Analysis
- max time kernel: 146s
- max time network: 132s
- platform: windows10-2004_x64
- resource: win10v2004-20240412-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20240412-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 22-04-2024 12:44
Behavioral task: behavioral1
- Sample: rockstar checker.exe
- Resource: win7-20240221-en
General
- Target: rockstar checker.exe
- Size: 170KB
- MD5: 1228851106e9f2178b56e9985014e243
- SHA1: 5e3a4575bdaf68735c86c97a2df65624dfc999fb
- SHA256: e49259a6849bb633e25fae724da3ccfadfa710a7b19f59db18a24b8207e9c319
- SHA512: 678d9982b410a535d3ea0c128ddafe2fd391759b0b6aa39ea101b9d1d66aad30089ea3c77ba63e81cf4b100d2ce14bb7aa85a1c74a97ca5aed478bcbc8495e69
- SSDEEP: 3072:++STW8djpN6izj8mZwdJqutB+YDpqIPu/i9bVK2cJak6+Wp7:j8XN6W8mmHPtppXPSi9b4na
Malware Config
Extracted family: asyncrat
- Default
- 127.0.0.1:6606
- 127.0.0.1:7707
- 127.0.0.1:8808
- https://api.telegram.org/bot5236702741:AAEYl0F5uVbja0ncy0sx9vJHGvygeGhNV9M/sendMessage?chat_id=775796924
- Mutex: AsyncMutex_6SI8OkPnk
- delay: 3
- install: false
- install_folder: %AppData%
Signatures
StormKitty
StormKitty is an open source info stealer written in C#.
StormKitty payload (1 IoC)
- resource: behavioral2/memory/1408-0-0x00000000001D0000-0x0000000000200000-memory.dmp
- yara_rule: family_stormkitty
Reads user/profile data of web browsers (2 TTPs)
Infostealers often target stored browser data, which can include saved credentials etc.
Drops desktop.ini file(s) (8 IoCs)
Process: rockstar checker.exe
- File created: C:\Users\Admin\AppData\Local\8e8b39338da1916c52b7f40aaa9b9d28\Admin@JESBHZTW_en-US\Grabber\DRIVE-C\Users\Admin\Documents\desktop.ini
- File created: C:\Users\Admin\AppData\Local\8e8b39338da1916c52b7f40aaa9b9d28\Admin@JESBHZTW_en-US\Grabber\DRIVE-C\Users\Admin\Desktop\desktop.ini
- File opened for modification: C:\Users\Admin\AppData\Local\8e8b39338da1916c52b7f40aaa9b9d28\Admin@JESBHZTW_en-US\Grabber\DRIVE-C\Users\Admin\Documents\desktop.ini
- File opened for modification: C:\Users\Admin\AppData\Local\8e8b39338da1916c52b7f40aaa9b9d28\Admin@JESBHZTW_en-US\Grabber\DRIVE-C\Users\Admin\Desktop\desktop.ini
- File created: C:\Users\Admin\AppData\Local\8e8b39338da1916c52b7f40aaa9b9d28\Admin@JESBHZTW_en-US\Grabber\DRIVE-C\Users\Admin\Downloads\desktop.ini
- File created: C:\Users\Admin\AppData\Local\8e8b39338da1916c52b7f40aaa9b9d28\Admin@JESBHZTW_en-US\Grabber\DRIVE-C\Users\Admin\Pictures\desktop.ini
- File created: C:\Users\Admin\AppData\Local\8e8b39338da1916c52b7f40aaa9b9d28\Admin@JESBHZTW_en-US\Grabber\DRIVE-C\Users\Admin\Pictures\Camera Roll\desktop.ini
- File created: C:\Users\Admin\AppData\Local\8e8b39338da1916c52b7f40aaa9b9d28\Admin@JESBHZTW_en-US\Grabber\DRIVE-C\Users\Admin\Pictures\Saved Pictures\desktop.ini
Looks up external IP address via web service (1 IoC)
Uses a legitimate IP lookup service to find the infected system's external IP.
- flow 40: icanhazip.com
Looks up geolocation information via web service
Uses a legitimate geolocation service to find the infected system's geolocation info.
Checks processor information in registry (2 TTPs, 2 IoCs)
Processor information is often read in order to detect sandboxing environments.
Process: rockstar checker.exe
- Key opened: \REGISTRY\MACHINE\HARDWARE\Description\System\CentralProcessor\0
- Key value queried: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier
Suspicious behavior: EnumeratesProcesses (25 IoCs)
- pid 1408 rockstar checker.exe (the same process is reported for all 25 events)
Suspicious use of AdjustPrivilegeToken (1 IoC)
- Token: SeDebugPrivilege, pid 1408 rockstar checker.exe
Suspicious use of WriteProcessMemory (21 IoCs)
Processes: rockstar checker.exe, cmd.exe, cmd.exe
Each parent/target pair below is reported three times:
- PID 1408 rockstar checker.exe wrote to memory of 940 cmd.exe
- PID 940 cmd.exe wrote to memory of 1256 chcp.com
- PID 940 cmd.exe wrote to memory of 3800 netsh.exe
- PID 940 cmd.exe wrote to memory of 4948 findstr.exe
- PID 1408 rockstar checker.exe wrote to memory of 2700 cmd.exe
- PID 2700 cmd.exe wrote to memory of 4704 chcp.com
- PID 2700 cmd.exe wrote to memory of 212 netsh.exe
Processes
- C:\Users\Admin\AppData\Local\Temp\rockstar checker.exe
  command line: "C:\Users\Admin\AppData\Local\Temp\rockstar checker.exe"
  - Drops desktop.ini file(s)
  - Checks processor information in registry
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  - C:\Windows\SysWOW64\cmd.exe
    command line: "cmd.exe" /C chcp 65001 && netsh wlan show profile | findstr All
    - Suspicious use of WriteProcessMemory
    - C:\Windows\SysWOW64\chcp.com
      command line: chcp 65001
    - C:\Windows\SysWOW64\netsh.exe
      command line: netsh wlan show profile
    - C:\Windows\SysWOW64\findstr.exe
      command line: findstr All
  - C:\Windows\SysWOW64\cmd.exe
    command line: "cmd.exe" /C chcp 65001 && netsh wlan show networks mode=bssid
    - Suspicious use of WriteProcessMemory
    - C:\Windows\SysWOW64\chcp.com
      command line: chcp 65001
    - C:\Windows\SysWOW64\netsh.exe
      command line: netsh wlan show networks mode=bssid
MITRE ATT&CK Matrix (ATT&CK v13)
Downloads
- C:\Users\Admin\AppData\Local\8e8b39338da1916c52b7f40aaa9b9d28\Admin@JESBHZTW_en-US\Browsers\Firefox\Bookmarks.txt
  Filesize: 105B
  MD5: 2e9d094dda5cdc3ce6519f75943a4ff4
  SHA1: 5d989b4ac8b699781681fe75ed9ef98191a5096c
  SHA256: c84c98bbf5e0ef9c8d0708b5d60c5bb656b7d6be5135d7f7a8d25557e08cf142
  SHA512: d1f7eed00959e902bdb2125b91721460d3ff99f3bdfc1f2a343d4f58e8d4e5e5a06c0c6cdc0379211c94510f7c00d7a8b34fa7d0ca0c3d54cbbe878f1e9812b7
- C:\Users\Admin\AppData\Local\8e8b39338da1916c52b7f40aaa9b9d28\Admin@JESBHZTW_en-US\System\Process.txt
  Filesize: 4KB
  MD5: d14ffcabfabd2d512d97983a26cfcd89
  SHA1: d02dca45b6df8777b98ed7a92e55547ba44eeeed
  SHA256: 57bf24b4d86e5353316e54f7ee77a94d2ba713aa7be14339d12d66c9d085d091
  SHA512: e09f6741004ef3e5842c203fa2a83c6b3262b5b8df516abfebd7e0cbca7457087f0f3c477dfe8aa469270676b2d682a79a7b566afb030066847aaf5b47ee0e8e
- C:\Users\Admin\AppData\Local\de73380e6b8b17d5c65a360cbd97ee57\msgid.dat
  Filesize: 6B
  MD5: 15423a1d5823fc4fc4324db91cbd8b2a
  SHA1: 1f71426c883488513dfb91308bff0d95138ed94c
  SHA256: f1706381c872f468a54aebc0cdea63a898d3ed5ba58a336b855655e84c53f6e9
  SHA512: 91c0e0cd27b15ac2c3e65385e1c75577a9ef4e7516c14eeca4e10949f2158975381afe9b557036777b49ebdb126872d6b0fd32f438c2b8e913b192230ab173a4

Memory dumps (pid 1408):
- memory/1408-152-0x0000000004CC0000-0x0000000004CD0000-memory.dmp (64KB)
- memory/1408-3-0x0000000004B60000-0x0000000004BC6000-memory.dmp (408KB)
- memory/1408-2-0x0000000004CC0000-0x0000000004CD0000-memory.dmp (64KB)
- memory/1408-0-0x00000000001D0000-0x0000000000200000-memory.dmp (192KB)
- memory/1408-154-0x00000000056F0000-0x0000000005782000-memory.dmp (584KB)
- memory/1408-155-0x0000000005D40000-0x00000000062E4000-memory.dmp (5.6MB)
- memory/1408-159-0x00000000057F0000-0x00000000057FA000-memory.dmp (40KB)
- memory/1408-1-0x0000000075020000-0x00000000757D0000-memory.dmp (7.7MB)
- memory/1408-165-0x0000000005880000-0x0000000005892000-memory.dmp (72KB)
- memory/1408-190-0x0000000075020000-0x00000000757D0000-memory.dmp (7.7MB)
- memory/1408-191-0x0000000004CC0000-0x0000000004CD0000-memory.dmp (64KB)
- memory/1408-192-0x0000000004CC0000-0x0000000004CD0000-memory.dmp (64KB)