asyncrat | 52d77f0c17e871983e761c9fef3b93b1b3263878fd91caa330bd1a1bc8c75355

Analysis

max time kernel
429s
max time network
599s
platform
windows11-21h2_x64
resource
win11-20240709-en
resource tags

arch:x64arch:x86image:win11-20240709-enlocale:en-usos:windows11-21h2-x64system
submitted
09/07/2024, 22:17

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

CCXProcess.exe
Size

127KB
MD5

8fc1ba33db2aeb28138bbafe4708c834
SHA1

7f645dccb5c0641079ab42a44d48903400bfd0cf
SHA256

52d77f0c17e871983e761c9fef3b93b1b3263878fd91caa330bd1a1bc8c75355
SHA512

ac24efdc015deb986a6963b1b92276b54715266d3c15edfb0325f63aa7462434b8539220cc1c3aafacb3f6eb1e3d097bf4f58bc9bfecf00d839ad6ea11784ee2
SSDEEP

3072:rUFcxoyXkiPMVDqgiH1brxVyqQCguKMkDEi4Y:rVkiPMV+VbT5rgNEv

Score

10^/10

asyncrat stormkitty c2 collection discovery persistence privilege_escalation rat spyware stealer

Malware Config

Extracted

Family

asyncrat

Version

Venom RAT + HVNC + Stealer + Grabber v6.0.3

Botnet

181.47.208.50:4449

Mutex

egycitgaxejyhidp

Attributes

delay
5
install
true
install_file
CCXProcess.exe
install_folder
%Temp%

aes.plain

Signatures

AsyncRat
AsyncRAT is designed to remotely monitor and control other computers written in C#.
rat asyncrat
StormKitty
StormKitty is an open source info stealer written in C#.
stealer stormkitty

StormKitty payload 1 IoCs

resource	yara_rule
behavioral4/memory/4828-16-0x000000001CDA0000-0x000000001CEC2000-memory.dmp	family_stormkitty

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Accesses Microsoft Outlook profiles 1 TTPs 3 IoCs

collection

Email Collection

T1114

description	ioc	Process
Key opened	\REGISTRY\USER\S-1-5-21-3766757357-1293853516-507035944-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	CCXProcess.exe
Key opened	\REGISTRY\USER\S-1-5-21-3766757357-1293853516-507035944-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	CCXProcess.exe
Key opened	\REGISTRY\USER\S-1-5-21-3766757357-1293853516-507035944-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	CCXProcess.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Legitimate hosting services abused for malware hosting/C2 1 TTPs 2 IoCs

Web Service

T1102

flow	ioc
8	discord.com
12	discord.com

Looks up external IP address via web service 2 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

flow	ioc
8	ip-api.com
2	icanhazip.com

Looks up geolocation information via web service
Uses a legitimate geolocation service to find the infected system's geolocation info.

Event Triggered Execution: Netsh Helper DLL 1 TTPs 6 IoCs

Netsh.exe (also referred to as Netshell) is a command-line scripting utility used to interact with the network configuration of a system.

persistence privilege_escalation

Netsh Helper DLL

T1546.007

description	ioc	Process
Key queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key value enumerated	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key value enumerated	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\Description\System\CentralProcessor\0	CCXProcess.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier	CCXProcess.exe

Suspicious behavior: EnumeratesProcesses 25 IoCs

pid	Process
4828	CCXProcess.exe
4828	CCXProcess.exe
4828	CCXProcess.exe
4828	CCXProcess.exe
4828	CCXProcess.exe
4828	CCXProcess.exe
4828	CCXProcess.exe
4828	CCXProcess.exe
4828	CCXProcess.exe
4828	CCXProcess.exe
4828	CCXProcess.exe
4828	CCXProcess.exe
4828	CCXProcess.exe
4828	CCXProcess.exe
4828	CCXProcess.exe
4828	CCXProcess.exe
4828	CCXProcess.exe
4828	CCXProcess.exe
4828	CCXProcess.exe
4828	CCXProcess.exe
4828	CCXProcess.exe
4828	CCXProcess.exe
4828	CCXProcess.exe
4828	CCXProcess.exe
4828	CCXProcess.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	4828	CCXProcess.exe
Token: SeDebugPrivilege	4828	CCXProcess.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
4828	CCXProcess.exe

Suspicious use of WriteProcessMemory 14 IoCs

description	pid	Process	procid_target
PID 4828 wrote to memory of 1232	4828	CCXProcess.exe	82
PID 4828 wrote to memory of 1232	4828	CCXProcess.exe	82
PID 1232 wrote to memory of 2084	1232	cmd.exe	84
PID 1232 wrote to memory of 2084	1232	cmd.exe	84
PID 1232 wrote to memory of 3612	1232	cmd.exe	85
PID 1232 wrote to memory of 3612	1232	cmd.exe	85
PID 1232 wrote to memory of 1956	1232	cmd.exe	86
PID 1232 wrote to memory of 1956	1232	cmd.exe	86
PID 4828 wrote to memory of 4712	4828	CCXProcess.exe	87
PID 4828 wrote to memory of 4712	4828	CCXProcess.exe	87
PID 4712 wrote to memory of 3552	4712	cmd.exe	89
PID 4712 wrote to memory of 3552	4712	cmd.exe	89
PID 4712 wrote to memory of 8	4712	cmd.exe	90
PID 4712 wrote to memory of 8	4712	cmd.exe	90

outlook_office_path 1 IoCs

description	ioc	Process
Key opened	\REGISTRY\USER\S-1-5-21-3766757357-1293853516-507035944-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	CCXProcess.exe

outlook_win_path 1 IoCs

description	ioc	Process
Key opened	\REGISTRY\USER\S-1-5-21-3766757357-1293853516-507035944-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	CCXProcess.exe

C:\Users\Admin\AppData\Local\Temp\CCXProcess.exe
"C:\Users\Admin\AppData\Local\Temp\CCXProcess.exe"
1⤵
- Accesses Microsoft Outlook profiles
- Checks processor information in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
- outlook_office_path
- outlook_win_path
PID:4828
- C:\Windows\SYSTEM32\cmd.exe
  "cmd.exe" /C chcp 65001 && netsh wlan show profile | findstr All
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:1232
- - C:\Windows\system32\chcp.com
    chcp 65001
    3⤵
    PID:2084
- - C:\Windows\system32\netsh.exe
    netsh wlan show profile
    3⤵
    - Event Triggered Execution: Netsh Helper DLL
    PID:3612
- - C:\Windows\system32\findstr.exe
    findstr All
    3⤵
    PID:1956
- C:\Windows\SYSTEM32\cmd.exe
  "cmd.exe" /C chcp 65001 && netsh wlan show networks mode=bssid
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:4712
- - C:\Windows\system32\chcp.com
    chcp 65001
    3⤵
    PID:3552
- - C:\Windows\system32\netsh.exe
    netsh wlan show networks mode=bssid
    3⤵
    - Event Triggered Execution: Netsh Helper DLL
    PID:8

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Event Triggered Execution

T1546

Netsh Helper DLL

T1546.007

Privilege Escalation

Event Triggered Execution

T1546

Netsh Helper DLL

T1546.007

Defense Evasion

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Email Collection

T1114

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\31feab0bef027d5291c3ab014828756d\Admin@ELEOLWUJ_en-US\System\Process.txt

Filesize
2KB

MD5
9a8faa7761dacf023fc67ae74eb25c87

SHA1
69942cbe7d826da039931b7cea975ffc54fa2954

SHA256
f7de75164037a525d1fa84a568fd6b265d264477367e4b2029b743ff0d184b86

SHA512
f31862771d540a7a84d0bec614bead33093a7597bcf9293571fff5830c4ba2780990ce5036216a5d33d579aee1ef1edd4cad6abd99aace7c30381bc3021fd451

Download Submit
C:\Users\Admin\AppData\Local\31feab0bef027d5291c3ab014828756d\Admin@ELEOLWUJ_en-US\System\Process.txt

Filesize
3KB

MD5
04d55908eac79ddda05bfb3a92e2f2ea

SHA1
fbcf0bcc9ba8d0896b2c2425bc3bb0ccc4e8dd44

SHA256
16a0d567947d475529eb259e1783d7ea4f6b29e90e03831373ccd4a3d732d769

SHA512
b88b21f653bb0b582b1b69c9e85d8d38f90b21bc560af9893c42858662a6e6c2cc6ae09d432d5787ba96a314d4dd8aeebd5d7d18122183515973df1acadfb74b

Download Submit
C:\Users\Admin\AppData\Local\31feab0bef027d5291c3ab014828756d\Admin@ELEOLWUJ_en-US\System\Process.txt

Filesize
4KB

MD5
eb29245d4296f559a628e24999a73165

SHA1
f9d3fb1e17ac74a892970c495a50110822f91361

SHA256
194da30b7b70c65d43ba807629cae3f9cf553e354bf2ca17c2ad116612ec12e8

SHA512
3fb951ad39acb52c16539b127bd75d8b8d5a3edd570ff7af18aac86238f7a545ab1b7015917b61c8354f64996e34d130d1cfd924db85624e5dfb896bc43c1b48

