Malware Analysis Report

2024-09-22 23:58

Sample ID 240430-pfybmabh8t
Target ser.exe
SHA256 fb5035e26f908cf1de308fdac8db6fb751ac69357b9ab2445fdaf1765c86b366
Tags
asyncrat stormkitty default rat spyware stealer
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK Matrix

Analysis: static1
    Detonation Overview
    Signatures

Analysis: behavioral2
    Detonation Overview
    Command Line
    Signatures
    Processes
    Network
    Files

Analysis: behavioral1
    Detonation Overview
    Command Line
    Signatures
    Processes
    Network
    Files

Analysis Overview

score
10/10

SHA256

fb5035e26f908cf1de308fdac8db6fb751ac69357b9ab2445fdaf1765c86b366

Threat Level: Known bad

The file ser.exe was found to be: Known bad.

Malicious Activity Summary

asyncrat stormkitty default rat spyware stealer

StormKitty payload

AsyncRat

StormKitty

Async RAT payload

Reads user/profile data of web browsers

Looks up external IP address via web service

Drops desktop.ini file(s)

Looks up geolocation information via web service

Unsigned PE

Suspicious use of WriteProcessMemory

Checks processor information in registry

Suspicious behavior: EnumeratesProcesses

Suspicious use of AdjustPrivilegeToken

MITRE ATT&CK Matrix V13

Analysis: static1

Detonation Overview

Reported

2024-04-30 12:16

Signatures

Unsigned PE

Description | Indicator | Process | Target
N/A | N/A | N/A | N/A

Analysis: behavioral2

Detonation Overview

Submitted

2024-04-30 12:16

Reported

2024-04-30 12:19

Platform

win10v2004-20240419-en

Max time kernel

145s

Max time network

49s

Command Line

"C:\Users\Admin\AppData\Local\Temp\ser.exe"

Signatures

AsyncRat

rat asyncrat

StormKitty

stealer stormkitty

StormKitty payload

Description | Indicator | Process | Target
N/A | N/A | N/A | N/A

Async RAT payload

rat
Description | Indicator | Process | Target
N/A | N/A | N/A | N/A

Reads user/profile data of web browsers

spyware stealer

Drops desktop.ini file(s)

Description | Indicator | Process | Target
File created | C:\Users\Admin\AppData\Local\3e9692157c7cce905c4243269c8b7ddd\Admin@EXNCLZLI_en-US\Grabber\DRIVE-C\Users\Admin\Downloads\desktop.ini | C:\Users\Admin\AppData\Local\Temp\ser.exe | N/A
File created | C:\Users\Admin\AppData\Local\3e9692157c7cce905c4243269c8b7ddd\Admin@EXNCLZLI_en-US\Grabber\DRIVE-C\Users\Admin\Desktop\desktop.ini | C:\Users\Admin\AppData\Local\Temp\ser.exe | N/A
File opened for modification | C:\Users\Admin\AppData\Local\3e9692157c7cce905c4243269c8b7ddd\Admin@EXNCLZLI_en-US\Grabber\DRIVE-C\Users\Admin\Desktop\desktop.ini | C:\Users\Admin\AppData\Local\Temp\ser.exe | N/A
File created | C:\Users\Admin\AppData\Local\3e9692157c7cce905c4243269c8b7ddd\Admin@EXNCLZLI_en-US\Grabber\DRIVE-C\Users\Admin\Pictures\desktop.ini | C:\Users\Admin\AppData\Local\Temp\ser.exe | N/A
File opened for modification | C:\Users\Admin\AppData\Local\3e9692157c7cce905c4243269c8b7ddd\Admin@EXNCLZLI_en-US\Grabber\DRIVE-C\Users\Admin\Pictures\desktop.ini | C:\Users\Admin\AppData\Local\Temp\ser.exe | N/A
File created | C:\Users\Admin\AppData\Local\3e9692157c7cce905c4243269c8b7ddd\Admin@EXNCLZLI_en-US\Grabber\DRIVE-C\Users\Admin\Documents\desktop.ini | C:\Users\Admin\AppData\Local\Temp\ser.exe | N/A
File created | C:\Users\Admin\AppData\Local\3e9692157c7cce905c4243269c8b7ddd\Admin@EXNCLZLI_en-US\Grabber\DRIVE-C\Users\Admin\Pictures\Camera Roll\desktop.ini | C:\Users\Admin\AppData\Local\Temp\ser.exe | N/A
File created | C:\Users\Admin\AppData\Local\3e9692157c7cce905c4243269c8b7ddd\Admin@EXNCLZLI_en-US\Grabber\DRIVE-C\Users\Admin\Pictures\Saved Pictures\desktop.ini | C:\Users\Admin\AppData\Local\Temp\ser.exe | N/A

Looks up external IP address via web service

Description | Indicator | Process | Target
N/A | icanhazip.com | N/A | N/A

Looks up geolocation information via web service

Checks processor information in registry

Description | Indicator | Process | Target
Key opened | \REGISTRY\MACHINE\HARDWARE\Description\System\CentralProcessor\0 | C:\Users\Admin\AppData\Local\Temp\ser.exe | N/A
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier | C:\Users\Admin\AppData\Local\Temp\ser.exe | N/A

Suspicious use of AdjustPrivilegeToken

Description | Indicator | Process | Target
Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\ser.exe | N/A

