asyncrat | 4d48e70d74b24b3b4d88cba4765cf0098ddcf01278a58933ef432639141571b9

Analysis

max time kernel
119s
max time network
29s
platform
windows7_x64
resource
win7-20240729-en
resource tags

arch:x64arch:x86image:win7-20240729-enlocale:en-usos:windows7-x64system
submitted
10-12-2024 20:55

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

4d48e70d74b24b3b4d88cba4765cf0098ddcf01278a58933ef432639141571b9.exe
Size

601KB
MD5

1c75af06fed42c673ab69aa48063040a
SHA1

2011344f404ee41a3769d476d5443c05c1a80c87
SHA256

4d48e70d74b24b3b4d88cba4765cf0098ddcf01278a58933ef432639141571b9
SHA512

ed8b3898182cb5b008e8d1a4fa7b0f84a15245ab602d2325c19a17a9a6d95009c6ebccdddce98a254b3cb48acd406fd03708159a07eff3b11c75a304307d12d0
SSDEEP

6144:EYM2tZrIHSGn6MCInzvZEgpEIQIl4yLA8bBHP4+m46RtHK0:EIrIHFnfCyhEqll4wAJ+mXRtHp

Score

10^/10

asyncrat stormkitty default discovery execution persistence privilege_escalation rat spyware stealer

Malware Config

Extracted

Family

asyncrat

Botnet

Default

127.0.0.1:6606

127.0.0.1:7707

127.0.0.1:8808

https://api.telegram.org/bot5048659266:AAFJQRcRFhUzXFoT4Bj40d1LFuM0IyNZ7y4/sendMessage?chat_id=5038570348

Mutex

AsyncMutex_6SI8OkPnk

Attributes

delay
3
install
false
install_folder
%AppData%

aes.plain

Signatures

AsyncRat
AsyncRAT is designed to remotely monitor and control other computers written in C#.
rat asyncrat
Asyncrat family
asyncrat
StormKitty
StormKitty is an open source info stealer written in C#.
stealer stormkitty

StormKitty payload 1 IoCs

resource	yara_rule
behavioral1/memory/2116-33-0x0000000000690000-0x00000000006C2000-memory.dmp	family_stormkitty

Stormkitty family
stormkitty

Async RAT payload 1 IoCs

rat

resource	yara_rule
behavioral1/memory/2116-33-0x0000000000690000-0x00000000006C2000-memory.dmp	family_asyncrat

Command and Scripting Interpreter: PowerShell 1 TTPs 2 IoCs

Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

execution

PowerShell

T1059.001

pid	Process
1296	powershell.exe
2500	powershell.exe

Deletes itself 1 IoCs

pid	Process
1384	cmd.exe

Executes dropped EXE 1 IoCs

pid	Process
2116	SearchApp.exe

Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Credentials from Web Browsers
T1555.003

Drops desktop.ini file(s) 5 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Local\a195106f390c55a74132bb6731000173\Admin@XECUDNCD_en-US\Grabber\DRIVE-C\Users\Admin\Desktop\desktop.ini	SearchApp.exe
File created	C:\Users\Admin\AppData\Local\a195106f390c55a74132bb6731000173\Admin@XECUDNCD_en-US\Grabber\DRIVE-C\Users\Admin\Documents\desktop.ini	SearchApp.exe
File created	C:\Users\Admin\AppData\Local\a195106f390c55a74132bb6731000173\Admin@XECUDNCD_en-US\Grabber\DRIVE-C\Users\Admin\Downloads\desktop.ini	SearchApp.exe
File created	C:\Users\Admin\AppData\Local\a195106f390c55a74132bb6731000173\Admin@XECUDNCD_en-US\Grabber\DRIVE-C\Users\Admin\Pictures\desktop.ini	SearchApp.exe
File opened for modification	C:\Users\Admin\AppData\Local\a195106f390c55a74132bb6731000173\Admin@XECUDNCD_en-US\Grabber\DRIVE-C\Users\Admin\Pictures\desktop.ini	SearchApp.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs 2 IoCs

Web Service

T1102

flow	ioc
6	discord.com
7	discord.com

Looks up external IP address via web service 2 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

flow	ioc
4	ip-api.com
9	icanhazip.com

Looks up geolocation information via web service
Uses a legitimate geolocation service to find the infected system's geolocation info.
Browser Information Discovery 1 TTPs
Enumerate browser information.
discovery

Browser Information Discovery
T1217
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Event Triggered Execution: Netsh Helper DLL 1 TTPs 6 IoCs

