Overview

overview

10

Static

static

10

rockstar checker.exe

windows7-x64

10

rockstar checker.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    146s
  • max time network
    132s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240412-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20240412-enlocale:en-usos:windows10-2004-x64system
  • submitted
    22-04-2024 12:44

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    rockstar checker.exe

  • Size

    170KB

  • MD5

    1228851106e9f2178b56e9985014e243

  • SHA1

    5e3a4575bdaf68735c86c97a2df65624dfc999fb

  • SHA256

    e49259a6849bb633e25fae724da3ccfadfa710a7b19f59db18a24b8207e9c319

  • SHA512

    678d9982b410a535d3ea0c128ddafe2fd391759b0b6aa39ea101b9d1d66aad30089ea3c77ba63e81cf4b100d2ce14bb7aa85a1c74a97ca5aed478bcbc8495e69

  • SSDEEP

    3072:++STW8djpN6izj8mZwdJqutB+YDpqIPu/i9bVK2cJak6+Wp7:j8XN6W8mmHPtppXPSi9b4na

Score
10/10
asyncratstormkittydefaultratspywarestealer

Malware Config

Extracted

Family

asyncrat

Botnet

Default

C2

127.0.0.1:6606

127.0.0.1:7707

127.0.0.1:8808

https://api.telegram.org/bot5236702741:AAEYl0F5uVbja0ncy0sx9vJHGvygeGhNV9M/sendMessage?chat_id=775796924
Mutex

AsyncMutex_6SI8OkPnk

Attributes
  • delay

    3

  • install

    false

  • install_folder

    %AppData%

aes.plain

Signatures

  • AsyncRat

    AsyncRAT is designed to remotely monitor and control other computers written in C#.

    ratasyncrat
  • StormKitty

    StormKitty is an open source info stealer written in C#.

    stealerstormkitty
  • StormKitty payload 1 IoCs
  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

    spywarestealer
  • Drops desktop.ini file(s) 8 IoCs
  • Looks up external IP address via web service 1 IoCs

    Uses a legitimate IP lookup service to find the infected system's external IP.

  • Looks up geolocation information via web service

    Uses a legitimate geolocation service to find the infected system's geolocation info.

  • Checks processor information in registry 2 TTPs 2 IoCs

    Processor information is often read in order to detect sandboxing environments.

  • Suspicious behavior: EnumeratesProcesses 25 IoCs
  • Suspicious use of AdjustPrivilegeToken 1 IoCs
  • Suspicious use of WriteProcessMemory 21 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\rockstar checker.exe
    "C:\Users\Admin\AppData\Local\Temp\rockstar checker.exe"
    1⤵
    • Drops desktop.ini file(s)
    • Checks processor information in registry
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:1408
    • C:\Windows\SysWOW64\cmd.exe
      "cmd.exe" /C chcp 65001 && netsh wlan show profile | findstr All
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:940
      • C:\Windows\SysWOW64\chcp.com
        chcp 65001
        3⤵
          PID:1256
        • C:\Windows\SysWOW64\netsh.exe
          netsh wlan show profile
          3⤵
            PID:3800
          • C:\Windows\SysWOW64\findstr.exe
            findstr All
            3⤵
              PID:4948
          • C:\Windows\SysWOW64\cmd.exe
            "cmd.exe" /C chcp 65001 && netsh wlan show networks mode=bssid
            2⤵
            • Suspicious use of WriteProcessMemory
            PID:2700
            • C:\Windows\SysWOW64\chcp.com
              chcp 65001
              3⤵
                PID:4704
              • C:\Windows\SysWOW64\netsh.exe
                netsh wlan show networks mode=bssid
                3⤵
                  PID:212

            Network

            MITRE ATT&CK Matrix ATT&CK v13

            Initial Access

            Execution

            Persistence

            Privilege Escalation

            Defense Evasion

            Credential Access

            Unsecured Credentials

            1
            T1552

            Credentials In Files

            1
            T1552.001

            Discovery

            Query Registry

            1
            T1012

            System Information Discovery

            1
            T1082

            Lateral Movement

            Collection

            Data from Local System

            1
            T1005

            Exfiltration

            Command and Control

            Impact

            Resource Development

            Reconnaissance

            Replay Monitor

            Loading Replay Monitor...

