Analysis

  • max time kernel
    93s
  • max time network
    80s
  • platform
    windows10-1703_x64
  • resource
    win10-20240404-fr
  • resource tags
    arch:x64, arch:x86, image:win10-20240404-fr, locale:fr-fr, os:windows10-1703-x64, system, windows
  • submitted
    27-04-2024 11:57

General

  • Target
    Paid Combo Tools/Paid combo Tools.exe
  • Size
    1.3MB
  • MD5
    805ecd51386773aeec776cf15d78ef0f
  • SHA1
    d16204be4bfda5563ccf2aed038a8c11826a2119
  • SHA256
    105b24a1aff3552fd265ed4fc5af8c0266fd7d31a81b3033120020a62304e604
  • SHA512
    47cac5f76e2a20ec14cf8dac56247816ee019106ceceb5a977805c7d8bb3cb3f8eb0c57981483094adcc4da9281d05a3403a1092e26265c5ef991effafae29ee
  • SSDEEP
    24576:XveKmWCVMoQ3x99e/xz5DokDsIeKmWCVMoQ3x99e/xz5DokDseEKmeKmWCVMoQ3G:XvjFF3x9k/x5kkDDjFF3x9k/x5kkDiKv

Malware Config

Extracted

  • Family
    asyncrat
  • Botnet
    Default
  • C2
    127.0.0.1:6606
    127.0.0.1:7707
    127.0.0.1:8808
    https://api.telegram.org/bot6003478563:AAG3aliPXpD1ZldBFn1R2thp1ARU2PprMtU/sendMessage?chat_id=6052812018
  • Mutex
    AsyncMutex_6SI8OkPnk
  • Attributes
    delay: 3
    install: false
    install_folder: %AppData%
  • aes.plain

Signatures

  • AsyncRat

    AsyncRAT is a remote access trojan written in C#, designed to remotely monitor and control other computers.

  • StormKitty

    StormKitty is an open source info stealer written in C#.

  • StormKitty payload 2 IoCs
  • Async RAT payload 1 IoCs
  • Executes dropped EXE 2 IoCs
  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

  • Drops desktop.ini file(s) 8 IoCs
  • Looks up external IP address via web service 1 IoCs

    Uses a legitimate IP lookup service to find the infected system's external IP.

  • Looks up geolocation information via web service

    Uses a legitimate geolocation service to find the infected system's geolocation info.

  • Drops file in Program Files directory 2 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Program crash 1 IoCs
  • Checks processor information in registry 2 TTPs 2 IoCs

    Processor information is often read in order to detect sandboxing environments.

  • Creates scheduled task(s) 1 TTPs 1 IoCs

    Schtasks is often used by malware for persistence or to perform post-infection execution.

  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious use of AdjustPrivilegeToken 2 IoCs
  • Suspicious use of WriteProcessMemory 30 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\Paid Combo Tools\Paid combo Tools.exe
    "C:\Users\Admin\AppData\Local\Temp\Paid Combo Tools\Paid combo Tools.exe"
    1⤵
    • Drops file in Program Files directory
    • Suspicious use of WriteProcessMemory
    PID:1688
    • C:\Program Files (x86)\COMBO LIST TOOLS.EXE
      "C:\Program Files (x86)\COMBO LIST TOOLS.EXE"
      2⤵
      • Executes dropped EXE
      PID:4148
      • C:\Windows\SysWOW64\WerFault.exe
        C:\Windows\SysWOW64\WerFault.exe -u -p 4148 -s 900
        3⤵
        • Program crash
        PID:2824
    • C:\Program Files (x86)\PRIVATE CHECKER.EXE
      "C:\Program Files (x86)\PRIVATE CHECKER.EXE"
      2⤵
      • Executes dropped EXE
      • Drops desktop.ini file(s)
      • Checks processor information in registry
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:60
      • C:\Windows\SysWOW64\cmd.exe
        "cmd.exe" /C chcp 65001 && netsh wlan show profile | findstr All
        3⤵
        • Suspicious use of WriteProcessMemory
        PID:4604
        • C:\Windows\SysWOW64\chcp.com
          chcp 65001
          4⤵
          PID:5104
        • C:\Windows\SysWOW64\netsh.exe
          netsh wlan show profile
          4⤵
          PID:2116
        • C:\Windows\SysWOW64\findstr.exe
          findstr All
          4⤵
          PID:3720
      • C:\Windows\SysWOW64\cmd.exe
        "cmd.exe" /C chcp 65001 && netsh wlan show networks mode=bssid
        3⤵
        • Suspicious use of WriteProcessMemory
        PID:8
        • C:\Windows\SysWOW64\chcp.com
          chcp 65001
          4⤵
          PID:3584
        • C:\Windows\SysWOW64\netsh.exe
          netsh wlan show networks mode=bssid
          4⤵
          PID:2840
      • C:\Windows\SysWOW64\schtasks.exe
        "C:\Windows\System32\schtasks.exe" /create /f /sc ONLOGON /RL HIGHEST /tn "Chrome Update" /tr "C:\Program Files (x86)\PRIVATE CHECKER.EXE"
        3⤵
        • Creates scheduled task(s)
        PID:316

