Malware Analysis Report

2024-09-23 02:08

Sample ID 240620-ytldnazbrn
Target NETFLIX CHECKER 2024.rar
SHA256 3d629bec9197f53962123b063c1e77eec7f9a7360bd25aff32e3e36b8a49790d
Tags
asyncrat stormkitty default persistence privilege_escalation rat spyware stealer pyinstaller
Score 10/10

Analysis Overview

Score 10/10

SHA256

3d629bec9197f53962123b063c1e77eec7f9a7360bd25aff32e3e36b8a49790d

Threat Level: Known bad

The file NETFLIX CHECKER 2024.rar was found to be: Known bad.

Malicious Activity Summary

asyncrat stormkitty default persistence privilege_escalation rat spyware stealer pyinstaller

Asyncrat family

StormKitty payload

AsyncRat

StormKitty

Stormkitty family

Async RAT payload

Reads user/profile data of web browsers

Loads dropped DLL

Looks up external IP address via web service

Looks up geolocation information via web service

Drops desktop.ini file(s)

Unsigned PE

Event Triggered Execution: Netsh Helper DLL

Detects Pyinstaller

Enumerates physical storage devices

Runs net.exe

Suspicious use of SetWindowsHookEx

Scheduled Task/Job: Scheduled Task

Checks processor information in registry

Suspicious use of WriteProcessMemory

Suspicious behavior: EnumeratesProcesses

Suspicious use of AdjustPrivilegeToken

Modifies registry class

MITRE ATT&CK Matrix V13

Analysis: static1

Detonation Overview

Reported

2024-06-20 20:04

Signatures

Async RAT payload

rat
Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A

Asyncrat family

asyncrat

StormKitty payload

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A

Stormkitty family

stormkitty

Detects Pyinstaller

pyinstaller
Description Indicator Process Target
N/A N/A N/A N/A

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-06-20 20:04

Reported

2024-06-20 20:06

Platform

win10-20240404-en

Max time kernel

22s

Max time network

19s

Command Line

"C:\Users\Admin\AppData\Local\Temp\NETFLIX CHECK.exe"

Signatures

AsyncRat

rat asyncrat

StormKitty

stealer stormkitty

StormKitty payload

Description Indicator Process Target
N/A N/A N/A N/A

Reads user/profile data of web browsers

spyware stealer

Drops desktop.ini file(s)

Description Indicator Process Target
File created C:\Users\Admin\AppData\Local\6e55a2e1a075edf4f992008365a499a2\Admin@KZOWYSNI_en-US\Grabber\DRIVE-C\Users\Admin\Documents\desktop.ini C:\Users\Admin\AppData\Local\Temp\NETFLIX CHECK.exe N/A
File created C:\Users\Admin\AppData\Local\6e55a2e1a075edf4f992008365a499a2\Admin@KZOWYSNI_en-US\Grabber\DRIVE-C\Users\Admin\Pictures\desktop.ini C:\Users\Admin\AppData\Local\Temp\NETFLIX CHECK.exe N/A
File created C:\Users\Admin\AppData\Local\6e55a2e1a075edf4f992008365a499a2\Admin@KZOWYSNI_en-US\Grabber\DRIVE-C\Users\Admin\Pictures\Camera Roll\desktop.ini C:\Users\Admin\AppData\Local\Temp\NETFLIX CHECK.exe N/A
File created C:\Users\Admin\AppData\Local\6e55a2e1a075edf4f992008365a499a2\Admin@KZOWYSNI_en-US\Grabber\DRIVE-C\Users\Admin\Pictures\Saved Pictures\desktop.ini C:\Users\Admin\AppData\Local\Temp\NETFLIX CHECK.exe N/A
File created C:\Users\Admin\AppData\Local\6e55a2e1a075edf4f992008365a499a2\Admin@KZOWYSNI_en-US\Grabber\DRIVE-C\Users\Admin\Desktop\desktop.ini C:\Users\Admin\AppData\Local\Temp\NETFLIX CHECK.exe N/A
File created C:\Users\Admin\AppData\Local\6e55a2e1a075edf4f992008365a499a2\Admin@KZOWYSNI_en-US\Grabber\DRIVE-C\Users\Admin\Downloads\desktop.ini C:\Users\Admin\AppData\Local\Temp\NETFLIX CHECK.exe N/A
File opened for modification C:\Users\Admin\AppData\Local\6e55a2e1a075edf4f992008365a499a2\Admin@KZOWYSNI_en-US\Grabber\DRIVE-C\Users\Admin\Desktop\desktop.ini C:\Users\Admin\AppData\Local\Temp\NETFLIX CHECK.exe N/A
File opened for modification C:\Users\Admin\AppData\Local\6e55a2e1a075edf4f992008365a499a2\Admin@KZOWYSNI_en-US\Grabber\DRIVE-C\Users\Admin\Downloads\desktop.ini C:\Users\Admin\AppData\Local\Temp\NETFLIX CHECK.exe N/A

