asyncrat

Resubmissions

01/10/2024, 19:40

241001-ydxrra1bke 10

Sharing

Copy URL

Twitter E-mail

General

Target

cheat-Client-18.4.rar
Size

66.7MB
Sample

241001-ydxrra1bke
MD5

40d4e528eccf83ef8eb697727ac432cd
SHA1

d570c974866deeb04dd1d2bf5019a3e8af22db0a
SHA256

068e727f7a752a65815025756376baa1ae5622a6518cf8056764cfffa7d0b815
SHA512

97151ce34130c18f7b5c913ffd78c673e5fdba95f290fcee53d332ab2d3525acc5e66c6dc540806bff14af59039782c35d4a5276ae4991e5a7216609a27da7cc
SSDEEP

1572864:zbNK/t3LWPR9o1PmlKKeL7jp3k7cOObE4G4vpP3mHDYsm:tK/ZL2fHKKoTG4v13Mjm

Score

10^/10

Malware Config

Extracted

Family

asyncrat

Botnet

Default

127.0.0.1:6606

127.0.0.1:7707

127.0.0.1:8808

https://api.telegram.org/bot7559842378:AAEO5G-UvKkJGXAkNr6mdPi4Yrgvo7GFhDE/sendMessage?chat_id=1426495159

Mutex

AsyncMutex_6SI8OkPnk

Attributes

delay
3
install
false
install_folder
%AppData%

aes.plain

Targets

- Target
  
  cheat-Client-18.4/DDNet-Server.exe
- Size
  
  3.1MB
- MD5
  
  04fd40dd04829b5916568e42431e05eb
- SHA1
  
  e323ac74341b73dfca141b7aaa1364c3f6831f7e
- SHA256
  
  ae7fdb63bf91a66912dbfb7b1cf292858c111a02d578c4ba89c10943eea42481
- SHA512
  
  3b89b301ae3a5d0aaffc3b8c0a1c3487e09de664ab31d4f20e7df92241ab2ce4be96d60ab10edaff2162ee3c42bbccbbe28867bdfe925b93a210a4b57f8c5ed0
- SSDEEP
  
  49152:VkYz/vWf6cka4NPYwQ21mQJs8kXYjlY7Js8Qh6YtBegTcCspeEY8NQD0dhk6eoMN:Vkg1zVdjlVTECspeEY8QoMuAr
Score

1^/10
behavioral1 behavioral2
- Target
  
  cheat-Client-18.4/SDL2.dll
- Size
  
  2.2MB
- MD5
  
  9f2509c44faa79c87382855d4a94966b
- SHA1
  
  4474c7d2923dd0a535c01612c6bd2c0e1f1faef3
- SHA256
  
  d0ac4e209a78ad56d53af2df40a51ae9e4043704efbed5b46bf75a57ec92ab1b
- SHA512
  
  fb5f407af1020109acdf693f5391cdf7905a99d0d09628bf066f459caa36cd2e296adb623a60950191e4e3395501c332b672ecc219bdc02415013dba42d6ccb3
- SSDEEP
  
  49152:5L6mcGjDqleTVMEGol1sEQf21L1gz6vr//uw0508uLMDpYwvuIBxV:F6QHpQO1L1jvrXuw0S8DpD2IBxV
Score

1^/10
behavioral3 behavioral4
- Target
  
  cheat-Client-18.4/avcodec-61.dll
- Size
  
  2.7MB
- MD5
  
  ae6632db7de61ef9a0e1045b829502dc
- SHA1
  
  e4c9eae709c3b3f415f9183e2e45292c14b9d5e2
- SHA256
  
  58c71baa592da746c9c5e30fdd41814a2736454b2b7168da4ab88585758d4786
- SHA512
  
  37d112a490105d11283fab5a2febb618305919932bc18b55b79bc0d3ef862791d3f6f8cc6dfc57b00ce1fb7dc576c724dafbff84144212b247e51e265904c28f
- SSDEEP
  
  49152:sG89fcQ/HjCDvYceJirwiucX2bpbsyt7U9gkUObKPHv5bW:he0Q/jYv8/NR1TdW
Score

1^/10
behavioral5 behavioral6
- Target
  
  cheat-Client-18.4/avformat-61.dll
- Size
  
  502KB
- MD5
  
  179f9ae9eb9e05411966a0d943e75360
- SHA1
  
  a543163fbea7ba8061da700133cc97e9ebcda589
- SHA256
  
  b72292ed8140957752e45880b597b6e1a673fb66e740379d29614dee1454d3a2
- SHA512
  
  ca77ce3fb5e345ea6304c9d405de577b164224df01ca25ce1ae560ab82463dfa6b0dacd6880d8d8821b15d3892f8d12bbee76832dee1cfef083b74f127949fc0
- SSDEEP
  
  12288:vHoTMfa6+pLH1SicSrISTE6bj3tZEdEyd:vHp0HnHASfyd
Score

1^/10
behavioral7 behavioral8
- Target
  
  cheat-Client-18.4/avutil-59.dll
- Size
  
  1000KB
- MD5
  
  9f4e1d61cf779052fed243c2142495b2
- SHA1
  
  246b28f23c542ba6f38767ad420fc4b6f716c8af
- SHA256
  
  cd256113d455d362d769a859d2214b9f672be8d2692eebd7539675d31620ca6b
- SHA512
  
  f3059d52d93731fee5fc03af389ea08f85f449caadc79a0021fe3da2234648ad3bbf012d96eddd2de161bab062bb8be3a9bc98114cb941bb46c1e0117c241593
- SSDEEP
  
  12288:4wCIUQiy/TXud3kOo09O11s5mbxZnBR2XoR6nP3J:4uioXud3kOn9x8fqYRoJ
Score

1^/10
behavioral10 behavioral9
- Target
  
  cheat-Client-18.4/cheat ddnet.exe
- Size
  
  13.8MB
- MD5
  
  c243a4b95f7bd67a1787ca5637506d28
- SHA1
  
  c9d77c9c982d3b74057ddf39bc394c1089ebe762
- SHA256
  
  10e075782de89b66ee1780aa15ee50b3f1aa7caaeffa86d3855a27c19f1fed5f
- SHA512
  
  400b1906a3a1b5bb00109d2e067c7e0a86589275f0c1106942e4a056019a5f0b00dbeec233a3eb92d33cbd9783cd030453bd0623e6b3dc3863de6e31e6dfd9a7
- SSDEEP
  
  393216:UZogBso8b4gFr5jSpEVCZPQmlgoWNuQ4Le:UZoK8b/im0ZYmlgAQ4Le
Score

10^/10

asyncrat stormkitty default discovery persistence privilege_escalation rat spyware stealer
- AsyncRat
  AsyncRAT is designed to remotely monitor and control other computers written in C#.
  rat asyncrat
- StormKitty
  StormKitty is an open source info stealer written in C#.
  stealer stormkitty
- StormKitty payload
- Async RAT payload
  rat
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Executes dropped EXE
- Loads dropped DLL
- Reads user/profile data of web browsers
  Infostealers often target stored browser data, which can include saved credentials etc.
  spyware stealer
- Drops desktop.ini file(s)
- Looks up external IP address via web service
  Uses a legitimate IP lookup service to find the infected system's external IP.
- Looks up geolocation information via web service
  Uses a legitimate geolocation service to find the infected system's geolocation info.
behavioral11 behavioral12
- Target
  
  cheat-Client-18.4/config_directory.bat
- Size
  
  222B
- MD5
  
  6191ec1743f8b924e43ebc2ab61ed4fc
- SHA1
  
  ae0e5de76c78618c4b8b1e22976bf50d366f3504
- SHA256
  
  1fbad52532e2685345cc3e5366e88d965f107e6c6013002e0bd6ad5da0377ad7
- SHA512
  
  4ff02eb42dddbb1d3845762a42c58abaa26344d64a308dea9210a180a50d1ea36df5d2852db0d1af06d8b35f2d84910281ba1ec712905acc9ef8b359900b8327
Score

1^/10
behavioral13 behavioral14
- Target
  
  cheat-Client-18.4/config_retrieve.exe
- Size
  
  1.6MB
- MD5
  
  f7555d80ff6e60a59365f01414501479
- SHA1
  
  1d6178f5c1b2896bc4edfae4c047bf861ca6f948
- SHA256
  
  278aa12afd5178f7fe61b41c0f639bb38449d7d76e20e87948a56c8bfb16273b
- SHA512
  
  c8b1a1ca3198e2be632dfbec70408d8c4c2d6a49f33f6d84dae0da599a058a95d881fefec8f0e23d5b1b56c5e4ce5f9fcf7fb387d2fd38e0f746190ed22f9aff
- SSDEEP
  
  24576:9ZD+Rvm86X41C7YrxtyeLLb5TfHdyjMChDl8XMa436oMdZ:7+R+8i41CWxtyeXb5TfHdyjMCxSEqoMD
Score

