Malware Analysis Report

2024-09-22 23:44

Sample ID 240521-3pgbcsdh7z
Target win1.exe
SHA256 94fada921a79c422e6dbf75eeca7429690d75901b5ef982a44874971b38708a0
Tags asyncrat stormkitty default collection discovery rat spyware stealer
Score 10/10

Table of Contents

Analysis Overview

MITRE ATT&CK Matrix

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

Score 10/10

SHA256 94fada921a79c422e6dbf75eeca7429690d75901b5ef982a44874971b38708a0

Threat Level: Known bad

The file win1.exe was found to be: Known bad.

Malicious Activity Summary

asyncrat stormkitty default collection discovery rat spyware stealer

Async RAT payload

Asyncrat family

StormKitty payload

AsyncRat

StormKitty

Reads user/profile data of web browsers

Looks up geolocation information via web service

Accesses Microsoft Outlook profiles

Looks up external IP address via web service

Checks installed software on the system

Legitimate hosting services abused for malware hosting/C2

Unsigned PE

Suspicious use of WriteProcessMemory

outlook_win_path

Suspicious use of AdjustPrivilegeToken

Suspicious use of SetWindowsHookEx

Suspicious behavior: EnumeratesProcesses

outlook_office_path

Checks processor information in registry

MITRE ATT&CK Matrix V13

Analysis: static1

Detonation Overview

Reported

2024-05-21 23:41

Signatures

Async RAT payload

rat
Description Indicator Process Target
N/A N/A N/A N/A

Asyncrat family

asyncrat

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral2

Detonation Overview

Submitted

2024-05-21 23:41

Reported

2024-05-21 23:43

Platform

win10v2004-20240426-en

Max time kernel

134s

Max time network

144s

Command Line

"C:\Users\Admin\AppData\Local\Temp\win1.exe"

Signatures

AsyncRat

rat asyncrat

StormKitty

stealer stormkitty

StormKitty payload

Description Indicator Process Target
N/A N/A N/A N/A

Reads user/profile data of web browsers

spyware stealer

Accesses Microsoft Outlook profiles

collection
Description Indicator Process Target
Key opened \REGISTRY\USER\S-1-5-21-711569230-3659488422-571408806-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 C:\Users\Admin\AppData\Local\Temp\win1.exe N/A
Key opened \REGISTRY\USER\S-1-5-21-711569230-3659488422-571408806-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 C:\Users\Admin\AppData\Local\Temp\win1.exe N/A
Key opened \REGISTRY\USER\S-1-5-21-711569230-3659488422-571408806-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 C:\Users\Admin\AppData\Local\Temp\win1.exe N/A

Checks installed software on the system

discovery

Legitimate hosting services abused for malware hosting/C2

Description Indicator Process Target
N/A discord.com N/A N/A
N/A discord.com N/A N/A

Looks up external IP address via web service

Description Indicator Process Target
N/A ip-api.com N/A N/A
N/A icanhazip.com N/A N/A

Looks up geolocation information via web service

Checks processor information in registry

Description Indicator Process Target
Key opened \REGISTRY\MACHINE\HARDWARE\Description\System\CentralProcessor\0 C:\Users\Admin\AppData\Local\Temp\win1.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier C:\Users\Admin\AppData\Local\Temp\win1.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\win1.exe N/A

Suspicious use of SetWindowsHookEx

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\win1.exe N/A

outlook_office_path

Description Indicator Process Target
Key opened \REGISTRY\USER\S-1-5-21-711569230-3659488422-571408806-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 C:\Users\Admin\AppData\Local\Temp\win1.exe N/A

outlook_win_path

Description Indicator Process Target
Key opened \REGISTRY\USER\S-1-5-21-711569230-3659488422-571408806-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 C:\Users\Admin\AppData\Local\Temp\win1.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\win1.exe

"C:\Users\Admin\AppData\Local\Temp\win1.exe"

C:\Windows\SYSTEM32\cmd.exe

"cmd.exe" /C chcp 65001 && netsh wlan show profile | findstr All

C:\Windows\system32\chcp.com

chcp 65001

C:\Windows\system32\netsh.exe

netsh wlan show profile

C:\Windows\system32\findstr.exe

findstr All

C:\Windows\SYSTEM32\cmd.exe

"cmd.exe" /C chcp 65001 && netsh wlan show networks mode=bssid

C:\Windows\system32\chcp.com

chcp 65001

C:\Windows\system32\netsh.exe

netsh wlan show networks mode=bssid

Network

Country Destination Domain Proto
US 8.8.8.8:53 g.bing.com udp
US 204.79.197.237:443 g.bing.com tcp
US 8.8.8.8:53 154.239.44.20.in-addr.arpa udp
AM 85.209.133.18:4545 N/A tcp
NL 23.62.61.97:443 www.bing.com tcp
US 8.8.8.8:53 91.90.14.23.in-addr.arpa udp
US 8.8.8.8:53 237.197.79.204.in-addr.arpa udp
US 8.8.8.8:53 18.133.209.85.in-addr.arpa udp
US 8.8.8.8:53 14.160.190.20.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 97.61.62.23.in-addr.arpa udp
NL 23.62.61.97:443 www.bing.com tcp
US 8.8.8.8:53 55.36.223.20.in-addr.arpa udp
US 8.8.8.8:53 103.169.127.40.in-addr.arpa udp
US 8.8.8.8:53 171.39.242.20.in-addr.arpa udp
US 8.8.8.8:53 240.221.184.93.in-addr.arpa udp
AM 85.209.133.18:4545 N/A tcp
US 52.111.227.11:443 N/A tcp
AM 85.209.133.18:4545 N/A tcp
US 8.8.8.8:53 icanhazip.com udp
US 104.16.184.241:80 icanhazip.com tcp
AM 85.209.133.18:4545 N/A tcp
US 8.8.8.8:53 241.184.16.104.in-addr.arpa udp
US 8.8.8.8:53 ip-api.com udp
US 208.95.112.1:80 ip-api.com tcp
US 8.8.8.8:53 1.112.95.208.in-addr.arpa udp
US 8.8.8.8:53 48.229.111.52.in-addr.arpa udp
US 8.8.8.8:53 api.mylnikov.org udp
US 172.67.196.114:443 api.mylnikov.org tcp
US 8.8.8.8:53 114.196.67.172.in-addr.arpa udp
US 8.8.8.8:53 discord.com udp
US 162.159.128.233:443 discord.com tcp
US 8.8.8.8:53 233.128.159.162.in-addr.arpa udp
US 8.8.8.8:53 tse1.mm.bing.net udp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp

Files

memory/1952-0-0x00007FFB352F3000-0x00007FFB352F5000-memory.dmp

memory/1952-1-0x0000000000560000-0x0000000000578000-memory.dmp

memory/1952-3-0x00007FFB352F0000-0x00007FFB35DB1000-memory.dmp

memory/1952-4-0x00007FFB352F0000-0x00007FFB35DB1000-memory.dmp

memory/1952-8-0x00007FFB352F0000-0x00007FFB35DB1000-memory.dmp

memory/1952-9-0x00007FFB352F0000-0x00007FFB35DB1000-memory.dmp

memory/1952-10-0x00007FFB352F3000-0x00007FFB352F5000-memory.dmp

memory/1952-11-0x00007FFB352F0000-0x00007FFB35DB1000-memory.dmp

memory/1952-12-0x00007FFB352F0000-0x00007FFB35DB1000-memory.dmp

memory/1952-13-0x00007FFB352F0000-0x00007FFB35DB1000-memory.dmp

memory/1952-14-0x00007FFB352F0000-0x00007FFB35DB1000-memory.dmp

memory/1952-15-0x0000000000D90000-0x0000000000E06000-memory.dmp

memory/1952-16-0x000000001C4F0000-0x000000001C612000-memory.dmp

memory/1952-17-0x0000000000D30000-0x0000000000D4E000-memory.dmp

memory/1952-56-0x0000000000C60000-0x0000000000C82000-memory.dmp

memory/1952-57-0x000000001CD10000-0x000000001CE44000-memory.dmp

memory/1952-58-0x0000000000C10000-0x0000000000C1A000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\tmp9FB2.tmp.dat

MD5 d4993802b9cf3203200f899233c3e2fc
SHA1 a632e8d796c8a0d1cf8cda55aa882b1a82b7318f
SHA256 cff606c51ac13f4352de08f7838939c1e261bdc232a10bb94f6924d00cbd0dd6
SHA512 1910cf846fe61ef744dc6bcf9062caaf6ab1856a64bd8aa6849cbddcdc8fa921f0cef16d0d9cc38842345f5873724b27764307076bd50bd46bb74f643cde03bd

C:\Users\Admin\AppData\Local\Temp\tmp9FB5.tmp.dat

MD5 73bd1e15afb04648c24593e8ba13e983
SHA1 4dd85ca46fcdf9d93f6b324f8bb0b5bb512a1b91
SHA256 aab0b201f392fef9fdff09e56a9d0ac33d0f68be95da270e6dab89bb1f971d8b
SHA512 6eb58fb41691894045569085bd64a83acd62277575ab002cf73d729bda4b6d43c36643a5fa336342e87a493326337ed43b8e5eaeae32f53210714699cb8dfac7

C:\Users\Admin\AppData\Local\284dceac4e7b1e3304b665e6e23799cc\Admin@SPDOHFMA_en-US\System\Process.txt

MD5 8b89747086ab9d327106a9d6f0f0cf26
SHA1 84577c92eb8f3389020d133f90782b93667fb9c3
SHA256 868dae8a5f4c0a90197b0ee96b6465c6df570b08a4dfbbdb61493377a51f5d3f
SHA512 fc52e8a47f2a709a920bf3bfeb775894806c80d623b9878c7194c8e3169ac71971acb072c0ec661418fd382e464068bd55cf9a4106bfd9726b227575bae2398d

memory/1952-168-0x0000000000C40000-0x0000000000C4C000-memory.dmp

memory/1952-170-0x000000001B5B0000-0x000000001B62A000-memory.dmp

memory/1952-213-0x000000001C710000-0x000000001C794000-memory.dmp

C:\Users\Admin\AppData\Local\284dceac4e7b1e3304b665e6e23799cc\msgid.dat

MD5 cfcd208495d565ef66e7dff9f98764da
SHA1 b6589fc6ab0dc82cf12099d1c2d40ab994e8410c
SHA256 5feceb66ffc86f38d952786c6d696c79c2dbc239dd4e91b46729d73a27fb57e9
SHA512 31bca02094eb78126a517b206a88c73cfa9ec6f704c7030d18212cace820f025f00bf0ea68dbf3f3a5436ca63b53bf7bf80ad8d5de7d8359d0b7fed9dbc3ab99

Analysis: behavioral1

Detonation Overview

Submitted

2024-05-21 23:41

Reported

2024-05-21 23:43

Platform

win7-20240221-en

Max time kernel

147s

Max time network

146s

Command Line

"C:\Users\Admin\AppData\Local\Temp\win1.exe"

Signatures

AsyncRat

rat asyncrat

Checks installed software on the system

discovery

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\win1.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\win1.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\win1.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\win1.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\win1.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\win1.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\win1.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\win1.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\win1.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\win1.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\win1.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\win1.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\win1.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\win1.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\win1.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\win1.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\win1.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\win1.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\win1.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\win1.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\win1.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\win1.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\win1.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\win1.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\win1.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\win1.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\win1.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\win1.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\win1.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\win1.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\win1.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\win1.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\win1.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\win1.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\win1.exe N/A

Suspicious use of SetWindowsHookEx

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\win1.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\win1.exe

"C:\Users\Admin\AppData\Local\Temp\win1.exe"

Network

Country Destination Domain Proto
AM 85.209.133.18:4545 N/A tcp
AM 85.209.133.18:4545 N/A tcp
AM 85.209.133.18:4545 N/A tcp
AM 85.209.133.18:4545 N/A tcp
AM 85.209.133.18:4545 N/A tcp
AM 85.209.133.18:4545 N/A tcp
AM 85.209.133.18:4545 N/A tcp
AM 85.209.133.18:4545 N/A tcp
AM 85.209.133.18:4545 N/A tcp
AM 85.209.133.18:4545 N/A tcp
AM 85.209.133.18:4545 N/A tcp
AM 85.209.133.18:4545 N/A tcp
AM 85.209.133.18:4545 N/A tcp
AM 85.209.133.18:4545 N/A tcp
AM 85.209.133.18:4545 N/A tcp
AM 85.209.133.18:4545 N/A tcp
AM 85.209.133.18:4545 N/A tcp
AM 85.209.133.18:4545 N/A tcp
AM 85.209.133.18:4545 N/A tcp
AM 85.209.133.18:4545 N/A tcp
AM 85.209.133.18:4545 N/A tcp
AM 85.209.133.18:4545 N/A tcp
AM 85.209.133.18:4545 N/A tcp
AM 85.209.133.18:4545 N/A tcp
AM 85.209.133.18:4545 N/A tcp
AM 85.209.133.18:4545 N/A tcp
AM 85.209.133.18:4545 N/A tcp
AM 85.209.133.18:4545 N/A tcp
AM 85.209.133.18:4545 N/A tcp
AM 85.209.133.18:4545 N/A tcp
AM 85.209.133.18:4545 N/A tcp
AM 85.209.133.18:4545 N/A tcp
AM 85.209.133.18:4545 N/A tcp

Files

memory/1848-0-0x000007FEF5A13000-0x000007FEF5A14000-memory.dmp

memory/1848-1-0x00000000009B0000-0x00000000009C8000-memory.dmp

memory/1848-3-0x000007FEF5A10000-0x000007FEF63FC000-memory.dmp

memory/1848-4-0x000007FEF5A10000-0x000007FEF63FC000-memory.dmp

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\94308059B57B3142E455B38A6EB92015

MD5 29f65ba8e88c063813cc50a4ea544e93
SHA1 05a7040d5c127e68c25d81cc51271ffb8bef3568
SHA256 1ed81fa8dfb6999a9fedc6e779138ffd99568992e22d300acd181a6d2c8de184
SHA512 e29b2e92c496245bed3372578074407e8ef8882906ce10c35b3c8deebfefe01b5fd7f3030acaa693e175f4b7aca6cd7d8d10ae1c731b09c5fa19035e005de3aa

C:\Users\Admin\AppData\Local\Temp\Tar3D84.tmp

MD5 435a9ac180383f9fa094131b173a2f7b
SHA1 76944ea657a9db94f9a4bef38f88c46ed4166983
SHA256 67dc37ed50b8e63272b49a254a6039ee225974f1d767bb83eb1fd80e759a7c34
SHA512 1a6b277611959720a9c71114957620517ad94541302f164eb872bd322292a952409bafb8bc2ac793b16ad5f25d83f8594ccff2b7834e3c2b2b941e6fc84c009a

memory/1848-92-0x000007FEF5A13000-0x000007FEF5A14000-memory.dmp

memory/1848-103-0x000007FEF5A10000-0x000007FEF63FC000-memory.dmp

memory/1848-124-0x000007FEF5A10000-0x000007FEF63FC000-memory.dmp