Looks up external IP address via web service

Description Indicator Process Target
N/A icanhazip.com N/A N/A

Looks up geolocation information via web service

Enumerates physical storage devices

Event Triggered Execution: Netsh Helper DLL

persistence privilege_escalation
Description Indicator Process Target
Key queried \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh C:\Windows\SysWOW64\netsh.exe N/A
Key value enumerated \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh C:\Windows\SysWOW64\netsh.exe N/A
Key opened \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh C:\Windows\SysWOW64\netsh.exe N/A
Key queried \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh C:\Windows\SysWOW64\netsh.exe N/A
Key value enumerated \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh C:\Windows\SysWOW64\netsh.exe N/A
Key opened \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh C:\Windows\SysWOW64\netsh.exe N/A

Checks processor information in registry

Description Indicator Process Target
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier C:\Users\Admin\AppData\Local\Temp\NETFLIX CHECK.exe N/A
Key opened \REGISTRY\MACHINE\HARDWARE\Description\System\CentralProcessor\0 C:\Users\Admin\AppData\Local\Temp\NETFLIX CHECK.exe N/A

Scheduled Task/Job: Scheduled Task

persistence execution
Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\schtasks.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\NETFLIX CHECK.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\NETFLIX CHECK.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 4228 wrote to memory of 1560 N/A C:\Users\Admin\AppData\Local\Temp\NETFLIX CHECK.exe C:\Windows\SysWOW64\cmd.exe
PID 4228 wrote to memory of 1560 N/A C:\Users\Admin\AppData\Local\Temp\NETFLIX CHECK.exe C:\Windows\SysWOW64\cmd.exe
PID 4228 wrote to memory of 1560 N/A C:\Users\Admin\AppData\Local\Temp\NETFLIX CHECK.exe C:\Windows\SysWOW64\cmd.exe
PID 1560 wrote to memory of 3360 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\chcp.com
PID 1560 wrote to memory of 3360 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\chcp.com
PID 1560 wrote to memory of 3360 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\chcp.com
PID 1560 wrote to memory of 2028 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\netsh.exe
PID 1560 wrote to memory of 2028 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\netsh.exe
PID 1560 wrote to memory of 2028 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\netsh.exe
PID 1560 wrote to memory of 3348 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\findstr.exe
PID 1560 wrote to memory of 3348 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\findstr.exe
PID 1560 wrote to memory of 3348 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\findstr.exe
PID 4228 wrote to memory of 924 N/A C:\Users\Admin\AppData\Local\Temp\NETFLIX CHECK.exe C:\Windows\SysWOW64\cmd.exe
PID 4228 wrote to memory of 924 N/A C:\Users\Admin\AppData\Local\Temp\NETFLIX CHECK.exe C:\Windows\SysWOW64\cmd.exe
PID 4228 wrote to memory of 924 N/A C:\Users\Admin\AppData\Local\Temp\NETFLIX CHECK.exe C:\Windows\SysWOW64\cmd.exe
PID 924 wrote to memory of 2312 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\chcp.com
PID 924 wrote to memory of 2312 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\chcp.com
PID 924 wrote to memory of 2312 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\chcp.com
PID 924 wrote to memory of 4576 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\netsh.exe
PID 924 wrote to memory of 4576 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\netsh.exe
PID 924 wrote to memory of 4576 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\netsh.exe
PID 4228 wrote to memory of 4468 N/A C:\Users\Admin\AppData\Local\Temp\NETFLIX CHECK.exe C:\Windows\SysWOW64\schtasks.exe
PID 4228 wrote to memory of 4468 N/A C:\Users\Admin\AppData\Local\Temp\NETFLIX CHECK.exe C:\Windows\SysWOW64\schtasks.exe
PID 4228 wrote to memory of 4468 N/A C:\Users\Admin\AppData\Local\Temp\NETFLIX CHECK.exe C:\Windows\SysWOW64\schtasks.exe

Processes

C:\Users\Admin\AppData\Local\Temp\NETFLIX CHECK.exe

"C:\Users\Admin\AppData\Local\Temp\NETFLIX CHECK.exe"

C:\Windows\SysWOW64\cmd.exe

"cmd.exe" /C chcp 65001 && netsh wlan show profile | findstr All

C:\Windows\SysWOW64\chcp.com

chcp 65001

C:\Windows\SysWOW64\netsh.exe

netsh wlan show profile

C:\Windows\SysWOW64\findstr.exe

findstr All

C:\Windows\SysWOW64\cmd.exe

"cmd.exe" /C chcp 65001 && netsh wlan show networks mode=bssid

C:\Windows\SysWOW64\chcp.com

chcp 65001

C:\Windows\SysWOW64\netsh.exe

netsh wlan show networks mode=bssid

C:\Windows\SysWOW64\schtasks.exe

"C:\Windows\System32\schtasks.exe" /create /f /sc ONLOGON /RL HIGHEST /tn "Chrome Update" /tr "C:\Users\Admin\AppData\Local\Temp\NETFLIX CHECK.exe"

Network

Country Destination Domain Proto
US 8.8.8.8:53 icanhazip.com udp
US 104.16.185.241:80 icanhazip.com tcp
US 8.8.8.8:53 api.mylnikov.org udp
US 172.67.196.114:443 api.mylnikov.org tcp
US 8.8.8.8:53 241.185.16.104.in-addr.arpa udp
US 8.8.8.8:53 114.196.67.172.in-addr.arpa udp
US 8.8.8.8:53 api.telegram.org udp
NL 149.154.167.220:443 api.telegram.org tcp
NL 149.154.167.220:443 api.telegram.org tcp
US 8.8.8.8:53 220.167.154.149.in-addr.arpa udp
NL 149.154.167.220:443 api.telegram.org tcp
N/A 127.0.0.1:8808 tcp
US 8.8.8.8:53 google.com udp

Files

memory/4228-0-0x0000000073E4E000-0x0000000073E4F000-memory.dmp

memory/4228-1-0x0000000000B30000-0x0000000000B70000-memory.dmp

memory/4228-2-0x00000000053B0000-0x0000000005416000-memory.dmp

memory/4228-3-0x0000000073E40000-0x000000007452E000-memory.dmp

memory/4228-4-0x00000000060A0000-0x000000000659E000-memory.dmp

memory/4228-5-0x0000000005C40000-0x0000000005CD2000-memory.dmp

C:\Users\Admin\AppData\Local\6e55a2e1a075edf4f992008365a499a2\Admin@KZOWYSNI_en-US\System\Process.txt

MD5 64704f321f1a411937c7c1c8aa3a9967
SHA1 88b0d52b0978cd9fc05466b315a4fcef550e7766
SHA256 b0438117c19c38988b6ad7f4497c4cf36a016bbc5d02025aaa5e6bbecfe6bc18
SHA512 3f220dec8fc79d7dd963296dbca1260eda842b8dba2a7a24755b17d54d1e60e890f0017bc4173bd822941a2bd636d994e56fe7c054160a13b086ad29c02fc1e8

memory/4228-121-0x0000000073E40000-0x000000007452E000-memory.dmp

memory/4228-125-0x0000000006080000-0x000000000608A000-memory.dmp

C:\Users\Admin\AppData\Local\fc0fc587d9be559b26d1a0354bfed02a\msgid.dat

MD5 d04863f100d59b3eb688a11f95b0ae60
SHA1 161b3433de41cf002e6ec4360a6393793ee80ff1
SHA256 858a794b9a1df6e2fa1e6258cafa1f3df7f31ff877c887107e245163fa52fbdc
SHA512 e698cbd129061b1b01844ce5901069af1eb849450f470a6075ab7406d8ca689a328696ebc6e090f8c7db465f27579030ee280ac518ef344af097a764d83b8813

memory/4228-131-0x0000000007000000-0x0000000007012000-memory.dmp

memory/4228-155-0x0000000007BF0000-0x0000000007BFA000-memory.dmp

memory/4228-156-0x0000000073E4E000-0x0000000073E4F000-memory.dmp

memory/4228-157-0x0000000073E40000-0x000000007452E000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted

2024-06-20 20:04

Reported

2024-06-20 20:06

Platform

win10-20240404-en

Max time kernel

16s

Max time network

18s

Command Line

"C:\Users\Admin\AppData\Local\Temp\NETFLIX CHECKER .exe"

Signatures

Looks up external IP address via web service

Description Indicator Process Target
N/A api.ipify.org N/A N/A
N/A api.ipify.org N/A N/A

Runs net.exe

Processes

C:\Users\Admin\AppData\Local\Temp\NETFLIX CHECKER .exe

"C:\Users\Admin\AppData\Local\Temp\NETFLIX CHECKER .exe"

C:\Users\Admin\AppData\Local\Temp\NETFLIX CHECKER .exe

"C:\Users\Admin\AppData\Local\Temp\NETFLIX CHECKER .exe"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c net user %username% @virusbug1

C:\Windows\system32\net.exe

net user Admin @virusbug1

C:\Windows\system32\net1.exe

C:\Windows\system32\net1 user Admin @virusbug1

Network

Country Destination Domain Proto
US 8.8.8.8:53 api.ipify.org udp
US 172.67.74.152:443 api.ipify.org tcp
US 8.8.8.8:53 0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.8.0.8.0.8.0.8.0.ip6.arpa udp
US 8.8.8.8:53 api.telegram.org udp
NL 149.154.167.220:443 api.telegram.org tcp
US 8.8.8.8:53 152.74.67.172.in-addr.arpa udp
NL 149.154.167.220:443 api.telegram.org tcp
US 8.8.8.8:53 220.167.154.149.in-addr.arpa udp

Files

C:\Users\Admin\AppData\Local\Temp\_MEI47402\python312.dll

MD5 550288a078dffc3430c08da888e70810
SHA1 01b1d31f37fb3fd81d893cc5e4a258e976f5884f
SHA256 789a42ac160cef98f8925cb347473eeeb4e70f5513242e7faba5139ba06edf2d
SHA512 7244432fc3716f7ef27630d4e8fbc8180a2542aa97a01d44dca260ab43966dd8ac98b6023400b0478a4809aace1a128f1f4d6e544f2e591a5b436fd4c8a9d723

C:\Users\Admin\AppData\Local\Temp\_MEI47402\VCRUNTIME140.dll

MD5 be8dbe2dc77ebe7f88f910c61aec691a
SHA1 a19f08bb2b1c1de5bb61daf9f2304531321e0e40
SHA256 4d292623516f65c80482081e62d5dadb759dc16e851de5db24c3cbb57b87db83
SHA512 0da644472b374f1da449a06623983d0477405b5229e386accadb154b43b8b083ee89f07c3f04d2c0c7501ead99ad95aecaa5873ff34c5eeb833285b598d5a655

