asyncrat | ca3c0d446c24ff7deec82756789d84b6e33b0f8c7d5b0100c31afb30663ee70b

General

Target

ca3c0d446c24ff7deec82756789d84b6e33b0f8c7d5b0100c31afb30663ee70bN.exe
Size

601KB
MD5

bc46bbd5fe4f4757b7ad1a5d21c206e0
SHA1

a27abe34871d10067cf7584abe42a8f39a5f7f5c
SHA256

ca3c0d446c24ff7deec82756789d84b6e33b0f8c7d5b0100c31afb30663ee70b
SHA512

a839e50825b0098736baba544ee345764160ebc3d35d5f966dcfe621217edf0753bba96677e3d1f2f1782cb78c3b7d2a0107b9d5ac1a0e1eb34d6a08848aa162
SSDEEP

6144:EYM2tZrIHSGn6MCInzvZEgpEIQIl4yLA8bBHP4+m46RtHK:EIrIHFnfCyhEqll4wAJ+mXRtH

Score

10^/10

asyncrat stormkitty default discovery execution persistence phishing privilege_escalation rat spyware stealer

Malware Config

Extracted

Family

asyncrat

Botnet

Default

C2

127.0.0.1:6606

127.0.0.1:7707

127.0.0.1:8808

https://api.telegram.org/bot5048659266:AAFJQRcRFhUzXFoT4Bj40d1LFuM0IyNZ7y4/sendMessage?chat_id=5038570348

Mutex

AsyncMutex_6SI8OkPnk

Attributes

delay
3
install
false
install_folder
%AppData%

aes.plain

Signatures

AsyncRat
AsyncRAT is designed to remotely monitor and control other computers written in C#.
rat asyncrat
Asyncrat family
asyncrat
StormKitty
StormKitty is an open source info stealer written in C#.
stealer stormkitty

StormKitty payload 1 IoCs

resource	yara_rule
behavioral2/memory/2440-42-0x0000000001760000-0x0000000001792000-memory.dmp	family_stormkitty

Stormkitty family
stormkitty

Async RAT payload 1 IoCs

rat

resource	yara_rule
behavioral2/memory/2440-42-0x0000000001760000-0x0000000001792000-memory.dmp	family_asyncrat

Command and Scripting Interpreter: PowerShell 1 TTPs 2 IoCs

Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

execution

PowerShell

T1059.001

pid	Process
752	powershell.exe
2128	powershell.exe

A potential corporate email address has been identified in the URL: WorldWindProResultsDate20241210122034PMSystemWindows10Pro64BitUsernameAdminCompNameOFGADUSELanguageenUSAntivirusNotinstalledHardwareCPU12thGenIntelRCoreTMi512400GPUMicrosoftBasicDisplayAdapterRAM16154MBHWIDUnknownPowerNoSystemBattery1Screen1280x720NetworkGatewayIP10.127.0.1InternalIP10.127.0.235ExternalIP181.215.176.83BSSID8275fb64dadfDomainsinfoBankLogsNodataCryptoLogsNodataFreakyLogsNodataLogsBookmarks5SoftwareDeviceWindowsproductkeyDesktopscreenshotFileGrabberDatabasefiles6TelegramChannel@XSplinter
phishing

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\Control Panel\International\Geo\Nation	ca3c0d446c24ff7deec82756789d84b6e33b0f8c7d5b0100c31afb30663ee70bN.exe

Executes dropped EXE 1 IoCs

pid	Process
2440	SearchApp.exe

Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Credentials from Web Browsers
T1555.003

Drops desktop.ini file(s) 8 IoCs

description	ioc	Process
File opened for modification	C:\Users\Admin\AppData\Local\fd9baa011740292f8dbb56ac9dd59708\Admin@OFGADUSE_en-US\Grabber\DRIVE-C\Users\Admin\Pictures\desktop.ini	SearchApp.exe
File created	C:\Users\Admin\AppData\Local\fd9baa011740292f8dbb56ac9dd59708\Admin@OFGADUSE_en-US\Grabber\DRIVE-C\Users\Admin\Pictures\Camera Roll\desktop.ini	SearchApp.exe
File created	C:\Users\Admin\AppData\Local\fd9baa011740292f8dbb56ac9dd59708\Admin@OFGADUSE_en-US\Grabber\DRIVE-C\Users\Admin\Documents\desktop.ini	SearchApp.exe
File created	C:\Users\Admin\AppData\Local\fd9baa011740292f8dbb56ac9dd59708\Admin@OFGADUSE_en-US\Grabber\DRIVE-C\Users\Admin\Pictures\Saved Pictures\desktop.ini	SearchApp.exe
File created	C:\Users\Admin\AppData\Local\fd9baa011740292f8dbb56ac9dd59708\Admin@OFGADUSE_en-US\Grabber\DRIVE-C\Users\Admin\Downloads\desktop.ini	SearchApp.exe
File created	C:\Users\Admin\AppData\Local\fd9baa011740292f8dbb56ac9dd59708\Admin@OFGADUSE_en-US\Grabber\DRIVE-C\Users\Admin\Desktop\desktop.ini	SearchApp.exe
File opened for modification	C:\Users\Admin\AppData\Local\fd9baa011740292f8dbb56ac9dd59708\Admin@OFGADUSE_en-US\Grabber\DRIVE-C\Users\Admin\Desktop\desktop.ini	SearchApp.exe
File created	C:\Users\Admin\AppData\Local\fd9baa011740292f8dbb56ac9dd59708\Admin@OFGADUSE_en-US\Grabber\DRIVE-C\Users\Admin\Pictures\desktop.ini	SearchApp.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs 2 IoCs

