Resubmissions

20-12-2024 17:30

241220-v3ka6szqez 10

20-12-2024 14:21

241220-rpab9sxles 10

11-12-2024 16:57

241211-vgr4wswlfm 10

01-08-2024 19:42

240801-yexhdazcna 10

01-08-2024 19:39

240801-ydeaeazclc 10

01-08-2024 01:19

240801-bpyrvsycrd 10

Analysis

  • max time kernel
    79s
  • max time network
    82s
  • platform
    windows11-21h2_x64
  • resource
    win11-20240730-en
  • resource tags

    arch:x64, arch:x86, image:win11-20240730-en, locale:en-us, os:windows11-21h2-x64, system
  • submitted
    01-08-2024 19:39

General

  • Target

    40e64ea2d9253f93606f6f62966f05e2bb300e03e82ecd54c5dcba5640df0dff.exe

  • Size

    175KB

  • MD5

    19f436930646f3e8f283fa71f2a4cbcb

  • SHA1

    99397666d23ddde6078496ee73bde00ae9403393

  • SHA256

    40e64ea2d9253f93606f6f62966f05e2bb300e03e82ecd54c5dcba5640df0dff

  • SHA512

    addba9ff5bd334ddfec06f87d2c69c06028b82d0aab732f73ef35e84f46d889f48ab6823371a9b9f415e2758e62270866682b833bca7406354802e0157314e0d

  • SSDEEP

    3072:+e8p6ewdOIwQx76vK/bvTv0cU+lL/dMlZZUZ0b2gTDwARE+WpCc:W6ewwIwQJ6vKX0c5MlYZ0b2E

Malware Config

Extracted

Family

asyncrat

Botnet

Default

C2

127.0.0.1:6606

127.0.0.1:7707

127.0.0.1:8808

https://api.telegram.org/bot6082381502:AAFgFkge53k6kBZcTN8CBICiZV-VphQ1WgA/sendMessage?chat_id=5795480469

Mutex

AsyncMutex_6SI8OkPnk

Attributes
  • delay

    3

  • install

    false

  • install_folder

    %AppData%

aes.plain
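Triage of the extracted configuration, as an added example (Python; not part of the sandbox report). The three C2 entries point at 127.0.0.1 on 6606/7707/8808 and the mutex is AsyncMutex_6SI8OkPnk; these are the values that ship in the public AsyncRAT client source, so on their own they identify a default build rather than live operator infrastructure, and the only actionable network indicator in this config is the Telegram Bot API URL. The helper below classifies each C2 entry and pulls the bot id, token, method and chat_id out of that URL. The default-value table is taken from the AsyncRAT source; the Bot API URL regex is an assumption based on the observed URL shape.

```python
"""Triage helper for an extracted AsyncRAT / StormKitty configuration.

Added example, not part of the original sandbox report. The default values
below are the ones in the public AsyncRAT client source; a sample that still
carries them is a default/test build and its hosts are useless as IoCs.
"""
import ipaddress
import re
from urllib.parse import parse_qs, urlsplit

ASYNCRAT_DEFAULT_MUTEX = "AsyncMutex_6SI8OkPnk"
ASYNCRAT_DEFAULT_PORTS = {6606, 7707, 8808}

# Telegram Bot API path: /bot<bot id>:<secret>/<method>. This pattern is an
# assumption derived from the URL shape seen in the report.
_TELEGRAM_BOT_RE = re.compile(r"^/bot(\d+):([A-Za-z0-9_-]+)/(\w+)$")


def classify_c2(entry):
    """Describe one 'host:port' C2 entry and whether it is worth blocking."""
    host, _, port = entry.rpartition(":")
    port = int(port)
    try:
        addr = ipaddress.ip_address(host)
        # Loopback, RFC1918 or unspecified addresses cannot be an operator C2.
        actionable = not (addr.is_loopback or addr.is_private or addr.is_unspecified)
    except ValueError:
        actionable = True  # a hostname: resolve it and block it
    return {"host": host, "port": port,
            "default_port": port in ASYNCRAT_DEFAULT_PORTS,
            "actionable": actionable}


def parse_telegram_exfil(url):
    """Extract bot id, full token, API method and chat_id from a Bot API URL.
    Returns None when the URL is not a Telegram Bot API call."""
    parts = urlsplit(url)
    if parts.netloc != "api.telegram.org":
        return None
    m = _TELEGRAM_BOT_RE.match(parts.path)
    if not m:
        return None
    qs = parse_qs(parts.query)
    return {"bot_id": m.group(1),
            "token": f"{m.group(1)}:{m.group(2)}",
            "method": m.group(3),
            "chat_id": qs.get("chat_id", [None])[0]}


def triage_config(c2_entries, mutex, telegram_url=None):
    """Summarise which parts of the config are actionable."""
    c2 = [classify_c2(e) for e in c2_entries]
    default_mutex = mutex == ASYNCRAT_DEFAULT_MUTEX
    default_build = default_mutex and all(
        c["default_port"] and not c["actionable"] for c in c2)
    return {"c2": c2,
            "network_iocs": [f"{c['host']}:{c['port']}" for c in c2 if c["actionable"]],
            "default_mutex": default_mutex,
            "looks_like_default_build": default_build,
            "telegram": parse_telegram_exfil(telegram_url) if telegram_url else None}


# The configuration exactly as extracted in the report.
REPORT_C2 = ["127.0.0.1:6606", "127.0.0.1:7707", "127.0.0.1:8808"]
REPORT_MUTEX = "AsyncMutex_6SI8OkPnk"
REPORT_TELEGRAM = ("https://api.telegram.org/bot6082381502:AAFgFkge53k6kBZcTN8CBICiZV-VphQ1WgA"
                   "/sendMessage?chat_id=5795480469")

if __name__ == "__main__":
    summary = triage_config(REPORT_C2, REPORT_MUTEX, REPORT_TELEGRAM)
    print("network IoCs worth blocking:", summary["network_iocs"] or "none (loopback only)")
    print("default AsyncRAT build:", summary["looks_like_default_build"])
    print("Telegram exfil channel:", summary["telegram"])
```

For this sample the result is an empty block list, a positive default-build flag, and a Telegram bot id / chat_id pair that can be reported to Telegram or used as a proxy-log search term.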

Signatures

  • AsyncRat

    AsyncRAT is a remote access trojan written in C#, designed to remotely monitor and control other computers.

  • StormKitty

    StormKitty is an open source info stealer written in C#.

  • StormKitty payload 1 IoCs
  • Credentials from Password Stores: Credentials from Web Browsers 1 TTPs

    Malicious access to, or copying of, the web browser credential store.

  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials, cookies, bookmarks and browsing history.

  • Drops desktop.ini file(s) 16 IoCs
  • Looks up external IP address via web service 1 IoCs

    Uses a legitimate IP lookup service to find the infected system's external IP.

  • Looks up geolocation information via web service

    Uses a legitimate geolocation service to find the infected system's geolocation info.

  • Browser Information Discovery 1 TTPs

    Enumerate browser information.

  • Event Triggered Execution: Netsh Helper DLL 1 TTPs 12 IoCs

    Netsh.exe (also referred to as Netshell) is a command-line scripting utility used to interact with the network configuration of a system. This signature fires on netsh.exe execution in general; the invocations in this run are `netsh wlan show profile` and `netsh wlan show networks mode=bssid`, which are Wi-Fi discovery rather than helper-DLL registration (there is no `netsh add helper` in the process tree).

  • System Location Discovery: System Language Discovery 1 TTPs 16 IoCs

    Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.

  • System Network Configuration Discovery: Wi-Fi Discovery 1 TTPs 4 IoCs

    Adversaries may search for information about Wi-Fi networks, such as network names and passwords, on compromised systems.

  • Checks processor information in registry 2 TTPs 4 IoCs

    Processor information is often read in order to detect sandboxing environments.

  • Modifies registry class 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 42 IoCs
  • Suspicious use of AdjustPrivilegeToken 2 IoCs
  • Suspicious use of SetWindowsHookEx 1 IoCs
  • Suspicious use of WriteProcessMemory 42 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\40e64ea2d9253f93606f6f62966f05e2bb300e03e82ecd54c5dcba5640df0dff.exe
    "C:\Users\Admin\AppData\Local\Temp\40e64ea2d9253f93606f6f62966f05e2bb300e03e82ecd54c5dcba5640df0dff.exe"
    1⤵
    • Drops desktop.ini file(s)
    • System Location Discovery: System Language Discovery
    • Checks processor information in registry
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:3256
    • C:\Windows\SysWOW64\cmd.exe
      "cmd.exe" /C chcp 65001 && netsh wlan show profile | findstr All
      2⤵
      • System Location Discovery: System Language Discovery
      • System Network Configuration Discovery: Wi-Fi Discovery
      • Suspicious use of WriteProcessMemory
      PID:3532
      • C:\Windows\SysWOW64\chcp.com
        chcp 65001
        3⤵
        • System Location Discovery: System Language Discovery
        PID:2928
      • C:\Windows\SysWOW64\netsh.exe
        netsh wlan show profile
        3⤵
        • Event Triggered Execution: Netsh Helper DLL
        • System Location Discovery: System Language Discovery
        • System Network Configuration Discovery: Wi-Fi Discovery
        PID:4884
      • C:\Windows\SysWOW64\findstr.exe
        findstr All
        3⤵
        • System Location Discovery: System Language Discovery
        PID:2060
    • C:\Windows\SysWOW64\cmd.exe
      "cmd.exe" /C chcp 65001 && netsh wlan show networks mode=bssid
      2⤵
      • System Location Discovery: System Language Discovery
      • Suspicious use of WriteProcessMemory
      PID:2524
      • C:\Windows\SysWOW64\chcp.com
        chcp 65001
        3⤵
        • System Location Discovery: System Language Discovery
        PID:4500
      • C:\Windows\SysWOW64\netsh.exe
        netsh wlan show networks mode=bssid
        3⤵
        • Event Triggered Execution: Netsh Helper DLL
        • System Location Discovery: System Language Discovery
        PID:4336
  • C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\MiniSearchHost.exe
    "C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\MiniSearchHost.exe" -ServerName:MiniSearchUI.AppXj3y73at8fy1htwztzxs68sxx1v7cksp7.mca
    1⤵
    • Modifies registry class
    • Suspicious use of SetWindowsHookEx
    PID:4388
  • C:\Windows\System32\rundll32.exe
    C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
    1⤵
      PID:2696
    • C:\Users\Admin\AppData\Local\Temp\40e64ea2d9253f93606f6f62966f05e2bb300e03e82ecd54c5dcba5640df0dff.exe
      "C:\Users\Admin\AppData\Local\Temp\40e64ea2d9253f93606f6f62966f05e2bb300e03e82ecd54c5dcba5640df0dff.exe"
      1⤵
      • Drops desktop.ini file(s)
      • System Location Discovery: System Language Discovery
      • Checks processor information in registry
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:1204
      • C:\Windows\SysWOW64\cmd.exe
        "cmd.exe" /C chcp 65001 && netsh wlan show profile | findstr All
        2⤵
        • System Location Discovery: System Language Discovery
        • System Network Configuration Discovery: Wi-Fi Discovery
        • Suspicious use of WriteProcessMemory
        PID:2264
        • C:\Windows\SysWOW64\chcp.com
          chcp 65001
          3⤵
          • System Location Discovery: System Language Discovery
          PID:1476
        • C:\Windows\SysWOW64\netsh.exe
          netsh wlan show profile
          3⤵
          • Event Triggered Execution: Netsh Helper DLL
          • System Location Discovery: System Language Discovery
          • System Network Configuration Discovery: Wi-Fi Discovery
          PID:1880
        • C:\Windows\SysWOW64\findstr.exe
          findstr All
          3⤵
          • System Location Discovery: System Language Discovery
          PID:2212
      • C:\Windows\SysWOW64\cmd.exe
        "cmd.exe" /C chcp 65001 && netsh wlan show networks mode=bssid
        2⤵
        • System Location Discovery: System Language Discovery
        • Suspicious use of WriteProcessMemory
        PID:3692
        • C:\Windows\SysWOW64\chcp.com
          chcp 65001
          3⤵
          • System Location Discovery: System Language Discovery
          PID:2332
        • C:\Windows\SysWOW64\netsh.exe
          netsh wlan show networks mode=bssid
          3⤵
          • Event Triggered Execution: Netsh Helper DLL
          • System Location Discovery: System Language Discovery
          PID:4904
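A detection for the chain above, as an added example (Python; not code from the report or from any product). It groups cmd.exe process-creation events by parent and alerts when a single parent spawns both the `netsh wlan show profile` and `netsh wlan show networks mode=bssid` lookups, as PID 3256 does here, or any `key=clear` profile dump (the netsh form that returns Wi-Fi passphrases, which goes beyond what this run shows). The event field names are constructed in the shape of Sysmon process-creation records; the malicious events are transcribed from the process tree, the benign ones are constructed.

```python
"""Detect a process that scripts netsh wlan lookups through cmd.exe.

Added example, not part of the original report. Works over constructed
process-creation events with pid / ppid / image / command_line fields.
"""
import re
from collections import defaultdict

# Sub-commands seen in this run, plus the general case that dumps passphrases.
WLAN_PATTERNS = [
    ("wifi_profiles",  re.compile(r"netsh\s+wlan\s+show\s+profiles?\b", re.I)),
    ("wifi_bssid",     re.compile(r"netsh\s+wlan\s+show\s+networks\s+mode=bssid", re.I)),
    ("wifi_key_clear", re.compile(r"netsh\s+wlan\s+show\s+profiles?\b.*\bkey=clear\b", re.I)),
]
# chcp 65001 switches the console to UTF-8 so the stealer can parse the output;
# an operator typing netsh interactively rarely prefixes it.
CHCP_RE = re.compile(r"\bchcp\s+65001\b", re.I)


def match_wlan(cmdline):
    """Names of the netsh wlan sub-commands present in one command line."""
    return [name for name, rx in WLAN_PATTERNS if rx.search(cmdline)]


def detect_wifi_harvesting(events, min_hits=2):
    """Alert on parents whose cmd.exe children together cover >= min_hits
    distinct netsh wlan sub-commands, or any key=clear dump.

    Only cmd.exe launched with the command inline (cmd /C ...) is considered:
    that is how a program runs netsh, whereas an interactive user produces a
    separate netsh.exe event under a bare cmd.exe."""
    images = {e["pid"]: e["image"] for e in events}
    by_parent = defaultdict(lambda: {"hits": set(), "chcp": False, "children": []})
    for e in events:
        if not e["image"].lower().endswith("\\cmd.exe"):
            continue
        hits = match_wlan(e["command_line"])
        if not hits:
            continue
        rec = by_parent[e["ppid"]]
        rec["hits"].update(hits)
        rec["chcp"] |= bool(CHCP_RE.search(e["command_line"]))
        rec["children"].append(e["pid"])

    alerts = []
    for ppid, rec in by_parent.items():
        if len(rec["hits"]) >= min_hits or "wifi_key_clear" in rec["hits"]:
            alerts.append({
                "parent_pid": ppid,
                "parent_image": images.get(ppid, "<unknown>"),
                "techniques": sorted(rec["hits"]),
                "chcp_prefix": rec["chcp"],
                "children": rec["children"],
                # distinct sub-commands plus one for the chcp tell
                "score": len(rec["hits"]) + (1 if rec["chcp"] else 0),
            })
    return alerts


SAMPLE_EXE = (r"C:\Users\Admin\AppData\Local\Temp"
              r"\40e64ea2d9253f93606f6f62966f05e2bb300e03e82ecd54c5dcba5640df0dff.exe")

# Constructed event list. Events for PIDs 3256, 3532 and 2524 are transcribed
# from the report's process tree (3256's own parent is not shown there, so it
# is given as 0); the remaining events are benign noise made up for the example.
SAMPLE_EVENTS = [
    {"pid": 3256, "ppid": 0, "image": SAMPLE_EXE, "command_line": f'"{SAMPLE_EXE}"'},
    {"pid": 3532, "ppid": 3256, "image": r"C:\Windows\SysWOW64\cmd.exe",
     "command_line": '"cmd.exe" /C chcp 65001 && netsh wlan show profile | findstr All'},
    {"pid": 2524, "ppid": 3256, "image": r"C:\Windows\SysWOW64\cmd.exe",
     "command_line": '"cmd.exe" /C chcp 65001 && netsh wlan show networks mode=bssid'},
    # An inventory script that runs a single wlan query: below the threshold.
    {"pid": 6000, "ppid": 1, "image": r"C:\Windows\System32\wscript.exe",
     "command_line": "wscript.exe inventory.vbs"},
    {"pid": 6100, "ppid": 6000, "image": r"C:\Windows\System32\cmd.exe",
     "command_line": "cmd.exe /c netsh wlan show profile"},
    # An interactive shell: netsh is its own event, not a cmd /C wrapper.
    {"pid": 5100, "ppid": 5000, "image": r"C:\Windows\System32\cmd.exe",
     "command_line": '"C:\\Windows\\System32\\cmd.exe"'},
    {"pid": 5200, "ppid": 5100, "image": r"C:\Windows\System32\netsh.exe",
     "command_line": "netsh wlan show profile"},
]

if __name__ == "__main__":
    for a in detect_wifi_harvesting(SAMPLE_EVENTS):
        print(f"ALERT parent {a['parent_pid']} ({a['parent_image']}): "
              f"{a['techniques']} via {a['children']}, chcp={a['chcp_prefix']}, score={a['score']}")
```

The threshold of two distinct sub-commands keeps a one-off `netsh wlan show profile` from an admin script quiet while the profile-then-BSSID pair this sample issues, or any `key=clear` dump, alerts on its own.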

    Network

    MITRE ATT&CK Enterprise v15

    Downloads

    • C:\Users\Admin\AppData\Local\5b214429d8387dd7e28e90606dec8c55\Admin@XEGYFDPH_en-US\System\Process.txt

      Filesize

      4KB

      MD5

      d4a9c57de29b8e6e417253622dff695c

      SHA1

      3fe548893948c0fed95ee9228f884f3c745c4d70

      SHA256

      523b1b20a8d9328111e70fdd1acc16230985c64d5769ddcfc966af51714f65d5

      SHA512

      98eeb168454b4a6b59fe8bf76a41a57f9f7bce6ff8a49740344a274f7916ef8383fe39225f944e8fcc698735b3c0c7bb404118cc8b50020a30ca199e429b774f

    • C:\Users\Admin\AppData\Local\627f15b3bc02260be74d8e66f14a9852\msgid.dat

      Filesize

      1B

      MD5

      cfcd208495d565ef66e7dff9f98764da

      SHA1

      b6589fc6ab0dc82cf12099d1c2d40ab994e8410c

      SHA256

      5feceb66ffc86f38d952786c6d696c79c2dbc239dd4e91b46729d73a27fb57e9

      SHA512

      31bca02094eb78126a517b206a88c73cfa9ec6f704c7030d18212cace820f025f00bf0ea68dbf3f3a5436ca63b53bf7bf80ad8d5de7d8359d0b7fed9dbc3ab99

    • C:\Users\Admin\AppData\Local\Temp\places.raw

      Filesize

      5.0MB

      MD5

      1bb74fc582d99a05f5e4a57e0c30a384

      SHA1

      d0cef50f1b6696918562f28057ddc108d50cdb82

      SHA256

      51edf88baf821ddd3e0243690686cf1165bb0236c342db288a3522aacbd68673

      SHA512

      38cf2fa187ac4ca53f64226ce7c8b925c32bcd9ab846a7d98677c7f78c62a2e978fb663b107819cfe75adc220e9121191c36c362988e8f804e1aad033a8f26eb

    • C:\Users\Admin\AppData\Local\Temp\tmp1940.tmp.dat

      Filesize

      114KB

      MD5

      14f9823c7f73af418659d716fc91c0d1

      SHA1

      56eca072fcba259cf0813ef67bdd8d663825a865

      SHA256

      8d95ff19d697afe7bfd166c4ffc38921fae8434043c09c900c303841acb36ce1

      SHA512

      a9c0547671cfa4558a2b9a1e1501e50004d7d4d1cc1014dffe8bb8e91ccbee9c611f210f93bdc5e397161d15a4181b99c98c4e380626aa1488b48a0c855a3f18

    • C:\Users\Admin\AppData\Local\Temp\tmp1951.tmp.dat

      Filesize

      160KB

      MD5

      f310cf1ff562ae14449e0167a3e1fe46

      SHA1

      85c58afa9049467031c6c2b17f5c12ca73bb2788

      SHA256

      e187946249cd390a3c1cf5d4e3b0d8f554f9acdc416bf4e7111fff217bb08855

      SHA512

      1196371de08c964268c44103ccaed530bda6a145df98e0f480d8ee5ad58cb6fb33ca4c9195a52181fe864726dcf52e6a7a466d693af0cda43400a3a7ef125fad

    • C:\Users\Admin\AppData\Local\Temp\tmp1964.tmp.dat

      Filesize

      112KB

      MD5

      87210e9e528a4ddb09c6b671937c79c6

      SHA1

      3c75314714619f5b55e25769e0985d497f0062f2

      SHA256

      eeb23424586eb7bc62b51b19f1719c6571b71b167f4d63f25984b7f5c5436db1

      SHA512

      f8cb8098dc8d478854cddddeac3396bc7b602c4d0449491ecacea7b9106672f36b55b377c724dc6881bee407c6b6c5c3352495ed4b852dd578aa3643a43e37c0

    • C:\Users\Admin\AppData\Local\e86cffeccd745510e987c16d14c4f30b\Admin@XEGYFDPH_en-US\Browsers\Firefox\Bookmarks.txt

      Filesize

      105B

      MD5

      2e9d094dda5cdc3ce6519f75943a4ff4

      SHA1

      5d989b4ac8b699781681fe75ed9ef98191a5096c

      SHA256

      c84c98bbf5e0ef9c8d0708b5d60c5bb656b7d6be5135d7f7a8d25557e08cf142

      SHA512

      d1f7eed00959e902bdb2125b91721460d3ff99f3bdfc1f2a343d4f58e8d4e5e5a06c0c6cdc0379211c94510f7c00d7a8b34fa7d0ca0c3d54cbbe878f1e9812b7

    • C:\Users\Admin\AppData\Local\e86cffeccd745510e987c16d14c4f30b\Admin@XEGYFDPH_en-US\System\Process.txt

      Filesize

      4KB

      MD5

      1c0d9d8ba089e26f65f1308b2fcb0f13

      SHA1

      4f9719ba93f60e1c85db5e6675328db9d0e96e9d

      SHA256

      4775e33c7545d6221955aa456d6d509c36f8ede28095c117eec4a0fd4ebaa567

      SHA512

      d62d104408f931fae1a2b0f91119f905453314d5286b42190f2160e7c9412621fc0d76721147f13cc6453803b21f6ff516ebcbe8cb80428c724e1f9aeba48581

    • memory/3256-151-0x000000007490E000-0x000000007490F000-memory.dmp

      Filesize

      4KB

    • memory/3256-140-0x0000000005C70000-0x0000000005D02000-memory.dmp

      Filesize

      584KB

    • memory/3256-152-0x0000000074900000-0x00000000750B1000-memory.dmp

      Filesize

      7.7MB

    • memory/3256-145-0x0000000005D60000-0x0000000005D6A000-memory.dmp

      Filesize

      40KB

    • memory/3256-2-0x0000000074900000-0x00000000750B1000-memory.dmp

      Filesize

      7.7MB

    • memory/3256-141-0x00000000062C0000-0x0000000006866000-memory.dmp

      Filesize

      5.6MB

    • memory/3256-0-0x000000007490E000-0x000000007490F000-memory.dmp

      Filesize

      4KB

    • memory/3256-1-0x0000000000620000-0x0000000000652000-memory.dmp

      Filesize

      200KB

    • memory/3256-3-0x00000000050C0000-0x0000000005126000-memory.dmp

      Filesize

      408KB
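Hunting for the stealer's on-disk output, as an added example (Python; not part of the report). The Downloads list above gives the layout StormKitty wrote to: %LOCALAPPDATA%\<32 hex>\<User>@<HOST>_<locale>\System\Process.txt and ...\Browsers\Firefox\Bookmarks.txt, a separate <32 hex>\msgid.dat of exactly one byte, and a 5.0MB places.raw in Temp (by name and size most likely a copied Firefox places.sqlite; that is an inference, not something the report states). The helper matches the collection layout over a constructed list of paths and checks candidate msgid.dat contents against the hashes printed above; the sample contents and the benign paths are constructed. The check shows that the report's msgid.dat is the single ASCII byte "0": its MD5 cfcd2084... and SHA256 5feceb66... are the digests of "0".

```python
"""Hunt for StormKitty collection artefacts on disk.

Added example, not part of the original report. Path layout and hashes are
taken from the report's Downloads section; sample paths and file contents
are constructed.
"""
import hashlib
import re

# %LOCALAPPDATA%\<32 hex>\<User>@<HOST>_<locale>\<relative path>
COLLECTION_RE = re.compile(
    r"^[A-Za-z]:\\Users\\[^\\]+\\AppData\\Local\\([0-9a-f]{32})\\"
    r"([^\\@]+)@([^\\_]+)_([a-z]{2}-[A-Z]{2})\\(.+)$")
# %LOCALAPPDATA%\<32 hex>\msgid.dat
MSGID_RE = re.compile(
    r"^[A-Za-z]:\\Users\\[^\\]+\\AppData\\Local\\([0-9a-f]{32})\\msgid\.dat$")

# Relative paths seen in this run (plain strings: one backslash each).
KNOWN_RELATIVE = {"System\\Process.txt", "Browsers\\Firefox\\Bookmarks.txt"}

# msgid.dat digests as printed in the report (file size 1 byte).
REPORT_MSGID_MD5 = "cfcd208495d565ef66e7dff9f98764da"
REPORT_MSGID_SHA256 = "5feceb66ffc86f38d952786c6d696c79c2dbc239dd4e91b46729d73a27fb57e9"


def parse_stormkitty_path(path):
    """Classify a path as a collection file, a msgid.dat, or None."""
    m = COLLECTION_RE.match(path)
    if m:
        return {"kind": "collection", "tag": m.group(1), "user": m.group(2),
                "host": m.group(3), "locale": m.group(4), "relative": m.group(5),
                "known_artifact": m.group(5) in KNOWN_RELATIVE}
    m = MSGID_RE.match(path)
    if m:
        return {"kind": "msgid", "tag": m.group(1)}
    return None


def hunt(paths):
    """Return every path matching the stealer's output layout, with details."""
    found = []
    for p in paths:
        info = parse_stormkitty_path(p)
        if info:
            info["path"] = p
            found.append(info)
    return found


def hashes(data):
    """MD5 / SHA1 / SHA256 of a byte string, hex encoded."""
    return {"md5": hashlib.md5(data).hexdigest(),
            "sha1": hashlib.sha1(data).hexdigest(),
            "sha256": hashlib.sha256(data).hexdigest()}


def msgid_matches_report(data):
    """True if the bytes hash to the msgid.dat values printed in the report."""
    h = hashes(data)
    return h["md5"] == REPORT_MSGID_MD5 and h["sha256"] == REPORT_MSGID_SHA256


# Constructed sample: the paths from the report plus benign neighbours.
SAMPLE_PATHS = [
    r"C:\Users\Admin\AppData\Local\5b214429d8387dd7e28e90606dec8c55\Admin@XEGYFDPH_en-US\System\Process.txt",
    r"C:\Users\Admin\AppData\Local\627f15b3bc02260be74d8e66f14a9852\msgid.dat",
    r"C:\Users\Admin\AppData\Local\e86cffeccd745510e987c16d14c4f30b\Admin@XEGYFDPH_en-US\Browsers\Firefox\Bookmarks.txt",
    r"C:\Users\Admin\AppData\Local\e86cffeccd745510e987c16d14c4f30b\Admin@XEGYFDPH_en-US\System\Process.txt",
    r"C:\Users\Admin\AppData\Local\Temp\places.raw",
    r"C:\Users\Admin\AppData\Local\Microsoft\Windows\Explorer\thumbcache_32.db",
    r"C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\abc123.default\places.sqlite",
]

if __name__ == "__main__":
    for hit in hunt(SAMPLE_PATHS):
        print(hit["kind"], hit["path"])
    print("msgid.dat is ASCII '0':", msgid_matches_report(b"0"))
```

The `<32 hex>` directory name differs between the two collection trees and the msgid.dat directory in this one run, so hunt on the `<User>@<HOST>_<locale>` layout rather than on a specific hash-named folder.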