C:\Users\Admin\AppData\Local\Temp\_MEI47402\base_library.zip

MD5 630153ac2b37b16b8c5b0dbb69a3b9d6
SHA1 f901cd701fe081489b45d18157b4a15c83943d9d
SHA256 ec4e6b8e9f6f1f4b525af72d3a6827807c7a81978cb03db5767028ebea283be2
SHA512 7e3a434c8df80d32e66036d831cbd6661641c0898bd0838a07038b460261bf25b72a626def06d0faa692caf64412ca699b1fa7a848fe9d969756e097cba39e41

C:\Users\Admin\AppData\Local\Temp\_MEI47402\_ctypes.pyd

MD5 2a834c3738742d45c0a06d40221cc588
SHA1 606705a593631d6767467fb38f9300d7cd04ab3e
SHA256 f20dfa748b878751ea1c4fe77a230d65212720652b99c4e5577bce461bbd9089
SHA512 924235a506ce4d635fa7c2b34e5d8e77eff73f963e58e29c6ef89db157bf7bab587678bb2120d09da70594926d82d87dbaa5d247e861e331cf591d45ea19a117

C:\Users\Admin\AppData\Local\Temp\_MEI47402\libffi-8.dll

MD5 0f8e4992ca92baaf54cc0b43aaccce21
SHA1 c7300975df267b1d6adcbac0ac93fd7b1ab49bd2
SHA256 eff52743773eb550fcc6ce3efc37c85724502233b6b002a35496d828bd7b280a
SHA512 6e1b223462dc124279bfca74fd2c66fe18b368ffbca540c84e82e0f5bcbea0e10cc243975574fa95ace437b9d8b03a446ed5ee0c9b1b094147cefaf704dfe978

C:\Users\Admin\AppData\Local\Temp\_MEI47402\libcrypto-3.dll

MD5 e547cf6d296a88f5b1c352c116df7c0c
SHA1 cafa14e0367f7c13ad140fd556f10f320a039783
SHA256 05fe080eab7fc535c51e10c1bd76a2f3e6217f9c91a25034774588881c3f99de
SHA512 9f42edf04c7af350a00fa4fdf92b8e2e6f47ab9d2d41491985b20cd0adde4f694253399f6a88f4bdd765c4f49792f25fb01e84ec03fd5d0be8bb61773d77d74d

C:\Users\Admin\AppData\Local\Temp\_MEI47402\libssl-3.dll

MD5 19a2aba25456181d5fb572d88ac0e73e
SHA1 656ca8cdfc9c3a6379536e2027e93408851483db
SHA256 2e9fbcd8f7fdc13a5179533239811456554f2b3aa2fb10e1b17be0df81c79006
SHA512 df17dc8a882363a6c5a1b78ba3cf448437d1118ccc4a6275cc7681551b13c1a4e0f94e30ffb94c3530b688b62bff1c03e57c2c185a7df2bf3e5737a06e114337

C:\Users\Admin\AppData\Local\Temp\_MEI47402\pyexpat.pyd

MD5 f179c9bdd86a2a218a5bf9f0f1cf6cd9
SHA1 4544fb23d56cc76338e7f71f12f58c5fe89d0d76
SHA256 c42874e2cf034fb5034f0be35f7592b8a96e8903218da42e6650c504a85b37cc
SHA512 3464ece5c6a0e95ef6136897b70a96c69e552d28bfedd266f13eec840e36ec2286a1fb8973b212317de6fe3e93d7d7cc782eb6fc3d6a2a8f006b34f6443498de

C:\Users\Admin\AppData\Local\Temp\_MEI47402\_wmi.pyd

MD5 c1654ebebfeeda425eade8b77ca96de5
SHA1 a4a150f1c810077b6e762f689c657227cc4fd257
SHA256 aa1443a715fbf84a84f39bd89707271fc11a77b597d7324ce86fc5cfa56a63a9
SHA512 21705b991e75efd5e59b8431a3b19ae5fcc38a3e7f137a9d52acd24e7f67d61758e48abc1c9c0d4314fa02010a1886c15ead5bca8dca1b1d4ccbfc3c589d342e

C:\Users\Admin\AppData\Local\Temp\_MEI47402\_ssl.pyd

MD5 ddb21bd1acde4264754c49842de7ebc9
SHA1 80252d0e35568e68ded68242d76f2a5d7e00001e
SHA256 72bb15cd8c14ba008a52d23cdcfc851a9a4bde13deee302a5667c8ad60f94a57
SHA512 464520ecd1587f5cede6219faac2c903ee41d0e920bf3c9c270a544b040169dcd17a4e27f6826f480d4021077ab39a6cbbd35ebb3d71672ebb412023bc9e182a

C:\Users\Admin\AppData\Local\Temp\_MEI47402\_socket.pyd

MD5 9c6283cc17f9d86106b706ec4ea77356
SHA1 af4f2f52ce6122f340e5ea1f021f98b1ffd6d5b6
SHA256 5cc62aac52edf87916deb4ebbad9abb58a6a3565b32e7544f672aca305c38027
SHA512 11fd6f570dd78f8ff00be645e47472a96daffa3253e8bd29183bccde3f0746f7e436a106e9a68c57cc05b80a112365441d06cc719d51c906703b428a32c93124

C:\Users\Admin\AppData\Local\Temp\_MEI47402\_queue.pyd

MD5 f3eca4f0b2c6c17ace348e06042981a4
SHA1 eb694dda8ff2fe4ccae876dc0515a8efec40e20e
SHA256 fb57ee6adf6e7b11451b6920ddd2fb943dcd9561c9eae64fdda27c7ed0bc1b04
SHA512 604593460666045ca48f63d4b14fa250f9c4b9e5c7e228cc9202e7692c125aacb0018b89faa562a4197692a9bc3d2382f9e085b305272ee0a39264a2a0f53b75

C:\Users\Admin\AppData\Local\Temp\_MEI47402\_lzma.pyd

MD5 b71dbe0f137ffbda6c3a89d5bcbf1017
SHA1 a2e2bdc40fdb83cc625c5b5e8a336ca3f0c29c5f
SHA256 6216173194b29875e84963cd4dc4752f7ca9493f5b1fd7e4130ca0e411c8ac6a
SHA512 9a5c7b1e25d8e1b5738f01aedfd468c1837f1ac8dd4a5b1d24ce86dcae0db1c5b20f2ff4280960bc523aee70b71db54fd515047cdaf10d21a8bec3ebd6663358

C:\Users\Admin\AppData\Local\Temp\_MEI47402\_hashlib.pyd

MD5 b0262bd89a59a3699bfa75c4dcc3ee06
SHA1 eb658849c646a26572dea7f6bfc042cb62fb49dc
SHA256 4adfbbd6366d9b55d902fc54d2b42e7c8c989a83016ed707bd7a302fc3fc7b67
SHA512 2e4b214de3b306e3a16124af434ff8f5ab832aa3eeb1aa0aa9b49b0ada0928dcbb05c57909292fbe3b01126f4cd3fe0dac9cc15eaea5f3844d6e267865b9f7b1

C:\Users\Admin\AppData\Local\Temp\_MEI47402\_decimal.pyd

MD5 f930b7550574446a015bc602d59b0948
SHA1 4ee6ff8019c6c540525bdd2790fc76385cdd6186
SHA256 3b9ad1d2bc9ec03d37da86135853dac73b3fe851b164fe52265564a81eb8c544
SHA512 10b864975945d6504433554f9ff11b47218caa00f809c6bce00f9e4089b862190a4219f659697a4ba5e5c21edbe1d8d325950921e09371acc4410469bd9189ee

C:\Users\Admin\AppData\Local\Temp\_MEI47402\_bz2.pyd

MD5 59d60a559c23202beb622021af29e8a9
SHA1 a405f23916833f1b882f37bdbba2dd799f93ea32
SHA256 706d4a0c26dd454538926cbb2ff6c64257c3d9bd48c956f7cabd6def36ffd13e
SHA512 2f60e79603cf456b2a14b8254cec75ce8be0a28d55a874d4fb23d92d63bbe781ed823ab0f4d13a23dc60c4df505cbf1dbe1a0a2049b02e4bdec8d374898002b1

C:\Users\Admin\AppData\Local\Temp\_MEI47402\unicodedata.pyd

MD5 04f35d7eec1f6b72bab9daf330fd0d6b
SHA1 ecf0c25ba7adf7624109e2720f2b5930cd2dba65
SHA256 be942308d99cc954931fe6f48ed8cc7a57891ccbe99aae728121bcda1fd929ab
SHA512 3da405e4c1371f4b265e744229dcc149491a112a2b7ea8e518d5945f8c259cad15583f25592b35ec8a344e43007ae00da9673822635ee734d32664f65c9c8d9b

C:\Users\Admin\AppData\Local\Temp\_MEI47402\select.pyd

MD5 8a273f518973801f3c63d92ad726ec03
SHA1 069fc26b9bd0f6ea3f9b3821ad7c812fd94b021f
SHA256 af358285a7450de6e2e5e7ff074f964d6a257fb41d9eb750146e03c7dda503ca
SHA512 7fedae0573ecb3946ede7d0b809a98acad3d4c95d6c531a40e51a31bdb035badc9f416d8aaa26463784ff2c5e7a0cc2c793d62b5fdb2b8e9fad357f93d3a65f8

C:\Users\Admin\AppData\Local\Temp\_MEI47402\charset_normalizer\md.cp312-win_amd64.pyd

MD5 d9e0217a89d9b9d1d778f7e197e0c191
SHA1 ec692661fcc0b89e0c3bde1773a6168d285b4f0d
SHA256 ecf12e2c0a00c0ed4e2343ea956d78eed55e5a36ba49773633b2dfe7b04335c0
SHA512 3b788ac88c1f2d682c1721c61d223a529697c7e43280686b914467b3b39e7d6debaff4c0e2f42e9dddb28b522f37cb5a3011e91c66d911609c63509f9228133d

C:\Users\Admin\AppData\Local\Temp\_MEI47402\charset_normalizer\md__mypyc.cp312-win_amd64.pyd

MD5 bf9a9da1cf3c98346002648c3eae6dcf
SHA1 db16c09fdc1722631a7a9c465bfe173d94eb5d8b
SHA256 4107b1d6f11d842074a9f21323290bbe97e8eed4aa778fbc348ee09cc4fa4637
SHA512 7371407d12e632fc8fb031393838d36e6a1fe1e978ced36ff750d84e183cde6dd20f75074f4597742c9f8d6f87af12794c589d596a81b920c6c62ee2ba2e5654

C:\Users\Admin\AppData\Local\Temp\_MEI47402\PIL\_imaging.cp312-win_amd64.pyd

MD5 0376776f076cd4f4ac15ec4d813c5470
SHA1 381f84735a11ace4673d8be53138e652d4415413
SHA256 a7ddf4d7cab08676bb88a42059353c5374600901b3ab880e17ee1a0d0150c380
SHA512 06d68b9e5daf90d05855bf2c57b6110bfc2f20f4731b023b5aaa39145fd3ab66525d39988b8516731045ad16a89eb0457487dd080aeb347ba24a2e47ece98bbd

C:\Users\Admin\AppData\Local\Temp\_MEI47402\certifi\cacert.pem

MD5 d3e74c9d33719c8ab162baa4ae743b27
SHA1 ee32f2ccd4bc56ca68441a02bf33e32dc6205c2b
SHA256 7a347ca8fef6e29f82b6e4785355a6635c17fa755e0940f65f15aa8fc7bd7f92
SHA512 e0fb35d6901a6debbf48a0655e2aa1040700eb5166e732ae2617e89ef5e6869e8ddd5c7875fa83f31d447d4abc3db14bffd29600c9af725d9b03f03363469b4c

C:\Users\Admin\AppData\Local\Temp\_MEI47402\PIL\_imagingmath.cp312-win_amd64.pyd

MD5 8f67156ce61c7de23e19f9445c8ba504
SHA1 b9e344fe41b3fc77ce0012930b7ed9af47eb500c
SHA256 8287a2a551bd99b5d55e18e461fedb3704b74b0fb60f1e0881c792f90a18ce46
SHA512 f70f24cef7475547f5b29d1ae6db7bd1de6d1aa906e21705e40ed5c18f4f059ce9bb14dfd353776efc08b985881a102dea1948632edccacf76cc72d126651eb0

Analysis: behavioral3

Detonation Overview

Submitted

2024-06-20 20:04

Reported

2024-06-20 20:06

Platform

win10-20240404-en

Max time kernel

15s

Max time network

18s

Command Line

cmd /c C:\Users\Admin\AppData\Local\Temp\rdp_via_virusbug1.pyc

Signatures

Enumerates physical storage devices

Modifies registry class

Description Indicator Process Target
Key created \REGISTRY\USER\S-1-5-21-873560699-1074803302-2326074425-1000_Classes\Local Settings C:\Windows\system32\cmd.exe N/A
Key created \REGISTRY\USER\S-1-5-21-873560699-1074803302-2326074425-1000_Classes\Local Settings C:\Windows\system32\OpenWith.exe N/A

Suspicious use of SetWindowsHookEx

Description Indicator Process Target
N/A N/A C:\Windows\system32\OpenWith.exe N/A

Processes

C:\Windows\system32\cmd.exe

cmd /c C:\Users\Admin\AppData\Local\Temp\rdp_via_virusbug1.pyc

C:\Windows\system32\OpenWith.exe

C:\Windows\system32\OpenWith.exe -Embedding

Network

N/A

Files

N/A

Analysis: behavioral4

Detonation Overview

Submitted

2024-06-20 20:04

Reported

2024-06-20 20:06

Platform

win10-20240404-en

Max time kernel

30s

Max time network

18s

Command Line

"C:\Users\Admin\AppData\Local\Temp\netflx proxy Tools.exe"

Signatures

AsyncRat

rat asyncrat

StormKitty

stealer stormkitty

StormKitty payload

Description Indicator Process Target
N/A N/A N/A N/A

Reads user/profile data of web browsers

spyware stealer

Drops desktop.ini file(s)

Description Indicator Process Target
File created C:\Users\Admin\AppData\Local\ba70cfc6dbad7c3e9bb7f0352bbcd93c\Admin@FCXHTLHL_en-US\Grabber\DRIVE-C\Users\Admin\Downloads\desktop.ini C:\Users\Admin\AppData\Local\Temp\netflx proxy Tools.exe N/A
File opened for modification C:\Users\Admin\AppData\Local\ba70cfc6dbad7c3e9bb7f0352bbcd93c\Admin@FCXHTLHL_en-US\Grabber\DRIVE-C\Users\Admin\Downloads\desktop.ini C:\Users\Admin\AppData\Local\Temp\netflx proxy Tools.exe N/A
File created C:\Users\Admin\AppData\Local\ba70cfc6dbad7c3e9bb7f0352bbcd93c\Admin@FCXHTLHL_en-US\Grabber\DRIVE-C\Users\Admin\Pictures\desktop.ini C:\Users\Admin\AppData\Local\Temp\netflx proxy Tools.exe N/A
File created C:\Users\Admin\AppData\Local\ba70cfc6dbad7c3e9bb7f0352bbcd93c\Admin@FCXHTLHL_en-US\Grabber\DRIVE-C\Users\Admin\Desktop\desktop.ini C:\Users\Admin\AppData\Local\Temp\netflx proxy Tools.exe N/A
File created C:\Users\Admin\AppData\Local\ba70cfc6dbad7c3e9bb7f0352bbcd93c\Admin@FCXHTLHL_en-US\Grabber\DRIVE-C\Users\Admin\Pictures\Camera Roll\desktop.ini C:\Users\Admin\AppData\Local\Temp\netflx proxy Tools.exe N/A
File created C:\Users\Admin\AppData\Local\ba70cfc6dbad7c3e9bb7f0352bbcd93c\Admin@FCXHTLHL_en-US\Grabber\DRIVE-C\Users\Admin\Pictures\Saved Pictures\desktop.ini C:\Users\Admin\AppData\Local\Temp\netflx proxy Tools.exe N/A
File created C:\Users\Admin\AppData\Local\ba70cfc6dbad7c3e9bb7f0352bbcd93c\Admin@FCXHTLHL_en-US\Grabber\DRIVE-C\Users\Admin\Documents\desktop.ini C:\Users\Admin\AppData\Local\Temp\netflx proxy Tools.exe N/A
File opened for modification C:\Users\Admin\AppData\Local\ba70cfc6dbad7c3e9bb7f0352bbcd93c\Admin@FCXHTLHL_en-US\Grabber\DRIVE-C\Users\Admin\Documents\desktop.ini C:\Users\Admin\AppData\Local\Temp\netflx proxy Tools.exe N/A

Looks up external IP address via web service

Description Indicator Process Target
N/A icanhazip.com N/A N/A

Looks up geolocation information via web service

Enumerates physical storage devices

Event Triggered Execution: Netsh Helper DLL

persistence privilege_escalation
Description Indicator Process Target
Key value enumerated \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh C:\Windows\SysWOW64\netsh.exe N/A
Key opened \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh C:\Windows\SysWOW64\netsh.exe N/A
Key queried \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh C:\Windows\SysWOW64\netsh.exe N/A
Key value enumerated \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh C:\Windows\SysWOW64\netsh.exe N/A
Key opened \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh C:\Windows\SysWOW64\netsh.exe N/A
Key queried \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh C:\Windows\SysWOW64\netsh.exe N/A

Checks processor information in registry

Description Indicator Process Target
Key opened \REGISTRY\MACHINE\HARDWARE\Description\System\CentralProcessor\0 C:\Users\Admin\AppData\Local\Temp\netflx proxy Tools.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier C:\Users\Admin\AppData\Local\Temp\netflx proxy Tools.exe N/A

Scheduled Task/Job: Scheduled Task

persistence execution
Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\schtasks.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\netflx proxy Tools.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\netflx proxy Tools.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\netflx proxy Tools.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\netflx proxy Tools.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\netflx proxy Tools.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\netflx proxy Tools.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\netflx proxy Tools.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\netflx proxy Tools.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\netflx proxy Tools.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\netflx proxy Tools.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\netflx proxy Tools.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\netflx proxy Tools.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\netflx proxy Tools.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\netflx proxy Tools.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\netflx proxy Tools.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\netflx proxy Tools.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\netflx proxy Tools.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\netflx proxy Tools.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\netflx proxy Tools.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\netflx proxy Tools.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\netflx proxy Tools.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\netflx proxy Tools.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\netflx proxy Tools.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\netflx proxy Tools.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\netflx proxy Tools.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\netflx proxy Tools.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\netflx proxy Tools.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\netflx proxy Tools.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\netflx proxy Tools.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 1680 wrote to memory of 5044 N/A C:\Users\Admin\AppData\Local\Temp\netflx proxy Tools.exe C:\Windows\SysWOW64\cmd.exe
PID 1680 wrote to memory of 5044 N/A C:\Users\Admin\AppData\Local\Temp\netflx proxy Tools.exe C:\Windows\SysWOW64\cmd.exe
PID 1680 wrote to memory of 5044 N/A C:\Users\Admin\AppData\Local\Temp\netflx proxy Tools.exe C:\Windows\SysWOW64\cmd.exe
PID 5044 wrote to memory of 4928 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\chcp.com
PID 5044 wrote to memory of 4928 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\chcp.com
PID 5044 wrote to memory of 4928 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\chcp.com
PID 5044 wrote to memory of 4480 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\netsh.exe
PID 5044 wrote to memory of 4480 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\netsh.exe
PID 5044 wrote to memory of 4480 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\netsh.exe
PID 5044 wrote to memory of 996 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\findstr.exe
PID 5044 wrote to memory of 996 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\findstr.exe
PID 5044 wrote to memory of 996 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\findstr.exe
PID 1680 wrote to memory of 1228 N/A C:\Users\Admin\AppData\Local\Temp\netflx proxy Tools.exe C:\Windows\SysWOW64\cmd.exe
PID 1680 wrote to memory of 1228 N/A C:\Users\Admin\AppData\Local\Temp\netflx proxy Tools.exe C:\Windows\SysWOW64\cmd.exe
PID 1680 wrote to memory of 1228 N/A C:\Users\Admin\AppData\Local\Temp\netflx proxy Tools.exe C:\Windows\SysWOW64\cmd.exe
PID 1228 wrote to memory of 700 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\chcp.com
PID 1228 wrote to memory of 700 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\chcp.com
PID 1228 wrote to memory of 700 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\chcp.com
PID 1228 wrote to memory of 4260 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\netsh.exe
PID 1228 wrote to memory of 4260 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\netsh.exe
PID 1228 wrote to memory of 4260 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\netsh.exe
PID 1680 wrote to memory of 4016 N/A C:\Users\Admin\AppData\Local\Temp\netflx proxy Tools.exe C:\Windows\SysWOW64\schtasks.exe
PID 1680 wrote to memory of 4016 N/A C:\Users\Admin\AppData\Local\Temp\netflx proxy Tools.exe C:\Windows\SysWOW64\schtasks.exe
PID 1680 wrote to memory of 4016 N/A C:\Users\Admin\AppData\Local\Temp\netflx proxy Tools.exe C:\Windows\SysWOW64\schtasks.exe

Processes

C:\Users\Admin\AppData\Local\Temp\netflx proxy Tools.exe

"C:\Users\Admin\AppData\Local\Temp\netflx proxy Tools.exe"

C:\Windows\SysWOW64\cmd.exe

"cmd.exe" /C chcp 65001 && netsh wlan show profile | findstr All

C:\Windows\SysWOW64\chcp.com

chcp 65001

C:\Windows\SysWOW64\netsh.exe

netsh wlan show profile

C:\Windows\SysWOW64\findstr.exe

findstr All

C:\Windows\SysWOW64\cmd.exe

"cmd.exe" /C chcp 65001 && netsh wlan show networks mode=bssid

C:\Windows\SysWOW64\chcp.com

chcp 65001

C:\Windows\SysWOW64\netsh.exe

netsh wlan show networks mode=bssid

C:\Windows\SysWOW64\schtasks.exe

"C:\Windows\System32\schtasks.exe" /create /f /sc ONLOGON /RL HIGHEST /tn "Chrome Update" /tr "C:\Users\Admin\AppData\Local\Temp\netflx proxy Tools.exe"

Network

Country Destination Domain Proto
US 8.8.8.8:53 icanhazip.com udp
US 104.16.184.241:80 icanhazip.com tcp
US 8.8.8.8:53 api.mylnikov.org udp
US 104.21.44.66:443 api.mylnikov.org tcp
US 8.8.8.8:53 api.telegram.org udp
NL 149.154.167.220:443 api.telegram.org tcp
US 8.8.8.8:53 241.184.16.104.in-addr.arpa udp
US 8.8.8.8:53 66.44.21.104.in-addr.arpa udp
US 8.8.8.8:53 220.167.154.149.in-addr.arpa udp
NL 149.154.167.220:443 api.telegram.org tcp
NL 149.154.167.220:443 api.telegram.org tcp
N/A 127.0.0.1:7707 tcp
US 8.8.8.8:53 google.com udp

Files

memory/1680-0-0x000000007387E000-0x000000007387F000-memory.dmp

memory/1680-1-0x0000000000040000-0x0000000000080000-memory.dmp

memory/1680-2-0x0000000004920000-0x0000000004986000-memory.dmp

memory/1680-3-0x0000000073870000-0x0000000073F5E000-memory.dmp

memory/1680-4-0x0000000005450000-0x000000000594E000-memory.dmp

memory/1680-5-0x0000000005030000-0x00000000050C2000-memory.dmp

C:\Users\Admin\AppData\Local\ba70cfc6dbad7c3e9bb7f0352bbcd93c\Admin@FCXHTLHL_en-US\System\Process.txt

MD5 545f775d19f32a17bd0b17618b218206
SHA1 7e7b71036d7e308e96aea0c231ef448b77bba719
SHA256 fd148a0b604067c3c1e2ff063a1e8a7f459c48ff6ee6222050c6823c12c28d6c
SHA512 2cd425b35784dacdbe160f97b0c943aeef8b72d557e4181f3583cae6e2b6ebca7611f00ca3b3e557d6c278d428edc4e5e6e1b58cb5a2722d49b415eec74797f9

memory/1680-120-0x0000000073870000-0x0000000073F5E000-memory.dmp

memory/1680-124-0x0000000005E90000-0x0000000005E9A000-memory.dmp

C:\Users\Admin\AppData\Local\e996da5f4a06e2f64c84d2ec4c11e3d6\msgid.dat

MD5 1a68e5f4ade56ed1d4bf273e55510750
SHA1 2290997cf4140b73fb0faa6eee588bd0aa0403cf
SHA256 23cd823b961b630ed4052bcb4fde5247f69eb59433c00b541abe8bde8d0bdbeb
SHA512 1bc04cf1d34fd5e1ebdddd5fa341fd0655331d115dfcc411203125d8a48836f32dc824f7608b00105bb538a4f45b7bd3287a204c0a9f39b10ca423ac436a2680

memory/1680-130-0x0000000006500000-0x0000000006512000-memory.dmp

memory/1680-154-0x0000000007120000-0x000000000712A000-memory.dmp

memory/1680-155-0x000000007387E000-0x000000007387F000-memory.dmp

memory/1680-156-0x0000000073870000-0x0000000073F5E000-memory.dmp

memory/1680-157-0x0000000073870000-0x0000000073F5E000-memory.dmp