Web Service

T1102

flow	ioc
9	discord.com
10	discord.com

Looks up external IP address via web service 2 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

flow	ioc
3	ip-api.com
28	icanhazip.com

Looks up geolocation information via web service
Uses a legitimate geolocation service to find the infected system's geolocation info.
Browser Information Discovery 1 TTPs
Enumerate browser information.
discovery

Browser Information Discovery
T1217
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Event Triggered Execution: Netsh Helper DLL 1 TTPs 6 IoCs

Netsh.exe (also referred to as Netshell) is a command-line scripting utility used to interact with the network configuration of a system.

persistence privilege_escalation

Netsh Helper DLL

T1546.007

description	ioc	Process
Key value enumerated	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key value enumerated	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe

System Network Configuration Discovery: Wi-Fi Discovery 1 TTPs 2 IoCs

Adversaries may search for information about Wi-Fi networks, such as network names and passwords, on compromised systems.

discovery

Wi-Fi Discovery

T1016.002

pid	Process
2208	cmd.exe
3060	netsh.exe

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\Description\System\CentralProcessor\0	SearchApp.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier	SearchApp.exe

Delays execution with timeout.exe 1 IoCs

evasion

pid	Process
4916	timeout.exe

Suspicious behavior: EnumeratesProcesses 29 IoCs

pid	Process
752	powershell.exe
752	powershell.exe
2128	powershell.exe
2128	powershell.exe
2440	SearchApp.exe
2440	SearchApp.exe
2440	SearchApp.exe
2440	SearchApp.exe
2440	SearchApp.exe
2440	SearchApp.exe
2440	SearchApp.exe
2440	SearchApp.exe
2440	SearchApp.exe
2440	SearchApp.exe
2440	SearchApp.exe
2440	SearchApp.exe
2440	SearchApp.exe
2440	SearchApp.exe
2440	SearchApp.exe
2440	SearchApp.exe
2440	SearchApp.exe
2440	SearchApp.exe
2440	SearchApp.exe
2440	SearchApp.exe
2440	SearchApp.exe
2440	SearchApp.exe
2440	SearchApp.exe
2440	SearchApp.exe
2440	SearchApp.exe

Suspicious use of AdjustPrivilegeToken 8 IoCs

description	pid	Process
Token: SeDebugPrivilege	4724	ca3c0d446c24ff7deec82756789d84b6e33b0f8c7d5b0100c31afb30663ee70bN.exe
Token: SeBackupPrivilege	2720	vssvc.exe
Token: SeRestorePrivilege	2720	vssvc.exe
Token: SeAuditPrivilege	2720	vssvc.exe
Token: SeDebugPrivilege	752	powershell.exe
Token: SeDebugPrivilege	2128	powershell.exe
Token: SeDebugPrivilege	2440	SearchApp.exe
Token: SeDebugPrivilege	2440	SearchApp.exe