Netsh.exe (also referred to as Netshell) is a command-line scripting utility used to interact with the network configuration of a system.

persistence privilege_escalation

Netsh Helper DLL

T1546.007

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key value enumerated	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key value enumerated	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe

System Network Configuration Discovery: Wi-Fi Discovery 1 TTPs 2 IoCs

Adversaries may search for information about Wi-Fi networks, such as network names and passwords, on compromised systems.

discovery

Wi-Fi Discovery

T1016.002

pid	Process
1780	cmd.exe
3064	netsh.exe

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\Description\System\CentralProcessor\0	SearchApp.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier	SearchApp.exe

Delays execution with timeout.exe 1 IoCs

evasion

pid	Process
996	timeout.exe

Suspicious behavior: EnumeratesProcesses 7 IoCs

pid	Process
1296	powershell.exe
2500	powershell.exe
2116	SearchApp.exe
2116	SearchApp.exe
2116	SearchApp.exe
2116	SearchApp.exe
2116	SearchApp.exe

Suspicious use of AdjustPrivilegeToken 8 IoCs

description	pid	Process
Token: SeDebugPrivilege	2172	4d48e70d74b24b3b4d88cba4765cf0098ddcf01278a58933ef432639141571b9.exe
Token: SeBackupPrivilege	2812	vssvc.exe
Token: SeRestorePrivilege	2812	vssvc.exe
Token: SeAuditPrivilege	2812	vssvc.exe
Token: SeDebugPrivilege	1296	powershell.exe
Token: SeDebugPrivilege	2500	powershell.exe
Token: SeDebugPrivilege	2116	SearchApp.exe
Token: SeDebugPrivilege	2116	SearchApp.exe

Suspicious use of WriteProcessMemory 36 IoCs

description	pid	Process	procid_target
PID 2172 wrote to memory of 1296	2172	4d48e70d74b24b3b4d88cba4765cf0098ddcf01278a58933ef432639141571b9.exe	35
PID 2172 wrote to memory of 1296	2172	4d48e70d74b24b3b4d88cba4765cf0098ddcf01278a58933ef432639141571b9.exe	35
PID 2172 wrote to memory of 1296	2172	4d48e70d74b24b3b4d88cba4765cf0098ddcf01278a58933ef432639141571b9.exe	35
PID 2172 wrote to memory of 2500	2172	4d48e70d74b24b3b4d88cba4765cf0098ddcf01278a58933ef432639141571b9.exe	37
PID 2172 wrote to memory of 2500	2172	4d48e70d74b24b3b4d88cba4765cf0098ddcf01278a58933ef432639141571b9.exe	37
PID 2172 wrote to memory of 2500	2172	4d48e70d74b24b3b4d88cba4765cf0098ddcf01278a58933ef432639141571b9.exe	37
PID 2172 wrote to memory of 1384	2172	4d48e70d74b24b3b4d88cba4765cf0098ddcf01278a58933ef432639141571b9.exe	40
PID 2172 wrote to memory of 1384	2172	4d48e70d74b24b3b4d88cba4765cf0098ddcf01278a58933ef432639141571b9.exe	40
PID 2172 wrote to memory of 1384	2172	4d48e70d74b24b3b4d88cba4765cf0098ddcf01278a58933ef432639141571b9.exe	40
PID 1384 wrote to memory of 996	1384	cmd.exe	42
PID 1384 wrote to memory of 996	1384	cmd.exe	42
PID 1384 wrote to memory of 996	1384	cmd.exe	42
PID 1816 wrote to memory of 2116	1816	taskeng.exe	43
PID 1816 wrote to memory of 2116	1816	taskeng.exe	43
PID 1816 wrote to memory of 2116	1816	taskeng.exe	43
PID 2116 wrote to memory of 1780	2116	SearchApp.exe	44
PID 2116 wrote to memory of 1780	2116	SearchApp.exe	44
PID 2116 wrote to memory of 1780	2116	SearchApp.exe	44
PID 1780 wrote to memory of 2000	1780	cmd.exe	46
PID 1780 wrote to memory of 2000	1780	cmd.exe	46
PID 1780 wrote to memory of 2000	1780	cmd.exe	46
PID 1780 wrote to memory of 3064	1780	cmd.exe	47
PID 1780 wrote to memory of 3064	1780	cmd.exe	47
PID 1780 wrote to memory of 3064	1780	cmd.exe	47
PID 1780 wrote to memory of 2452	1780	cmd.exe	48
PID 1780 wrote to memory of 2452	1780	cmd.exe	48
PID 1780 wrote to memory of 2452	1780	cmd.exe	48
PID 2116 wrote to memory of 1408	2116	SearchApp.exe	49
PID 2116 wrote to memory of 1408	2116	SearchApp.exe	49
PID 2116 wrote to memory of 1408	2116	SearchApp.exe	49
PID 1408 wrote to memory of 2576	1408	cmd.exe	51
PID 1408 wrote to memory of 2576	1408	cmd.exe	51
PID 1408 wrote to memory of 2576	1408	cmd.exe	51
PID 1408 wrote to memory of 1992	1408	cmd.exe	52
PID 1408 wrote to memory of 1992	1408	cmd.exe	52
PID 1408 wrote to memory of 1992	1408	cmd.exe	52