Network

MITRE ATT&CK Matrix ATT&CK v13

  • Execution
    Scheduled Task/Job (1) T1053
  • Persistence
    Scheduled Task/Job (1) T1053
  • Privilege Escalation
    Scheduled Task/Job (1) T1053
  • Credential Access
    Unsecured Credentials (1) T1552
    Credentials In Files (1) T1552.001
  • Discovery
    System Information Discovery (2) T1082
    Query Registry (1) T1012
  • Collection
    Data from Local System (1) T1005
Downloads

  • C:\Program Files (x86)\COMBO LIST TOOLS.EXE
    Filesize: 825KB
    MD5: de1c74b3096e1c1bf7373dd88afa9acf
    SHA1: 6bd8f04e8f1594802e298ac57d55d5bf3787e8f8
    SHA256: c4986d1e40fbf336e46fb9b70cf05befa222f04c27b406435a110d16e3c17836
    SHA512: dcb37164782e91568763ba5822233c42c21c4ff3822f944f2027f91732cd205ccfac8d3ea4e4ab9d79c7994c0adf61c0c3a9cf55d1687a3aec39e00dd3b554bf
  • C:\Program Files (x86)\PRIVATE CHECKER.EXE
    Filesize: 175KB
    MD5: 7f4680b1d2a029e070ed7418660c459b
    SHA1: d0c77596dd6cd21e0953c058b7dc78ed6d292fbf
    SHA256: f802ffd8e77365dcd2e55b567f10513a98e3117b6601fd1a48b41572ece82f3f
    SHA512: 56e70beb5721ecbb15e4551078940b8e94d0fc7658236f874051e2383a656f6b3d48b87aa74879d35bc6f1878c860035acd11f4d3df2fd1afebd7a583eb9ab04
  • C:\Users\Admin\AppData\Local\36b92c1256e7a9c357f976cd41710ed5\Admin@NDTNZVHN_fr-FR\System\Process.txt
    Filesize: 4KB
    MD5: 6d0d0799b8b15f71c97757224e912752
    SHA1: 2a93f292ebf38b68217c78beb2d180b8f5d1b780
    SHA256: bdfe7553ff0b38a1f8a4a6bddd38ce84e13b663c9d8b919e3cfcd956a37bc0f4
    SHA512: 43ac95a97ce486978b3c3945392e09c135ff7d6b5f6e6169bcdbe2158790a78e322ea481bb2998c4121e512ee8cf4ab97dc77bd38d903350776eb82c7c134c91
  • C:\Users\Admin\AppData\Local\8b741d72f02884d5db39d33a5fbf3fcd\msgid.dat
    Filesize: 6B
    MD5: 58aa19b2723cd2f486a0d2f2f065b176
    SHA1: 52e9f3502a3af8e746b79fad539ce5cf28727b7f
    SHA256: 8759256b1d0538b15f10ea0b1e8539f08806b18ffa91fc1c9cacf07c1cb93dc8
    SHA512: 5f927dbf3dc5f6610524a7510e232c4598aba0c5951514fdbfb3b0245e5248b5e93920fe6b7f84adb1e058fc00df761718731b763f84e09f3ebd19aabc8ed6e1
  • memory/60-18-0x0000000005390000-0x0000000005422000-memory.dmp
    Filesize: 584KB
  • memory/60-61-0x0000000005CA0000-0x0000000005CE2000-memory.dmp
    Filesize: 264KB
  • memory/60-177-0x0000000004AE0000-0x0000000004AF0000-memory.dmp
    Filesize: 64KB
  • memory/60-176-0x0000000073E50000-0x000000007453E000-memory.dmp
    Filesize: 6.9MB
  • memory/60-16-0x0000000004AE0000-0x0000000004AF0000-memory.dmp
    Filesize: 64KB
  • memory/60-174-0x0000000007450000-0x000000000745A000-memory.dmp
    Filesize: 40KB
  • memory/60-12-0x0000000073E50000-0x000000007453E000-memory.dmp
    Filesize: 6.9MB
  • memory/60-13-0x0000000004AF0000-0x0000000004B56000-memory.dmp
    Filesize: 408KB
  • memory/60-149-0x0000000006710000-0x0000000006722000-memory.dmp
    Filesize: 72KB
  • memory/60-143-0x0000000005E50000-0x0000000005E5A000-memory.dmp
    Filesize: 40KB
  • memory/60-11-0x00000000002A0000-0x00000000002D2000-memory.dmp
    Filesize: 200KB
  • memory/4148-10-0x00000000002D0000-0x00000000003A4000-memory.dmp
    Filesize: 848KB
  • memory/4148-17-0x00000000058D0000-0x00000000059D2000-memory.dmp
    Filesize: 1.0MB
  • memory/4148-175-0x0000000073E50000-0x000000007453E000-memory.dmp
    Filesize: 6.9MB
  • memory/4148-15-0x0000000073E50000-0x000000007453E000-memory.dmp
    Filesize: 6.9MB
  • memory/4148-14-0x00000000051C0000-0x00000000056BE000-memory.dmp
    Filesize: 5.0MB