Suspicious use of WriteProcessMemory 22 IoCs

description	pid	Process	procid_target
PID 4724 wrote to memory of 752	4724	ca3c0d446c24ff7deec82756789d84b6e33b0f8c7d5b0100c31afb30663ee70bN.exe	87
PID 4724 wrote to memory of 752	4724	ca3c0d446c24ff7deec82756789d84b6e33b0f8c7d5b0100c31afb30663ee70bN.exe	87
PID 4724 wrote to memory of 2128	4724	ca3c0d446c24ff7deec82756789d84b6e33b0f8c7d5b0100c31afb30663ee70bN.exe	89
PID 4724 wrote to memory of 2128	4724	ca3c0d446c24ff7deec82756789d84b6e33b0f8c7d5b0100c31afb30663ee70bN.exe	89
PID 4724 wrote to memory of 4988	4724	ca3c0d446c24ff7deec82756789d84b6e33b0f8c7d5b0100c31afb30663ee70bN.exe	98
PID 4724 wrote to memory of 4988	4724	ca3c0d446c24ff7deec82756789d84b6e33b0f8c7d5b0100c31afb30663ee70bN.exe	98
PID 4988 wrote to memory of 4916	4988	cmd.exe	100
PID 4988 wrote to memory of 4916	4988	cmd.exe	100
PID 2440 wrote to memory of 2208	2440	SearchApp.exe	106
PID 2440 wrote to memory of 2208	2440	SearchApp.exe	106
PID 2208 wrote to memory of 208	2208	cmd.exe	108
PID 2208 wrote to memory of 208	2208	cmd.exe	108
PID 2208 wrote to memory of 3060	2208	cmd.exe	109
PID 2208 wrote to memory of 3060	2208	cmd.exe	109
PID 2208 wrote to memory of 540	2208	cmd.exe	110
PID 2208 wrote to memory of 540	2208	cmd.exe	110
PID 2440 wrote to memory of 3700	2440	SearchApp.exe	111
PID 2440 wrote to memory of 3700	2440	SearchApp.exe	111
PID 3700 wrote to memory of 1404	3700	cmd.exe	113
PID 3700 wrote to memory of 1404	3700	cmd.exe	113
PID 3700 wrote to memory of 3884	3700	cmd.exe	114
PID 3700 wrote to memory of 3884	3700	cmd.exe	114

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012
Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Users\Admin\AppData\Local\Temp\ca3c0d446c24ff7deec82756789d84b6e33b0f8c7d5b0100c31afb30663ee70bN.exe
"C:\Users\Admin\AppData\Local\Temp\ca3c0d446c24ff7deec82756789d84b6e33b0f8c7d5b0100c31afb30663ee70bN.exe"
1⤵
- Checks computer location settings
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4724
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Roaming\SearchApp.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:752
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'SearchApp.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2128
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\tmp9A3C.tmp.bat""
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:4988
- - C:\Windows\system32\timeout.exe
    timeout 3
    3⤵
    - Delays execution with timeout.exe
    PID:4916

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:2720

C:\Users\Admin\AppData\Roaming\SearchApp.exe
C:\Users\Admin\AppData\Roaming\SearchApp.exe
1⤵
- Executes dropped EXE
- Drops desktop.ini file(s)
- Checks processor information in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2440
- C:\Windows\system32\cmd.exe
  "cmd.exe" /C chcp 65001 && netsh wlan show profile | findstr All
  2⤵
  - System Network Configuration Discovery: Wi-Fi Discovery
  - Suspicious use of WriteProcessMemory
  PID:2208
- - C:\Windows\system32\chcp.com
    chcp 65001
    3⤵
    PID:208
- - C:\Windows\system32\netsh.exe
    netsh wlan show profile
    3⤵
    - Event Triggered Execution: Netsh Helper DLL
    - System Network Configuration Discovery: Wi-Fi Discovery
    PID:3060
- - C:\Windows\system32\findstr.exe
    findstr All
    3⤵
    PID:540
- C:\Windows\system32\cmd.exe
  "cmd.exe" /C chcp 65001 && netsh wlan show networks mode=bssid
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:3700
- - C:\Windows\system32\chcp.com
    chcp 65001
    3⤵
    PID:1404
- - C:\Windows\system32\netsh.exe
    netsh wlan show networks mode=bssid
    3⤵
    - Event Triggered Execution: Netsh Helper DLL
    PID:3884

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

1

T1059

PowerShell

1

T1059.001

Persistence

Event Triggered Execution

1

T1546

Netsh Helper DLL

1

T1546.007

Privilege Escalation

Event Triggered Execution

1

T1546

Netsh Helper DLL

1

T1546.007

Defense Evasion

Credential Access

Credentials from Password Stores

1

T1555

Credentials from Web Browsers

1

T1555.003

Unsecured Credentials

1

T1552

Credentials In Files

1

T1552.001

Discovery

Browser Information Discovery

Query Registry

System Information Discovery

3

T1082

System Network Configuration Discovery

1

T1016

Wi-Fi Discovery

1

T1016.002

Lateral Movement

Collection

Data from Local System

1

T1005

Command and Control

Web Service

1

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\24bf8ab15151c9fdc8468bb22a7bd276\msgid.dat

Filesize
1B

MD5
cfcd208495d565ef66e7dff9f98764da

SHA1
b6589fc6ab0dc82cf12099d1c2d40ab994e8410c

SHA256
5feceb66ffc86f38d952786c6d696c79c2dbc239dd4e91b46729d73a27fb57e9

SHA512
31bca02094eb78126a517b206a88c73cfa9ec6f704c7030d18212cace820f025f00bf0ea68dbf3f3a5436ca63b53bf7bf80ad8d5de7d8359d0b7fed9dbc3ab99

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log

Filesize
2KB

MD5
d85ba6ff808d9e5444a4b369f5bc2730

SHA1
31aa9d96590fff6981b315e0b391b575e4c0804a

SHA256
84739c608a73509419748e4e20e6cc4e1846056c3fe1929a8300d5a1a488202f

SHA512
8c414eb55b45212af385accc16d9d562adba2123583ce70d22b91161fe878683845512a78f04dedd4ea98ed9b174dbfa98cf696370598ad8e6fbd1e714f1f249

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
59d97011e091004eaffb9816aa0b9abd

SHA1
1602a56b01dd4b7c577ca27d3117e4bcc1aa657b

SHA256
18f381e0db020a763b8c515c346ef58679ab9c403267eacfef5359e272f7e71d

SHA512
d9ca49c1a17580981e2c1a50d73c0eecaa7a62f8514741512172e395af2a3d80aeb0f71c58bc7f52c18246d57ba67af09b6bff4776877d6cc6f0245c30e092d6

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_mlgnar35.kwp.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp9A3C.tmp.bat

Filesize
217B

MD5
2cf8a2c916dabb4c02b47e45dd17d844

SHA1
9f01d38a5f0c2f3adbb119b4f82260514f2a0338

SHA256
0051ea48f492146ec595abf38852b1a15541af7b174f26d0b14dc8741fda3f3f

SHA512
e86644962de5d6db3f31abf5671bfa73a5ceeb1bf400758d91c347b92dfea907b8907519a1ca2aa9f2d5318423f739f9334629f88caac86d162d4493e0dd2f1e

Download Submit
C:\Users\Admin\AppData\Local\fd9baa011740292f8dbb56ac9dd59708\Admin@OFGADUSE_en-US\System\Process.txt

Filesize
4KB

MD5
48b58d0f31cf505589267862992eb11e

SHA1
06676edc8c50b75db20778aed7a274500ba16a04

SHA256
794ddb48507b6e25298c0e3d928f5ac0b4828983c50cc375e6a90e95391eba62

SHA512
1f9cb49407ca76cec09498c635f7fd3e51b9251a3d02ed6c640dbf548342a165955214e23448fc38530810a9c3d13fcb3cc95a74d9b66d3292cbb1b962121ca0

Download Submit
C:\Users\Admin\AppData\Roaming\SearchApp.exe

Filesize
601KB

MD5
bc46bbd5fe4f4757b7ad1a5d21c206e0

SHA1
a27abe34871d10067cf7584abe42a8f39a5f7f5c

SHA256
ca3c0d446c24ff7deec82756789d84b6e33b0f8c7d5b0100c31afb30663ee70b

SHA512
a839e50825b0098736baba544ee345764160ebc3d35d5f966dcfe621217edf0753bba96677e3d1f2f1782cb78c3b7d2a0107b9d5ac1a0e1eb34d6a08848aa162

Download Submit
memory/752-14-0x00007FFEC95C0000-0x00007FFECA081000-memory.dmp

Filesize
10.8MB

Download
memory/752-15-0x00007FFEC95C0000-0x00007FFECA081000-memory.dmp

Filesize
10.8MB

Download
memory/752-18-0x00007FFEC95C0000-0x00007FFECA081000-memory.dmp

Filesize
10.8MB

Download
memory/752-3-0x00007FFEC95C0000-0x00007FFECA081000-memory.dmp

Filesize
10.8MB

Download
memory/752-13-0x000001E1F6520000-0x000001E1F6542000-memory.dmp

Filesize
136KB

Download
memory/2440-42-0x0000000001760000-0x0000000001792000-memory.dmp

Filesize
200KB

Download
memory/2440-194-0x000000001BD40000-0x000000001BD70000-memory.dmp

Filesize
192KB

Download
memory/2440-195-0x000000001C740000-0x000000001C74A000-memory.dmp

Filesize
40KB

Download
memory/4724-34-0x00007FFEC95C0000-0x00007FFECA081000-memory.dmp

Filesize
10.8MB

Download
memory/4724-33-0x00007FFEC95C3000-0x00007FFEC95C5000-memory.dmp

Filesize
8KB

Download
memory/4724-41-0x00007FFEC95C0000-0x00007FFECA081000-memory.dmp

Filesize
10.8MB

Download
memory/4724-2-0x00007FFEC95C0000-0x00007FFECA081000-memory.dmp

Filesize
10.8MB

Download
memory/4724-0-0x00007FFEC95C3000-0x00007FFEC95C5000-memory.dmp

Filesize
8KB

Download
memory/4724-1-0x0000000000320000-0x00000000003BC000-memory.dmp

Filesize
624KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads