asyncrat | f4000e61d9c5929e2eab12382d5624fac3f96d3c27c2e42c5f374cc457ee8b4f | Triage

Sharing

General

Target

Server.exe
Size

175KB
Sample

240925-b9srcaxfrm
MD5

bace9f15b0e425259da0470e7ffe5520
SHA1

15462fe47362ead5c1e1e43665dc439e6c218c7f
SHA256

f4000e61d9c5929e2eab12382d5624fac3f96d3c27c2e42c5f374cc457ee8b4f
SHA512

2e0d2c87de91ecd3b95c7c99b4951cfc4a244de04e0b14f364a447c57c51e4c3e15fa3726a26b96bf408cf4e8bd3ba5980f0f8acb2fa757c93ae73f711d8a832
SSDEEP

3072:6e8p6ewdOIwQx76vK/bvTv0cU+lL/dMlZZUZ0b2gTgFwARE+WpCc:K6ewwIwQJ6vKX0c5MlYZ0b27

Score

10^/10

asyncrat stormkitty default discovery persistence privilege_escalation rat spyware stealer

Malware Config

Extracted

Family

asyncrat

Botnet

Default

C2

127.0.0.1:6606

127.0.0.1:7707

127.0.0.1:8808

https://api.telegram.org/bot7510720859:AAHJ07lkxNWZwwJs6SC36WS0jVG9IR6m3pM/sendMessage?chat_id=6059920057

Mutex

AsyncMutex_6SI8OkPnk

Attributes

delay
3
install
false
install_folder
%AppData%

aes.plain

Targets

- Target
  
  Server.exe
- Size
  
  175KB
- MD5
  
  bace9f15b0e425259da0470e7ffe5520
- SHA1
  
  15462fe47362ead5c1e1e43665dc439e6c218c7f
- SHA256
  
  f4000e61d9c5929e2eab12382d5624fac3f96d3c27c2e42c5f374cc457ee8b4f
- SHA512
  
  2e0d2c87de91ecd3b95c7c99b4951cfc4a244de04e0b14f364a447c57c51e4c3e15fa3726a26b96bf408cf4e8bd3ba5980f0f8acb2fa757c93ae73f711d8a832
- SSDEEP
  
  3072:6e8p6ewdOIwQx76vK/bvTv0cU+lL/dMlZZUZ0b2gTgFwARE+WpCc:K6ewwIwQJ6vKX0c5MlYZ0b27
Score

10^/10

asyncrat stormkitty default discovery persistence privilege_escalation rat spyware stealer
- AsyncRat
  AsyncRAT is designed to remotely monitor and control other computers written in C#.
  rat asyncrat
- StormKitty
  StormKitty is an open source info stealer written in C#.
  stealer stormkitty
- StormKitty payload
- Reads user/profile data of web browsers
  Infostealers often target stored browser data, which can include saved credentials etc.
  spyware stealer
- Drops desktop.ini file(s)
- Legitimate hosting services abused for malware hosting/C2
- Looks up external IP address via web service
  Uses a legitimate IP lookup service to find the infected system's external IP.
- Looks up geolocation information via web service
  Uses a legitimate geolocation service to find the infected system's geolocation info.
behavioral1 behavioral2

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Event Triggered Execution

Netsh Helper DLL

Privilege Escalation

Event Triggered Execution

Netsh Helper DLL

Defense Evasion

Credential Access

Credentials from Password Stores

Credentials from Web Browsers

Unsecured Credentials

Credentials In Files

Discovery

Browser Information Discovery

Query Registry

System Information Discovery

System Location Discovery

System Language Discovery

System Network Configuration Discovery

Wi-Fi Discovery

Lateral Movement

Collection

Data from Local System

Command and Control

Web Service

Exfiltration

Impact

Tasks

static1

ratdefaultasyncratstormkitty

behavioral1

asyncratstormkittydefaultdiscoverypersistenceprivilege_escalationratspywarestealer

behavioral2

asyncratstormkittydefaultdiscoverypersistenceprivilege_escalationratspywarestealer