asyncrat | 60837ecb4271e7348591ab1d8ee69dabf9071677694fb024493497af43855f25

General

Target

build.exe
Size

6.7MB
MD5

28ef4cb352cfe60d068b08f677f3689f
SHA1

1efb5e55b13e15ed534c711efee79c62e36c8eea
SHA256

60837ecb4271e7348591ab1d8ee69dabf9071677694fb024493497af43855f25
SHA512

ec16acce2053d91f835c31aa453a4415b281fc041e1d4a23fe90631bc2acaf6c9bf6531f0332e2cf954660ac01d0e3f031c64e74988e06bee0d332814acc639c
SSDEEP

98304:XStzEq9xypvogUuuhDYbkqKTU5QgFFgG6INdOzs:WnTY84QuuG6INys

Score

10^/10

asyncrat stormkitty discovery persistence rat stealer

Malware Config

Signatures

AsyncRat
AsyncRAT is designed to remotely monitor and control other computers written in C#.
rat asyncrat
StormKitty
StormKitty is an open source info stealer written in C#.
stealer stormkitty

StormKitty payload 4 IoCs

resource	yara_rule
behavioral1/memory/4952-20-0x0000000000EE0000-0x000000000112A000-memory.dmp	family_stormkitty
behavioral1/memory/5256-21-0x0000000000400000-0x0000000000B22000-memory.dmp	family_stormkitty
behavioral1/memory/5256-22-0x0000000000400000-0x0000000000B22000-memory.dmp	family_stormkitty
behavioral1/memory/5256-23-0x0000000000400000-0x0000000000B22000-memory.dmp	family_stormkitty

Executes dropped EXE 1 IoCs

pid	Process
4268	Wihnup.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-3973800497-2716210218-310192997-1000\Software\Microsoft\Windows\CurrentVersion\Run\ResDesignerEditor = "C:\\Users\\Admin\\Music\\ResDesignerUpdater\\ResVideo.exe윀"	build.exe

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 5256 set thread context of 4952	5256	build.exe	80

System Location Discovery: System Language Discovery 1 TTPs 7 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	timeout.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Wihnup.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	build.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	csc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	schtasks.exe

Checks SCSI registry key(s) 3 TTPs 3 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000	Taskmgr.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	Taskmgr.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\FriendlyName	Taskmgr.exe

Delays execution with timeout.exe 1 IoCs

evasion

pid	Process
4440	timeout.exe

Scheduled Task/Job: Scheduled Task 1 TTPs 1 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

pid	Process
2004	schtasks.exe

Suspicious behavior: EnumeratesProcesses 36 IoCs

pid	Process
5372	Taskmgr.exe
5372	Taskmgr.exe
5372	Taskmgr.exe
5372	Taskmgr.exe
5372	Taskmgr.exe
5372	Taskmgr.exe
5372	Taskmgr.exe
5372	Taskmgr.exe
5372	Taskmgr.exe
5372	Taskmgr.exe
4952	csc.exe
4952	csc.exe
4952	csc.exe
4952	csc.exe
4952	csc.exe
4952	csc.exe
4952	csc.exe
4952	csc.exe
4952	csc.exe
4952	csc.exe
4952	csc.exe
4952	csc.exe
4952	csc.exe
4952	csc.exe
4952	csc.exe
4952	csc.exe
4952	csc.exe
4952	csc.exe
4952	csc.exe
5372	Taskmgr.exe
5372	Taskmgr.exe
5372	Taskmgr.exe
5372	Taskmgr.exe
5372	Taskmgr.exe
5372	Taskmgr.exe
5372	Taskmgr.exe

Suspicious use of AdjustPrivilegeToken 4 IoCs

description	pid	Process
Token: SeDebugPrivilege	5372	Taskmgr.exe
Token: SeSystemProfilePrivilege	5372	Taskmgr.exe
Token: SeCreateGlobalPrivilege	5372	Taskmgr.exe
Token: SeDebugPrivilege	4952	csc.exe

Suspicious use of FindShellTrayWindow 27 IoCs

pid	Process
5372	Taskmgr.exe
5372	Taskmgr.exe
5372	Taskmgr.exe
5372	Taskmgr.exe
5372	Taskmgr.exe
5372	Taskmgr.exe
5372	Taskmgr.exe
5372	Taskmgr.exe
5372	Taskmgr.exe
5372	Taskmgr.exe
5372	Taskmgr.exe
5372	Taskmgr.exe
5372	Taskmgr.exe
5372	Taskmgr.exe
5372	Taskmgr.exe
5372	Taskmgr.exe
5372	Taskmgr.exe
5372	Taskmgr.exe
5372	Taskmgr.exe
5372	Taskmgr.exe
5372	Taskmgr.exe
5372	Taskmgr.exe
5372	Taskmgr.exe
5372	Taskmgr.exe
5372	Taskmgr.exe
5372	Taskmgr.exe
5372	Taskmgr.exe

Suspicious use of SendNotifyMessage 27 IoCs

pid	Process
5372	Taskmgr.exe
5372	Taskmgr.exe
5372	Taskmgr.exe
5372	Taskmgr.exe
5372	Taskmgr.exe
5372	Taskmgr.exe
5372	Taskmgr.exe
5372	Taskmgr.exe
5372	Taskmgr.exe
5372	Taskmgr.exe
5372	Taskmgr.exe
5372	Taskmgr.exe
5372	Taskmgr.exe
5372	Taskmgr.exe
5372	Taskmgr.exe
5372	Taskmgr.exe
5372	Taskmgr.exe
5372	Taskmgr.exe
5372	Taskmgr.exe
5372	Taskmgr.exe
5372	Taskmgr.exe
5372	Taskmgr.exe
5372	Taskmgr.exe
5372	Taskmgr.exe
5372	Taskmgr.exe
5372	Taskmgr.exe
5372	Taskmgr.exe

Suspicious use of WriteProcessMemory 20 IoCs

description	pid	Process	procid_target
PID 5256 wrote to memory of 4952	5256	build.exe	80
PID 5256 wrote to memory of 4952	5256	build.exe	80
PID 5256 wrote to memory of 4952	5256	build.exe	80
PID 5256 wrote to memory of 4952	5256	build.exe	80
PID 5256 wrote to memory of 4952	5256	build.exe	80
PID 4952 wrote to memory of 3036	4952	csc.exe	81
PID 4952 wrote to memory of 3036	4952	csc.exe	81
PID 4952 wrote to memory of 3036	4952	csc.exe	81
PID 4952 wrote to memory of 2572	4952	csc.exe	83
PID 4952 wrote to memory of 2572	4952	csc.exe	83
PID 4952 wrote to memory of 2572	4952	csc.exe	83
PID 3036 wrote to memory of 2004	3036	cmd.exe	85
PID 3036 wrote to memory of 2004	3036	cmd.exe	85
PID 3036 wrote to memory of 2004	3036	cmd.exe	85
PID 2572 wrote to memory of 4440	2572	cmd.exe	86
PID 2572 wrote to memory of 4440	2572	cmd.exe	86
PID 2572 wrote to memory of 4440	2572	cmd.exe	86
PID 2572 wrote to memory of 4268	2572	cmd.exe	87
PID 2572 wrote to memory of 4268	2572	cmd.exe	87
PID 2572 wrote to memory of 4268	2572	cmd.exe	87

C:\Users\Admin\AppData\Local\Temp\build.exe
"C:\Users\Admin\AppData\Local\Temp\build.exe"
1⤵
- Adds Run key to start application
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:5256
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe
  "C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe"
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:4952
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\System32\cmd.exe" /c schtasks /create /f /sc onlogon /rl highest /tn "Wihnup" /tr '"C:\Users\Admin\AppData\Roaming\Wihnup.exe"' & exit
    3⤵
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:3036
  - - C:\Windows\SysWOW64\schtasks.exe
      schtasks /create /f /sc onlogon /rl highest /tn "Wihnup" /tr '"C:\Users\Admin\AppData\Roaming\Wihnup.exe"'
      4⤵
      System Location Discovery: System Language Discovery
      Scheduled Task/Job: Scheduled Task
      PID:2004
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\tmp54A.tmp.bat""
    3⤵
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:2572
  - - C:\Windows\SysWOW64\timeout.exe
      timeout 3
      4⤵
      System Location Discovery: System Language Discovery
      Delays execution with timeout.exe
      PID:4440
  - - C:\Users\Admin\AppData\Roaming\Wihnup.exe
      "C:\Users\Admin\AppData\Roaming\Wihnup.exe"
      4⤵
      Executes dropped EXE
      System Location Discovery: System Language Discovery
      PID:4268

