asyncrat | cd2a3b6dac6e3a9483df3ca219df51ca77ccfaa14213ca6ff25d072b4fee24eb

Analysis

max time kernel
91s
max time network
94s
platform
windows11-21h2_x64
resource
win11-20241007-fr
resource tags

arch:x64arch:x86image:win11-20241007-frlocale:fr-fros:windows11-21h2-x64systemwindows
submitted
08-12-2024 12:08

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

setup.zip
Size

1.1MB
MD5

f1a1e48a1b717914efa37c23c9e26f33
SHA1

821c4a93335359c3e54d84df8935b6e4aca65078
SHA256

cd2a3b6dac6e3a9483df3ca219df51ca77ccfaa14213ca6ff25d072b4fee24eb
SHA512

bd1c0f3a95d4a465404f863b88236866250c64689162db205b9e22f0ebb7f3352e770a32961f77a62691c0dabd030fce5614cf735c342b01db60540cc99f707e
SSDEEP

12288:irJoIkjGs4Z3BvuHzuHfijjHIisCJ3HL4AV77Z2OIwfBPXquh7nwXzQzDYcKSlN1:kn3QT8qvoi53UAn0OIMxl7+uFZFQjnQ

Score

10^/10

asyncrat stormkitty discovery rat stealer

Malware Config

Signatures

AsyncRat
AsyncRAT is designed to remotely monitor and control other computers written in C#.
rat asyncrat
Asyncrat family
asyncrat
StormKitty
StormKitty is an open source info stealer written in C#.
stealer stormkitty

StormKitty payload 2 IoCs

resource	yara_rule
behavioral1/files/0x001b00000002ac0a-3.dat	family_stormkitty
behavioral1/memory/1920-5-0x0000000000BA0000-0x0000000000EA4000-memory.dmp	family_stormkitty

Stormkitty family
stormkitty

Async RAT payload 1 IoCs

rat

resource	yara_rule
behavioral1/files/0x001b00000002ac0a-3.dat	family_asyncrat

Executes dropped EXE 1 IoCs

pid	Process
1920	setup.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Suspicious behavior: EnumeratesProcesses 3 IoCs

pid	Process
1920	setup.exe
1920	setup.exe
1920	setup.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
4804	7zFM.exe

Suspicious use of AdjustPrivilegeToken 4 IoCs

description	pid	Process
Token: SeRestorePrivilege	4804	7zFM.exe
Token: 35	4804	7zFM.exe
Token: SeSecurityPrivilege	4804	7zFM.exe
Token: SeDebugPrivilege	1920	setup.exe

Suspicious use of FindShellTrayWindow 2 IoCs

pid	Process
4804	7zFM.exe
4804	7zFM.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
1920	setup.exe

C:\Program Files\7-Zip\7zFM.exe
"C:\Program Files\7-Zip\7zFM.exe" "C:\Users\Admin\AppData\Local\Temp\setup.zip"
1⤵
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
PID:4804

C:\Users\Admin\Desktop\setup.exe
"C:\Users\Admin\Desktop\setup.exe"
1⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
PID:1920

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\Desktop\setup.exe

Filesize
3.0MB

MD5
0fec7c25ae41bd0cdb48e500024a70f8

SHA1
edb70811ea4e77db3cf1be4e8292b1aec4868a79

SHA256
a072692240a98e08b304e863f5f6550a3730da6cb0df8fca4fbacf92f43d4bd2

SHA512
3a21b97c257ae5ae7d804f593ac98cc479621c21ecabb54b3af7d9605fd3a60f6cad78d0a78369708e3fd55965a0d833210ce6eb7163f14776ae2c96e8f5d9e6

Download Submit
memory/1920-4-0x00007FFB8D803000-0x00007FFB8D805000-memory.dmp

Filesize
8KB

Download
memory/1920-5-0x0000000000BA0000-0x0000000000EA4000-memory.dmp

Filesize
3.0MB

Download
memory/1920-6-0x00007FFB8D800000-0x00007FFB8E2C2000-memory.dmp

Filesize
10.8MB

Download
memory/1920-7-0x000000001C680000-0x000000001C782000-memory.dmp

Filesize
1.0MB

Download
memory/1920-8-0x00007FFB8D800000-0x00007FFB8E2C2000-memory.dmp

Filesize
10.8MB

Download
memory/1920-11-0x0000000003130000-0x0000000003152000-memory.dmp

Filesize
136KB

Download
memory/1920-12-0x00007FFB8D800000-0x00007FFB8E2C2000-memory.dmp

Filesize
10.8MB

Download
memory/1920-13-0x00007FFB8D800000-0x00007FFB8E2C2000-memory.dmp

Filesize
10.8MB

Download
memory/1920-14-0x00007FFB8D803000-0x00007FFB8D805000-memory.dmp

Filesize
8KB

Download
memory/1920-15-0x00007FFB8D800000-0x00007FFB8E2C2000-memory.dmp

Filesize
10.8MB

Download
memory/1920-16-0x00007FFB8D800000-0x00007FFB8E2C2000-memory.dmp

Filesize
10.8MB

Download
memory/1920-17-0x00007FFB8D800000-0x00007FFB8E2C2000-memory.dmp

Filesize
10.8MB

Download