            Downloads

            • C:\Users\Admin\AppData\Local\8e8b39338da1916c52b7f40aaa9b9d28\Admin@JESBHZTW_en-US\Browsers\Firefox\Bookmarks.txt
              Filesize

              105B

              MD5

              2e9d094dda5cdc3ce6519f75943a4ff4

              SHA1

              5d989b4ac8b699781681fe75ed9ef98191a5096c

              SHA256

              c84c98bbf5e0ef9c8d0708b5d60c5bb656b7d6be5135d7f7a8d25557e08cf142

              SHA512

              d1f7eed00959e902bdb2125b91721460d3ff99f3bdfc1f2a343d4f58e8d4e5e5a06c0c6cdc0379211c94510f7c00d7a8b34fa7d0ca0c3d54cbbe878f1e9812b7

              Download Submit
            • C:\Users\Admin\AppData\Local\8e8b39338da1916c52b7f40aaa9b9d28\Admin@JESBHZTW_en-US\System\Process.txt
              Filesize

              4KB

              MD5

              d14ffcabfabd2d512d97983a26cfcd89

              SHA1

              d02dca45b6df8777b98ed7a92e55547ba44eeeed

              SHA256

              57bf24b4d86e5353316e54f7ee77a94d2ba713aa7be14339d12d66c9d085d091

              SHA512

              e09f6741004ef3e5842c203fa2a83c6b3262b5b8df516abfebd7e0cbca7457087f0f3c477dfe8aa469270676b2d682a79a7b566afb030066847aaf5b47ee0e8e

              Download Submit
            • C:\Users\Admin\AppData\Local\de73380e6b8b17d5c65a360cbd97ee57\msgid.dat
              Filesize

              6B

              MD5

              15423a1d5823fc4fc4324db91cbd8b2a

              SHA1

              1f71426c883488513dfb91308bff0d95138ed94c

              SHA256

              f1706381c872f468a54aebc0cdea63a898d3ed5ba58a336b855655e84c53f6e9

              SHA512

              91c0e0cd27b15ac2c3e65385e1c75577a9ef4e7516c14eeca4e10949f2158975381afe9b557036777b49ebdb126872d6b0fd32f438c2b8e913b192230ab173a4

              Download Submit
            • memory/1408-152-0x0000000004CC0000-0x0000000004CD0000-memory.dmp
              Filesize

              64KB

              Download
            • memory/1408-3-0x0000000004B60000-0x0000000004BC6000-memory.dmp
              Filesize

              408KB

              Download
            • memory/1408-2-0x0000000004CC0000-0x0000000004CD0000-memory.dmp
              Filesize

              64KB

              Download
            • memory/1408-0-0x00000000001D0000-0x0000000000200000-memory.dmp
              Filesize

              192KB

              Download
            • memory/1408-154-0x00000000056F0000-0x0000000005782000-memory.dmp
              Filesize

              584KB

              Download
            • memory/1408-155-0x0000000005D40000-0x00000000062E4000-memory.dmp
              Filesize

              5.6MB

              Download
            • memory/1408-159-0x00000000057F0000-0x00000000057FA000-memory.dmp
              Filesize

              40KB

              Download
            • memory/1408-1-0x0000000075020000-0x00000000757D0000-memory.dmp
              Filesize

              7.7MB

              Download
            • memory/1408-165-0x0000000005880000-0x0000000005892000-memory.dmp
              Filesize

              72KB

              Download
            • memory/1408-190-0x0000000075020000-0x00000000757D0000-memory.dmp
              Filesize

              7.7MB

              Download
            • memory/1408-191-0x0000000004CC0000-0x0000000004CD0000-memory.dmp
              Filesize

              64KB

              Download
            • memory/1408-192-0x0000000004CC0000-0x0000000004CD0000-memory.dmp
              Filesize

              64KB

              Download