Overview

overview

10

Static

static

3

cheat-Clie...er.exe

windows7-x64

1

cheat-Clie...er.exe

windows10-2004-x64

1

cheat-Clie...L2.dll

windows7-x64

1

cheat-Clie...L2.dll

windows10-2004-x64

1

cheat-Clie...61.dll

windows7-x64

1

cheat-Clie...61.dll

windows10-2004-x64

1

cheat-Clie...61.dll

windows7-x64

1

cheat-Clie...61.dll

windows10-2004-x64

1

cheat-Clie...59.dll

windows7-x64

1

cheat-Clie...59.dll

windows10-2004-x64

1

cheat-Clie...et.exe

windows7-x64

10

cheat-Clie...et.exe

windows10-2004-x64

10

cheat-Clie...ry.bat

windows7-x64

1

cheat-Clie...ry.bat

windows10-2004-x64

1

cheat-Clie...ve.exe

windows7-x64

1

cheat-Clie...ve.exe

windows10-2004-x64

1

cheat-Clie...re.exe

windows7-x64

1

cheat-Clie...re.exe

windows10-2004-x64

1

cheat-Clie...al.exe

windows7-x64

1

cheat-Clie...al.exe

windows10-2004-x64

1

cheat-Clie...re.dll

windows10-2004-x64

1

cheat-Clie...lp.dll

windows10-2004-x64

1

cheat-Clie...at.exe

windows7-x64

1

cheat-Clie...at.exe

windows10-2004-x64

1

cheat-Clie...te.exe

windows7-x64

1

cheat-Clie...te.exe

windows10-2004-x64

1

cheat-Clie...dk.dll

windows7-x64

1

cheat-Clie...dk.dll

windows10-2004-x64

1

cheat-Clie...dl.dll

windows7-x64

1

cheat-Clie...dl.dll

windows10-2004-x64

1

cheat-Clie...64.dll

windows7-x64

1

cheat-Clie...64.dll

windows10-2004-x64

1

Resubmissions

01-10-2024 19:40

241001-ydxrra1bke 10

Analysis

  • max time kernel
    146s
  • max time network
    161s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240802-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
  • submitted
    01-10-2024 19:40

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    cheat-Client-18.4/cheat ddnet.exe

  • Size

    13.8MB

  • MD5

    c243a4b95f7bd67a1787ca5637506d28

  • SHA1

    c9d77c9c982d3b74057ddf39bc394c1089ebe762

  • SHA256

    10e075782de89b66ee1780aa15ee50b3f1aa7caaeffa86d3855a27c19f1fed5f

  • SHA512

    400b1906a3a1b5bb00109d2e067c7e0a86589275f0c1106942e4a056019a5f0b00dbeec233a3eb92d33cbd9783cd030453bd0623e6b3dc3863de6e31e6dfd9a7

  • SSDEEP

    393216:UZogBso8b4gFr5jSpEVCZPQmlgoWNuQ4Le:UZoK8b/im0ZYmlgAQ4Le

Score
10/10
asyncratstormkittydefaultdiscoverypersistenceprivilege_escalationratspywarestealer

Malware Config

Extracted

Family

asyncrat

Botnet

Default

C2

127.0.0.1:6606

127.0.0.1:7707

127.0.0.1:8808

https://api.telegram.org/bot7559842378:AAEO5G-UvKkJGXAkNr6mdPi4Yrgvo7GFhDE/sendMessage?chat_id=1426495159
Mutex

AsyncMutex_6SI8OkPnk

Attributes
  • delay

    3

  • install

    false

  • install_folder

    %AppData%

aes.plain

Signatures

  • AsyncRat

    AsyncRAT is designed to remotely monitor and control other computers written in C#.

    ratasyncrat
  • StormKitty

    StormKitty is an open source info stealer written in C#.

    stealerstormkitty
  • StormKitty payload 2 IoCs
  • Async RAT payload 1 IoCs
    rat
  • Checks computer location settings 2 TTPs 1 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Executes dropped EXE 2 IoCs
  • Reads user/profile data of web browsers 3 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

    spywarestealer
  • Drops desktop.ini file(s) 9 IoCs
  • Looks up external IP address via web service 1 IoCs

    Uses a legitimate IP lookup service to find the infected system's external IP.

  • Looks up geolocation information via web service

    Uses a legitimate geolocation service to find the infected system's geolocation info.

  • Browser Information Discovery 1 TTPs

    Enumerate browser information.

    discovery
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Event Triggered Execution: Netsh Helper DLL 1 TTPs 6 IoCs

    Netsh.exe (also referred to as Netshell) is a command-line scripting utility used to interact with the network configuration of a system.

    persistenceprivilege_escalation
  • System Location Discovery: System Language Discovery 1 TTPs 8 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

    discovery
  • System Network Configuration Discovery: Wi-Fi Discovery 1 TTPs 2 IoCs

    Adversaries may search for information about Wi-Fi networks, such as network names and passwords, on compromised systems.

    discovery
  • Checks processor information in registry 2 TTPs 2 IoCs

    Processor information is often read in order to detect sandboxing environments.

