Malware Analysis Report

2024-09-22 23:58

Sample ID 240417-x2s8ssch41
Target ess.pif
SHA256 f66d125ed2d2267ac2de3b7290b0abfa9a1b4265d04ed872a4d96888888d5296
Tags
rat asyncrat stormkitty evasion spyware stealer
score
10/10

Analysis Overview

score
10/10

SHA256

f66d125ed2d2267ac2de3b7290b0abfa9a1b4265d04ed872a4d96888888d5296

Threat Level: Known bad

The file ess.pif was found to be: Known bad.

Malicious Activity Summary

rat asyncrat stormkitty evasion spyware stealer

StormKitty

Asyncrat family

Async RAT payload

AsyncRat

StormKitty payload

Sets file to hidden

Reads user/profile data of web browsers

Executes dropped EXE

Legitimate hosting services abused for malware hosting/C2

Unsigned PE

Enumerates physical storage devices

Views/modifies file attributes

Suspicious behavior: GetForegroundWindowSpam

Delays execution with timeout.exe

Suspicious use of WriteProcessMemory

Suspicious behavior: EnumeratesProcesses

Suspicious use of AdjustPrivilegeToken

MITRE ATT&CK Matrix V13

Analysis: static1

Detonation Overview

Reported

2024-04-17 19:21

Signatures

Async RAT payload

rat
Description              Indicator     Process                                                                       Target
N/A                      N/A           N/A                                                                           N/A

Asyncrat family

asyncrat

Unsigned PE

Description              Indicator     Process                                                                       Target
N/A                      N/A           N/A                                                                           N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-04-17 19:21

Reported

2024-04-17 19:25

Platform

win11-20240412-en

Max time kernel

194s

Max time network

210s

Command Line

"C:\Users\Admin\AppData\Local\Temp\ess.exe"

Signatures

AsyncRat

rat asyncrat

StormKitty

stealer stormkitty

StormKitty payload

Description              Indicator     Process                                                                       Target
N/A                      N/A           N/A                                                                           N/A

Async RAT payload

rat
Description              Indicator     Process                                                                       Target
N/A                      N/A           N/A                                                                           N/A
N/A                      N/A           N/A                                                                           N/A

Sets file to hidden

evasion
Description              Indicator     Process                                                                       Target
N/A                      N/A           C:\Windows\System32\attrib.exe                                                N/A
N/A                      N/A           C:\Windows\System32\attrib.exe                                                N/A

Executes dropped EXE

Description              Indicator     Process                                                                       Target
N/A                      N/A           C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\woah\$77woah.pif   N/A

Reads user/profile data of web browsers

spyware stealer

Legitimate hosting services abused for malware hosting/C2

Description              Indicator     Process                                                                       Target
N/A                      pastebin.com  N/A                                                                           N/A
N/A                      pastebin.com  N/A                                                                           N/A

Enumerates physical storage devices

Delays execution with timeout.exe

evasion
Description              Indicator     Process                                                                       Target
N/A                      N/A           C:\Windows\system32\timeout.exe                                               N/A

Suspicious behavior: GetForegroundWindowSpam

Description              Indicator     Process                                                                       Target
N/A                      N/A           C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\woah\$77woah.pif   N/A

Suspicious use of AdjustPrivilegeToken

Description              Indicator     Process                                                                       Target
Token: SeDebugPrivilege  N/A           C:\Users\Admin\AppData\Local\Temp\ess.exe                                     N/A
Token: SeDebugPrivilege  N/A           C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\woah\$77woah.pif   N/A

Views/modifies file attributes

evasion
Description              Indicator     Process                                                                       Target
N/A                      N/A           C:\Windows\System32\attrib.exe                                                N/A
N/A                      N/A           C:\Windows\System32\attrib.exe                                                N/A

Processes

C:\Users\Admin\AppData\Local\Temp\ess.exe

"C:\Users\Admin\AppData\Local\Temp\ess.exe"

C:\Windows\System32\attrib.exe

"C:\Windows\System32\attrib.exe" +s +h "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\woah"

C:\Windows\System32\attrib.exe

"C:\Windows\System32\attrib.exe" +s +h "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\woah\$77woah.pif"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\tmpB21A.tmp.bat""

C:\Windows\system32\timeout.exe

timeout 3

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\woah\$77woah.pif

"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\woah\$77woah.pif"

Network

Country  Destination            Domain            Proto
US       8.8.8.8:53             pastebin.com      udp
US       104.20.4.235:443       pastebin.com      tcp
US       162.212.154.8:41090    us1.localto.net   tcp
US       162.212.154.8:41090    us1.localto.net   tcp
US       162.212.154.8:41090    us1.localto.net   tcp
US       162.212.154.8:41090    us1.localto.net   tcp
US       162.212.154.8:41090    us1.localto.net   tcp

Files

memory/640-0-0x0000000000AF0000-0x0000000000B00000-memory.dmp

memory/640-1-0x00007FFEC3420000-0x00007FFEC3EE2000-memory.dmp

memory/640-2-0x00007FFEC3420000-0x00007FFEC3EE2000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\tmpB21A.tmp.bat

MD5 d0e49bce1b17ec0f634be98b1cb99a69
SHA1 617625f98f08174038d72b459dde6adb3d6a59b4
SHA256 cd8689f3241ea19125da6e3b99f2a6865abc677c6fa8e71b08dec0aea495ae27
SHA512 9fca0d14e2efc8c5cc7310ef3f9fc5c4f39c135fb8d2d5a0f6362aed20bc6b348bee57bb409fa1a097f52e542a4d79a9cd05f2e2c97be4e53e26b3be056d0595

memory/640-8-0x00007FFEC3420000-0x00007FFEC3EE2000-memory.dmp

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\woah\$77woah.pif

MD5 a657e08819360c2d09a02900c1340cc1
SHA1 009c944d9182e96a4d1a67f09dbe2edd0864b068
SHA256 f66d125ed2d2267ac2de3b7290b0abfa9a1b4265d04ed872a4d96888888d5296
SHA512 0ef5ddc58e4d30d4df2200b18ac66671fb223924011854242e0702b89b75c9d1fa54ef88d9a133309f0c20e021ebe1d39a6626172f6e37c73b356f349d4405d9

memory/5556-12-0x00007FFEC3420000-0x00007FFEC3EE2000-memory.dmp

memory/5556-13-0x0000000001830000-0x0000000001840000-memory.dmp

memory/5556-14-0x000000001CDD0000-0x000000001CDE0000-memory.dmp

memory/5556-15-0x00007FFEC3420000-0x00007FFEC3EE2000-memory.dmp

memory/5556-16-0x0000000001830000-0x0000000001840000-memory.dmp

memory/5556-17-0x0000000001820000-0x000000000182E000-memory.dmp

memory/5556-20-0x000000001C9D0000-0x000000001C9FA000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\tmp34D1.tmp.dat

MD5 8f5942354d3809f865f9767eddf51314
SHA1 20be11c0d42fc0cef53931ea9152b55082d1a11e
SHA256 776ecf8411b1b0167bea724409ac9d3f8479973df223ecc6e60e3302b3b2b8ea
SHA512 fde8dfae8a862cf106b0cb55e02d73e4e4c0527c744c20886681245c8160287f722612a6de9d0046ed1156b1771229c8950b9ac036b39c988d75aa20b7bac218

C:\Users\Admin\AppData\Local\Temp\tmp34D2.tmp.dat

MD5 14ccc9293153deacbb9a20ee8f6ff1b7
SHA1 46b4d7b004ff4f1f40ad9f107fe7c7e3abc9a9f3
SHA256 3195ce0f7aa2eae2b21c447f264e2bd4e1dc5208353ac72d964a750de9a83511
SHA512 916f2178be05dc329461d2739271972238b22052b5935883da31e6c98d2697bd2435c9f6a2d1fcafb4811a1d867c761055532669aac2ea1a3a78c346cdeba765