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012
Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Users\Admin\AppData\Local\Temp\4d48e70d74b24b3b4d88cba4765cf0098ddcf01278a58933ef432639141571b9.exe
"C:\Users\Admin\AppData\Local\Temp\4d48e70d74b24b3b4d88cba4765cf0098ddcf01278a58933ef432639141571b9.exe"
1⤵
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2172
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Roaming\SearchApp.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:1296
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'SearchApp.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2500
- C:\Windows\system32\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\tmpF882.tmp.bat""
  2⤵
  - Deletes itself
  - Suspicious use of WriteProcessMemory
  PID:1384
- - C:\Windows\system32\timeout.exe
    timeout 3
    3⤵
    - Delays execution with timeout.exe
    PID:996

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:2812

C:\Windows\system32\taskeng.exe
taskeng.exe {690756EB-F866-4316-9D73-21934880CD60} S-1-5-21-2703099537-420551529-3771253338-1000:XECUDNCD\Admin:Interactive:[1]
1⤵
- Suspicious use of WriteProcessMemory
PID:1816
- C:\Users\Admin\AppData\Roaming\SearchApp.exe
  C:\Users\Admin\AppData\Roaming\SearchApp.exe
  2⤵
  - Executes dropped EXE
  - Drops desktop.ini file(s)
  - Checks processor information in registry
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:2116
- - C:\Windows\system32\cmd.exe
    "cmd.exe" /C chcp 65001 && netsh wlan show profile | findstr All
    3⤵
    - System Network Configuration Discovery: Wi-Fi Discovery
    - Suspicious use of WriteProcessMemory
    PID:1780
  - - C:\Windows\system32\chcp.com
      chcp 65001
      4⤵
      PID:2000
  - - C:\Windows\system32\netsh.exe
      netsh wlan show profile
      4⤵
      Event Triggered Execution: Netsh Helper DLL
      System Network Configuration Discovery: Wi-Fi Discovery
      PID:3064
  - - C:\Windows\system32\findstr.exe
      findstr All
      4⤵
      PID:2452
- - C:\Windows\system32\cmd.exe
    "cmd.exe" /C chcp 65001 && netsh wlan show networks mode=bssid
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:1408
  - - C:\Windows\system32\chcp.com
      chcp 65001
      4⤵
      PID:2576
  - - C:\Windows\system32\netsh.exe
      netsh wlan show networks mode=bssid
      4⤵
      Event Triggered Execution: Netsh Helper DLL
      PID:1992

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Persistence

Event Triggered Execution

T1546

Netsh Helper DLL

T1546.007

Privilege Escalation

Event Triggered Execution

T1546

Netsh Helper DLL

T1546.007

Defense Evasion

Credential Access

Credentials from Password Stores

T1555

Credentials from Web Browsers

T1555.003

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Browser Information Discovery

T1217

Query Registry

T1012

System Information Discovery

T1082

System Network Configuration Discovery

T1016

Wi-Fi Discovery

T1016.002

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\tmpF882.tmp.bat

Filesize
216B

MD5
2fb15d3f8ec0bae50ce603c34c938368

SHA1
013fc02a4d9259521884524e015929d60b744866

SHA256
e9279ba5271e8bb7fd97e2a0c01c0183d2df86257e5e571fda69fd90138f4285

SHA512
de399188c4940bb809d313b98657210728285574f0f6a966380a0e7f2024ebaec3f47fbe12533ef2562c06bb377efa4f7790e4a7a0cebb25e173ff4f7a33cb61

Download Submit
C:\Users\Admin\AppData\Local\a195106f390c55a74132bb6731000173\Admin@XECUDNCD_en-US\Browsers\Firefox\Bookmarks.txt

Filesize
105B

MD5
2e9d094dda5cdc3ce6519f75943a4ff4

SHA1
5d989b4ac8b699781681fe75ed9ef98191a5096c

SHA256
c84c98bbf5e0ef9c8d0708b5d60c5bb656b7d6be5135d7f7a8d25557e08cf142

SHA512
d1f7eed00959e902bdb2125b91721460d3ff99f3bdfc1f2a343d4f58e8d4e5e5a06c0c6cdc0379211c94510f7c00d7a8b34fa7d0ca0c3d54cbbe878f1e9812b7

Download Submit
C:\Users\Admin\AppData\Local\a195106f390c55a74132bb6731000173\Admin@XECUDNCD_en-US\System\Process.txt

Filesize
881B

MD5
fa160116b212315d5783b177d1cbefe5

SHA1
e0e09e34f79fd4e24c20b629d4c5c376f5ed2ce3

SHA256
9593e7e203041cdc534db0381fdd2bd436612009f26eee59ba95d7804ac8f1fb

SHA512
8362e7d9cea347dbbe2b4a630535e6516347e2ff74b52ce1434285e454a0947ac764c447000a96cc8a2dbb3a6f876bfc3022affb082ae2bb0926c286b85e2cd4

Download Submit
C:\Users\Admin\AppData\Local\d6365f969220556fd877a51b2d5be5a6\msgid.dat

Filesize
1B

MD5
cfcd208495d565ef66e7dff9f98764da

SHA1
b6589fc6ab0dc82cf12099d1c2d40ab994e8410c

SHA256
5feceb66ffc86f38d952786c6d696c79c2dbc239dd4e91b46729d73a27fb57e9

SHA512
31bca02094eb78126a517b206a88c73cfa9ec6f704c7030d18212cace820f025f00bf0ea68dbf3f3a5436ca63b53bf7bf80ad8d5de7d8359d0b7fed9dbc3ab99

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms

Filesize
7KB

MD5
98383f8e20aac5673e819899cf49a963

SHA1
5638d840223e6a62de4b1b715a324a46b4787abe

SHA256
9281151fb473fba234aac4fcee6035ba32724209b924df0def409c8413fc1e31

SHA512
26b97b69db20f32cbf9e622491d863f2593238c51bb75a246127e540840b69be4422304302f392d7904a7963453b2f718caa14adb74854cf531d26385ee7c79c

Download Submit
C:\Users\Admin\AppData\Roaming\SearchApp.exe

Filesize
601KB

MD5
1c75af06fed42c673ab69aa48063040a

SHA1
2011344f404ee41a3769d476d5443c05c1a80c87

SHA256
4d48e70d74b24b3b4d88cba4765cf0098ddcf01278a58933ef432639141571b9

SHA512
ed8b3898182cb5b008e8d1a4fa7b0f84a15245ab602d2325c19a17a9a6d95009c6ebccdddce98a254b3cb48acd406fd03708159a07eff3b11c75a304307d12d0

Download Submit
memory/1296-8-0x0000000001DA0000-0x0000000001DA8000-memory.dmp

Filesize
32KB

Download
memory/1296-7-0x000000001B680000-0x000000001B962000-memory.dmp

Filesize
2.9MB

Download
memory/2116-32-0x0000000000EB0000-0x0000000000F4C000-memory.dmp

Filesize
624KB

Download
memory/2116-33-0x0000000000690000-0x00000000006C2000-memory.dmp

Filesize
200KB

Download
memory/2172-18-0x000007FEF50B3000-0x000007FEF50B4000-memory.dmp

Filesize
4KB

Download
memory/2172-19-0x000007FEF50B0000-0x000007FEF5A9C000-memory.dmp

Filesize
9.9MB

Download
memory/2172-28-0x000007FEF50B0000-0x000007FEF5A9C000-memory.dmp

Filesize
9.9MB

Download
memory/2172-0-0x000007FEF50B3000-0x000007FEF50B4000-memory.dmp

Filesize
4KB

Download
memory/2172-2-0x000007FEF50B0000-0x000007FEF5A9C000-memory.dmp

Filesize
9.9MB

Download
memory/2172-1-0x00000000011E0000-0x000000000127C000-memory.dmp

Filesize
624KB

Download
memory/2500-15-0x0000000001E50000-0x0000000001E58000-memory.dmp

Filesize
32KB

Download
memory/2500-14-0x000000001B690000-0x000000001B972000-memory.dmp

Filesize
2.9MB

Download