d61f5b4519a123

SHA1
9d68dec1ac850812890321e836c9dfd207409776

SHA256
dbb4a26b43ad9039c07a966522f664ff9d95511d36e35c7f8b7b233e8bbbbd84

SHA512
d25d601e14ba9506c2423c2dd37770436fa894bc26d55b9bbae7bdb77846a6c96d9717f0e4605f72a6e20f327b0079aac6f0c129885e62b2ecd2412b67f13fee

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX0\innlltqdtq.exe

Filesize
925KB

MD5
0adb9b817f1df7807576c2d7068dd931

SHA1
4a1b94a9a5113106f40cd8ea724703734d15f118

SHA256
98e4f904f7de1644e519d09371b8afcbbf40ff3bd56d76ce4df48479a4ab884b

SHA512
883aa88f2dba4214bb534fbdaf69712127357a3d0f5666667525db3c1fa351598f067068dfc9e7c7a45fed4248d7dca729ba4f75764341e47048429f9ca8846a

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX0\jmsfmvjc.3gp

Filesize
42KB

MD5
802a42df47211020f63e3a050b3dbcd8

SHA1
b7037c56899d4032c5fbfaf3b54d202cbf415615

SHA256
52904d235ea9092b2a021827b3249a954e800931c8e44b067fb79bb8887496f7

SHA512
048708da64d4fb7a04dda7d655b33cb3efa413f43e44f73643c8c95e68c7d6639dc137a75c950ccf817440c1e630765de8fce86fbfec911c605a596391b2989d

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX0\pmda.hes

Filesize
292KB

MD5
042b73b18e96dd8e5848507d7ac60ddc

SHA1
cc789c7fca70c7a2cb3666a4c691cfafa74f3cb2

SHA256
d5f12fabd9bab67d33cf3e26a325c7f720dc9d58b505605c5b17a2e26b7b7437

SHA512
8c9bd44c14960f587abc387fe817be479e02c2b7c503b849d441101f2f248460d0452040f646c1832b19a5690db47b43687250e295835abe7cee4900f0768969

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX0\tirru.msc

Filesize
9.9MB

MD5
e8dfcdd500284f9f73b272ec8e476c6e

SHA1
569b2a004b52be018b77999c928f526bb89d45e8

SHA256
f9f2e535cce94a5851371d573da51e72ab78ee20924e34dabbf655831306ab6d

SHA512
3f06fa46a6b7e97b90b1bb8fa92566e47b22a6b51e6c04eef0bca2d4df41241be61e72dac181cc12c46a26685108f75877efb2cea06ef52d004fbf3b26f99fd3

Download Submit
C:\Users\Admin\AppData\Local\ae2b3b02108afcee055284706dff9e4a\Admin@OAILVCNY_en-US\Browsers\Firefox\Bookmarks.txt

Filesize
105B

MD5
2e9d094dda5cdc3ce6519f75943a4ff4

SHA1
5d989b4ac8b699781681fe75ed9ef98191a5096c

SHA256
c84c98bbf5e0ef9c8d0708b5d60c5bb656b7d6be5135d7f7a8d25557e08cf142

SHA512
d1f7eed00959e902bdb2125b91721460d3ff99f3bdfc1f2a343d4f58e8d4e5e5a06c0c6cdc0379211c94510f7c00d7a8b34fa7d0ca0c3d54cbbe878f1e9812b7

Download Submit
C:\Users\Admin\AppData\Local\ae2b3b02108afcee055284706dff9e4a\Admin@OAILVCNY_en-US\System\Process.txt

Filesize
4KB

MD5
a890f2fffa1286effce94aa55ca2596d

SHA1
7d07d672e4156aea1cfa20f0d684ef726147c4b6

SHA256
d36e0621419328daeb5178d5620c0f6435a1568b9a0cce143e20aab779fb0ae7

SHA512
ca31b2902f9aa594be3b8283c8d354c667c1a219f61bf9ee19919b9335b73178f7d40fb69dbe97c6f7f8ca9dffb569cbfe867d91bdc352be6d88a778c7628319

Download Submit
C:\Users\Admin\AppData\Local\ae2b3b02108afcee055284706dff9e4a\msgid.dat

Filesize
1B

MD5
cfcd208495d565ef66e7dff9f98764da

SHA1
b6589fc6ab0dc82cf12099d1c2d40ab994e8410c

SHA256
5feceb66ffc86f38d952786c6d696c79c2dbc239dd4e91b46729d73a27fb57e9

SHA512
31bca02094eb78126a517b206a88c73cfa9ec6f704c7030d18212cace820f025f00bf0ea68dbf3f3a5436ca63b53bf7bf80ad8d5de7d8359d0b7fed9dbc3ab99

Download Submit
memory/3888-78-0x0000000071E20000-0x00000000725D0000-memory.dmp

Filesize
7.7MB

Download
memory/3888-77-0x000000000C8A0000-0x000000000C906000-memory.dmp

Filesize
408KB

Download
memory/3888-58-0x000000000C520000-0x000000000C530000-memory.dmp

Filesize
64KB

Download
memory/3888-79-0x000000000C520000-0x000000000C530000-memory.dmp

Filesize
64KB

Download
memory/3888-57-0x0000000001390000-0x00000000013C0000-memory.dmp

Filesize
192KB

Download
memory/3888-56-0x0000000071E20000-0x00000000725D0000-memory.dmp

Filesize
7.7MB

Download
memory/3888-232-0x000000000C520000-0x000000000C530000-memory.dmp

Filesize
64KB

Download
memory/3888-234-0x000000000D3B0000-0x000000000D442000-memory.dmp

Filesize
584KB

Download
memory/3888-235-0x000000000DA00000-0x000000000DFA4000-memory.dmp

Filesize
5.6MB

Download
memory/3888-239-0x000000000CC70000-0x000000000CC7A000-memory.dmp

Filesize
40KB

Download
memory/3888-55-0x0000000001390000-0x0000000002390000-memory.dmp

Filesize
16.0MB

Download
memory/3888-245-0x000000000C520000-0x000000000C530000-memory.dmp

Filesize
64KB

Download