  • Suspicious behavior: EnumeratesProcesses 27 IoCs
  • Suspicious use of AdjustPrivilegeToken 1 IoCs
  • Suspicious use of WriteProcessMemory 26 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\cheat-Client-18.4\cheat ddnet.exe
    "C:\Users\Admin\AppData\Local\Temp\cheat-Client-18.4\cheat ddnet.exe"
    1⤵
    • Checks computer location settings
    • Suspicious use of WriteProcessMemory
    PID:4164
    • C:\Users\Admin\AppData\Local\Temp\KRX Clients.exe
      "C:\Users\Admin\AppData\Local\Temp\KRX Clients.exe"
      2⤵
      • Executes dropped EXE
      • Drops desktop.ini file(s)
      • System Location Discovery: System Language Discovery
      • Checks processor information in registry
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:2856
      • C:\Windows\SysWOW64\cmd.exe
        "cmd.exe" /C chcp 65001 && netsh wlan show profile | findstr All
        3⤵
        • System Location Discovery: System Language Discovery
        • System Network Configuration Discovery: Wi-Fi Discovery
        • Suspicious use of WriteProcessMemory
        PID:1948
        • C:\Windows\SysWOW64\chcp.com
          chcp 65001
          4⤵
          • System Location Discovery: System Language Discovery
          PID:4640
        • C:\Windows\SysWOW64\netsh.exe
          netsh wlan show profile
          4⤵
          • Event Triggered Execution: Netsh Helper DLL
          • System Location Discovery: System Language Discovery
          • System Network Configuration Discovery: Wi-Fi Discovery
          PID:1092
        • C:\Windows\SysWOW64\findstr.exe
          findstr All
          4⤵
          • System Location Discovery: System Language Discovery
          PID:4556
      • C:\Windows\SysWOW64\cmd.exe
        "cmd.exe" /C chcp 65001 && netsh wlan show networks mode=bssid
        3⤵
        • System Location Discovery: System Language Discovery
        • Suspicious use of WriteProcessMemory
        PID:4492
        • C:\Windows\SysWOW64\chcp.com
          chcp 65001
          4⤵
          • System Location Discovery: System Language Discovery
          PID:224
        • C:\Windows\SysWOW64\netsh.exe
          netsh wlan show networks mode=bssid
          4⤵
          • Event Triggered Execution: Netsh Helper DLL
          • System Location Discovery: System Language Discovery
          PID:1804
    • C:\Users\Admin\AppData\Local\Temp\KRX Client.exe
      "C:\Users\Admin\AppData\Local\Temp\KRX Client.exe"
      2⤵
      • Executes dropped EXE
      PID:2148

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\AppData\Local\23684b8162b569f9c1bb36f1794167ce\Admin@SYMRKCCU_en-US\System\Process.txt
    Filesize

    4KB

    MD5

    16fd008618105c0d34a4af0559f52898

    SHA1

    ca336dd4180814406bcc67307a02fd6f2625b3d5

    SHA256

    27aa21dc4601ea95ccc0184b7835a1fcebf7c474b873d2709664003933320b6f

    SHA512

    29093eb4d1c9b7403f6ac9679c26c24c3b6e27ae638717ac3e3a2b2c92a2d5c98706a6e3b11d7d788fb42619cd84e27377c08e5adf4dcfaa266aa9880c406df1

    Download Submit

  • C:\Users\Admin\AppData\Local\23684b8162b569f9c1bb36f1794167ce\msgid.dat
    Filesize

    3B

    MD5

    69adc1e107f7f7d035d7baf04342e1ca

    SHA1

    3be76cc016a8c850661956c5f71d14c621cf6a69

    SHA256

    968076be2e38cf897d4d6cea3faca9c037e1a4e3b4b7744fb2533e07751bd30a

    SHA512

    99ca407af8c883034a447f1e670330e32d2189357619ac4c10a0745ab37fb204979c42cd3c216b30a688be808aa588d1ea35d3d3780675a55175305b6618e07a

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\KRX Client.exe
    Filesize

    13.1MB

    MD5

    4576b168071792af058f9247646c0211

    SHA1

    3a65b8aaa74fe1f0c519de3a3fb1ebb7c11d636e

    SHA256

    4361a46dc16dd11d11d9d83e06ebb8332049be65c4589b3e331e51e97502bb18

    SHA512

    f397fc6227e1f8b9b7a3cbe1aafdbb2f161bc4d116b83e6dd70da38c0de68098ea8d00defcbe1051291e3982b42dbc2956384403d892745952059b1b768dcdcf

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\KRX Clients.exe
    Filesize

    648KB

    MD5

    9ce354a36d22e83dfffbd0153d199a7b

    SHA1

    0dc32906c6c0549bc321968fd690c57597e4b25d

    SHA256

    39e63e086fe73f3accc83c134107419cb346887f1574399cf4d73bac28c9c3e5

    SHA512

    ab934189c487e1496ba5e82010aa85a71b860d78170fb88773494be800a9ff92c8366d41f70997291f7adf4db159fc7d36856a07a101b9bfa77089bab70566f1

    Download Submit

  • memory/2148-22-0x0000000140000000-0x0000000141FED000-memory.dmp

    Filesize

    31.9MB

    Download

  • memory/2856-21-0x0000000000810000-0x00000000008B8000-memory.dmp

    Filesize

    672KB

    Download

  • memory/2856-23-0x00000000053F0000-0x0000000005456000-memory.dmp

    Filesize

    408KB

    Download

  • memory/2856-170-0x0000000005CE0000-0x0000000005D72000-memory.dmp

    Filesize

    584KB

    Download

  • memory/2856-171-0x0000000006490000-0x0000000006A34000-memory.dmp

    Filesize

    5.6MB

    Download

  • memory/2856-175-0x0000000005DC0000-0x0000000005DCA000-memory.dmp

    Filesize

    40KB

    Download

  • memory/2856-181-0x0000000005FA0000-0x0000000005FB2000-memory.dmp

    Filesize

    72KB

    Download