asyncrat | 5273bfd8b4ea8c5ef1b3c758395e258a65031216b0f242ab5f46c8d363a8df8f

Analysis

max time kernel
144s
max time network
149s
platform
windows7_x64
resource
win7-20240221-en
resource tags

arch:x64arch:x86image:win7-20240221-enlocale:en-usos:windows7-x64system
submitted
17-04-2024 14:55

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

8ec50ee4a15519c0be0d0f8f65f9d8d4f13a98e6b72c9e0eeabc4d984524d213.exe
Size

990KB
MD5

3183ce80b52497d71f3f036141413c53
SHA1

079ea02e9ef218b2cbc4e4f99d1d904e739f8f59
SHA256

8ec50ee4a15519c0be0d0f8f65f9d8d4f13a98e6b72c9e0eeabc4d984524d213
SHA512

d943eeba0795e38cf1a6951a2ff412e690dae8fd3f02718497797584e8e87936743fee129e5b6ac7bc0cf17ad7f3807147a28882e0b91552e2273aa2a5022d87
SSDEEP

24576:mTbBv5rUSvFpiZA9fuBGa6mXcqIAXiAZfzI6q:YBVNpyAFLAXiAZw

Score

10^/10

asyncrat stormkitty default rat stealer

Malware Config

Extracted

Family

asyncrat

Botnet

Default

127.0.0.1:6606

127.0.0.1:7707

127.0.0.1:8808

https://api.telegram.org/bot6889241853:AAHAa8eUBd5h6tWRG0OvgDx7o1_LKQJi-y8/sendMessage?chat_id=6367688286

Mutex

AsyncMutex_6SI8OkPnk

Attributes

delay
3
install
false
install_folder
%AppData%

aes.plain

Signatures

AsyncRat
AsyncRAT is designed to remotely monitor and control other computers written in C#.
rat asyncrat
StormKitty
StormKitty is an open source info stealer written in C#.
stealer stormkitty

StormKitty payload 5 IoCs

Processes:

resource	yara_rule
behavioral1/memory/2424-70-0x00000000013A0000-0x00000000023A0000-memory.dmp	family_stormkitty
behavioral1/memory/2424-72-0x00000000013A0000-0x00000000023A0000-memory.dmp	family_stormkitty
behavioral1/memory/2424-74-0x00000000013A0000-0x00000000023A0000-memory.dmp	family_stormkitty
behavioral1/memory/2424-75-0x00000000013A0000-0x00000000013D0000-memory.dmp	family_stormkitty
behavioral1/memory/2424-77-0x000000000FB10000-0x000000000FB50000-memory.dmp	family_stormkitty

Executes dropped EXE 1 IoCs

Processes:

bexoqmp.msc

pid process

1852 bexoqmp.msc
Loads dropped DLL 1 IoCs

Processes:

cmd.exe

pid process

2816 cmd.exe

pid	process
2816	cmd.exe

Drops desktop.ini file(s) 5 IoCs

Processes:

RegSvcs.exe

description	ioc	process
File created	C:\Users\Admin\AppData\Local\2315534462a64d82d5b19a8f42ac53e5\Admin@HKULBIBU_en-US\Grabber\DRIVE-C\Users\Admin\Documents\desktop.ini	RegSvcs.exe
File created	C:\Users\Admin\AppData\Local\2315534462a64d82d5b19a8f42ac53e5\Admin@HKULBIBU_en-US\Grabber\DRIVE-C\Users\Admin\Desktop\desktop.ini	RegSvcs.exe
File created	C:\Users\Admin\AppData\Local\2315534462a64d82d5b19a8f42ac53e5\Admin@HKULBIBU_en-US\Grabber\DRIVE-C\Users\Admin\Downloads\desktop.ini	RegSvcs.exe
File opened for modification	C:\Users\Admin\AppData\Local\2315534462a64d82d5b19a8f42ac53e5\Admin@HKULBIBU_en-US\Grabber\DRIVE-C\Users\Admin\Downloads\desktop.ini	RegSvcs.exe
File created	C:\Users\Admin\AppData\Local\2315534462a64d82d5b19a8f42ac53e5\Admin@HKULBIBU_en-US\Grabber\DRIVE-C\Users\Admin\Pictures\desktop.ini	RegSvcs.exe

Looks up external IP address via web service 1 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.