Download Submit
C:\Users\Admin\AppData\Local\31feab0bef027d5291c3ab014828756d\msgid.dat

Filesize
1B

MD5
cfcd208495d565ef66e7dff9f98764da

SHA1
b6589fc6ab0dc82cf12099d1c2d40ab994e8410c

SHA256
5feceb66ffc86f38d952786c6d696c79c2dbc239dd4e91b46729d73a27fb57e9

SHA512
31bca02094eb78126a517b206a88c73cfa9ec6f704c7030d18212cace820f025f00bf0ea68dbf3f3a5436ca63b53bf7bf80ad8d5de7d8359d0b7fed9dbc3ab99

Download Submit
C:\Users\Admin\AppData\Local\Temp\places.raw

Filesize
5.0MB

MD5
15c652e6e9bb3baf39e74d1ae168af64

SHA1
0510438958a96aea1dd3b758bec1b5154e0ec2b8

SHA256
b485cce001f09618c2922963df6f7e15fea0a4f4335270e1faa9b05edd1af753

SHA512
fa060ec18a60b5f46de8edf60a46dee181f1146bada929736d537d707f8f6829da265e8d6c6d32244ea94d88f698743a7b580f3bc469a2a9b97d6d6aaaabac2b

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp1EC5.tmp.dat

Filesize
114KB

MD5
f58c7184af18ea41ed8faa6ac4fe5b19

SHA1
5ab330803374ac6e89227b80ea48a9c7e30a8f89

SHA256
10922dee8fdb085d37aa6bc88fc3f4588c6b0c989b1bc4a3a6a8ed40aa145ae4

SHA512
934c44d31e7e2d814d405b11c38f1f60305e08e6615670423c1317d92f35e9302fe314fdc125a449c0fc8ace30d598f012aa89dc24575367a652d5a06680f4f0

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp1EEC.tmp.dat

Filesize
112KB

MD5
87210e9e528a4ddb09c6b671937c79c6

SHA1
3c75314714619f5b55e25769e0985d497f0062f2

SHA256
eeb23424586eb7bc62b51b19f1719c6571b71b167f4d63f25984b7f5c5436db1

SHA512
f8cb8098dc8d478854cddddeac3396bc7b602c4d0449491ecacea7b9106672f36b55b377c724dc6881bee407c6b6c5c3352495ed4b852dd578aa3643a43e37c0

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp276D.tmp.dat

Filesize
40KB

MD5
a182561a527f929489bf4b8f74f65cd7

SHA1
8cd6866594759711ea1836e86a5b7ca64ee8911f

SHA256
42aad7886965428a941508b776a666a4450eb658cb90e80fae1e7457fc71f914

SHA512
9bc3bf5a82f6f057e873adebd5b7a4c64adef966537ab9c565fe7c4bb3582e2e485ff993d5ab8a6002363231958fabd0933b48811371b8c155eaa74592b66558

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp276E.tmp.dat

Filesize
160KB

MD5
f310cf1ff562ae14449e0167a3e1fe46

SHA1
85c58afa9049467031c6c2b17f5c12ca73bb2788

SHA256
e187946249cd390a3c1cf5d4e3b0d8f554f9acdc416bf4e7111fff217bb08855

SHA512
1196371de08c964268c44103ccaed530bda6a145df98e0f480d8ee5ad58cb6fb33ca4c9195a52181fe864726dcf52e6a7a466d693af0cda43400a3a7ef125fad

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp3E95.tmp.dat

Filesize
20KB

MD5
a603e09d617fea7517059b4924b1df93

SHA1
31d66e1496e0229c6a312f8be05da3f813b3fa9e

SHA256
ccd15f9c7a997ae2b5320ea856c7efc54b5055254d41a443d21a60c39c565cb7

SHA512
eadb844a84f8a660c578a2f8e65ebcb9e0b9ab67422be957f35492ff870825a4b363f96fd1c546eaacfd518f6812fcf57268ef03c149e5b1a7af145c7100e2cc

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp3EB8.tmp.dat

Filesize
96KB

MD5
40f3eb83cc9d4cdb0ad82bd5ff2fb824

SHA1
d6582ba879235049134fa9a351ca8f0f785d8835

SHA256
cdd772b00ae53d4050150552b67028b7344bb1d345bceb495151cc969c27a0a0

SHA512
cdd4dbf0b1ba73464cd7c5008dc05458862e5f608e336b53638a14965becd4781cdea595fd6bd18d0bf402dccffd719da292a6ce67d359527b4691dc6d6d4cc2

