asyncrat | 5273bfd8b4ea8c5ef1b3c758395e258a65031216b0f242ab5f46c8d363a8df8f

General

Target

8ec50ee4a15519c0be0d0f8f65f9d8d4f13a98e6b72c9e0eeabc4d984524d213.exe
Size

990KB
MD5

3183ce80b52497d71f3f036141413c53
SHA1

079ea02e9ef218b2cbc4e4f99d1d904e739f8f59
SHA256

8ec50ee4a15519c0be0d0f8f65f9d8d4f13a98e6b72c9e0eeabc4d984524d213
SHA512

d943eeba0795e38cf1a6951a2ff412e690dae8fd3f02718497797584e8e87936743fee129e5b6ac7bc0cf17ad7f3807147a28882e0b91552e2273aa2a5022d87
SSDEEP

24576:mTbBv5rUSvFpiZA9fuBGa6mXcqIAXiAZfzI6q:YBVNpyAFLAXiAZw

Score

10^/10

asyncrat stormkitty default rat stealer

Malware Config

Extracted

Family

asyncrat

Botnet

Default

C2

127.0.0.1:6606

127.0.0.1:7707

127.0.0.1:8808

https://api.telegram.org/bot6889241853:AAHAa8eUBd5h6tWRG0OvgDx7o1_LKQJi-y8/sendMessage?chat_id=6367688286

Mutex

AsyncMutex_6SI8OkPnk

Attributes

delay
3
install
false
install_folder
%AppData%

aes.plain

Signatures

AsyncRat
AsyncRAT is designed to remotely monitor and control other computers written in C#.
rat asyncrat
StormKitty
StormKitty is an open source info stealer written in C#.
stealer stormkitty

StormKitty payload 2 IoCs

Processes:

resource	yara_rule
behavioral2/memory/1036-67-0x0000000000BB0000-0x0000000001BB0000-memory.dmp	family_stormkitty
behavioral2/memory/1036-68-0x0000000000BB0000-0x0000000000BE0000-memory.dmp	family_stormkitty

Checks computer location settings 2 TTPs 2 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

8ec50ee4a15519c0be0d0f8f65f9d8d4f13a98e6b72c9e0eeabc4d984524d213.exeWScript.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-259785868-298165991-4178590326-1000\Control Panel\International\Geo\Nation	8ec50ee4a15519c0be0d0f8f65f9d8d4f13a98e6b72c9e0eeabc4d984524d213.exe
Key value queried	\REGISTRY\USER\S-1-5-21-259785868-298165991-4178590326-1000\Control Panel\International\Geo\Nation	WScript.exe

Executes dropped EXE 1 IoCs

Processes:

bexoqmp.msc

pid process

1056 bexoqmp.msc

Drops desktop.ini file(s) 8 IoCs

Processes:

RegSvcs.exe

description	ioc	process
File created	C:\Users\Admin\AppData\Local\8141045e2d3d9c3700feea48781b82ee\Admin@QUBJEIMO_en-US\Grabber\DRIVE-C\Users\Admin\Downloads\desktop.ini	RegSvcs.exe
File created	C:\Users\Admin\AppData\Local\8141045e2d3d9c3700feea48781b82ee\Admin@QUBJEIMO_en-US\Grabber\DRIVE-C\Users\Admin\Pictures\Camera Roll\desktop.ini	RegSvcs.exe
File created	C:\Users\Admin\AppData\Local\8141045e2d3d9c3700feea48781b82ee\Admin@QUBJEIMO_en-US\Grabber\DRIVE-C\Users\Admin\Pictures\Saved Pictures\desktop.ini	RegSvcs.exe
File created	C:\Users\Admin\AppData\Local\8141045e2d3d9c3700feea48781b82ee\Admin@QUBJEIMO_en-US\Grabber\DRIVE-C\Users\Admin\Desktop\desktop.ini	RegSvcs.exe
File created	C:\Users\Admin\AppData\Local\8141045e2d3d9c3700feea48781b82ee\Admin@QUBJEIMO_en-US\Grabber\DRIVE-C\Users\Admin\Pictures\desktop.ini	RegSvcs.exe
File opened for modification	C:\Users\Admin\AppData\Local\8141045e2d3d9c3700feea48781b82ee\Admin@QUBJEIMO_en-US\Grabber\DRIVE-C\Users\Admin\Pictures\desktop.ini	RegSvcs.exe
File created	C:\Users\Admin\AppData\Local\8141045e2d3d9c3700feea48781b82ee\Admin@QUBJEIMO_en-US\Grabber\DRIVE-C\Users\Admin\Documents\desktop.ini	RegSvcs.exe
File opened for modification	C:\Users\Admin\AppData\Local\8141045e2d3d9c3700feea48781b82ee\Admin@QUBJEIMO_en-US\Grabber\DRIVE-C\Users\Admin\Documents\desktop.ini	RegSvcs.exe

