asyncrat | 375c43c645f68b4ee517958f959233dd55a108408a961e6e74bc901bf691494d | Triage

Submit
Reports

Overview

overview

Static

static

3caa5f0600...d5.exe

windows10-1703-x64

3caa5f0600...d5.exe

windows7-x64

3caa5f0600...d5.exe

windows10-2004-x64

3caa5f0600...d5.exe

windows11-21h2-x64

Resubmissions

23-05-2024 14:41

240523-r2kc1aef4v 10

Sharing

General

Target

3caa5f06008365fbecf46198744793c36c42309b49a6324bebe8123be10f87d5.zip
Size

35KB
Sample

240523-r2kc1aef4v
MD5

9ede2cdd05ef536550ea82faadcb0f64
SHA1

f8a48cc3a2eac967a9965218646bb981cd4cc454
SHA256

375c43c645f68b4ee517958f959233dd55a108408a961e6e74bc901bf691494d
SHA512

ea3bdb6b18548aef954406dab5db8c81e0b848d9596995887dd3d3f54636ecf953ccfb38eefb528dc7dd914a26bddf3eab92f31d75c4f4782556026ef556bd0e
SSDEEP

768:ywO6O3I2HIlotf4RSnTVSfQDRdhRZlroK63agjo++2qCyIFFATmZz2:ywOr3I2JfK0VbjoK63agjheCyIF2TmZC

Score

10^/10

asyncrat stormkitty default collection discovery evasion rat spyware stealer trojan

Static task

static1

rat default asyncrat

3 signatures

Behavioral task

behavioral1

Sample

3caa5f06008365fbecf46198744793c36c42309b49a6324bebe8123be10f87d5.exe

Resource

win10-20240404-en

asyncrat stormkitty default collection discovery evasion rat spyware stealer trojan

windows10-1703-x64

32 signatures

300 seconds

Behavioral task

behavioral2

Sample

3caa5f06008365fbecf46198744793c36c42309b49a6324bebe8123be10f87d5.exe

Resource

win7-20240508-en

asyncrat default discovery rat

windows7-x64

12 signatures

300 seconds

Behavioral task

behavioral3

Sample

3caa5f06008365fbecf46198744793c36c42309b49a6324bebe8123be10f87d5.exe

Resource

win10v2004-20240508-en

asyncrat stormkitty default collection discovery evasion rat spyware stealer trojan

windows10-2004-x64

32 signatures

300 seconds

Behavioral task

behavioral4

Sample

3caa5f06008365fbecf46198744793c36c42309b49a6324bebe8123be10f87d5.exe

Resource

win11-20240508-en

asyncrat stormkitty default collection discovery evasion rat spyware stealer trojan

windows11-21h2-x64

31 signatures

300 seconds

Malware Config

Extracted

Family

asyncrat

Version

Venom RAT + HVNC + Stealer + Grabber v6.0.3

Botnet

Default

C2

66.235.168.242:4449

Mutex

scgofjarww

Attributes

delay
1
install
true
install_file
Loader.exe
install_folder
%AppData%

aes.plain

Targets

- Target
  
  3caa5f06008365fbecf46198744793c36c42309b49a6324bebe8123be10f87d5
- Size
  
  74KB
- MD5
  
  7ac0adf482250172280defec7a7054da
- SHA1
  
  20a25f0da68c309d062c4628ead8b6f377ac7969
- SHA256
  
  3caa5f06008365fbecf46198744793c36c42309b49a6324bebe8123be10f87d5
- SHA512
  
  d03d033b931f3d39f95a1ec1cdc7d9014783f11b2438c265dd72c0bc34f9d5ced534a38c7c1c88ff930868fd9cf60521dd556b5c486c5cf364f798f39215a1aa
- SSDEEP
  
  1536:WUxQcxHCapCtGPMVCe9VdQuDI6H1bf/yBZUu7QzciLVclN:WUOcxHCoeGPMVCe9VdQsH1bfqvUwQzBY
Score

10^/10

asyncrat stormkitty default collection discovery evasion rat spyware stealer trojan
- AsyncRat
  AsyncRAT is designed to remotely monitor and control other computers written in C#.
  rat asyncrat
- Modifies Windows Defender Real-time Protection settings
  evasion trojan
- StormKitty
  StormKitty is an open source info stealer written in C#.
  stealer stormkitty
- StormKitty payload
- Suspicious use of NtCreateUserProcessOtherParentProcess
- UAC bypass
  evasion trojan
- Async RAT payload
  rat
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Executes dropped EXE
- Reads user/profile data of web browsers
  Infostealers often target stored browser data, which can include saved credentials etc.
  spyware stealer
- Accesses Microsoft Outlook profiles
  collection
- Checks installed software on the system
  Looks up Uninstall key entries in the registry to enumerate software on the system.
  discovery
- Checks whether UAC is enabled
  evasion trojan
- Legitimate hosting services abused for malware hosting/C2
- Looks up external IP address via web service
  Uses a legitimate IP lookup service to find the infected system's external IP.
- Looks up geolocation information via web service
  Uses a legitimate geolocation service to find the infected system's geolocation info.
behavioral1 behavioral2 behavioral3 behavioral4

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

Persistence

Create or Modify System Process

Windows Service

Scheduled Task/Job

Privilege Escalation

Abuse Elevation Control Mechanism

Bypass User Account Control

Create or Modify System Process

Windows Service

Scheduled Task/Job

Defense Evasion

Abuse Elevation Control Mechanism

Bypass User Account Control

Impair Defenses

Disable or Modify Tools

Modify Registry

Credential Access

Unsecured Credentials

Credentials In Files

Discovery

Query Registry

System Information Discovery

Lateral Movement

Collection

Data from Local System

Email Collection

Command and Control

Web Service

Exfiltration

Impact

Tasks

static1

ratdefaultasyncrat

behavioral1

asyncratstormkittydefaultcollectiondiscoveryevasionratspywarestealertrojan

behavioral2

asyncratdefaultdiscoveryrat

behavioral3

asyncratstormkittydefaultcollectiondiscoveryevasionratspywarestealertrojan

behavioral4

asyncratstormkittydefaultcollectiondiscoveryevasionratspywarestealertrojan

© 2018-2024

Terms | Privacy