1^/10
behavioral15 behavioral16
- Target
  
  cheat-Client-18.4/config_store.exe
- Size
  
  1.6MB
- MD5
  
  44b8f89981fe8cee058b46e645bb07f9
- SHA1
  
  b22520a2bca53316d854a57aa3c43bb1199c6f60
- SHA256
  
  3e3e64438ccc8f4dbd185ae727946f8aafeef7261414c8f529599cd17e83f4e1
- SHA512
  
  ac4b7820966cdd004febdb5683ab4768e9ed4d1d9dfb33297b868a62da3e93061821817d600f45b7c74c3c81a083f08c9995372580e75e9f364e85c7f6e216a0
- SSDEEP
  
  49152:kTgQmuyH46XJ0IR4qbVutKSEFbwWczBvdgoMk:kKXPR4qbVutKkyoMk
Score

1^/10
behavioral17 behavioral18
- Target
  
  cheat-Client-18.4/data/krx/DDNet_original.exe
- Size
  
  5.5MB
- MD5
  
  8971b1b6a9fe0e84e92bfdef6449440c
- SHA1
  
  776d704db780a7068a7b61ecd8bab2383333d578
- SHA256
  
  a361cdfe7cbada056bdedc8a0fee0af68fb8d750845e5ecb1d7f3a5d8a01d0ee
- SHA512
  
  0566cea454d64cad8d1ec2b21b9aa8ce9e665753d1ed2ef81f97d03542b4616a8ab20deca8637198461ad651d057a4fa1360a6e25d6681bdb84639014fc8c23f
- SSDEEP
  
  98304:cXeJaLeXptHMELDQdQeEhN9PqasEVD0nK5pdxwwAJDFxZC9oM+5m:cO8LeIffC9X+I
Score

1^/10
behavioral19 behavioral20
- Target
  
  cheat-Client-18.4/dbgcore.dll
- Size
  
  162KB
- MD5
  
  8bb7fa4422c9ddc162051d8b7e5522d7
- SHA1
  
  07a01c2ccffd3d27f2a0d0ddf38dde1dd10455ec
- SHA256
  
  db947c07167069d3de9e8a637baf01298984355d775ec49801115d7e5f2e47a3
- SHA512
  
  7bfbbae884fe9f2235dd24ab9b0f5d35bc6af28bb6e562c000e36962be47de53bf9adc44e8b2d75b1c911a51d1e354ff94e216e66089269e6c7dee8085b98a60
- SSDEEP
  
  3072:XBvYv24Qwk0uHtYN2ZrO3p5oKKASB0ddOQYgOxTsvmbtIahY2rAW:XBg2VWuo3554ASB0ddOgahMW
Score

1^/10
behavioral21
- Target
  
  cheat-Client-18.4/dbghelp.dll
- Size
  
  1.8MB
- MD5
  
  3fbb5bbc320109a3adf8866289a81211
- SHA1
  
  543b936a89fbdb0220381eeff0824b3968390e82
- SHA256
  
  3d92df0984662298a09d988aff0bb7c3081a46bf48177b7af02d3552641f77e9
- SHA512
  
  e4fe89ffa2b723a8162a7eae05f42639a6cf86bca77495d2834fa0f58131ab8fac8336901f8bdce19c5b5b49aa6c5c4b0056febccf42b8fe395401696d0694cc
- SSDEEP
  
  24576:VOTeT88eTQhAWiJhXsg/537W7rDLIVn0a1pCVBz2P583pdj8DqF2gIMYT5q4NZrn:gCTwOkh37W7zI1JDUA583pEqF2gIr5vb
Score

1^/10
behavioral22
- Target
  
  cheat-Client-18.4/demo_extract_chat.exe
- Size
  
  1.6MB
- MD5
  
  6372280ed72fc59a101ae8d16c1a010c
- SHA1
  
  52355b8ea5c80ff745845b5100f79bb62c79bb6f
- SHA256
  
  f950a26258ac4c5dd1f4de4a638e14bb93a257bc0fca03acab7a660b18d2b1b2
- SHA512
  
  5a98eec76592f920e279a6759d6ddf717f56f12a5b2fd59c0cc534bba80bf8ad1899a858d9c569f47041f29a31cb0a1d79a3a1c1b5ace5e30eccb647f91c6d6d
- SSDEEP
  
  49152:DmDcar3HdzKK02jTR05/ZStLq7wiIR19EoMA:DOL0OR05/ZStLBcoMA
Score

1^/10
behavioral23 behavioral24
- Target
  
  cheat-Client-18.4/dilate.exe
- Size
  
  1.6MB
- MD5
  
  ac47fe30562e84f7d72246aef592ade9
- SHA1
  
  d4405f9c1a51f4897b0fbe184de3973286379f58
- SHA256
  
  100475e5df17f36e30562dcc990122d4304dc8c0929c7ce50078ab6742c701b3
- SHA512
  
  35f63ebb082a8d5d5b7876a7b23fd152e180184895b0ae8c47b1b39e59f6566cb2be4a1dff9f5722947686ba57df369a2c28be3c1ce63135e89c52fe4def32a6
- SSDEEP
  
  49152:HTyAWMYA+QbuIM6t0oc/Mbda0Gq6DGwToMWCd1Y:HW38u2t0oc/MbM7oMWJ
Score

1^/10
behavioral25 behavioral26
- Target
  
  cheat-Client-18.4/discord_game_sdk.dll
- Size
  
  3.3MB
- MD5
  
  4402cd4891c256ee40046c6092afdcbf
- SHA1
  
  914e01743c7591beb79a61417b262caeb23e2c20
- SHA256
  
  a6b6d7df00a58dc50248d91048578d0fe52182286b487ef89a961fd10467dbd1
- SHA512
  
  78da4181132a02d7d17ba4b2839018dc43d7d691c8bb01d34e5f7439df9c92951ce687e9487df158c44e764275b45d6800f6629ec2a175cc4ecdf868292291e5
- SSDEEP
  
  24576:Q/NGmO/w02OFM7zWIyjQYS2tBMPfL+8T14rbXojA4F8eEcu2sqhA+cGRlZVIH06R:3oOiaQAtBMPfCn/WDcGRxIU6iIdAk
Score

1^/10
behavioral27 behavioral28
- Target
  
  cheat-Client-18.4/exchndl.dll
- Size
  
  210KB
- MD5
  
  c17169edfc9209a550dda748669b2be6
- SHA1
  
  f806393f496b7d972a2bbcf8146bc8a06b9fd54b
- SHA256
  
  d9b528694462899a8a799babd8095e93982f471169217553a4d41c61028283b6
- SHA512
  
  b43c79e69a53dc34138ade6ec43943f579d3a664370dea834c6d4abc310c9b5d4162ee377234ea04a4b6276cf4fe7a1aa5e4f96c0210418ed14ef5425b4c3733
- SSDEEP
  
  6144:iu5QdsSJMfefeHlnW8nv4hkU03z22De7JPK5l:iuUKefeHlvl
Score

1^/10
behavioral29 behavioral30
- Target
  
  cheat-Client-18.4/libcrypto-3-x64.dll
- Size
  
  4.4MB
- MD5
  
  a15b6cad89e6490154d7f036be729318
- SHA1
  
  137538525ef14c136b088395a75d75af6e072b82
- SHA256
  
  872d68f01c79c3da3d795c18c353ef182bfc7f26acc43e6fbd7752e4e05bd87d
- SHA512
  
  8b8239f32553f38ec22f4d8327e98ad03cbb7be12ec90a1772df3683674f4452411c8e483d09a00b0eceaf9737b58a2e2822f9ea0b3ced2a523fac974edfb86e
- SSDEEP
  
  98304:CY+5Wk9nTWDHa6PgZmQdJNPw1CPwDvt3uFFZC:f+Wk9Tn6PgZmQdJNo1CPwDvt3uFFZC
Score

1^/10
behavioral31 behavioral32

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Event Triggered Execution

T1546

Netsh Helper DLL

T1546.007

Privilege Escalation

Event Triggered Execution

T1546

Netsh Helper DLL

T1546.007

Defense Evasion

Credential Access

Credentials from Password Stores

T1555

Credentials from Web Browsers

T1555.003

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Browser Information Discovery

T1217

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

System Network Configuration Discovery

T1016

Wi-Fi Discovery

T1016.002

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Tasks

Resubmissions

Sharing

General

Malware Config

Extracted

Targets

StormKitty

StormKitty payload

Async RAT payload

Checks computer location settings

Executes dropped EXE

Loads dropped DLL

Reads user/profile data of web browsers

Drops desktop.ini file(s)

Looks up external IP address via web service

Looks up geolocation information via web service

MITRE ATT&CK Enterprise v15

Tasks

static1

behavioral1

behavioral2

behavioral3

behavioral4

behavioral5

behavioral6

behavioral7

behavioral8

behavioral9

behavioral10

behavioral11

behavioral12

behavioral13

behavioral14

behavioral15

behavioral16

behavioral17

behavioral18

behavioral19

behavioral20

behavioral21

behavioral22

behavioral23

behavioral24

behavioral25

behavioral26

behavioral27

behavioral28

behavioral29

behavioral30

behavioral31

behavioral32