C:\Windows\System32\Taskmgr.exe
"C:\Windows\System32\Taskmgr.exe"
1⤵
- Checks SCSI registry key(s)
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:5372

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

1

T1053

Scheduled Task

1

T1053.005

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Scheduled Task/Job

1

T1053

Scheduled Task

1

T1053.005

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Scheduled Task/Job

1

T1053

Scheduled Task

1

T1053.005

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Peripheral Device Discovery

Query Registry

System Information Discovery

1

T1082

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\tmp54A.tmp.bat

Filesize
149B

MD5
31bd6755e4c1256344eb3e2906c87b26

SHA1
25f7d1a3c4bbbbce946bc910ecef2e8762794220

SHA256
c18e7f0ee9e701ab2d1cdf67aeee4dadf858b400c56963e492689b987e7877f9

SHA512
bde99ecafc96a63977f239a3ae44995d770699e25cc1852a3b1353d2a556b95b855092b9f8c9aef9e4b0e37471a920d2dba47a56681c60c983413c29f882dcf4

Download Submit
C:\Users\Admin\AppData\Roaming\Wihnup.exe

Filesize
2.0MB

MD5
749b60ea8762b3bc3494906fd7025497

SHA1
1694340ab9fbe2692a95d9b18575c6959b01c7e9

SHA256
4458132afc157ed1943f0fee08fb8dce30b46eca73ac07c45026378b47d8be64

SHA512
f5879f5b113f2c32e97245f28d6a2a7d1bbacdcd367146c1afdee6e8854b766be45ac2da34bad646cc780f957d95e0033f9ec8831d27fdadc7a6fd50c5002021

Download Submit
memory/4952-20-0x0000000000EE0000-0x000000000112A000-memory.dmp

Filesize
2.3MB

Download
memory/4952-24-0x0000000005E10000-0x00000000063B6000-memory.dmp

Filesize
5.6MB

Download
memory/5256-22-0x0000000000400000-0x0000000000B22000-memory.dmp

Filesize
7.1MB

Download
memory/5256-0-0x0000000000400000-0x0000000000B22000-memory.dmp

Filesize
7.1MB

Download
memory/5256-14-0x0000000000400000-0x0000000000B22000-memory.dmp

Filesize
7.1MB

Download
memory/5256-21-0x0000000000400000-0x0000000000B22000-memory.dmp

Filesize
7.1MB

Download
memory/5256-23-0x0000000000400000-0x0000000000B22000-memory.dmp

Filesize
7.1MB

Download
memory/5256-18-0x0000000000400000-0x0000000000B22000-memory.dmp

Filesize
7.1MB

Download
memory/5256-19-0x0000000000400000-0x0000000000B22000-memory.dmp

Filesize
7.1MB

Download
memory/5256-15-0x0000000000514000-0x000000000052D000-memory.dmp

Filesize
100KB

Download
memory/5256-17-0x0000000000400000-0x0000000000B22000-memory.dmp

Filesize
7.1MB

Download
memory/5372-12-0x000001C6BD950000-0x000001C6BD951000-memory.dmp

Filesize
4KB

Download
memory/5372-8-0x000001C6BD950000-0x000001C6BD951000-memory.dmp

Filesize
4KB

Download
memory/5372-7-0x000001C6BD950000-0x000001C6BD951000-memory.dmp

Filesize
4KB

Download
memory/5372-9-0x000001C6BD950000-0x000001C6BD951000-memory.dmp

Filesize
4KB

Download
memory/5372-10-0x000001C6BD950000-0x000001C6BD951000-memory.dmp

Filesize
4KB

Download
memory/5372-11-0x000001C6BD950000-0x000001C6BD951000-memory.dmp

Filesize
4KB

Download
memory/5372-13-0x000001C6BD950000-0x000001C6BD951000-memory.dmp

Filesize
4KB

Download
memory/5372-2-0x000001C6BD950000-0x000001C6BD951000-memory.dmp

Filesize
4KB

Download
memory/5372-1-0x000001C6BD950000-0x000001C6BD951000-memory.dmp

Filesize
4KB

Download
memory/5372-3-0x000001C6BD950000-0x000001C6BD951000-memory.dmp

Filesize
4KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads