asyncrat | 4d48e70d74b24b3b4d88cba4765cf0098ddcf01278a58933ef432639141571b9

General

Target

4d48e70d74b24b3b4d88cba4765cf0098ddcf01278a58933ef432639141571b9.exe
Size

601KB
MD5

1c75af06fed42c673ab69aa48063040a
SHA1

2011344f404ee41a3769d476d5443c05c1a80c87
SHA256

4d48e70d74b24b3b4d88cba4765cf0098ddcf01278a58933ef432639141571b9
SHA512

ed8b3898182cb5b008e8d1a4fa7b0f84a15245ab602d2325c19a17a9a6d95009c6ebccdddce98a254b3cb48acd406fd03708159a07eff3b11c75a304307d12d0
SSDEEP

6144:EYM2tZrIHSGn6MCInzvZEgpEIQIl4yLA8bBHP4+m46RtHK0:EIrIHFnfCyhEqll4wAJ+mXRtHp

Score

10^/10

asyncrat stormkitty default discovery execution persistence phishing privilege_escalation rat spyware stealer

Malware Config

Extracted

Family

asyncrat

Botnet

Default

C2

127.0.0.1:6606

127.0.0.1:7707

127.0.0.1:8808

https://api.telegram.org/bot5048659266:AAFJQRcRFhUzXFoT4Bj40d1LFuM0IyNZ7y4/sendMessage?chat_id=5038570348

Mutex

AsyncMutex_6SI8OkPnk

Attributes

delay
3
install
false
install_folder
%AppData%

aes.plain

Signatures

AsyncRat
AsyncRAT is designed to remotely monitor and control other computers written in C#.
rat asyncrat
Asyncrat family
asyncrat
StormKitty
StormKitty is an open source info stealer written in C#.
stealer stormkitty

StormKitty payload 1 IoCs

resource	yara_rule
behavioral2/memory/3204-40-0x00000000022C0000-0x00000000022F2000-memory.dmp	family_stormkitty

Stormkitty family
stormkitty

Async RAT payload 1 IoCs

rat

resource	yara_rule
behavioral2/memory/3204-40-0x00000000022C0000-0x00000000022F2000-memory.dmp	family_asyncrat

Command and Scripting Interpreter: PowerShell 1 TTPs 2 IoCs

Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

execution

PowerShell

T1059.001

pid	Process
4356	powershell.exe
244	powershell.exe

A potential corporate email address has been identified in the URL: WorldWindProResultsDate2024121085558PMSystemWindows10Pro64BitUsernameAdminCompNameYQRLKYONLanguageenUSAntivirusNotinstalledHardwareCPU12thGenIntelRCoreTMi512400GPUMicrosoftBasicDisplayAdapterRAM16154MBHWIDUnknownPowerNoSystemBattery1Screen1280x720NetworkGatewayIP10.127.0.1InternalIP10.127.0.100ExternalIP181.215.176.83BSSID36fc6a1b5805DomainsinfoBankLogsNodataCryptoLogsNodataFreakyLogsNodataLogsBookmarks5SoftwareDeviceWindowsproductkeyDesktopscreenshotFileGrabberDatabasefiles6TelegramChannel@XSplinter
phishing

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000\Control Panel\International\Geo\Nation	4d48e70d74b24b3b4d88cba4765cf0098ddcf01278a58933ef432639141571b9.exe

Executes dropped EXE 1 IoCs

pid	Process
3204	SearchApp.exe

Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Credentials from Web Browsers
T1555.003

Drops desktop.ini file(s) 7 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Local\8020d34c62a15e03a282a4a49399fbe8\Admin@YQRLKYON_en-US\Grabber\DRIVE-C\Users\Admin\Desktop\desktop.ini	SearchApp.exe
File created	C:\Users\Admin\AppData\Local\8020d34c62a15e03a282a4a49399fbe8\Admin@YQRLKYON_en-US\Grabber\DRIVE-C\Users\Admin\Documents\desktop.ini	SearchApp.exe
File opened for modification	C:\Users\Admin\AppData\Local\8020d34c62a15e03a282a4a49399fbe8\Admin@YQRLKYON_en-US\Grabber\DRIVE-C\Users\Admin\Documents\desktop.ini	SearchApp.exe
File created	C:\Users\Admin\AppData\Local\8020d34c62a15e03a282a4a49399fbe8\Admin@YQRLKYON_en-US\Grabber\DRIVE-C\Users\Admin\Pictures\desktop.ini	SearchApp.exe
File created	C:\Users\Admin\AppData\Local\8020d34c62a15e03a282a4a49399fbe8\Admin@YQRLKYON_en-US\Grabber\DRIVE-C\Users\Admin\Pictures\Camera Roll\desktop.ini	SearchApp.exe
File created	C:\Users\Admin\AppData\Local\8020d34c62a15e03a282a4a49399fbe8\Admin@YQRLKYON_en-US\Grabber\DRIVE-C\Users\Admin\Pictures\Saved Pictures\desktop.ini	SearchApp.exe
File created	C:\Users\Admin\AppData\Local\8020d34c62a15e03a282a4a49399fbe8\Admin@YQRLKYON_en-US\Grabber\DRIVE-C\Users\Admin\Downloads\desktop.ini	SearchApp.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs 2 IoCs

Web Service

T1102

flow	ioc
8	discord.com
9	discord.com

Looks up external IP address via web service 2 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

flow	ioc
3	ip-api.com
26	icanhazip.com

Looks up geolocation information via web service
Uses a legitimate geolocation service to find the infected system's geolocation info.
Browser Information Discovery 1 TTPs
Enumerate browser information.
discovery

Browser Information Discovery
T1217
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Event Triggered Execution: Netsh Helper DLL 1 TTPs 6 IoCs

Netsh.exe (also referred to as Netshell) is a command-line scripting utility used to interact with the network configuration of a system.

persistence privilege_escalation

Netsh Helper DLL

T1546.007

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key value enumerated	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key value enumerated	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe

System Network Configuration Discovery: Wi-Fi Discovery 1 TTPs 2 IoCs

Adversaries may search for information about Wi-Fi networks, such as network names and passwords, on compromised systems.

discovery

Wi-Fi Discovery

T1016.002

pid	Process
3944	cmd.exe
284	netsh.exe

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\Description\System\CentralProcessor\0	SearchApp.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier	SearchApp.exe

Delays execution with timeout.exe 1 IoCs

evasion

pid	Process
820	timeout.exe

Suspicious behavior: EnumeratesProcesses 29 IoCs

pid	Process
4356	powershell.exe
4356	powershell.exe
244	powershell.exe
244	powershell.exe
3204	SearchApp.exe
3204	SearchApp.exe
3204	SearchApp.exe
3204	SearchApp.exe
3204	SearchApp.exe
3204	SearchApp.exe
3204	SearchApp.exe
3204	SearchApp.exe
3204	SearchApp.exe
3204	SearchApp.exe
3204	SearchApp.exe
3204	SearchApp.exe
3204	SearchApp.exe
3204	SearchApp.exe
3204	SearchApp.exe
3204	SearchApp.exe
3204	SearchApp.exe
3204	SearchApp.exe
3204	SearchApp.exe
3204	SearchApp.exe
3204	SearchApp.exe
3204	SearchApp.exe
3204	SearchApp.exe
3204	SearchApp.exe
3204	SearchApp.exe

Suspicious use of AdjustPrivilegeToken 8 IoCs

description	pid	Process
Token: SeDebugPrivilege	1764	4d48e70d74b24b3b4d88cba4765cf0098ddcf01278a58933ef432639141571b9.exe
Token: SeBackupPrivilege	2888	vssvc.exe
Token: SeRestorePrivilege	2888	vssvc.exe
Token: SeAuditPrivilege	2888	vssvc.exe
Token: SeDebugPrivilege	4356	powershell.exe
Token: SeDebugPrivilege	244	powershell.exe
Token: SeDebugPrivilege	3204	SearchApp.exe
Token: SeDebugPrivilege	3204	SearchApp.exe

