Malware Analysis Report

2024-09-22 23:57

Sample ID 240429-ntmxdahf44
Target ser.exe
SHA256 fb5035e26f908cf1de308fdac8db6fb751ac69357b9ab2445fdaf1765c86b366
Tags
asyncrat stormkitty default rat spyware stealer
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK Matrix

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

fb5035e26f908cf1de308fdac8db6fb751ac69357b9ab2445fdaf1765c86b366

Threat Level: Known bad

The file ser.exe was found to be: Known bad.

Malicious Activity Summary

asyncrat stormkitty default rat spyware stealer

StormKitty

StormKitty payload

AsyncRat

Async RAT payload

Reads user/profile data of web browsers

Legitimate hosting services abused for malware hosting/C2

Looks up geolocation information via web service

Looks up external IP address via web service

Drops desktop.ini file(s)

Unsigned PE

Checks processor information in registry

Suspicious behavior: EnumeratesProcesses

Suspicious use of AdjustPrivilegeToken

Suspicious use of WriteProcessMemory

MITRE ATT&CK Matrix V13

Analysis: static1

Detonation Overview

Reported

2024-04-29 11:41

Signatures

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-04-29 11:41

Reported

2024-04-29 11:44

Platform

win7-20240221-en

Max time kernel

117s

Max time network

118s

Command Line

"C:\Users\Admin\AppData\Local\Temp\ser.exe"

Signatures

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 1460 wrote to memory of 2932 N/A C:\Users\Admin\AppData\Local\Temp\ser.exe C:\Windows\system32\notepad.exe
PID 1460 wrote to memory of 2932 N/A C:\Users\Admin\AppData\Local\Temp\ser.exe C:\Windows\system32\notepad.exe
PID 1460 wrote to memory of 2932 N/A C:\Users\Admin\AppData\Local\Temp\ser.exe C:\Windows\system32\notepad.exe

Processes

C:\Users\Admin\AppData\Local\Temp\ser.exe

"C:\Users\Admin\AppData\Local\Temp\ser.exe"

C:\Windows\system32\notepad.exe

notepad.exe

Network

N/A

Files

N/A

Analysis: behavioral2

Detonation Overview

Submitted

2024-04-29 11:41

Reported

2024-04-29 11:44

Platform

win10v2004-20240426-en

Max time kernel

144s

Max time network

118s

Command Line

"C:\Users\Admin\AppData\Local\Temp\ser.exe"

Signatures

AsyncRat

rat asyncrat

StormKitty

stealer stormkitty

StormKitty payload

Description Indicator Process Target
N/A N/A N/A N/A

Async RAT payload

rat
Description Indicator Process Target
N/A N/A N/A N/A

Reads user/profile data of web browsers

spyware stealer

Drops desktop.ini file(s)

Description Indicator Process Target
File created C:\Users\Admin\AppData\Local\c0af4052649db16718fa9a022fee5e86\Admin@RHATQEDQ_en-US\Grabber\DRIVE-C\Users\Admin\Desktop\desktop.ini C:\Users\Admin\AppData\Local\Temp\ser.exe N/A
File opened for modification C:\Users\Admin\AppData\Local\c0af4052649db16718fa9a022fee5e86\Admin@RHATQEDQ_en-US\Grabber\DRIVE-C\Users\Admin\Desktop\desktop.ini C:\Users\Admin\AppData\Local\Temp\ser.exe N/A
File created C:\Users\Admin\AppData\Local\c0af4052649db16718fa9a022fee5e86\Admin@RHATQEDQ_en-US\Grabber\DRIVE-C\Users\Admin\Pictures\desktop.ini C:\Users\Admin\AppData\Local\Temp\ser.exe N/A
File created C:\Users\Admin\AppData\Local\c0af4052649db16718fa9a022fee5e86\Admin@RHATQEDQ_en-US\Grabber\DRIVE-C\Users\Admin\Pictures\Camera Roll\desktop.ini C:\Users\Admin\AppData\Local\Temp\ser.exe N/A
File created C:\Users\Admin\AppData\Local\c0af4052649db16718fa9a022fee5e86\Admin@RHATQEDQ_en-US\Grabber\DRIVE-C\Users\Admin\Downloads\desktop.ini C:\Users\Admin\AppData\Local\Temp\ser.exe N/A
File created C:\Users\Admin\AppData\Local\c0af4052649db16718fa9a022fee5e86\Admin@RHATQEDQ_en-US\Grabber\DRIVE-C\Users\Admin\Pictures\Saved Pictures\desktop.ini C:\Users\Admin\AppData\Local\Temp\ser.exe N/A
File created C:\Users\Admin\AppData\Local\c0af4052649db16718fa9a022fee5e86\Admin@RHATQEDQ_en-US\Grabber\DRIVE-C\Users\Admin\Documents\desktop.ini C:\Users\Admin\AppData\Local\Temp\ser.exe N/A
File opened for modification C:\Users\Admin\AppData\Local\c0af4052649db16718fa9a022fee5e86\Admin@RHATQEDQ_en-US\Grabber\DRIVE-C\Users\Admin\Documents\desktop.ini C:\Users\Admin\AppData\Local\Temp\ser.exe N/A

Legitimate hosting services abused for malware hosting/C2

Description Indicator Process Target
N/A pastebin.com N/A N/A
N/A pastebin.com N/A N/A

Looks up external IP address via web service

Description Indicator Process Target
N/A icanhazip.com N/A N/A

Looks up geolocation information via web service

Checks processor information in registry

Description Indicator Process Target
Key opened \REGISTRY\MACHINE\HARDWARE\Description\System\CentralProcessor\0 C:\Users\Admin\AppData\Local\Temp\ser.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier C:\Users\Admin\AppData\Local\Temp\ser.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\ser.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 4344 wrote to memory of 404 N/A C:\Users\Admin\AppData\Local\Temp\ser.exe C:\Windows\SYSTEM32\notepad.exe
PID 4344 wrote to memory of 404 N/A C:\Users\Admin\AppData\Local\Temp\ser.exe C:\Windows\SYSTEM32\notepad.exe
PID 4344 wrote to memory of 1620 N/A C:\Users\Admin\AppData\Local\Temp\ser.exe C:\Windows\SYSTEM32\cmd.exe
PID 4344 wrote to memory of 1620 N/A C:\Users\Admin\AppData\Local\Temp\ser.exe C:\Windows\SYSTEM32\cmd.exe
PID 1620 wrote to memory of 3540 N/A C:\Windows\SYSTEM32\cmd.exe C:\Windows\system32\chcp.com
PID 1620 wrote to memory of 3540 N/A C:\Windows\SYSTEM32\cmd.exe C:\Windows\system32\chcp.com
PID 1620 wrote to memory of 1668 N/A C:\Windows\SYSTEM32\cmd.exe C:\Windows\system32\netsh.exe
PID 1620 wrote to memory of 1668 N/A C:\Windows\SYSTEM32\cmd.exe C:\Windows\system32\netsh.exe
PID 1620 wrote to memory of 2220 N/A C:\Windows\SYSTEM32\cmd.exe C:\Windows\system32\findstr.exe
PID 1620 wrote to memory of 2220 N/A C:\Windows\SYSTEM32\cmd.exe C:\Windows\system32\findstr.exe
PID 4344 wrote to memory of 1780 N/A C:\Users\Admin\AppData\Local\Temp\ser.exe C:\Windows\SYSTEM32\cmd.exe
PID 4344 wrote to memory of 1780 N/A C:\Users\Admin\AppData\Local\Temp\ser.exe C:\Windows\SYSTEM32\cmd.exe
PID 1780 wrote to memory of 2364 N/A C:\Windows\SYSTEM32\cmd.exe C:\Windows\system32\chcp.com
PID 1780 wrote to memory of 2364 N/A C:\Windows\SYSTEM32\cmd.exe C:\Windows\system32\chcp.com
PID 1780 wrote to memory of 2152 N/A C:\Windows\SYSTEM32\cmd.exe C:\Windows\system32\netsh.exe
PID 1780 wrote to memory of 2152 N/A C:\Windows\SYSTEM32\cmd.exe C:\Windows\system32\netsh.exe

Processes

C:\Users\Admin\AppData\Local\Temp\ser.exe

"C:\Users\Admin\AppData\Local\Temp\ser.exe"

C:\Windows\SYSTEM32\notepad.exe

notepad.exe

C:\Windows\SYSTEM32\cmd.exe

"cmd.exe" /C chcp 65001 && netsh wlan show profile | findstr All

C:\Windows\system32\chcp.com

chcp 65001

C:\Windows\system32\netsh.exe

netsh wlan show profile

C:\Windows\system32\findstr.exe

findstr All

C:\Windows\SYSTEM32\cmd.exe

"cmd.exe" /C chcp 65001 && netsh wlan show networks mode=bssid

C:\Windows\system32\chcp.com

chcp 65001

C:\Windows\system32\netsh.exe

netsh wlan show networks mode=bssid

Network

Country Destination Domain Proto
US 8.8.8.8:53 g.bing.com udp
US 204.79.197.237:443 g.bing.com tcp
NL 23.62.61.192:443 www.bing.com tcp
US 8.8.8.8:53 8.8.8.8.in-addr.arpa udp
US 8.8.8.8:53 140.32.126.40.in-addr.arpa udp
US 8.8.8.8:53 237.197.79.204.in-addr.arpa udp
US 8.8.8.8:53 134.190.18.2.in-addr.arpa udp
US 8.8.8.8:53 192.61.62.23.in-addr.arpa udp
US 8.8.8.8:53 icanhazip.com udp
US 104.16.185.241:80 icanhazip.com tcp
US 8.8.8.8:53 api.mylnikov.org udp
US 172.67.196.114:443 api.mylnikov.org tcp
US 8.8.8.8:53 api.telegram.org udp
NL 149.154.167.220:443 api.telegram.org tcp
US 8.8.8.8:53 241.185.16.104.in-addr.arpa udp
US 8.8.8.8:53 114.196.67.172.in-addr.arpa udp
US 8.8.8.8:53 220.167.154.149.in-addr.arpa udp
NL 149.154.167.220:443 api.telegram.org tcp
US 8.8.8.8:53 pastebin.com udp
US 172.67.19.24:443 pastebin.com tcp
NL 149.154.167.220:443 api.telegram.org tcp
N/A 127.0.0.1:6606 tcp
US 8.8.8.8:53 24.19.67.172.in-addr.arpa udp
N/A 127.0.0.1:7707 tcp
US 8.8.8.8:53 50.23.12.20.in-addr.arpa udp
US 8.8.8.8:53 240.221.184.93.in-addr.arpa udp
N/A 127.0.0.1:6606 tcp
US 8.8.8.8:53 18.31.95.13.in-addr.arpa udp
US 8.8.8.8:53 24.139.73.23.in-addr.arpa udp
N/A 127.0.0.1:6606 tcp
N/A 127.0.0.1:8808 tcp
N/A 127.0.0.1:7707 tcp
N/A 127.0.0.1:6606 tcp
N/A 127.0.0.1:6606 tcp
N/A 127.0.0.1:6606 tcp
N/A 127.0.0.1:7707 tcp
N/A 127.0.0.1:7707 tcp
US 8.8.8.8:53 13.227.111.52.in-addr.arpa udp
US 8.8.8.8:53 172.210.232.199.in-addr.arpa udp
N/A 127.0.0.1:8808 tcp
N/A 127.0.0.1:6606 tcp
N/A 127.0.0.1:8808 tcp
N/A 127.0.0.1:7707 tcp
N/A 127.0.0.1:6606 tcp
N/A 127.0.0.1:7707 tcp
N/A 127.0.0.1:8808 tcp
N/A 127.0.0.1:6606 tcp

Files

memory/4344-0-0x00007FFD4E8D0000-0x00007FFD4EAC5000-memory.dmp

memory/4344-2-0x0000029130330000-0x0000029130366000-memory.dmp

memory/4344-3-0x0000029130640000-0x0000029130672000-memory.dmp

memory/4344-4-0x00007FFD30850000-0x00007FFD31311000-memory.dmp

memory/4344-5-0x0000029130700000-0x0000029130710000-memory.dmp

memory/4344-6-0x0000029130700000-0x0000029130710000-memory.dmp

C:\Users\Admin\AppData\Local\c0af4052649db16718fa9a022fee5e86\Admin@RHATQEDQ_en-US\System\Process.txt

MD5 a4854d3b3c736fcdddadb463ac8df5c9
SHA1 7893544a1b4c1e2457fbaae7d45b9cb5ff216fe8
SHA256 290baf6636ea41fc49829cbc481e0390af6c4f6d4e3a3e3617911aedf86bf4f3
SHA512 41fd88c3f02056c418c23be273529fcc33eb3bb110a990c302d749cd86b5addf78e24cd588e9cc8ebd895214968e6131348acc470c05a417b92c56827af7402e

C:\Users\Admin\AppData\Local\c0af4052649db16718fa9a022fee5e86\Admin@RHATQEDQ_en-US\System\Process.txt

MD5 741a60cd5e1f3816dfeaa8edca61df6a
SHA1 084f05b3c8cdf316ecc8498cb85aa17abf1497ab
SHA256 2847026181bed6041937cd172583b6e602faa1c43dcc8c068b652976dd2614c6
SHA512 57e963dac48c65e68f4979048668015ae8dc7a9cff7d8cc667515afc304b5a9ba0743a563de72a11e02e4ef53634540433e29cd6db19ea0795b882449bf7a595

C:\Users\Admin\AppData\Local\c0af4052649db16718fa9a022fee5e86\Admin@RHATQEDQ_en-US\System\Process.txt

MD5 1929c52790f7df99fafcbbdc9969ade1
SHA1 069e6ed73a450f784c5e27744da17ab04c59442f
SHA256 dfbddc5dc819569ced0881af26fa52ee6507b5def6dbfc66ade7f67bc1bac2f4
SHA512 b31b83510d6dc229e9c8c172cb6a6508a2d660b4d97b3566cab2fd31313d024ac0cbef1aca9c1b424953d6ef562b512746c59d453a643f62a5deec212f7e5d75

C:\Users\Admin\AppData\Local\c0af4052649db16718fa9a022fee5e86\Admin@RHATQEDQ_en-US\System\Process.txt

MD5 7955b6f490fcb9def01bf1c08634e0da
SHA1 3e51eb8dfda557ff11f3fed9bb998c5b6e983de1
SHA256 9b0a517c953735b3ba735971ee2eb83fa3caefa8dce3ac1b8980b688add90c77
SHA512 74a03b055b979624b9ce6c4edf8379a4e8555a1e4b1a26db9f56766273058df54cee914eacc916b32f6fc2b511efab6ebac89b62f2b52de2b67a590a8c9af44f

memory/4344-148-0x0000029130700000-0x0000029130710000-memory.dmp

memory/4344-150-0x0000029130700000-0x0000029130710000-memory.dmp

memory/4344-154-0x0000029130750000-0x000002913075A000-memory.dmp

C:\Users\Admin\AppData\Local\3748126a29ea084777d6eafa9295d890\msgid.dat

MD5 cfcd208495d565ef66e7dff9f98764da
SHA1 b6589fc6ab0dc82cf12099d1c2d40ab994e8410c
SHA256 5feceb66ffc86f38d952786c6d696c79c2dbc239dd4e91b46729d73a27fb57e9
SHA512 31bca02094eb78126a517b206a88c73cfa9ec6f704c7030d18212cace820f025f00bf0ea68dbf3f3a5436ca63b53bf7bf80ad8d5de7d8359d0b7fed9dbc3ab99

memory/4344-160-0x0000029149390000-0x00000291493A2000-memory.dmp

memory/4344-183-0x00007FFD30850000-0x00007FFD31311000-memory.dmp

memory/4344-186-0x0000029130700000-0x0000029130710000-memory.dmp

memory/4344-187-0x0000029130700000-0x0000029130710000-memory.dmp

memory/4344-188-0x0000029130700000-0x0000029130710000-memory.dmp

memory/4344-189-0x0000029130700000-0x0000029130710000-memory.dmp

memory/4344-190-0x0000029130700000-0x0000029130710000-memory.dmp