Suspicious use of WriteProcessMemory

Description | Indicator | Process | Target
PID 208 wrote to memory of 4596 | N/A | C:\Users\Admin\AppData\Local\Temp\ser.exe | C:\Windows\SYSTEM32\notepad.exe
PID 208 wrote to memory of 716 | N/A | C:\Users\Admin\AppData\Local\Temp\ser.exe | C:\Windows\SYSTEM32\cmd.exe
PID 716 wrote to memory of 4920 | N/A | C:\Windows\SYSTEM32\cmd.exe | C:\Windows\system32\chcp.com
PID 716 wrote to memory of 1724 | N/A | C:\Windows\SYSTEM32\cmd.exe | C:\Windows\system32\netsh.exe
PID 716 wrote to memory of 1552 | N/A | C:\Windows\SYSTEM32\cmd.exe | C:\Windows\system32\findstr.exe
PID 208 wrote to memory of 4260 | N/A | C:\Users\Admin\AppData\Local\Temp\ser.exe | C:\Windows\SYSTEM32\cmd.exe
PID 4260 wrote to memory of 1976 | N/A | C:\Windows\SYSTEM32\cmd.exe | C:\Windows\system32\chcp.com
PID 4260 wrote to memory of 4692 | N/A | C:\Windows\SYSTEM32\cmd.exe | C:\Windows\system32\netsh.exe

Processes

C:\Users\Admin\AppData\Local\Temp\ser.exe

"C:\Users\Admin\AppData\Local\Temp\ser.exe"

C:\Windows\SYSTEM32\notepad.exe

notepad.exe

C:\Windows\SYSTEM32\cmd.exe

"cmd.exe" /C chcp 65001 && netsh wlan show profile | findstr All

C:\Windows\system32\chcp.com

chcp 65001

C:\Windows\system32\netsh.exe

netsh wlan show profile

C:\Windows\system32\findstr.exe

findstr All

C:\Windows\SYSTEM32\cmd.exe

"cmd.exe" /C chcp 65001 && netsh wlan show networks mode=bssid

C:\Windows\system32\chcp.com

chcp 65001

C:\Windows\system32\netsh.exe

netsh wlan show networks mode=bssid

Network

Country | Destination | Domain | Proto
US | 8.8.8.8:53 | icanhazip.com | udp
US | 8.8.8.8:53 | api.mylnikov.org | udp
N/A | 127.0.0.1:7707 | N/A | tcp
N/A | 127.0.0.1:6606 | N/A | tcp
N/A | 127.0.0.1:8808 | N/A | tcp

Files

C:\Users\Admin\AppData\Local\3e9692157c7cce905c4243269c8b7ddd\Admin@EXNCLZLI_en-US\System\Process.txt

MD5 9e9f1194c20ca288fffee5e28d48902b
SHA1 3d53528b3dc023d63820797dc803ba3b9914e6ac
SHA256 c89f050b5bb27e5f15874659ad7b2705bd15eab1c4d316adfae3a22ece2b8610
SHA512 5bd43a0fd9ab855baf3de5433ce6b2eae83516f463bae31d6b28129147839bc930fb35891dd78d5bd2d3a4e6501faf3d4385102d494246378724571d93448a59

C:\Users\Admin\AppData\Local\3e9692157c7cce905c4243269c8b7ddd\Admin@EXNCLZLI_en-US\System\Process.txt

MD5 edac7bea578b356f092268bd03b90224
SHA1 dee052f636b40bbb18079b98726d703a1dc977d7
SHA256 d939c604f6a140aa84d69bf36749d5cc80abc99d03b5e8b716204b808d53e9b0
SHA512 e93a2c465458c6fbde834894c67f3a20fcd9625b97dc9f48c326025b3fe81cb14cbe6fbf4d27584c29f709eaf8453f9fa37adf263c2d6ef7c9e35584e397518d

C:\Users\Admin\AppData\Local\3e9692157c7cce905c4243269c8b7ddd\Admin@EXNCLZLI_en-US\System\Process.txt

MD5 267d7ad72bdc3ee36c7276182a3b6d5f
SHA1 96d4e46b7a82d5a0623e306cf3eb90b6f23c2831
SHA256 834fb324fd139bf70a6c50351830f62378ffd0dfa735f29fd191885a1c669b92
SHA512 995e022114f3472e5d07d635065c04ee3f174cc93aacbecb962f1c3813514cfc927173beb71b446e71500f593f0044675f70f9e8ada89ca29831a2b340e8ea7d

C:\Users\Admin\AppData\Local\1bb289bb8707dff085ac42f2958db7c9\msgid.dat

MD5 cfcd208495d565ef66e7dff9f98764da
SHA1 b6589fc6ab0dc82cf12099d1c2d40ab994e8410c
SHA256 5feceb66ffc86f38d952786c6d696c79c2dbc239dd4e91b46729d73a27fb57e9
SHA512 31bca02094eb78126a517b206a88c73cfa9ec6f704c7030d18212cace820f025f00bf0ea68dbf3f3a5436ca63b53bf7bf80ad8d5de7d8359d0b7fed9dbc3ab99

Analysis: behavioral1

Detonation Overview

Submitted

2024-04-30 12:16

Reported

2024-04-30 12:19

Platform

win7-20240221-en

Max time kernel

121s

Max time network

122s

Command Line

"C:\Users\Admin\AppData\Local\Temp\ser.exe"

Signatures

Suspicious use of WriteProcessMemory

Description | Indicator | Process | Target
PID 2904 wrote to memory of 1076 | N/A | C:\Users\Admin\AppData\Local\Temp\ser.exe | C:\Windows\system32\notepad.exe

Processes

C:\Users\Admin\AppData\Local\Temp\ser.exe

"C:\Users\Admin\AppData\Local\Temp\ser.exe"

C:\Windows\system32\notepad.exe

notepad.exe

Network

N/A

Files

N/A