Malware Analysis Report

2024-09-22 23:53

Sample ID: 240429-pa7ywaae2z
Target: ser.exe
SHA256: fb5035e26f908cf1de308fdac8db6fb751ac69357b9ab2445fdaf1765c86b366
Tags: asyncrat stormkitty default rat spyware stealer
Score: 10/10

Analysis Overview

Score: 10/10

SHA256: fb5035e26f908cf1de308fdac8db6fb751ac69357b9ab2445fdaf1765c86b366

Threat Level: Known bad

The file ser.exe was found to be: Known bad.

Malicious Activity Summary

Tags: asyncrat stormkitty default rat spyware stealer

StormKitty payload

StormKitty

AsyncRat

Async RAT payload

Reads user/profile data of web browsers

Looks up external IP address via web service

Drops desktop.ini file(s)

Legitimate hosting services abused for malware hosting/C2

Looks up geolocation information via web service

Unsigned PE

Suspicious use of WriteProcessMemory

Suspicious behavior: EnumeratesProcesses

Checks processor information in registry

Suspicious use of AdjustPrivilegeToken

MITRE ATT&CK Matrix V13

Analysis: static1

Detonation Overview

Reported: 2024-04-29 12:08

Signatures

Unsigned PE

Description | Indicator | Process | Target
N/A | N/A | N/A | N/A

Analysis: behavioral1

Detonation Overview

Submitted: 2024-04-29 12:08
Reported: 2024-04-29 12:11
Platform: win7-20240419-en
Max time kernel: 121s
Max time network: 122s

Command Line

"C:\Users\Admin\AppData\Local\Temp\ser.exe"

Signatures

Suspicious use of WriteProcessMemory

Description | Indicator | Process | Target
PID 1860 wrote to memory of 1928 | N/A | C:\Users\Admin\AppData\Local\Temp\ser.exe | C:\Windows\system32\notepad.exe
PID 1860 wrote to memory of 1928 | N/A | C:\Users\Admin\AppData\Local\Temp\ser.exe | C:\Windows\system32\notepad.exe
PID 1860 wrote to memory of 1928 | N/A | C:\Users\Admin\AppData\Local\Temp\ser.exe | C:\Windows\system32\notepad.exe

Processes

C:\Users\Admin\AppData\Local\Temp\ser.exe
    "C:\Users\Admin\AppData\Local\Temp\ser.exe"

C:\Windows\system32\notepad.exe
    notepad.exe

Network

N/A

Files

N/A

Analysis: behavioral2

Detonation Overview

Submitted: 2024-04-29 12:08
Reported: 2024-04-29 12:11
Platform: win10v2004-20240419-en
Max time kernel: 144s
Max time network: 153s

Command Line

"C:\Users\Admin\AppData\Local\Temp\ser.exe"

Signatures

AsyncRat (tags: rat asyncrat)

StormKitty (tags: stealer stormkitty)

StormKitty payload

Description | Indicator | Process | Target
N/A | N/A | N/A | N/A

Async RAT payload (tags: rat)

Description | Indicator | Process | Target
N/A | N/A | N/A | N/A

Reads user/profile data of web browsers (tags: spyware stealer)

Drops desktop.ini file(s)

Description | Indicator | Process | Target
File created | C:\Users\Admin\AppData\Local\4bd7d84de8e2478a58846a04673b779c\Admin@LFKTDJGL_en-US\Grabber\DRIVE-C\Users\Admin\Downloads\desktop.ini | C:\Users\Admin\AppData\Local\Temp\ser.exe | N/A
File created | C:\Users\Admin\AppData\Local\4bd7d84de8e2478a58846a04673b779c\Admin@LFKTDJGL_en-US\Grabber\DRIVE-C\Users\Admin\Pictures\Saved Pictures\desktop.ini | C:\Users\Admin\AppData\Local\Temp\ser.exe | N/A
File created | C:\Users\Admin\AppData\Local\4bd7d84de8e2478a58846a04673b779c\Admin@LFKTDJGL_en-US\Grabber\DRIVE-C\Users\Admin\Desktop\desktop.ini | C:\Users\Admin\AppData\Local\Temp\ser.exe | N/A
File opened for modification | C:\Users\Admin\AppData\Local\4bd7d84de8e2478a58846a04673b779c\Admin@LFKTDJGL_en-US\Grabber\DRIVE-C\Users\Admin\Desktop\desktop.ini | C:\Users\Admin\AppData\Local\Temp\ser.exe | N/A
File created | C:\Users\Admin\AppData\Local\4bd7d84de8e2478a58846a04673b779c\Admin@LFKTDJGL_en-US\Grabber\DRIVE-C\Users\Admin\Documents\desktop.ini | C:\Users\Admin\AppData\Local\Temp\ser.exe | N/A
File opened for modification | C:\Users\Admin\AppData\Local\4bd7d84de8e2478a58846a04673b779c\Admin@LFKTDJGL_en-US\Grabber\DRIVE-C\Users\Admin\Documents\desktop.ini | C:\Users\Admin\AppData\Local\Temp\ser.exe | N/A
File created | C:\Users\Admin\AppData\Local\4bd7d84de8e2478a58846a04673b779c\Admin@LFKTDJGL_en-US\Grabber\DRIVE-C\Users\Admin\Pictures\desktop.ini | C:\Users\Admin\AppData\Local\Temp\ser.exe | N/A
File created | C:\Users\Admin\AppData\Local\4bd7d84de8e2478a58846a04673b779c\Admin@LFKTDJGL_en-US\Grabber\DRIVE-C\Users\Admin\Pictures\Camera Roll\desktop.ini | C:\Users\Admin\AppData\Local\Temp\ser.exe | N/A

Legitimate hosting services abused for malware hosting/C2

Description | Indicator | Process | Target
N/A | pastebin.com | N/A | N/A
N/A | pastebin.com | N/A | N/A

Looks up external IP address via web service

Description | Indicator | Process | Target
N/A | icanhazip.com | N/A | N/A

Looks up geolocation information via web service

Checks processor information in registry

Description | Indicator | Process | Target
Key opened | \REGISTRY\MACHINE\HARDWARE\Description\System\CentralProcessor\0 | C:\Users\Admin\AppData\Local\Temp\ser.exe | N/A
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier | C:\Users\Admin\AppData\Local\Temp\ser.exe | N/A

Suspicious use of AdjustPrivilegeToken

Description | Indicator | Process | Target
Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\ser.exe | N/A

Suspicious use of WriteProcessMemory

Description | Indicator | Process | Target
PID 2864 wrote to memory of 4900 | N/A | C:\Users\Admin\AppData\Local\Temp\ser.exe | C:\Windows\SYSTEM32\notepad.exe
PID 2864 wrote to memory of 4900 | N/A | C:\Users\Admin\AppData\Local\Temp\ser.exe | C:\Windows\SYSTEM32\notepad.exe
PID 2864 wrote to memory of 2036 | N/A | C:\Users\Admin\AppData\Local\Temp\ser.exe | C:\Windows\SYSTEM32\cmd.exe
PID 2864 wrote to memory of 2036 | N/A | C:\Users\Admin\AppData\Local\Temp\ser.exe | C:\Windows\SYSTEM32\cmd.exe
PID 2036 wrote to memory of 3496 | N/A | C:\Windows\SYSTEM32\cmd.exe | C:\Windows\system32\chcp.com
PID 2036 wrote to memory of 3496 | N/A | C:\Windows\SYSTEM32\cmd.exe | C:\Windows\system32\chcp.com
PID 2036 wrote to memory of 1864 | N/A | C:\Windows\SYSTEM32\cmd.exe | C:\Windows\system32\netsh.exe
PID 2036 wrote to memory of 1864 | N/A | C:\Windows\SYSTEM32\cmd.exe | C:\Windows\system32\netsh.exe
PID 2036 wrote to memory of 1816 | N/A | C:\Windows\SYSTEM32\cmd.exe | C:\Windows\system32\findstr.exe
PID 2036 wrote to memory of 1816 | N/A | C:\Windows\SYSTEM32\cmd.exe | C:\Windows\system32\findstr.exe
PID 2864 wrote to memory of 4684 | N/A | C:\Users\Admin\AppData\Local\Temp\ser.exe | C:\Windows\SYSTEM32\cmd.exe
PID 2864 wrote to memory of 4684 | N/A | C:\Users\Admin\AppData\Local\Temp\ser.exe | C:\Windows\SYSTEM32\cmd.exe
PID 4684 wrote to memory of 8 | N/A | C:\Windows\SYSTEM32\cmd.exe | C:\Windows\system32\chcp.com
PID 4684 wrote to memory of 8 | N/A | C:\Windows\SYSTEM32\cmd.exe | C:\Windows\system32\chcp.com
PID 4684 wrote to memory of 1576 | N/A | C:\Windows\SYSTEM32\cmd.exe | C:\Windows\system32\netsh.exe
PID 4684 wrote to memory of 1576 | N/A | C:\Windows\SYSTEM32\cmd.exe | C:\Windows\system32\netsh.exe

Processes

C:\Users\Admin\AppData\Local\Temp\ser.exe
    "C:\Users\Admin\AppData\Local\Temp\ser.exe"

C:\Windows\SYSTEM32\notepad.exe
    notepad.exe

C:\Windows\SYSTEM32\cmd.exe
    "cmd.exe" /C chcp 65001 && netsh wlan show profile | findstr All

C:\Windows\system32\chcp.com
    chcp 65001

C:\Windows\system32\netsh.exe
    netsh wlan show profile

C:\Windows\system32\findstr.exe
    findstr All

C:\Windows\SYSTEM32\cmd.exe
    "cmd.exe" /C chcp 65001 && netsh wlan show networks mode=bssid

C:\Windows\system32\chcp.com
    chcp 65001

C:\Windows\system32\netsh.exe
    netsh wlan show networks mode=bssid

Network

Country | Destination | Domain | Proto
US | 8.8.8.8:53 | 209.205.72.20.in-addr.arpa | udp
US | 8.8.8.8:53 | 133.190.18.2.in-addr.arpa | udp
US | 8.8.8.8:53 | g.bing.com | udp
US | 204.79.197.237:443 | g.bing.com | tcp
US | 8.8.8.8:53 | 237.197.79.204.in-addr.arpa | udp
US | 8.8.8.8:53 | 68.159.190.20.in-addr.arpa | udp
US | 8.8.8.8:53 | 58.55.71.13.in-addr.arpa | udp
US | 8.8.8.8:53 | icanhazip.com | udp
US | 104.16.185.241:80 | icanhazip.com | tcp
US | 8.8.8.8:53 | api.mylnikov.org | udp
US | 172.67.196.114:443 | api.mylnikov.org | tcp
US | 8.8.8.8:53 | api.telegram.org | udp
NL | 149.154.167.220:443 | api.telegram.org | tcp
NL | 149.154.167.220:443 | api.telegram.org | tcp
US | 8.8.8.8:53 | 241.185.16.104.in-addr.arpa | udp
US | 8.8.8.8:53 | 114.196.67.172.in-addr.arpa | udp
US | 8.8.8.8:53 | 220.167.154.149.in-addr.arpa | udp
US | 8.8.8.8:53 | pastebin.com | udp
US | 172.67.19.24:443 | pastebin.com | tcp
NL | 149.154.167.220:443 | api.telegram.org | tcp
US | 8.8.8.8:53 | 133.211.185.52.in-addr.arpa | udp
N/A | 127.0.0.1:7707 | | tcp
US | 8.8.8.8:53 | 24.19.67.172.in-addr.arpa | udp
US | 8.8.8.8:53 | 239.249.30.184.in-addr.arpa | udp
N/A | 127.0.0.1:8808 | | tcp
US | 8.8.8.8:53 | 50.23.12.20.in-addr.arpa | udp
US | 8.8.8.8:53 | 198.187.3.20.in-addr.arpa | udp
N/A | 127.0.0.1:7707 | | tcp
US | 8.8.8.8:53 | 24.139.73.23.in-addr.arpa | udp
N/A | 127.0.0.1:8808 | | tcp
N/A | 127.0.0.1:6606 | | tcp
N/A | 127.0.0.1:7707 | | tcp
N/A | 127.0.0.1:7707 | | tcp
US | 8.8.8.8:53 | 134.190.18.2.in-addr.arpa | udp
N/A | 127.0.0.1:6606 | | tcp
US | 8.8.8.8:53 | 165.191.110.104.in-addr.arpa | udp
N/A | 127.0.0.1:7707 | | tcp
N/A | 127.0.0.1:7707 | | tcp
N/A | 127.0.0.1:6606 | | tcp
US | 8.8.8.8:53 | 240.143.123.92.in-addr.arpa | udp
US | 8.8.8.8:53 | 11.227.111.52.in-addr.arpa | udp
N/A | 127.0.0.1:8808 | | tcp
US | 8.8.8.8:53 | tse1.mm.bing.net | udp
US | 204.79.197.200:443 | tse1.mm.bing.net | tcp
US | 204.79.197.200:443 | tse1.mm.bing.net | tcp
US | 204.79.197.200:443 | tse1.mm.bing.net | tcp
US | 204.79.197.200:443 | tse1.mm.bing.net | tcp
US | 8.8.8.8:53 | 200.197.79.204.in-addr.arpa | udp
N/A | 127.0.0.1:7707 | | tcp
N/A | 127.0.0.1:8808 | | tcp
N/A | 127.0.0.1:7707 | | tcp
N/A | 127.0.0.1:6606 | | tcp
N/A | 127.0.0.1:6606 | | tcp
N/A | 127.0.0.1:7707 | | tcp
N/A | 127.0.0.1:7707 | | tcp

Files

memory/2864-2-0x000001EFA8020000-0x000001EFA8056000-memory.dmp

memory/2864-0-0x00007FFE4EC50000-0x00007FFE4EE45000-memory.dmp

memory/2864-3-0x000001EFA81C0000-0x000001EFA81F2000-memory.dmp

memory/2864-4-0x00007FFE308D0000-0x00007FFE31391000-memory.dmp

memory/2864-6-0x000001EFC0B70000-0x000001EFC0B80000-memory.dmp

memory/2864-5-0x000001EFC0B70000-0x000001EFC0B80000-memory.dmp

C:\Users\Admin\AppData\Local\4bd7d84de8e2478a58846a04673b779c\Admin@LFKTDJGL_en-US\System\Process.txt

MD5 bd21a164e49e285d5af348e3ccf1e938
SHA1 1d11a25ed613c74a03c0a0a793d324a0c6e225d4
SHA256 ca43e5d89e4dc66d04682df25fb031f823c8ce070d20151f75e908385ca119d1
SHA512 b7a90dfb806de54110b25c08f0fa76d9de9e937cdbcc95ccb2dcc5e574ec4319b7b2e62bc18eddba089758b4b2e74f228a79d8d509fe5e3fdbdfd7f3025181e0

C:\Users\Admin\AppData\Local\4bd7d84de8e2478a58846a04673b779c\Admin@LFKTDJGL_en-US\System\Process.txt

MD5 f928e0e7081b55f0196ae4543ebdca88
SHA1 575462c688a66c890ee0508a36ec433928c6a1ff
SHA256 45630f91493a51e37db10f3a85ba188199bb7fb67298867c34075bcdd60e1e08
SHA512 6ff5801736fc5ac91af0eacc51666b6008b68f3bc2cc437db19ab13bfd65cc5d7b7c1f56553f33178e6b9c74eb24cf325958fdf18520aed5c393867df1cdb3ac

C:\Users\Admin\AppData\Local\4bd7d84de8e2478a58846a04673b779c\Admin@LFKTDJGL_en-US\System\Process.txt

MD5 8367a76ebcc00955f36276f0856024a8
SHA1 b06a9b64a6b31ce7aa87e10a7ca438322311e08d
SHA256 6c016cc75bb60da1ec5f81bde5d0560bacf924bad8c26c6ded10bab3cb9dfc7a
SHA512 bfd8b81718354585145983855ca0e4d706f0c3ddf32cb578464cfcb6c8c5c8f111dbe1f2cf302c3a62bce938be127c7680d9496717519a9f645d2abbf6adbc49

C:\Users\Admin\AppData\Local\4bd7d84de8e2478a58846a04673b779c\Admin@LFKTDJGL_en-US\System\Process.txt

MD5 b613b2356a8b1d1c4f1dd8088f40f273
SHA1 cfe35e7d4d09ff154f36999ee0cbeecb54aad928
SHA256 4e24935f9b2ae85c7db2951150c68adfaffbaccee15f5190ebb56fef5e65ffce
SHA512 273ca8fc76ea066f16a0961e6a3b763215ea96c4077bd132e22a96edc40947fcb886ca376f7ed0fe7da567b3425e522593a8c06b08f380d1b897865076a1d701

memory/2864-156-0x000001EFC0B70000-0x000001EFC0B80000-memory.dmp

memory/2864-157-0x000001EFC0B70000-0x000001EFC0B80000-memory.dmp

memory/2864-161-0x000001EFC1FE0000-0x000001EFC1FEA000-memory.dmp

C:\Users\Admin\AppData\Local\655a0eca073de928e8f00fce0a3f3d95\msgid.dat

MD5 cfcd208495d565ef66e7dff9f98764da
SHA1 b6589fc6ab0dc82cf12099d1c2d40ab994e8410c
SHA256 5feceb66ffc86f38d952786c6d696c79c2dbc239dd4e91b46729d73a27fb57e9
SHA512 31bca02094eb78126a517b206a88c73cfa9ec6f704c7030d18212cace820f025f00bf0ea68dbf3f3a5436ca63b53bf7bf80ad8d5de7d8359d0b7fed9dbc3ab99

memory/2864-167-0x000001EFC2010000-0x000001EFC2022000-memory.dmp

memory/2864-190-0x00007FFE308D0000-0x00007FFE31391000-memory.dmp

memory/2864-193-0x000001EFC0B70000-0x000001EFC0B80000-memory.dmp

memory/2864-194-0x000001EFC0B70000-0x000001EFC0B80000-memory.dmp

memory/2864-195-0x000001EFC0B70000-0x000001EFC0B80000-memory.dmp