Looks up external IP address via web service 1 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.

Processes:

flow ioc

31 icanhazip.com
Looks up geolocation information via web service
Uses a legitimate geolocation service to find the infected system's geolocation info.
Suspicious use of SetThreadContext 1 IoCs

Processes:

bexoqmp.msc

description pid process target process

PID 1056 set thread context of 1036 1056 bexoqmp.msc RegSvcs.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

flow	ioc
31	icanhazip.com

description	pid	process	target process
PID 1056 set thread context of 1036	1056	bexoqmp.msc	RegSvcs.exe

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

RegSvcs.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\HARDWARE\Description\System\CentralProcessor\0	RegSvcs.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier	RegSvcs.exe

Gathers network information 2 TTPs 2 IoCs
Uses commandline utility to view network configuration.

System Information Discovery
T1082

Command and Scripting Interpreter
T1059

Processes:

ipconfig.exeipconfig.exe

pid process

1400 ipconfig.exe
2256 ipconfig.exe

pid	process
1400	ipconfig.exe
2256	ipconfig.exe

Modifies registry class 1 IoCs

Processes:

8ec50ee4a15519c0be0d0f8f65f9d8d4f13a98e6b72c9e0eeabc4d984524d213.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-259785868-298165991-4178590326-1000_Classes\Local Settings	8ec50ee4a15519c0be0d0f8f65f9d8d4f13a98e6b72c9e0eeabc4d984524d213.exe

Suspicious behavior: EnumeratesProcesses 41 IoCs

Processes:

bexoqmp.mscRegSvcs.exe

pid	process
1056	bexoqmp.msc
1056	bexoqmp.msc
1056	bexoqmp.msc
1056	bexoqmp.msc
1056	bexoqmp.msc
1056	bexoqmp.msc
1056	bexoqmp.msc
1056	bexoqmp.msc
1056	bexoqmp.msc
1056	bexoqmp.msc
1056	bexoqmp.msc
1056	bexoqmp.msc
1036	RegSvcs.exe
1036	RegSvcs.exe
1036	RegSvcs.exe
1036	RegSvcs.exe
1036	RegSvcs.exe
1036	RegSvcs.exe
1036	RegSvcs.exe
1036	RegSvcs.exe
1036	RegSvcs.exe
1036	RegSvcs.exe
1036	RegSvcs.exe
1036	RegSvcs.exe
1036	RegSvcs.exe
1036	RegSvcs.exe
1036	RegSvcs.exe
1036	RegSvcs.exe
1036	RegSvcs.exe
1036	RegSvcs.exe
1036	RegSvcs.exe
1036	RegSvcs.exe
1036	RegSvcs.exe
1036	RegSvcs.exe
1036	RegSvcs.exe
1036	RegSvcs.exe
1036	RegSvcs.exe
1036	RegSvcs.exe
1036	RegSvcs.exe
1036	RegSvcs.exe
1036	RegSvcs.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes:

RegSvcs.exe

description pid process

Token: SeDebugPrivilege 1036 RegSvcs.exe

description	pid	process
Token: SeDebugPrivilege	1036	RegSvcs.exe

Suspicious use of WriteProcessMemory 47 IoCs

Processes:

8ec50ee4a15519c0be0d0f8f65f9d8d4f13a98e6b72c9e0eeabc4d984524d213.exeWScript.execmd.execmd.exebexoqmp.msccmd.exeRegSvcs.execmd.execmd.exe

description	pid	process	target process
PID 1792 wrote to memory of 2916	1792	8ec50ee4a15519c0be0d0f8f65f9d8d4f13a98e6b72c9e0eeabc4d984524d213.exe	WScript.exe
PID 1792 wrote to memory of 2916	1792	8ec50ee4a15519c0be0d0f8f65f9d8d4f13a98e6b72c9e0eeabc4d984524d213.exe	WScript.exe
PID 1792 wrote to memory of 2916	1792	8ec50ee4a15519c0be0d0f8f65f9d8d4f13a98e6b72c9e0eeabc4d984524d213.exe	WScript.exe
PID 2916 wrote to memory of 1444	2916	WScript.exe	cmd.exe
PID 2916 wrote to memory of 1444	2916	WScript.exe	cmd.exe
PID 2916 wrote to memory of 1444	2916	WScript.exe	cmd.exe
PID 2916 wrote to memory of 3908	2916	WScript.exe	cmd.exe
PID 2916 wrote to memory of 3908	2916	WScript.exe	cmd.exe
PID 2916 wrote to memory of 3908	2916	WScript.exe	cmd.exe
PID 1444 wrote to memory of 1400	1444	cmd.exe	ipconfig.exe
PID 1444 wrote to memory of 1400	1444	cmd.exe	ipconfig.exe
PID 1444 wrote to memory of 1400	1444	cmd.exe	ipconfig.exe
PID 3908 wrote to memory of 1056	3908	cmd.exe	bexoqmp.msc
PID 3908 wrote to memory of 1056	3908	cmd.exe	bexoqmp.msc
PID 3908 wrote to memory of 1056	3908	cmd.exe	bexoqmp.msc
PID 1056 wrote to memory of 1036	1056	bexoqmp.msc	RegSvcs.exe
PID 1056 wrote to memory of 1036	1056	bexoqmp.msc	RegSvcs.exe
PID 1056 wrote to memory of 1036	1056	bexoqmp.msc	RegSvcs.exe
PID 1056 wrote to memory of 1036	1056	bexoqmp.msc	RegSvcs.exe
PID 1056 wrote to memory of 1036	1056	bexoqmp.msc	RegSvcs.exe
PID 2916 wrote to memory of 800	2916	WScript.exe	cmd.exe
PID 2916 wrote to memory of 800	2916	WScript.exe	cmd.exe
PID 2916 wrote to memory of 800	2916	WScript.exe	cmd.exe
PID 800 wrote to memory of 2256	800	cmd.exe	ipconfig.exe
PID 800 wrote to memory of 2256	800	cmd.exe	ipconfig.exe
PID 800 wrote to memory of 2256	800	cmd.exe	ipconfig.exe
PID 1036 wrote to memory of 1788	1036	RegSvcs.exe	cmd.exe
PID 1036 wrote to memory of 1788	1036	RegSvcs.exe	cmd.exe
PID 1036 wrote to memory of 1788	1036	RegSvcs.exe	cmd.exe
PID 1788 wrote to memory of 3476	1788	cmd.exe	chcp.com
PID 1788 wrote to memory of 3476	1788	cmd.exe	chcp.com
PID 1788 wrote to memory of 3476	1788	cmd.exe	chcp.com
PID 1788 wrote to memory of 2632	1788	cmd.exe	netsh.exe
PID 1788 wrote to memory of 2632	1788	cmd.exe	netsh.exe
PID 1788 wrote to memory of 2632	1788	cmd.exe	netsh.exe
PID 1788 wrote to memory of 4848	1788	cmd.exe	findstr.exe
PID 1788 wrote to memory of 4848	1788	cmd.exe	findstr.exe
PID 1788 wrote to memory of 4848	1788	cmd.exe	findstr.exe
PID 1036 wrote to memory of 1372	1036	RegSvcs.exe	cmd.exe
PID 1036 wrote to memory of 1372	1036	RegSvcs.exe	cmd.exe
PID 1036 wrote to memory of 1372	1036	RegSvcs.exe	cmd.exe
PID 1372 wrote to memory of 1864	1372	cmd.exe	chcp.com
PID 1372 wrote to memory of 1864	1372	cmd.exe	chcp.com
PID 1372 wrote to memory of 1864	1372	cmd.exe	chcp.com
PID 1372 wrote to memory of 712	1372	cmd.exe	netsh.exe
PID 1372 wrote to memory of 712	1372	cmd.exe	netsh.exe
PID 1372 wrote to memory of 712	1372	cmd.exe	netsh.exe

C:\Users\Admin\AppData\Local\Temp\8ec50ee4a15519c0be0d0f8f65f9d8d4f13a98e6b72c9e0eeabc4d984524d213.exe
"C:\Users\Admin\AppData\Local\Temp\8ec50ee4a15519c0be0d0f8f65f9d8d4f13a98e6b72c9e0eeabc4d984524d213.exe"
1⤵
- Checks computer location settings
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:1792

C:\Windows\SysWOW64\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\RarSFX0\drcb.vbe"
2⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:2916

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /c ipconfig /release
3⤵
- Suspicious use of WriteProcessMemory
PID:1444

C:\Windows\SysWOW64\ipconfig.exe
ipconfig /release
4⤵
- Gathers network information
PID:1400

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /c bexoqmp.msc upowiq.pdf
3⤵
- Suspicious use of WriteProcessMemory
PID:3908

C:\Users\Admin\AppData\Local\Temp\RarSFX0\bexoqmp.msc
bexoqmp.msc upowiq.pdf
4⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:1056

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"
5⤵
- Drops desktop.ini file(s)
- Checks processor information in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1036

C:\Windows\SysWOW64\cmd.exe
"cmd.exe" /C chcp 65001 && netsh wlan show profile | findstr All
6⤵
- Suspicious use of WriteProcessMemory
PID:1788

C:\Windows\SysWOW64\chcp.com
chcp 65001
7⤵
PID:3476

C:\Windows\SysWOW64\netsh.exe
netsh wlan show profile
7⤵
PID:2632

C:\Windows\SysWOW64\findstr.exe
findstr All
7⤵
PID:4848

C:\Windows\SysWOW64\cmd.exe
"cmd.exe" /C chcp 65001 && netsh wlan show networks mode=bssid
6⤵
- Suspicious use of WriteProcessMemory
PID:1372

C:\Windows\SysWOW64\chcp.com
chcp 65001
7⤵
PID:1864

C:\Windows\SysWOW64\netsh.exe
netsh wlan show networks mode=bssid
7⤵
PID:712

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /c ipconfig /renew
3⤵
- Suspicious use of WriteProcessMemory
PID:800

C:\Windows\SysWOW64\ipconfig.exe
ipconfig /renew
4⤵
- Gathers network information
PID:2256

Network

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Command and Scripting Interpreter

1

T1059

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

2

T1012

System Information Discovery

4

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\8141045e2d3d9c3700feea48781b82ee\Admin@QUBJEIMO_en-US\System\Process.txt
Filesize
4KB

MD5
ec49c0e413361db687eb39937dcb7cb8

SHA1
467f4b59b820567c1d70eaa5ba0d3d9dd8440744

SHA256
1f750037120f248cc27ae29db9a1b15762ca93f56f4782728eb0daa1662de741

SHA512
99ec16e13402a1b07bdeb39d858b29dcbfce32f22a153b4b724f07133495a5407623d6873811125fb28f07a13ac197df7255d1d1ceed3e5c580215033fac58ac

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX0\MKBSLO~1.KXN
Filesize
292KB

MD5
042b73b18e96dd8e5848507d7ac60ddc

SHA1
cc789c7fca70c7a2cb3666a4c691cfafa74f3cb2

SHA256
d5f12fabd9bab67d33cf3e26a325c7f720dc9d58b505605c5b17a2e26b7b7437

SHA512
8c9bd44c14960f587abc387fe817be479e02c2b7c503b849d441101f2f248460d0452040f646c1832b19a5690db47b43687250e295835abe7cee4900f0768969

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX0\bexoqmp.msc
Filesize
925KB

MD5
0adb9b817f1df7807576c2d7068dd931

SHA1
4a1b94a9a5113106f40cd8ea724703734d15f118

SHA256
98e4f904f7de1644e519d09371b8afcbbf40ff3bd56d76ce4df48479a4ab884b

SHA512
883aa88f2dba4214bb534fbdaf69712127357a3d0f5666667525db3c1fa351598f067068dfc9e7c7a45fed4248d7dca729ba4f75764341e47048429f9ca8846a

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX0\drcb.vbe
Filesize
90KB

MD5
6a617caaf126d1fc7fc4bdf3e8ec468d

SHA1
d7ee54ed66d134f30047679cf8cb7a99d53a8b28

SHA256
6684b536afdfdae359cc0dedd597430b55c647803ac2485d3897f1000414925e

SHA512
4a1823a53dd23df0cabb144e4acc2c4b0b8510999af43900ef3ef80c1521a81bd55578bb730d53170e5b69c396ecdc33caea4181e078127c84e6fd1650a3377e

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX0\rvci.mp2
Filesize
40KB

MD5
2041cdd68756274146293b51ec9bd2f6

SHA1
778868d05718d5fbb9626de0d297aea970ef931d

SHA256
a3070e606fc55fb4d38aa827e94c81ea7d557a1fc4569d26dd10f83664a655ca

SHA512
e56b2bf6dc55fabf9c3b978abcee43491ad3b4270d4d9baec39b0ee1f39fa3aee19b688aafb375741e455a501284464ce6734bb399f6e8b812c3994b64c6bc97

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX0\upowiq.pdf
Filesize
73.4MB

MD5
07928a871521cd820875966bbaeb1fe9

SHA1
b9c1586bdc3fde0d3d04d89677ec77ebf82b529b

SHA256
592653e529707ee392aeb412f50920fe62575fc41875039d9cd15de45dfe9623

SHA512
fc2bb009a275640484a2198560a78382df35b0841b3ad86c5fecf211078dd8e4abbe3a5d3ac636dc4c6630f130ba83d61647c1e801679f5ed2e32e31d416e383

Download Submit
C:\Users\Admin\AppData\Local\c6940476c219e6add8b8f1f718134d01\msgid.dat
Filesize
4B

MD5
5d79099fcdf499f12b79770834c0164a

SHA1
a0a82ebdd4a855c999b56ce855a244a672dcafff

SHA256
c2f61742e5f0ef0a74c5fcbeff7ff659def91bf4b5f1e175943a0b075c82058b

SHA512
06cfa49342a41a510897626740a154bf5fb3afdad66cc778c619a15326905de12f0c945d8ba58d00e696b9860ce54952ef0768823a6ef4a1804fe1f035086fa9

Download Submit
memory/1036-67-0x0000000000BB0000-0x0000000001BB0000-memory.dmp

Filesize
16.0MB

Download
memory/1036-70-0x0000000011740000-0x0000000011750000-memory.dmp

Filesize
64KB

Download
memory/1036-71-0x0000000011900000-0x0000000011966000-memory.dmp

Filesize
408KB

Download
memory/1036-68-0x0000000000BB0000-0x0000000000BE0000-memory.dmp

Filesize
192KB

Download
memory/1036-242-0x0000000011740000-0x0000000011750000-memory.dmp

Filesize
64KB

Download
memory/1036-244-0x0000000012260000-0x00000000122F2000-memory.dmp

Filesize
584KB

Download
memory/1036-245-0x00000000128B0000-0x0000000012E54000-memory.dmp

Filesize
5.6MB

Download
memory/1036-249-0x0000000012380000-0x000000001238A000-memory.dmp

Filesize
40KB

Download
memory/1036-250-0x0000000072610000-0x0000000072DC0000-memory.dmp

Filesize
7.7MB

Download
memory/1036-69-0x0000000072610000-0x0000000072DC0000-memory.dmp

Filesize
7.7MB

Download
memory/1036-256-0x00000000123D0000-0x00000000123E2000-memory.dmp

Filesize
72KB

Download
memory/1036-279-0x0000000011740000-0x0000000011750000-memory.dmp

Filesize
64KB

Download
memory/1036-281-0x0000000011740000-0x0000000011750000-memory.dmp

Filesize
64KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v13

Replay Monitor

Loading Replay Monitor...

Downloads