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp3EBC.tmp.dat

Filesize
46KB

MD5
14ccc9293153deacbb9a20ee8f6ff1b7

SHA1
46b4d7b004ff4f1f40ad9f107fe7c7e3abc9a9f3

SHA256
3195ce0f7aa2eae2b21c447f264e2bd4e1dc5208353ac72d964a750de9a83511

SHA512
916f2178be05dc329461d2739271972238b22052b5935883da31e6c98d2697bd2435c9f6a2d1fcafb4811a1d867c761055532669aac2ea1a3a78c346cdeba765

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp3EBD.tmp.dat

Filesize
20KB

MD5
22be08f683bcc01d7a9799bbd2c10041

SHA1
2efb6041cf3d6e67970135e592569c76fc4c41de

SHA256
451c2c0cf3b7cb412a05347c6e75ed8680f0d2e5f2ab0f64cc2436db9309a457

SHA512
0eef192b3d5abe5d2435acf54b42c729c3979e4ad0b73d36666521458043ee7df1e10386bef266d7df9c31db94fb2833152bb2798936cb2082715318ef05d936

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp3EBE.tmp.dat

Filesize
116KB

MD5
4e2922249bf476fb3067795f2fa5e794

SHA1
d2db6b2759d9e650ae031eb62247d457ccaa57d2

SHA256
c2c17166e7468877d1e80822f8a5f35a7700ac0b68f3b369a1f4154ae4f811e1

SHA512
8e5e12daf11f9f6e73fb30f563c8f2a64bbc7bb9deffe4969e23081ec1c4073cdf6c74e8dbcc65a271142083ad8312ec7d59505c90e718a5228d369f4240e1da

Download Submit
memory/4828-11-0x00007FFC78A30000-0x00007FFC794F2000-memory.dmp

Filesize
10.8MB

Download
memory/4828-9-0x00007FFC78A30000-0x00007FFC794F2000-memory.dmp

Filesize
10.8MB

Download
memory/4828-56-0x000000001D450000-0x000000001D584000-memory.dmp

Filesize
1.2MB

Download
memory/4828-57-0x0000000000DE0000-0x0000000000DEA000-memory.dmp

Filesize
40KB

Download
memory/4828-16-0x000000001CDA0000-0x000000001CEC2000-memory.dmp

Filesize
1.1MB

Download
memory/4828-15-0x000000001B9B0000-0x000000001B9CE000-memory.dmp

Filesize
120KB

Download
memory/4828-14-0x000000001C540000-0x000000001C5A6000-memory.dmp

Filesize
408KB

Download
memory/4828-13-0x000000001C5C0000-0x000000001C636000-memory.dmp

Filesize
472KB

Download
memory/4828-12-0x00007FFC78A30000-0x00007FFC794F2000-memory.dmp

Filesize
10.8MB

Download
memory/4828-1-0x00007FFC78A33000-0x00007FFC78A35000-memory.dmp

Filesize
8KB

Download
memory/4828-10-0x00007FFC78A30000-0x00007FFC794F2000-memory.dmp

Filesize
10.8MB

Download
memory/4828-55-0x0000000000E30000-0x0000000000E52000-memory.dmp

Filesize
136KB

Download
memory/4828-199-0x00007FFC78A30000-0x00007FFC794F2000-memory.dmp

Filesize
10.8MB

Download
memory/4828-202-0x000000001C240000-0x000000001C2BA000-memory.dmp

Filesize
488KB

Download
memory/4828-242-0x000000001C2C0000-0x000000001C344000-memory.dmp

Filesize
528KB

Download
memory/4828-8-0x00007FFC78A33000-0x00007FFC78A35000-memory.dmp

Filesize
8KB

Download
memory/4828-7-0x00007FFC78A30000-0x00007FFC794F2000-memory.dmp

Filesize
10.8MB

Download
memory/4828-6-0x00007FFC78A30000-0x00007FFC794F2000-memory.dmp

Filesize
10.8MB

Download
memory/4828-4-0x00007FFC78A30000-0x00007FFC794F2000-memory.dmp

Filesize
10.8MB

Download
memory/4828-3-0x00007FFC78A30000-0x00007FFC794F2000-memory.dmp

Filesize
10.8MB

Download
memory/4828-0-0x0000000000750000-0x0000000000776000-memory.dmp

Filesize
152KB

Download
memory/4828-367-0x00007FFC78A30000-0x00007FFC794F2000-memory.dmp

Filesize
10.8MB

Download