asyncrat | 0293f18506d1ee560edb08d31df755429c20f1401eb0adf57a364f310dbb25fb | Triage

Sharing

General

Target

6876f647ee7ddd41a32c6801a991f20623c7bf3ddff34ae3876005b78fe9c78f.bin.sample.gz
Size

10KB
Sample

241014-sk5haavfll
MD5

78c6b9bd4f9575aba7e460f4acf2a98d
SHA1

527cd2fe53db9bc11d1022102b238ce0c891303e
SHA256

0293f18506d1ee560edb08d31df755429c20f1401eb0adf57a364f310dbb25fb
SHA512

c6939af47a5d8e1eb46aea4759d77d96529991f32fc44fb6d658fd45b9f9fb8875bf31bdb46ce6f1ba2833cb3e403112951c4578293008ea4885af97bb1d46a2
SSDEEP

192:/pQmZrzhyFmnBcjJwpwUEkIfJYBX59kPQPzxYRTbIXf5tNS0TpkFdgZKh/O2FHc:/p78FmnBcjK9jaJYuYcY7c0NQCK7F8

Score

10^/10

asyncrat stormkitty geeko discovery execution rat stealer

Malware Config

Extracted

Language

ps1

Deobfuscated

URLs

exe.dropper

http://185.16.38.38:555/ver/d.jpg

Extracted

Language

ps1

Deobfuscated

URLs

exe.dropper

https://nodejs.org/download/release/latest-v19.x/win-x64/node.exe

Extracted

Family

asyncrat

Version

AWS | 3Losh

Botnet

Geeko

C2

geekcoobarz.com:6606

geekcoobarz.com:7707

geekcoobarz.com:8808

Mutex

AsyncMutex_Geeko

Attributes

delay
3
install
false
install_folder
%AppData%

aes.plain

Targets

- Target
  
  eBill_278146878CV.wsf
- Size
  
  31KB
- MD5
  
  0a7c5d3d48afcfd0665cde72c0f34056
- SHA1
  
  0a54cc9c809d7e4652124594cf4c9aa5d0e69fb0
- SHA256
  
  abe9c101a2935a04086558477a69ad3c2ec2a41a60ca50519c39a7db0e07d41d
- SHA512
  
  c0f00e95aa2e9079ff80d80c839388ea6c7f055a764249d76f4f8933c5dcbc006892a9c46faf28ea1203541c34fb82e6557940e93b98b0b4cb371cdf0c489381
- SSDEEP
  
  768:GneTE/AK58r/7LtJKyvuh9gneTE/AK58r/7LtJKyvuh9w:GGQG/dlGQG/dH
Score

10^/10

asyncrat stormkitty geeko discovery execution rat stealer
- AsyncRat
  AsyncRAT is designed to remotely monitor and control other computers written in C#.
  rat asyncrat
- StormKitty
  StormKitty is an open source info stealer written in C#.
  stealer stormkitty
- StormKitty payload
- Blocklisted process makes network request
- Downloads MZ/PE file
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Command and Scripting Interpreter: PowerShell
  Using powershell.exe command.
  execution
- Suspicious use of SetThreadContext
behavioral1 behavioral2

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

JavaScript

PowerShell

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Browser Information Discovery

Query Registry

System Information Discovery

System Location Discovery

System Language Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Tasks

static1

behavioral1

behavioral2

asyncratstormkittygeekodiscoveryexecutionratstealer