Processes:

flow ioc

4 icanhazip.com
Looks up geolocation information via web service
Uses a legitimate geolocation service to find the infected system's geolocation info.
Suspicious use of SetThreadContext 1 IoCs

Processes:

bexoqmp.msc

description pid process target process

PID 1852 set thread context of 2424 1852 bexoqmp.msc RegSvcs.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

flow	ioc
4	icanhazip.com

description	pid	process	target process
PID 1852 set thread context of 2424	1852	bexoqmp.msc	RegSvcs.exe

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

RegSvcs.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\HARDWARE\Description\System\CentralProcessor\0	RegSvcs.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier	RegSvcs.exe

Gathers network information 2 TTPs 2 IoCs
Uses commandline utility to view network configuration.

System Information Discovery
T1082

Command and Scripting Interpreter
T1059

Processes:

ipconfig.exeipconfig.exe

pid process

1688 ipconfig.exe
1516 ipconfig.exe

pid	process
1688	ipconfig.exe
1516	ipconfig.exe

Suspicious behavior: EnumeratesProcesses 15 IoCs

Processes:

bexoqmp.mscRegSvcs.exe

pid	process
1852	bexoqmp.msc
1852	bexoqmp.msc
1852	bexoqmp.msc
1852	bexoqmp.msc
1852	bexoqmp.msc
1852	bexoqmp.msc
2424	RegSvcs.exe
2424	RegSvcs.exe
2424	RegSvcs.exe
2424	RegSvcs.exe
2424	RegSvcs.exe
2424	RegSvcs.exe
2424	RegSvcs.exe
2424	RegSvcs.exe
2424	RegSvcs.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes:

RegSvcs.exe

description pid process

Token: SeDebugPrivilege 2424 RegSvcs.exe

description	pid	process
Token: SeDebugPrivilege	2424	RegSvcs.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

8ec50ee4a15519c0be0d0f8f65f9d8d4f13a98e6b72c9e0eeabc4d984524d213.exeWScript.execmd.execmd.exebexoqmp.msccmd.exeRegSvcs.execmd.execmd.exe

description	pid	process	target process
PID 1640 wrote to memory of 2504	1640	8ec50ee4a15519c0be0d0f8f65f9d8d4f13a98e6b72c9e0eeabc4d984524d213.exe	WScript.exe
PID 1640 wrote to memory of 2504	1640	8ec50ee4a15519c0be0d0f8f65f9d8d4f13a98e6b72c9e0eeabc4d984524d213.exe	WScript.exe
PID 1640 wrote to memory of 2504	1640	8ec50ee4a15519c0be0d0f8f65f9d8d4f13a98e6b72c9e0eeabc4d984524d213.exe	WScript.exe
PID 1640 wrote to memory of 2504	1640	8ec50ee4a15519c0be0d0f8f65f9d8d4f13a98e6b72c9e0eeabc4d984524d213.exe	WScript.exe
PID 2504 wrote to memory of 2800	2504	WScript.exe	cmd.exe
PID 2504 wrote to memory of 2800	2504	WScript.exe	cmd.exe
PID 2504 wrote to memory of 2800	2504	WScript.exe	cmd.exe
PID 2504 wrote to memory of 2800	2504	WScript.exe	cmd.exe
PID 2504 wrote to memory of 2816	2504	WScript.exe	cmd.exe
PID 2504 wrote to memory of 2816	2504	WScript.exe	cmd.exe
PID 2504 wrote to memory of 2816	2504	WScript.exe	cmd.exe
PID 2504 wrote to memory of 2816	2504	WScript.exe	cmd.exe
PID 2800 wrote to memory of 1688	2800	cmd.exe	ipconfig.exe
PID 2800 wrote to memory of 1688	2800	cmd.exe	ipconfig.exe
PID 2800 wrote to memory of 1688	2800	cmd.exe	ipconfig.exe
PID 2800 wrote to memory of 1688	2800	cmd.exe	ipconfig.exe
PID 2816 wrote to memory of 1852	2816	cmd.exe	bexoqmp.msc
PID 2816 wrote to memory of 1852	2816	cmd.exe	bexoqmp.msc
PID 2816 wrote to memory of 1852	2816	cmd.exe	bexoqmp.msc
PID 2816 wrote to memory of 1852	2816	cmd.exe	bexoqmp.msc
PID 1852 wrote to memory of 2424	1852	bexoqmp.msc	RegSvcs.exe
PID 1852 wrote to memory of 2424	1852	bexoqmp.msc	RegSvcs.exe
PID 1852 wrote to memory of 2424	1852	bexoqmp.msc	RegSvcs.exe
PID 1852 wrote to memory of 2424	1852	bexoqmp.msc	RegSvcs.exe
PID 1852 wrote to memory of 2424	1852	bexoqmp.msc	RegSvcs.exe
PID 1852 wrote to memory of 2424	1852	bexoqmp.msc	RegSvcs.exe
PID 1852 wrote to memory of 2424	1852	bexoqmp.msc	RegSvcs.exe
PID 1852 wrote to memory of 2424	1852	bexoqmp.msc	RegSvcs.exe
PID 1852 wrote to memory of 2424	1852	bexoqmp.msc	RegSvcs.exe
PID 2504 wrote to memory of 2116	2504	WScript.exe	cmd.exe
PID 2504 wrote to memory of 2116	2504	WScript.exe	cmd.exe
PID 2504 wrote to memory of 2116	2504	WScript.exe	cmd.exe
PID 2504 wrote to memory of 2116	2504	WScript.exe	cmd.exe
PID 2116 wrote to memory of 1516	2116	cmd.exe	ipconfig.exe
PID 2116 wrote to memory of 1516	2116	cmd.exe	ipconfig.exe
PID 2116 wrote to memory of 1516	2116	cmd.exe	ipconfig.exe
PID 2116 wrote to memory of 1516	2116	cmd.exe	ipconfig.exe
PID 2424 wrote to memory of 2732	2424	RegSvcs.exe	cmd.exe
PID 2424 wrote to memory of 2732	2424	RegSvcs.exe	cmd.exe
PID 2424 wrote to memory of 2732	2424	RegSvcs.exe	cmd.exe
PID 2424 wrote to memory of 2732	2424	RegSvcs.exe	cmd.exe
PID 2732 wrote to memory of 2848	2732	cmd.exe	chcp.com
PID 2732 wrote to memory of 2848	2732	cmd.exe	chcp.com
PID 2732 wrote to memory of 2848	2732	cmd.exe	chcp.com
PID 2732 wrote to memory of 2848	2732	cmd.exe	chcp.com
PID 2732 wrote to memory of 712	2732	cmd.exe	netsh.exe
PID 2732 wrote to memory of 712	2732	cmd.exe	netsh.exe
PID 2732 wrote to memory of 712	2732	cmd.exe	netsh.exe
PID 2732 wrote to memory of 712	2732	cmd.exe	netsh.exe
PID 2732 wrote to memory of 1160	2732	cmd.exe	findstr.exe
PID 2732 wrote to memory of 1160	2732	cmd.exe	findstr.exe
PID 2732 wrote to memory of 1160	2732	cmd.exe	findstr.exe
PID 2732 wrote to memory of 1160	2732	cmd.exe	findstr.exe
PID 2424 wrote to memory of 2620	2424	RegSvcs.exe	cmd.exe
PID 2424 wrote to memory of 2620	2424	RegSvcs.exe	cmd.exe
PID 2424 wrote to memory of 2620	2424	RegSvcs.exe	cmd.exe
PID 2424 wrote to memory of 2620	2424	RegSvcs.exe	cmd.exe
PID 2620 wrote to memory of 356	2620	cmd.exe	chcp.com
PID 2620 wrote to memory of 356	2620	cmd.exe	chcp.com
PID 2620 wrote to memory of 356	2620	cmd.exe	chcp.com
PID 2620 wrote to memory of 356	2620	cmd.exe	chcp.com
PID 2620 wrote to memory of 832	2620	cmd.exe	netsh.exe
PID 2620 wrote to memory of 832	2620	cmd.exe	netsh.exe
PID 2620 wrote to memory of 832	2620	cmd.exe	netsh.exe

C:\Users\Admin\AppData\Local\Temp\8ec50ee4a15519c0be0d0f8f65f9d8d4f13a98e6b72c9e0eeabc4d984524d213.exe
"C:\Users\Admin\AppData\Local\Temp\8ec50ee4a15519c0be0d0f8f65f9d8d4f13a98e6b72c9e0eeabc4d984524d213.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:1640

C:\Windows\SysWOW64\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\RarSFX0\drcb.vbe"
2⤵
- Suspicious use of WriteProcessMemory
PID:2504

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /c ipconfig /release
3⤵
- Suspicious use of WriteProcessMemory
PID:2800

C:\Windows\SysWOW64\ipconfig.exe
ipconfig /release
4⤵
- Gathers network information
PID:1688

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /c bexoqmp.msc upowiq.pdf
3⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2816

C:\Users\Admin\AppData\Local\Temp\RarSFX0\bexoqmp.msc
bexoqmp.msc upowiq.pdf
4⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:1852

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"
5⤵
- Drops desktop.ini file(s)
- Checks processor information in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2424

C:\Windows\SysWOW64\cmd.exe
"cmd.exe" /C chcp 65001 && netsh wlan show profile | findstr All
6⤵
- Suspicious use of WriteProcessMemory
PID:2732

C:\Windows\SysWOW64\chcp.com
chcp 65001
7⤵
PID:2848

C:\Windows\SysWOW64\netsh.exe
netsh wlan show profile
7⤵
PID:712

C:\Windows\SysWOW64\findstr.exe
findstr All
7⤵
PID:1160

C:\Windows\SysWOW64\cmd.exe
"cmd.exe" /C chcp 65001 && netsh wlan show networks mode=bssid
6⤵
- Suspicious use of WriteProcessMemory
PID:2620

C:\Windows\SysWOW64\chcp.com
chcp 65001
7⤵
PID:356

C:\Windows\SysWOW64\netsh.exe
netsh wlan show networks mode=bssid
7⤵
PID:832

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /c ipconfig /renew
3⤵
- Suspicious use of WriteProcessMemory
PID:2116

C:\Windows\SysWOW64\ipconfig.exe
ipconfig /renew
4⤵
- Gathers network information
PID:1516

Network

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Command and Scripting Interpreter

T1059

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Query Registry

T1012

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\94308059B57B3142E455B38A6EB92015
Filesize
68KB

MD5
29f65ba8e88c063813cc50a4ea544e93

SHA1
05a7040d5c127e68c25d81cc51271ffb8bef3568

SHA256
1ed81fa8dfb6999a9fedc6e779138ffd99568992e22d300acd181a6d2c8de184

SHA512
e29b2e92c496245bed3372578074407e8ef8882906ce10c35b3c8deebfefe01b5fd7f3030acaa693e175f4b7aca6cd7d8d10ae1c731b09c5fa19035e005de3aa

Download Submit
C:\Users\Admin\AppData\Local\6d9b744fe16486be68128b365ceb222e\msgid.dat
Filesize
1B

MD5
cfcd208495d565ef66e7dff9f98764da

SHA1
b6589fc6ab0dc82cf12099d1c2d40ab994e8410c

SHA256
5feceb66ffc86f38d952786c6d696c79c2dbc239dd4e91b46729d73a27fb57e9

SHA512
31bca02094eb78126a517b206a88c73cfa9ec6f704c7030d18212cace820f025f00bf0ea68dbf3f3a5436ca63b53bf7bf80ad8d5de7d8359d0b7fed9dbc3ab99

Download Submit
C:\Users\Admin\AppData\Local\Temp\Cab9009.tmp
Filesize
65KB

MD5
ac05d27423a85adc1622c714f2cb6184

SHA1
b0fe2b1abddb97837ea0195be70ab2ff14d43198

SHA256
c6456e12e5e53287a547af4103e0397cb9697e466cf75844312dc296d43d144d

SHA512
6d0ef9050e41fbae680e0e59dd0f90b6ac7fea5579ef5708b69d5da33a0ece7e8b16574b58b17b64a34cc34a4ffc22b4a62c1ece61f36c4a11a0665e0536b90d

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX0\MKBSLO~1.KXN
Filesize
292KB

MD5
042b73b18e96dd8e5848507d7ac60ddc

SHA1
cc789c7fca70c7a2cb3666a4c691cfafa74f3cb2

SHA256
d5f12fabd9bab67d33cf3e26a325c7f720dc9d58b505605c5b17a2e26b7b7437

SHA512
8c9bd44c14960f587abc387fe817be479e02c2b7c503b849d441101f2f248460d0452040f646c1832b19a5690db47b43687250e295835abe7cee4900f0768969

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX0\drcb.vbe
Filesize
90KB

MD5
6a617caaf126d1fc7fc4bdf3e8ec468d

SHA1
d7ee54ed66d134f30047679cf8cb7a99d53a8b28

SHA256
6684b536afdfdae359cc0dedd597430b55c647803ac2485d3897f1000414925e

SHA512
4a1823a53dd23df0cabb144e4acc2c4b0b8510999af43900ef3ef80c1521a81bd55578bb730d53170e5b69c396ecdc33caea4181e078127c84e6fd1650a3377e

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX0\rvci.mp2
Filesize
40KB

MD5
2041cdd68756274146293b51ec9bd2f6

SHA1
778868d05718d5fbb9626de0d297aea970ef931d

SHA256
a3070e606fc55fb4d38aa827e94c81ea7d557a1fc4569d26dd10f83664a655ca

SHA512
e56b2bf6dc55fabf9c3b978abcee43491ad3b4270d4d9baec39b0ee1f39fa3aee19b688aafb375741e455a501284464ce6734bb399f6e8b812c3994b64c6bc97

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX0\upowiq.pdf
Filesize
73.4MB

MD5
07928a871521cd820875966bbaeb1fe9

SHA1
b9c1586bdc3fde0d3d04d89677ec77ebf82b529b

SHA256
592653e529707ee392aeb412f50920fe62575fc41875039d9cd15de45dfe9623

SHA512
fc2bb009a275640484a2198560a78382df35b0841b3ad86c5fecf211078dd8e4abbe3a5d3ac636dc4c6630f130ba83d61647c1e801679f5ed2e32e31d416e383

Download Submit
C:\Users\Admin\AppData\Local\Temp\Tar9157.tmp
Filesize
177KB

MD5
435a9ac180383f9fa094131b173a2f7b

SHA1
76944ea657a9db94f9a4bef38f88c46ed4166983

SHA256
67dc37ed50b8e63272b49a254a6039ee225974f1d767bb83eb1fd80e759a7c34

SHA512
1a6b277611959720a9c71114957620517ad94541302f164eb872bd322292a952409bafb8bc2ac793b16ad5f25d83f8594ccff2b7834e3c2b2b941e6fc84c009a

Download Submit
\Users\Admin\AppData\Local\Temp\RarSFX0\bexoqmp.msc
Filesize
925KB

MD5
0adb9b817f1df7807576c2d7068dd931

SHA1
4a1b94a9a5113106f40cd8ea724703734d15f118

SHA256
98e4f904f7de1644e519d09371b8afcbbf40ff3bd56d76ce4df48479a4ab884b

SHA512
883aa88f2dba4214bb534fbdaf69712127357a3d0f5666667525db3c1fa351598f067068dfc9e7c7a45fed4248d7dca729ba4f75764341e47048429f9ca8846a

Download Submit
memory/2424-68-0x00000000013A0000-0x00000000023A0000-memory.dmp

Filesize
16.0MB

Download
memory/2424-75-0x00000000013A0000-0x00000000013D0000-memory.dmp

Filesize
192KB

Download
memory/2424-76-0x0000000073140000-0x000000007382E000-memory.dmp

Filesize
6.9MB

Download
memory/2424-77-0x000000000FB10000-0x000000000FB50000-memory.dmp

Filesize
256KB

Download
memory/2424-145-0x000000000FB10000-0x000000000FB50000-memory.dmp

Filesize
256KB

Download
memory/2424-74-0x00000000013A0000-0x00000000023A0000-memory.dmp

Filesize
16.0MB

Download
memory/2424-72-0x00000000013A0000-0x00000000023A0000-memory.dmp

Filesize
16.0MB

Download
memory/2424-70-0x00000000013A0000-0x00000000023A0000-memory.dmp

Filesize
16.0MB

Download
memory/2424-69-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

Filesize
4KB

Download
memory/2424-254-0x0000000073140000-0x000000007382E000-memory.dmp

Filesize
6.9MB

Download
memory/2424-255-0x000000000FB10000-0x000000000FB50000-memory.dmp

Filesize
256KB

Download
memory/2424-256-0x000000000FB10000-0x000000000FB50000-memory.dmp

Filesize
256KB

Download