Malware Analysis Report

2024-10-18 21:24

Sample ID 240320-n8jhhagb58
Target Serverv1.exe
SHA256 e25817f6fe634b116ec878c734495b848b68a56a12cb43181bc07d9da3be3835
Tags
asyncrat stormkitty default rat spyware stealer
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

e25817f6fe634b116ec878c734495b848b68a56a12cb43181bc07d9da3be3835

Threat Level: Known bad

The file Serverv1.exe was found to be: Known bad.

Malicious Activity Summary

asyncrat stormkitty default rat spyware stealer

AsyncRat

Stormkitty family

Async RAT payload

StormKitty payload

Asyncrat family

StormKitty

Reads user/profile data of web browsers

Looks up geolocation information via web service

Drops desktop.ini file(s)

Looks up external IP address via web service

Unsigned PE

Checks processor information in registry

Suspicious use of AdjustPrivilegeToken

Suspicious use of WriteProcessMemory

Suspicious behavior: EnumeratesProcesses

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-03-20 12:03

Signatures

Async RAT payload

rat
Description Indicator Process Target
N/A N/A N/A N/A

Asyncrat family

asyncrat

StormKitty payload

Description Indicator Process Target
N/A N/A N/A N/A

Stormkitty family

stormkitty

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-03-20 12:03

Reported

2024-03-20 12:07

Platform

win10v2004-20240226-en

Max time kernel

158s

Max time network

155s

Command Line

"C:\Users\Admin\AppData\Local\Temp\Serverv1.exe"

Signatures

AsyncRat

rat asyncrat

StormKitty

stealer stormkitty

StormKitty payload

Description Indicator Process Target
N/A N/A N/A N/A

Reads user/profile data of web browsers

spyware stealer

Drops desktop.ini file(s)

Description Indicator Process Target
File created C:\Users\Admin\AppData\Local\5ebf8879f5e766157b72a78c7a073672\Admin@MKDQUQPQ_en-US\Grabber\DRIVE-C\Users\Admin\Desktop\desktop.ini C:\Users\Admin\AppData\Local\Temp\Serverv1.exe N/A
File opened for modification C:\Users\Admin\AppData\Local\5ebf8879f5e766157b72a78c7a073672\Admin@MKDQUQPQ_en-US\Grabber\DRIVE-C\Users\Admin\Desktop\desktop.ini C:\Users\Admin\AppData\Local\Temp\Serverv1.exe N/A
File created C:\Users\Admin\AppData\Local\5ebf8879f5e766157b72a78c7a073672\Admin@MKDQUQPQ_en-US\Grabber\DRIVE-C\Users\Admin\Pictures\Camera Roll\desktop.ini C:\Users\Admin\AppData\Local\Temp\Serverv1.exe N/A
File opened for modification C:\Users\Admin\AppData\Local\5ebf8879f5e766157b72a78c7a073672\Admin@MKDQUQPQ_en-US\Grabber\DRIVE-C\Users\Admin\Documents\desktop.ini C:\Users\Admin\AppData\Local\Temp\Serverv1.exe N/A
File created C:\Users\Admin\AppData\Local\5ebf8879f5e766157b72a78c7a073672\Admin@MKDQUQPQ_en-US\Grabber\DRIVE-C\Users\Admin\Pictures\Saved Pictures\desktop.ini C:\Users\Admin\AppData\Local\Temp\Serverv1.exe N/A
File created C:\Users\Admin\AppData\Local\5ebf8879f5e766157b72a78c7a073672\Admin@MKDQUQPQ_en-US\Grabber\DRIVE-C\Users\Admin\Downloads\desktop.ini C:\Users\Admin\AppData\Local\Temp\Serverv1.exe N/A
File opened for modification C:\Users\Admin\AppData\Local\5ebf8879f5e766157b72a78c7a073672\Admin@MKDQUQPQ_en-US\Grabber\DRIVE-C\Users\Admin\Downloads\desktop.ini C:\Users\Admin\AppData\Local\Temp\Serverv1.exe N/A
File created C:\Users\Admin\AppData\Local\5ebf8879f5e766157b72a78c7a073672\Admin@MKDQUQPQ_en-US\Grabber\DRIVE-C\Users\Admin\Pictures\desktop.ini C:\Users\Admin\AppData\Local\Temp\Serverv1.exe N/A
File opened for modification C:\Users\Admin\AppData\Local\5ebf8879f5e766157b72a78c7a073672\Admin@MKDQUQPQ_en-US\Grabber\DRIVE-C\Users\Admin\Pictures\desktop.ini C:\Users\Admin\AppData\Local\Temp\Serverv1.exe N/A
File created C:\Users\Admin\AppData\Local\5ebf8879f5e766157b72a78c7a073672\Admin@MKDQUQPQ_en-US\Grabber\DRIVE-C\Users\Admin\Documents\desktop.ini C:\Users\Admin\AppData\Local\Temp\Serverv1.exe N/A

Looks up external IP address via web service

Description Indicator Process Target
N/A icanhazip.com N/A N/A

Looks up geolocation information via web service

Checks processor information in registry

Description Indicator Process Target
Key opened \REGISTRY\MACHINE\HARDWARE\Description\System\CentralProcessor\0 C:\Users\Admin\AppData\Local\Temp\Serverv1.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier C:\Users\Admin\AppData\Local\Temp\Serverv1.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\Serverv1.exe N/A (26 identical rows)

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\Serverv1.exe N/A
Token: SeManageVolumePrivilege N/A C:\Windows\System32\svchost.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 1704 wrote to memory of 3048 (3 rows) N/A C:\Users\Admin\AppData\Local\Temp\Serverv1.exe C:\Windows\SysWOW64\cmd.exe
PID 3048 wrote to memory of 3916 (3 rows) N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\chcp.com
PID 3048 wrote to memory of 2868 (3 rows) N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\netsh.exe
PID 3048 wrote to memory of 3468 (3 rows) N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\findstr.exe
PID 1704 wrote to memory of 5016 (3 rows) N/A C:\Users\Admin\AppData\Local\Temp\Serverv1.exe C:\Windows\SysWOW64\cmd.exe
PID 5016 wrote to memory of 2572 (3 rows) N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\chcp.com
PID 5016 wrote to memory of 2208 (3 rows) N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\netsh.exe

Processes

C:\Users\Admin\AppData\Local\Temp\Serverv1.exe

"C:\Users\Admin\AppData\Local\Temp\Serverv1.exe"

C:\Windows\SysWOW64\cmd.exe

"cmd.exe" /C chcp 65001 && netsh wlan show profile | findstr All

C:\Windows\SysWOW64\chcp.com

chcp 65001

C:\Windows\SysWOW64\netsh.exe

netsh wlan show profile

C:\Windows\SysWOW64\findstr.exe

findstr All

C:\Windows\SysWOW64\cmd.exe

"cmd.exe" /C chcp 65001 && netsh wlan show networks mode=bssid

C:\Windows\SysWOW64\chcp.com

chcp 65001

C:\Windows\SysWOW64\netsh.exe

netsh wlan show networks mode=bssid

C:\Windows\System32\rundll32.exe

C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding

C:\Windows\system32\rundll32.exe

"C:\Windows\system32\rundll32.exe" "C:\Windows\SYSTEM32\EDGEHTML.dll",#141 Microsoft.VCLibs.140.00_8wekyb3d8bbwe

C:\Windows\System32\svchost.exe

C:\Windows\System32\svchost.exe -k UnistackSvcGroup
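Added example, not part of the sandbox report. The two cmd.exe command lines above are the stealer's Wi-Fi collection step: chcp 65001 switches the console to UTF-8 so the output parses cleanly, netsh wlan show profile lists the saved Wi-Fi profiles, and netsh wlan show networks mode=bssid lists nearby access points. The WriteProcessMemory rows earlier in this report pair every writer with a process it had just spawned (1704 into 3048 and 5016, 3048 into 3916/2868/3468, 5016 into 2572/2208), which is what ordinary process creation looks like, not injection into an unrelated process. The script below rebuilds that tree from event records constructed from the PIDs and command lines shown on this page, flags the netsh pattern when its root process runs from a user-writable directory, and classifies each memory write as parent-to-child or cross-process. The record layout, the rule names, the USER_WRITABLE heuristic and all function names are this example's own choices. The rundll32.exe and svchost.exe entries above have no recorded link to the sample's tree and are left out.

```python
"""Process-tree reconstruction and Wi-Fi harvesting detection.

Added example, not part of the sandbox report. EVENTS and WRITES are
constructed from the PIDs, images, command lines and memory-write rows shown
on this page; the (pid, ppid, image, cmdline) layout is an assumption, not a
sandbox export format.
"""
import re
from collections import defaultdict

EVENTS = [
    (1704, 0,    r"C:\Users\Admin\AppData\Local\Temp\Serverv1.exe",
                 r'"C:\Users\Admin\AppData\Local\Temp\Serverv1.exe"'),
    (3048, 1704, r"C:\Windows\SysWOW64\cmd.exe",
                 '"cmd.exe" /C chcp 65001 && netsh wlan show profile | findstr All'),
    (3916, 3048, r"C:\Windows\SysWOW64\chcp.com",    "chcp 65001"),
    (2868, 3048, r"C:\Windows\SysWOW64\netsh.exe",   "netsh wlan show profile"),
    (3468, 3048, r"C:\Windows\SysWOW64\findstr.exe", "findstr All"),
    (5016, 1704, r"C:\Windows\SysWOW64\cmd.exe",
                 '"cmd.exe" /C chcp 65001 && netsh wlan show networks mode=bssid'),
    (2572, 5016, r"C:\Windows\SysWOW64\chcp.com",    "chcp 65001"),
    (2208, 5016, r"C:\Windows\SysWOW64\netsh.exe",   "netsh wlan show networks mode=bssid"),
]

# (writer pid, target pid) pairs from the WriteProcessMemory table, deduplicated.
WRITES = [(1704, 3048), (3048, 3916), (3048, 2868), (3048, 3468),
          (1704, 5016), (5016, 2572), (5016, 2208)]

# "show profile" enumerates saved Wi-Fi profiles; "show networks mode=bssid"
# lists nearby access points, whose BSSIDs a geolocation web service can turn
# into a position.
WIFI_RULES = {
    "wlan_saved_profiles": re.compile(r"netsh\s+wlan\s+show\s+profile", re.I),
    "wlan_bssid_scan": re.compile(r"netsh\s+wlan\s+show\s+networks\s+mode=bssid", re.I),
}
# Directories an unprivileged user can write to; admin tooling rarely runs from here.
USER_WRITABLE = re.compile(r"\\(AppData|Temp|Downloads|ProgramData|Public)\\", re.I)


def build_tree(events):
    """Index events by pid and by parent pid."""
    by_pid = {e[0]: e for e in events}
    children = defaultdict(list)
    for pid, ppid, _, _ in events:
        children[ppid].append(pid)
    return by_pid, children


def origin_of(pid, by_pid):
    """Walk up the parent chain to the highest ancestor we have a record for."""
    while by_pid[pid][1] in by_pid:
        pid = by_pid[pid][1]
    return pid


def detect_wifi_harvest(events):
    """Flag netsh.exe invocations matching the harvesting patterns, with their origin."""
    by_pid, _ = build_tree(events)
    findings = []
    for pid, ppid, image, cmdline in events:
        if not image.lower().endswith("\\netsh.exe"):
            continue
        for rule, pattern in WIFI_RULES.items():
            if pattern.search(cmdline):
                origin = origin_of(pid, by_pid)
                origin_image = by_pid[origin][2]
                findings.append({
                    "rule": rule, "pid": pid, "parent_pid": ppid,
                    "origin_pid": origin, "origin_image": origin_image,
                    "origin_user_writable": bool(USER_WRITABLE.search(origin_image)),
                })
    return findings


def classify_writes(events, writes):
    """Separate parent->child writes (ordinary process creation) from cross-process ones."""
    by_pid, _ = build_tree(events)
    verdicts = {}
    for src, dst in writes:
        if dst in by_pid and by_pid[dst][1] == src:
            verdicts[(src, dst)] = "parent->child: consistent with process creation"
        else:
            verdicts[(src, dst)] = "cross-process: investigate as possible injection"
    return verdicts


def render_tree(events):
    """Return the process tree as indented text lines, roots first."""
    by_pid, children = build_tree(events)
    lines = []

    def walk(pid, depth):
        _, _, image, cmdline = by_pid[pid]
        name = image.rsplit("\\", 1)[-1]
        lines.append("  " * depth + f"[{pid}] {name}  {cmdline}")
        for child in children[pid]:
            walk(child, depth + 1)

    for pid, ppid, _, _ in events:
        if ppid not in by_pid:
            walk(pid, 0)
    return lines


if __name__ == "__main__":
    print("\n".join(render_tree(EVENTS)))
    for finding in detect_wifi_harvest(EVENTS):
        print(finding)
    for pair, verdict in classify_writes(EVENTS, WRITES).items():
        print(pair, verdict)
```

Both netsh invocations resolve to PID 1704 (Serverv1.exe under AppData\Local\Temp) as their origin, and every memory write in the table is a parent writing into its own freshly created child. A write that does not fit that shape, for example 1704 into 2868 directly, is what would justify treating the WriteProcessMemory signature as injection.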

Network

Country Destination Domain Proto
US 8.8.8.8:53 28.118.140.52.in-addr.arpa udp
US 8.8.8.8:53 179.178.17.96.in-addr.arpa udp
US 8.8.8.8:53 9.228.82.20.in-addr.arpa udp
US 8.8.8.8:53 26.35.223.20.in-addr.arpa udp
US 8.8.8.8:53 41.110.16.96.in-addr.arpa udp
US 8.8.8.8:53 26.165.165.52.in-addr.arpa udp
US 8.8.8.8:53 206.23.85.13.in-addr.arpa udp
US 8.8.8.8:53 13.86.106.20.in-addr.arpa udp
US 8.8.8.8:53 100.5.17.2.in-addr.arpa udp
US 8.8.8.8:53 119.110.54.20.in-addr.arpa udp
US 8.8.8.8:53 217.135.221.88.in-addr.arpa udp
US 8.8.8.8:53 181.178.17.96.in-addr.arpa udp
US 8.8.8.8:53 icanhazip.com udp
US 104.16.185.241:80 icanhazip.com tcp
US 8.8.8.8:53 api.mylnikov.org udp
US 104.21.44.66:443 api.mylnikov.org tcp
US 8.8.8.8:53 api.telegram.org udp
NL 149.154.167.220:443 api.telegram.org tcp
US 8.8.8.8:53 241.185.16.104.in-addr.arpa udp
US 8.8.8.8:53 88.135.221.88.in-addr.arpa udp
US 8.8.8.8:53 66.44.21.104.in-addr.arpa udp
US 8.8.8.8:53 220.167.154.149.in-addr.arpa udp
NL 149.154.167.220:443 api.telegram.org tcp
US 8.8.8.8:53 0.205.248.87.in-addr.arpa udp
US 8.8.8.8:53 tse1.mm.bing.net udp
NL 149.154.167.220:443 api.telegram.org tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 8.8.8.8:53 200.197.79.204.in-addr.arpa udp
N/A 127.0.0.1:6606 tcp
US 8.8.8.8:53 18.134.221.88.in-addr.arpa udp
N/A 127.0.0.1:7707 tcp
N/A 127.0.0.1:6606 tcp
US 8.8.8.8:53 75.134.221.88.in-addr.arpa udp
N/A 127.0.0.1:6606 tcp
US 8.8.8.8:53 210.178.17.96.in-addr.arpa udp
N/A 127.0.0.1:7707 tcp
N/A 127.0.0.1:6606 tcp
US 8.8.8.8:53 14.227.111.52.in-addr.arpa udp
N/A 127.0.0.1:7707 tcp
N/A 127.0.0.1:8808 tcp
N/A 127.0.0.1:7707 tcp
N/A 127.0.0.1:6606 tcp
N/A 127.0.0.1:7707 tcp
N/A 127.0.0.1:8808 tcp
N/A 127.0.0.1:8808 tcp
N/A 127.0.0.1:6606 tcp
US 8.8.8.8:53 89.16.208.104.in-addr.arpa udp
N/A 127.0.0.1:6606 tcp
N/A 127.0.0.1:8808 tcp
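Added example, not part of the sandbox report. Three things in the table above matter for indicator extraction. First, the loopback connections on 6606, 7707 and 8808 are AsyncRAT's default configuration ports; a host of 127.0.0.1 means the builder's placeholder was never changed, so this run exposes no reachable RAT C2 and a real C2 address cannot be recovered from it. Second, icanhazip.com (public IP), api.mylnikov.org (a Wi-Fi/BSSID geolocation API, matching the "Looks up geolocation information via web service" signature and the netsh BSSID scan) and api.telegram.org (the Bot API, consistent with the stealer reporting over Telegram) are the stealer's helper services, not attacker infrastructure you can block as C2; only the Telegram bot token, which is not shown on this page, would identify the operator. Third, the in-addr.arpa PTR queries and the tse1.mm.bing.net traffic are taken here to be environment noise. The script below, with a subset of the table transcribed as constructed records and with labels, thresholds and function names that are this example's own, sorts the rows into those buckets and reports the only endpoints where a real C2 could sit.

```python
"""Triage of the Network table: noise, stealer helper services, and where a
real C2 could hide.

Added example, not part of the sandbox report. RECORDS is a subset transcribed
from the Network table on this page; the labels in KNOWN_HOSTS are this
example's interpretation, not sandbox output.
"""
import ipaddress
from collections import defaultdict

# AsyncRAT ships with these three ports in its default configuration.
ASYNCRAT_DEFAULT_PORTS = {6606, 7707, 8808}

RECORDS = [
    ("US", "8.8.8.8:53", "28.118.140.52.in-addr.arpa", "udp"),
    ("US", "8.8.8.8:53", "icanhazip.com", "udp"),
    ("US", "104.16.185.241:80", "icanhazip.com", "tcp"),
    ("US", "8.8.8.8:53", "api.mylnikov.org", "udp"),
    ("US", "104.21.44.66:443", "api.mylnikov.org", "tcp"),
    ("US", "8.8.8.8:53", "api.telegram.org", "udp"),
    ("NL", "149.154.167.220:443", "api.telegram.org", "tcp"),
    ("US", "8.8.8.8:53", "tse1.mm.bing.net", "udp"),
    ("US", "204.79.197.200:443", "tse1.mm.bing.net", "tcp"),
    ("N/A", "127.0.0.1:6606", "", "tcp"),
    ("N/A", "127.0.0.1:7707", "", "tcp"),
    ("N/A", "127.0.0.1:8808", "", "tcp"),
]

KNOWN_HOSTS = {
    "icanhazip.com": "external-ip-lookup",          # victim's public IP
    "api.mylnikov.org": "wifi-geolocation-lookup",  # BSSIDs from netsh -> position
    "api.telegram.org": "telegram-bot-api",         # stealer report channel
    "tse1.mm.bing.net": "os-background-traffic",    # assumed Windows noise, not the sample
}


def parse_dest(dest):
    """Split 'ip:port' into (ip_address, int port)."""
    host, _, port = dest.rpartition(":")
    return ipaddress.ip_address(host), int(port)


def classify(record):
    _, dest, domain, proto = record
    ip, port = parse_dest(dest)
    if domain.endswith(".in-addr.arpa"):
        return "reverse-dns-noise"          # PTR lookups, assumed environment-generated
    if domain in KNOWN_HOSTS:
        return KNOWN_HOSTS[domain]
    if port in ASYNCRAT_DEFAULT_PORTS:
        # Loopback means the builder's placeholder host was never changed:
        # the RAT half has no reachable C2 in this run.
        return ("asyncrat-default-port-loopback" if ip.is_loopback
                else "asyncrat-default-port-remote")
    if proto == "udp" and port == 53:
        return "dns-query"
    return "unclassified"


def summarize(records):
    """Group destinations (domain if known, else ip:port) by classification."""
    groups = defaultdict(set)
    for rec in records:
        groups[classify(rec)].add(rec[2] or rec[1])
    return {label: sorted(dests) for label, dests in groups.items()}


def c2_candidates(records):
    """Non-loopback endpoints on AsyncRAT ports: the only places a real C2 could be."""
    return sorted({rec[1] for rec in records
                   if classify(rec) == "asyncrat-default-port-remote"})


if __name__ == "__main__":
    for label, dests in summarize(RECORDS).items():
        print(f"{label:32} {', '.join(dests)}")
    print("C2 candidates:", c2_candidates(RECORDS) or "none (loopback only)")
```

Run against this page's rows, c2_candidates returns nothing; a rebuilt sample with a real host would surface as asyncrat-default-port-remote, which is the row worth blocking. The helper hosts are still useful for hunting (a workstation resolving icanhazip.com, api.mylnikov.org and api.telegram.org within a few seconds of a netsh wlan invocation is a strong StormKitty signal), but they are shared public services and should not be treated as attacker-owned.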

Files

memory/1704-0-0x0000000000740000-0x0000000000772000-memory.dmp

memory/1704-1-0x0000000075110000-0x00000000758C0000-memory.dmp

memory/1704-2-0x00000000050F0000-0x0000000005100000-memory.dmp

memory/1704-3-0x0000000005270000-0x00000000052D6000-memory.dmp

C:\Users\Admin\AppData\Local\5ebf8879f5e766157b72a78c7a073672\Admin@MKDQUQPQ_en-US\System\Process.txt

MD5 10143d6b360f19c15e42c771e4203a52
SHA1 ad79d9dc4e51dd353f61f3a34684f467cb9e6cc6
SHA256 7a3768c688f25d3cdbc3869512c067f3648660d8275d51c55ed5c1c45f6b2fe8
SHA512 a3b86aaa8b69c9fddfcead1622c4c254682922b93264e086944817b8f1e9ada337e45154de3287c7baab0984bd0e2ccb1645e45b8482df7b53fce52e80e80230

memory/1704-154-0x00000000050F0000-0x0000000005100000-memory.dmp

memory/1704-156-0x0000000006090000-0x0000000006122000-memory.dmp

memory/1704-157-0x00000000066E0000-0x0000000006C84000-memory.dmp

memory/1704-161-0x0000000075110000-0x00000000758C0000-memory.dmp

memory/1704-162-0x00000000061B0000-0x00000000061BA000-memory.dmp

memory/1704-163-0x00000000050F0000-0x0000000005100000-memory.dmp

C:\Users\Admin\AppData\Local\14c7a52060ae13d63cf43467d962ab19\msgid.dat

MD5 cfcd208495d565ef66e7dff9f98764da
SHA1 b6589fc6ab0dc82cf12099d1c2d40ab994e8410c
SHA256 5feceb66ffc86f38d952786c6d696c79c2dbc239dd4e91b46729d73a27fb57e9
SHA512 31bca02094eb78126a517b206a88c73cfa9ec6f704c7030d18212cace820f025f00bf0ea68dbf3f3a5436ca63b53bf7bf80ad8d5de7d8359d0b7fed9dbc3ab99

memory/1704-169-0x0000000005650000-0x0000000005662000-memory.dmp

memory/1704-194-0x00000000050F0000-0x0000000005100000-memory.dmp

memory/936-195-0x00000138E4040000-0x00000138E4050000-memory.dmp

memory/936-211-0x00000138E4140000-0x00000138E4150000-memory.dmp

memory/936-227-0x00000138EC730000-0x00000138EC731000-memory.dmp

memory/936-228-0x00000138EC760000-0x00000138EC761000-memory.dmp

memory/936-229-0x00000138EC760000-0x00000138EC761000-memory.dmp

memory/936-230-0x00000138EC760000-0x00000138EC761000-memory.dmp

memory/936-231-0x00000138EC760000-0x00000138EC761000-memory.dmp

memory/936-232-0x00000138EC760000-0x00000138EC761000-memory.dmp

memory/936-233-0x00000138EC760000-0x00000138EC761000-memory.dmp

memory/936-234-0x00000138EC760000-0x00000138EC761000-memory.dmp

memory/936-235-0x00000138EC760000-0x00000138EC761000-memory.dmp

memory/936-236-0x00000138EC760000-0x00000138EC761000-memory.dmp

memory/936-237-0x00000138EC760000-0x00000138EC761000-memory.dmp

memory/936-238-0x00000138EC380000-0x00000138EC381000-memory.dmp

memory/936-239-0x00000138EC370000-0x00000138EC371000-memory.dmp

memory/936-241-0x00000138EC380000-0x00000138EC381000-memory.dmp

memory/936-244-0x00000138EC370000-0x00000138EC371000-memory.dmp

memory/936-247-0x00000138EC2B0000-0x00000138EC2B1000-memory.dmp

C:\Users\Admin\AppData\Local\Comms\UnistoreDB\store.jfm

MD5 89c891803047aeb46ddbecb96f6aa300
SHA1 603c7e1ad219808a6680353fdd7454e16ad695fa
SHA256 2b5c6b9a356ee0c721f6faad137e52763e5dba7ce6658fdca7d99edf12644ceb
SHA512 0dfb264b9e8ed8ad14a7cb37fb8ee734cc75d8694eec0f5f8ad132bbb796183624bd8ef766da21c691a2a0d45f36057d39d2ef771c62607ee31a1d0fc81f0b28

memory/936-259-0x00000138EC4B0000-0x00000138EC4B1000-memory.dmp

memory/936-261-0x00000138EC4C0000-0x00000138EC4C1000-memory.dmp

memory/936-262-0x00000138EC4C0000-0x00000138EC4C1000-memory.dmp

memory/936-263-0x00000138EC5D0000-0x00000138EC5D1000-memory.dmp
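Added example, not part of the sandbox report. The file paths in this section and in the "Drops desktop.ini file(s)" table describe the stealer's staging directory: a 32-hex-character working directory under AppData\Local, a user@hostname_locale folder naming the victim (Admin@MKDQUQPQ_en-US), and beneath it a Grabber\DRIVE-C\... tree that mirrors the original locations of the files it copied (the desktop.ini rows are a side effect of copying the Desktop, Documents, Downloads and Pictures folders wholesale) plus a System\Process.txt that pairs with the 26 process-enumeration events above. The msgid.dat hashes listed above are exactly the MD5, SHA-1 and SHA-256 of the one-byte string "0", which the code below confirms offline; the file name suggests a message-id counter, but nothing on this page says more than that. The store.jfm file under AppData\Local\Comms\UnistoreDB is taken here to belong to the Windows Unified Store service (the svchost -k UnistackSvcGroup process in the list), not to the sample. The script below, using paths transcribed from this page and regexes, field names and function names that are this example's own, parses the staging layout back into victim identity and original file locations and checks the msgid.dat content hypothesis.

```python
"""Parse the stealer's staging paths and verify the msgid.dat content.

Added example, not part of the sandbox report. PATHS is transcribed from the
Files and desktop.ini sections of this page; the regexes and the
user@host_locale field names are this example's reading of that layout.
"""
import hashlib
import re

PATHS = [
    r"C:\Users\Admin\AppData\Local\5ebf8879f5e766157b72a78c7a073672\Admin@MKDQUQPQ_en-US\Grabber\DRIVE-C\Users\Admin\Desktop\desktop.ini",
    r"C:\Users\Admin\AppData\Local\5ebf8879f5e766157b72a78c7a073672\Admin@MKDQUQPQ_en-US\Grabber\DRIVE-C\Users\Admin\Documents\desktop.ini",
    r"C:\Users\Admin\AppData\Local\5ebf8879f5e766157b72a78c7a073672\Admin@MKDQUQPQ_en-US\Grabber\DRIVE-C\Users\Admin\Downloads\desktop.ini",
    r"C:\Users\Admin\AppData\Local\5ebf8879f5e766157b72a78c7a073672\Admin@MKDQUQPQ_en-US\Grabber\DRIVE-C\Users\Admin\Pictures\Camera Roll\desktop.ini",
    r"C:\Users\Admin\AppData\Local\5ebf8879f5e766157b72a78c7a073672\Admin@MKDQUQPQ_en-US\System\Process.txt",
    r"C:\Users\Admin\AppData\Local\14c7a52060ae13d63cf43467d962ab19\msgid.dat",
    r"C:\Users\Admin\AppData\Local\Comms\UnistoreDB\store.jfm",
]

# <drive>:\Users\<x>\AppData\Local\<32 hex>\<user>@<host>_<locale>\<module>\<rest>
STAGING_RE = re.compile(
    r"^(?P<drive>[A-Za-z]):\\Users\\[^\\]+\\AppData\\Local\\(?P<workdir>[0-9a-f]{32})"
    r"\\(?P<user>[^\\@]+)@(?P<host>[^\\]+?)_(?P<locale>[a-z]{2}(?:-[A-Z]{2})?)"
    r"\\(?P<module>[^\\]+)\\(?P<rest>.+)$"
)
# Inside the Grabber module, DRIVE-<letter>\<path> mirrors <letter>:\<path>.
DRIVE_RE = re.compile(r"^DRIVE-(?P<letter>[A-Za-z])\\(?P<path>.+)$")

# Hashes of msgid.dat as listed on this page.
PAGE_MSGID_HASHES = {
    "md5": "cfcd208495d565ef66e7dff9f98764da",
    "sha1": "b6589fc6ab0dc82cf12099d1c2d40ab994e8410c",
    "sha256": "5feceb66ffc86f38d952786c6d696c79c2dbc239dd4e91b46729d73a27fb57e9",
}


def parse_staging_path(path):
    """Return the staging fields for a path, with the original location for grabbed files."""
    match = STAGING_RE.match(path)
    if not match:
        return None
    info = match.groupdict()
    if info["module"] == "Grabber":
        drive = DRIVE_RE.match(info["rest"])
        if drive:
            info["original"] = f"{drive['letter'].upper()}:\\{drive['path']}"
    return info


def collected_originals(paths):
    """Original locations of every file the grabber copied into staging."""
    originals = set()
    for path in paths:
        info = parse_staging_path(path)
        if info and "original" in info:
            originals.add(info["original"])
    return sorted(originals)


def victim_tags(paths):
    """(workdir, user, host, locale) tuples: the identity the stealer stamps on its output."""
    tags = set()
    for path in paths:
        info = parse_staging_path(path)
        if info:
            tags.add((info["workdir"], info["user"], info["host"], info["locale"]))
    return sorted(tags)


def digests(data):
    return {name: hashlib.new(name, data).hexdigest() for name in ("md5", "sha1", "sha256")}


def matches_page_hashes(candidate):
    """True if candidate bytes hash to the msgid.dat values on the page."""
    return digests(candidate) == PAGE_MSGID_HASHES


if __name__ == "__main__":
    print("victim tags:", victim_tags(PATHS))
    print("grabbed files:", *collected_originals(PATHS), sep="\n  ")
    print('msgid.dat == b"0":', matches_page_hashes(b"0"))
```

Because the Grabber tree preserves the source drive and path, an incident responder can enumerate exactly which user files were staged for theft from the file-creation log alone, without the stealer's archive; the workdir (5ebf8879... here, a different 14c7a520... for msgid.dat) and the user@host_locale string are the fields to pivot on when looking for the same build on other hosts.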