Overview

overview

10

Static

static

3

cheat-Clie...et.exe

windows10-1703-x64

10

cheat-Clie...et.exe

windows10-2004-x64

10

cheat-Clie...et.exe

windows11-21h2-x64

10

Analysis

  • max time kernel
    88s
  • max time network
    81s
  • platform
    windows10-1703_x64
  • resource
    win10-20240404-en
  • resource tags

    arch:x64arch:x86image:win10-20240404-enlocale:en-usos:windows10-1703-x64system
  • submitted
    01-10-2024 19:50

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    cheat-Client-18.4/cheat ddnet.exe

  • Size

    13.8MB

  • MD5

    c243a4b95f7bd67a1787ca5637506d28

  • SHA1

    c9d77c9c982d3b74057ddf39bc394c1089ebe762

  • SHA256

    10e075782de89b66ee1780aa15ee50b3f1aa7caaeffa86d3855a27c19f1fed5f

  • SHA512

    400b1906a3a1b5bb00109d2e067c7e0a86589275f0c1106942e4a056019a5f0b00dbeec233a3eb92d33cbd9783cd030453bd0623e6b3dc3863de6e31e6dfd9a7

  • SSDEEP

    393216:UZogBso8b4gFr5jSpEVCZPQmlgoWNuQ4Le:UZoK8b/im0ZYmlgAQ4Le

Score
10/10
asyncratstormkittydefaultdiscoverypersistenceprivilege_escalationratspywarestealer

Malware Config

Extracted

Family

asyncrat

Botnet

Default

C2

127.0.0.1:6606

127.0.0.1:7707

127.0.0.1:8808

https://api.telegram.org/bot7559842378:AAEO5G-UvKkJGXAkNr6mdPi4Yrgvo7GFhDE/sendMessage?chat_id=1426495159
Mutex

AsyncMutex_6SI8OkPnk

Attributes
  • delay

    3

  • install

    false

  • install_folder

    %AppData%

aes.plain

Signatures

  • AsyncRat

    AsyncRAT is designed to remotely monitor and control other computers written in C#.

    ratasyncrat
  • StormKitty

    StormKitty is an open source info stealer written in C#.

    stealerstormkitty
  • StormKitty payload 2 IoCs
  • Async RAT payload 1 IoCs
    rat
  • Executes dropped EXE 2 IoCs
  • Reads user/profile data of web browsers 3 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

    spywarestealer
  • Drops desktop.ini file(s) 7 IoCs
  • Looks up external IP address via web service 1 IoCs

    Uses a legitimate IP lookup service to find the infected system's external IP.

  • Looks up geolocation information via web service

    Uses a legitimate geolocation service to find the infected system's geolocation info.

  • Browser Information Discovery 1 TTPs

    Enumerate browser information.

    discovery
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Event Triggered Execution: Netsh Helper DLL 1 TTPs 6 IoCs

    Netsh.exe (also referred to as Netshell) is a command-line scripting utility used to interact with the network configuration of a system.

    persistenceprivilege_escalation
  • System Location Discovery: System Language Discovery 1 TTPs 8 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

    discovery
  • System Network Configuration Discovery: Wi-Fi Discovery 1 TTPs 2 IoCs

    Adversaries may search for information about Wi-Fi networks, such as network names and passwords, on compromised systems.

    discovery
  • Checks processor information in registry 2 TTPs 2 IoCs

    Processor information is often read in order to detect sandboxing environments.

  • Suspicious behavior: EnumeratesProcesses 19 IoCs
  • Suspicious use of AdjustPrivilegeToken 1 IoCs
  • Suspicious use of WriteProcessMemory 26 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\cheat-Client-18.4\cheat ddnet.exe
    "C:\Users\Admin\AppData\Local\Temp\cheat-Client-18.4\cheat ddnet.exe"
    1⤵
    • Suspicious use of WriteProcessMemory
    PID:656
    • C:\Users\Admin\AppData\Local\Temp\KRX Clients.exe
      "C:\Users\Admin\AppData\Local\Temp\KRX Clients.exe"
      2⤵
      • Executes dropped EXE
      • Drops desktop.ini file(s)
      • System Location Discovery: System Language Discovery
      • Checks processor information in registry
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:4128
      • C:\Windows\SysWOW64\cmd.exe
        "cmd.exe" /C chcp 65001 && netsh wlan show profile | findstr All
        3⤵
        • System Location Discovery: System Language Discovery
        • System Network Configuration Discovery: Wi-Fi Discovery
        • Suspicious use of WriteProcessMemory
        PID:3696
        • C:\Windows\SysWOW64\chcp.com
          chcp 65001
          4⤵
          • System Location Discovery: System Language Discovery
          PID:2876
        • C:\Windows\SysWOW64\netsh.exe
          netsh wlan show profile
          4⤵
          • Event Triggered Execution: Netsh Helper DLL
          • System Location Discovery: System Language Discovery
          • System Network Configuration Discovery: Wi-Fi Discovery
          PID:5004
        • C:\Windows\SysWOW64\findstr.exe
          findstr All
          4⤵
          • System Location Discovery: System Language Discovery
          PID:3572
      • C:\Windows\SysWOW64\cmd.exe
        "cmd.exe" /C chcp 65001 && netsh wlan show networks mode=bssid
        3⤵
        • System Location Discovery: System Language Discovery
        • Suspicious use of WriteProcessMemory
        PID:3440
        • C:\Windows\SysWOW64\chcp.com
          chcp 65001
          4⤵
          • System Location Discovery: System Language Discovery
          PID:3172
        • C:\Windows\SysWOW64\netsh.exe
          netsh wlan show networks mode=bssid
          4⤵
          • Event Triggered Execution: Netsh Helper DLL
          • System Location Discovery: System Language Discovery
          PID:1296
    • C:\Users\Admin\AppData\Local\Temp\KRX Client.exe
      "C:\Users\Admin\AppData\Local\Temp\KRX Client.exe"
      2⤵
      • Executes dropped EXE
      PID:360

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\AppData\Local\96bdf839390546d7d836faf221871141\Admin@NDTNZVHN_en-US\Browsers\Firefox\Bookmarks.txt
    Filesize

    105B

    MD5

    2e9d094dda5cdc3ce6519f75943a4ff4

    SHA1

    5d989b4ac8b699781681fe75ed9ef98191a5096c

    SHA256

    c84c98bbf5e0ef9c8d0708b5d60c5bb656b7d6be5135d7f7a8d25557e08cf142

    SHA512

    d1f7eed00959e902bdb2125b91721460d3ff99f3bdfc1f2a343d4f58e8d4e5e5a06c0c6cdc0379211c94510f7c00d7a8b34fa7d0ca0c3d54cbbe878f1e9812b7

    Download Submit

  • C:\Users\Admin\AppData\Local\96bdf839390546d7d836faf221871141\Admin@NDTNZVHN_en-US\System\Process.txt
    Filesize

    4KB

    MD5

    078a20322d976d904c728f9c90ba72bf

    SHA1

    2fda012b23554e16ca099a01c0acd98bfc96d310

    SHA256

    b947807034a2c616afa54777ef5daa01fb2b81f3a50dcc4c14b89664d33566e4

    SHA512

    bdffd8ec835b4a5228b069dc0843940d89bd4f38d9ae11b9ae82c78ff25325b80a928ed8e7de7086c7ec94c060b0f28642958ae695d6943a45a46e31b105f544

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\KRX Client.exe
    Filesize

    13.1MB

    MD5

    4576b168071792af058f9247646c0211

    SHA1

    3a65b8aaa74fe1f0c519de3a3fb1ebb7c11d636e

    SHA256

    4361a46dc16dd11d11d9d83e06ebb8332049be65c4589b3e331e51e97502bb18

    SHA512

    f397fc6227e1f8b9b7a3cbe1aafdbb2f161bc4d116b83e6dd70da38c0de68098ea8d00defcbe1051291e3982b42dbc2956384403d892745952059b1b768dcdcf

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\KRX Clients.exe
    Filesize

    648KB

    MD5

    9ce354a36d22e83dfffbd0153d199a7b

    SHA1

    0dc32906c6c0549bc321968fd690c57597e4b25d

    SHA256

    39e63e086fe73f3accc83c134107419cb346887f1574399cf4d73bac28c9c3e5

    SHA512

    ab934189c487e1496ba5e82010aa85a71b860d78170fb88773494be800a9ff92c8366d41f70997291f7adf4db159fc7d36856a07a101b9bfa77089bab70566f1

    Download Submit

  • C:\Users\Admin\AppData\Local\e95e14612d7af1c79a2f62cacf4f4e81\msgid.dat
    Filesize

    3B

    MD5

    979d472a84804b9f647bc185a877a8b5

    SHA1

    19187dc98dce52fa4c4e8e05b341a9b77a51fd26

    SHA256

    d48ff4b2f68a10fd7c86f185a6ccede0dc0f2c48538d697cb33b6ada3f1e85db

    SHA512

    eb2f6d6c3d0d1c9104d04facb613acd5d8c3eb74884c7f3fc2f3077bcecd8baced50b287a54ba9f823a4b47d3c247ed65a351983db5d48d6714291ebeb5c71ae

    Download Submit

  • memory/360-16-0x0000000140000000-0x0000000141FED000-memory.dmp

    Filesize

    31.9MB

    Download

  • memory/4128-15-0x0000000000A50000-0x0000000000AF8000-memory.dmp

    Filesize

    672KB

    Download

  • memory/4128-17-0x0000000005300000-0x0000000005366000-memory.dmp

    Filesize

    408KB

    Download

  • memory/4128-137-0x0000000005E20000-0x0000000005EB2000-memory.dmp

    Filesize

    584KB

    Download

  • memory/4128-138-0x00000000063C0000-0x00000000068BE000-memory.dmp

    Filesize

    5.0MB

    Download

  • memory/4128-142-0x0000000073DEE000-0x0000000073DEF000-memory.dmp

    Filesize

    4KB

    Download

  • memory/4128-143-0x0000000005F20000-0x0000000005F2A000-memory.dmp

    Filesize

    40KB

    Download

  • memory/4128-11-0x0000000073DEE000-0x0000000073DEF000-memory.dmp

    Filesize

    4KB

    Download

  • memory/4128-149-0x0000000005F30000-0x0000000005F42000-memory.dmp

    Filesize

    72KB

    Download