Suspicious use of WriteProcessMemory 22 IoCs

description	pid	Process	procid_target
PID 1764 wrote to memory of 4356	1764	4d48e70d74b24b3b4d88cba4765cf0098ddcf01278a58933ef432639141571b9.exe	86
PID 1764 wrote to memory of 4356	1764	4d48e70d74b24b3b4d88cba4765cf0098ddcf01278a58933ef432639141571b9.exe	86
PID 1764 wrote to memory of 244	1764	4d48e70d74b24b3b4d88cba4765cf0098ddcf01278a58933ef432639141571b9.exe	88
PID 1764 wrote to memory of 244	1764	4d48e70d74b24b3b4d88cba4765cf0098ddcf01278a58933ef432639141571b9.exe	88
PID 1764 wrote to memory of 548	1764	4d48e70d74b24b3b4d88cba4765cf0098ddcf01278a58933ef432639141571b9.exe	91
PID 1764 wrote to memory of 548	1764	4d48e70d74b24b3b4d88cba4765cf0098ddcf01278a58933ef432639141571b9.exe	91
PID 548 wrote to memory of 820	548	cmd.exe	93
PID 548 wrote to memory of 820	548	cmd.exe	93
PID 3204 wrote to memory of 3944	3204	SearchApp.exe	100
PID 3204 wrote to memory of 3944	3204	SearchApp.exe	100
PID 3944 wrote to memory of 4872	3944	cmd.exe	102
PID 3944 wrote to memory of 4872	3944	cmd.exe	102
PID 3944 wrote to memory of 284	3944	cmd.exe	103
PID 3944 wrote to memory of 284	3944	cmd.exe	103
PID 3944 wrote to memory of 304	3944	cmd.exe	104
PID 3944 wrote to memory of 304	3944	cmd.exe	104
PID 3204 wrote to memory of 3024	3204	SearchApp.exe	105
PID 3204 wrote to memory of 3024	3204	SearchApp.exe	105
PID 3024 wrote to memory of 404	3024	cmd.exe	107
PID 3024 wrote to memory of 404	3024	cmd.exe	107
PID 3024 wrote to memory of 3500	3024	cmd.exe	108
PID 3024 wrote to memory of 3500	3024	cmd.exe	108

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012
Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Users\Admin\AppData\Local\Temp\4d48e70d74b24b3b4d88cba4765cf0098ddcf01278a58933ef432639141571b9.exe
"C:\Users\Admin\AppData\Local\Temp\4d48e70d74b24b3b4d88cba4765cf0098ddcf01278a58933ef432639141571b9.exe"
1⤵
- Checks computer location settings
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1764
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Roaming\SearchApp.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:4356
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'SearchApp.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:244
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\tmpDE3A.tmp.bat""
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:548
- - C:\Windows\system32\timeout.exe
    timeout 3
    3⤵
    - Delays execution with timeout.exe
    PID:820

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:2888

C:\Users\Admin\AppData\Roaming\SearchApp.exe
C:\Users\Admin\AppData\Roaming\SearchApp.exe
1⤵
- Executes dropped EXE
- Drops desktop.ini file(s)
- Checks processor information in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3204
- C:\Windows\system32\cmd.exe
  "cmd.exe" /C chcp 65001 && netsh wlan show profile | findstr All
  2⤵
  - System Network Configuration Discovery: Wi-Fi Discovery
  - Suspicious use of WriteProcessMemory
  PID:3944
- - C:\Windows\system32\chcp.com
    chcp 65001
    3⤵
    PID:4872
- - C:\Windows\system32\netsh.exe
    netsh wlan show profile
    3⤵
    - Event Triggered Execution: Netsh Helper DLL
    - System Network Configuration Discovery: Wi-Fi Discovery
    PID:284
- - C:\Windows\system32\findstr.exe
    findstr All
    3⤵
    PID:304
- C:\Windows\system32\cmd.exe
  "cmd.exe" /C chcp 65001 && netsh wlan show networks mode=bssid
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:3024
- - C:\Windows\system32\chcp.com
    chcp 65001
    3⤵
    PID:404
- - C:\Windows\system32\netsh.exe
    netsh wlan show networks mode=bssid
    3⤵
    - Event Triggered Execution: Netsh Helper DLL
    PID:3500

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

1

T1059

PowerShell

1

T1059.001

Persistence

Event Triggered Execution

1

T1546

Netsh Helper DLL

1

T1546.007

Privilege Escalation

Event Triggered Execution

1

T1546

Netsh Helper DLL

1

T1546.007

Defense Evasion

Credential Access

Credentials from Password Stores

1

T1555

Credentials from Web Browsers

1

T1555.003

Unsecured Credentials

1

T1552

Credentials In Files

1

T1552.001

Discovery

Browser Information Discovery

Query Registry

System Information Discovery

3

T1082

System Network Configuration Discovery

1

T1016

Wi-Fi Discovery

1

T1016.002

Lateral Movement

Collection

Data from Local System

1

T1005

Command and Control

Web Service

1

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\8020d34c62a15e03a282a4a49399fbe8\Admin@YQRLKYON_en-US\System\Process.txt

Filesize
4KB

MD5
984175f91608b49a137652632e9585a4

SHA1
0ad3fc38b5d0057afaa9a836631d256c3a28b89f

SHA256
9b542e3383256e3e5aea10a03354aad42a22b852fd4b24bdf48fc4d142ba42d0

SHA512
1056c826debd01b5ba5776168c980f9993de7410a5935387409b68f1a3e0bde797db3f59525695dd5d1426b793870c02e44b8f4b75d7c19487334a76790b02e9

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log

Filesize
2KB

MD5
d85ba6ff808d9e5444a4b369f5bc2730

SHA1
31aa9d96590fff6981b315e0b391b575e4c0804a

SHA256
84739c608a73509419748e4e20e6cc4e1846056c3fe1929a8300d5a1a488202f

SHA512
8c414eb55b45212af385accc16d9d562adba2123583ce70d22b91161fe878683845512a78f04dedd4ea98ed9b174dbfa98cf696370598ad8e6fbd1e714f1f249

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
3a6bad9528f8e23fb5c77fbd81fa28e8

SHA1
f127317c3bc6407f536c0f0600dcbcf1aabfba36

SHA256
986366767de5873f1b170a63f2a33ce05132d1afd90c8f5017afbca8ef1beb05

SHA512
846002154a0ece6f3e9feda6f115d3161dc21b3789525dd62ae1d9188495171293efdbe7be4710666dd8a15e66b557315b5a02918a741ed1d5f3ff0c515b98e2

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_h5tre13m.npu.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmpDE3A.tmp.bat

Filesize
216B

MD5
423725b4a96e0a19180fbd25442b5695

SHA1
1b8bfd44d262ca5f7895fac7c8344b0e304c5109

SHA256
3c0a0d6eaeddfe0dd2e4bbe5f71bc04cd1b9a7090f94da77d4dee397383bb54a

SHA512
ba9ef9d5a4b9d5ef4dbeb5012b1163d892386f2dc1d91f73d6d1bcfeeee3a2e7d5a1b28ed434962d0c03b554cf6a1925c38bcddc72549a3e2e3800f31bb63e05

Download Submit
C:\Users\Admin\AppData\Local\e2745604ba35f1f2c194cf2fad9269a1\msgid.dat

Filesize
1B

MD5
cfcd208495d565ef66e7dff9f98764da

SHA1
b6589fc6ab0dc82cf12099d1c2d40ab994e8410c

SHA256
5feceb66ffc86f38d952786c6d696c79c2dbc239dd4e91b46729d73a27fb57e9

SHA512
31bca02094eb78126a517b206a88c73cfa9ec6f704c7030d18212cace820f025f00bf0ea68dbf3f3a5436ca63b53bf7bf80ad8d5de7d8359d0b7fed9dbc3ab99

Download Submit
C:\Users\Admin\AppData\Roaming\SearchApp.exe

Filesize
601KB

MD5
1c75af06fed42c673ab69aa48063040a

SHA1
2011344f404ee41a3769d476d5443c05c1a80c87

SHA256
4d48e70d74b24b3b4d88cba4765cf0098ddcf01278a58933ef432639141571b9

SHA512
ed8b3898182cb5b008e8d1a4fa7b0f84a15245ab602d2325c19a17a9a6d95009c6ebccdddce98a254b3cb48acd406fd03708159a07eff3b11c75a304307d12d0

Download Submit
memory/1764-37-0x00007FFFE13C0000-0x00007FFFE1E81000-memory.dmp

Filesize
10.8MB

Download
memory/1764-36-0x000000001BC20000-0x000000001BE2C000-memory.dmp

Filesize
2.0MB

Download
memory/1764-0-0x00007FFFE13C3000-0x00007FFFE13C5000-memory.dmp

Filesize
8KB

Download
memory/1764-2-0x00007FFFE13C0000-0x00007FFFE1E81000-memory.dmp

Filesize
10.8MB

Download
memory/1764-1-0x0000000000010000-0x00000000000AC000-memory.dmp

Filesize
624KB

Download
memory/3204-40-0x00000000022C0000-0x00000000022F2000-memory.dmp

Filesize
200KB

Download
memory/3204-190-0x000000001AEA0000-0x000000001AEAA000-memory.dmp

Filesize
40KB

Download
memory/4356-17-0x00007FFFE13C0000-0x00007FFFE1E81000-memory.dmp

Filesize
10.8MB

Download
memory/4356-14-0x0000026AEB0A0000-0x0000026AEB0C2000-memory.dmp

Filesize
136KB

Download
memory/4356-4-0x00007FFFE13C0000-0x00007FFFE1E81000-memory.dmp

Filesize
10.8MB

Download
memory/4356-3-0x00007FFFE13C0000-0x00007FFFE1E81000-memory.dmp

Filesize
10.8MB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads