asyncrat | 81231fab326d0cd2296cc953551d07c82397af3933b18069b54d4943ac8b71bc

Analysis

max time kernel
108s
max time network
96s
platform
windows11-21h2_x64
resource
win11-20240709-en
resource tags

arch:x64arch:x86image:win11-20240709-enlocale:en-usos:windows11-21h2-x64system
submitted
14-07-2024 08:00

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

builder/builder.bat
Size

581B
MD5

5bffd9e309e1d362608a5188a0f0cdba
SHA1

d87cca8b89fc5cc4e77453a8aa03a058c8b5e85b
SHA256

6fa6de2709d0e38c8b651747cd37f73262118c005ae89e37b80cce0eaad1ff88
SHA512

8e9b6e0d479b7ea7a1cebd41deb59a13beccf36552388c41ddaf341021a0d62c972846a665cb30948e84981828ec5622570a46bcdb48a8cb6ae0a9991acd5989

Score

10^/10

asyncrat redline stormkitty default infostealer rat stealer

Malware Config

Extracted

Family

asyncrat

Botnet

Default

127.0.0.1:6606

127.0.0.1:7707

127.0.0.1:8808

https://api.telegram.org/bot7290956576:AAEqdtE6cg2Gkoyn1hXNmqRl7-0FVD2J6bE/sendMessage?chat_id=6569055789

Mutex

AsyncMutex_6SI8OkPnk

Attributes

delay
3
install
false
install_folder
%AppData%

aes.plain

Signatures

AsyncRat
AsyncRAT is designed to remotely monitor and control other computers written in C#.
rat asyncrat
RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline

RedLine payload 2 IoCs

resource	yara_rule
behavioral3/files/0x000500000002aa6c-14.dat	family_redline
behavioral3/memory/892-23-0x0000000000540000-0x0000000000594000-memory.dmp	family_redline

StormKitty
StormKitty is an open source info stealer written in C#.
stealer stormkitty

StormKitty payload 2 IoCs

resource	yara_rule
behavioral3/files/0x000400000002aa24-4.dat	family_stormkitty
behavioral3/memory/3448-24-0x0000000000040000-0x0000000000072000-memory.dmp	family_stormkitty

Async RAT payload 1 IoCs

rat

resource	yara_rule
behavioral3/files/0x000400000002aa24-4.dat	family_asyncrat

Executes dropped EXE 2 IoCs

pid	Process
3448	Server.exe
892	RedlineBuilder.exe

Program crash 1 IoCs

pid	pid_target	Process	procid_target
2220	892	WerFault.exe	86

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	3448	Server.exe

Suspicious use of WriteProcessMemory 9 IoCs

description	pid	Process	procid_target
PID 2904 wrote to memory of 2868	2904	cmd.exe	84
PID 2904 wrote to memory of 2868	2904	cmd.exe	84
PID 2904 wrote to memory of 2868	2904	cmd.exe	84
PID 2868 wrote to memory of 3448	2868	RedlineBuilder.exe	85
PID 2868 wrote to memory of 3448	2868	RedlineBuilder.exe	85
PID 2868 wrote to memory of 3448	2868	RedlineBuilder.exe	85
PID 2868 wrote to memory of 892	2868	RedlineBuilder.exe	86
PID 2868 wrote to memory of 892	2868	RedlineBuilder.exe	86
PID 2868 wrote to memory of 892	2868	RedlineBuilder.exe	86

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\builder\builder.bat"
1⤵
- Suspicious use of WriteProcessMemory
PID:2904
- C:\Users\Admin\AppData\Local\Temp\builder\RedlineBuilder.exe
  RedlineBuilder.exe -ip -id
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2868
- - C:\Users\Admin\AppData\Local\Temp\Server.exe
    "C:\Users\Admin\AppData\Local\Temp\Server.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious use of AdjustPrivilegeToken
    PID:3448
- - C:\Users\Admin\AppData\Local\Temp\RedlineBuilder.exe
    "C:\Users\Admin\AppData\Local\Temp\RedlineBuilder.exe"
    3⤵
    - Executes dropped EXE
    PID:892
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 892 -s 892
      4⤵
      Program crash
      PID:2220

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 892 -ip 892
1⤵
PID:4336

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\RedlineBuilder.exe

Filesize
308KB

MD5
128cbb0f113189a8af347f14cb223357

SHA1
7472ff8bcf4b6ab90e30ec0352f0ecb44c655cf7

SHA256
a392dc6ad27dbc999aef5db8efaa63a65e570ca3bff7a79c5053ce7b7ba41a0e

SHA512
1bddf607e1e8ef32d39e16fcb9d9d87573f61ceee9a898c287ad236beaea818b223a28196395145a7b3eca5883e5da5b3a3dc0273fd66d64e103c24739868b35

Download Submit
C:\Users\Admin\AppData\Local\Temp\Server.exe

Filesize
175KB

MD5
a10cc05978289eb72c91f571adbd4351

SHA1
473fdf9c0738acc630903ca60280beef9ac88932

SHA256
a794873c8b6f3951d1b7376732b37e89ab384fd4c9b33ee35fa7579815bd8095

SHA512
9de9da9b7db02a9f3eb40f380063ccef24026a3331218a4a661222500ec6404bbe98ec336af3c06ba571d725ee3f815db115efb7cee8ec395bcfe0b97014c9f3

Download Submit
memory/892-23-0x0000000000540000-0x0000000000594000-memory.dmp

Filesize
336KB

Download
memory/892-25-0x00000000743E0000-0x0000000074B91000-memory.dmp

Filesize
7.7MB

Download
memory/892-27-0x00000000743E0000-0x0000000074B91000-memory.dmp

Filesize
7.7MB

Download
memory/3448-22-0x00000000743EE000-0x00000000743EF000-memory.dmp

Filesize
4KB

Download
memory/3448-24-0x0000000000040000-0x0000000000072000-memory.dmp

Filesize
200KB

Download
memory/3448-26-0x00000000743E0000-0x0000000074B91000-memory.dmp

Filesize
7.7MB

Download
memory/3448-28-0x0000000004D30000-0x0000000004D96000-memory.dmp

Filesize
408KB

Download