asyncrat | 09bba91a3346b026387e05f996f39b76e6c0e36596626640d436ee21c08acfe5

Analysis

max time kernel
122s
max time network
123s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
14-12-2024 02:07

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

Creative_Brift_Marketing/Potential products want to increase sales/job.ps1
Size

30.6MB
MD5

f01f7141f5dcb2161ee0701949f91e70
SHA1

28d2427ee1cd5f4c2a17f020bfaea95daece07d6
SHA256

68225e21f08b08bd1890e8e0a5d1b379cd9692a2c4a43bffd7ea6bee5e5b409d
SHA512

6cd177e2d4b385365eb9f549d2f869f1a40483e1c8a4fe0655146c7ca28090cdf14ac9c2a8a1cb7c385f6f824fe2da422b1714cb2ca851a0d1a18cb3be2a31e1
SSDEEP

49152:/0p9Wz0S8ygXipUpxf2H21a1RFvpB8ciXBXsdO6QKUP+Vzfcw3S6T3G4n/1kbC9z:5

Score

10^/10

asyncrat stormkitty discovery execution persistence rat stealer

Malware Config

Signatures

AsyncRat
AsyncRAT is designed to remotely monitor and control other computers written in C#.
rat asyncrat
Asyncrat family
asyncrat
StormKitty
StormKitty is an open source info stealer written in C#.
stealer stormkitty

StormKitty payload 3 IoCs

resource	yara_rule
behavioral3/memory/2168-53-0x0000000000400000-0x0000000000704000-memory.dmp	family_stormkitty
behavioral3/memory/2168-54-0x0000000000400000-0x0000000000704000-memory.dmp	family_stormkitty
behavioral3/memory/2168-55-0x0000000000400000-0x0000000000704000-memory.dmp	family_stormkitty

Stormkitty family
stormkitty

Executes dropped EXE 1 IoCs

pid	Process
1896	ChromeServices.exe

Loads dropped DLL 3 IoCs

pid	Process
2892	powershell.exe
2236	Process not Found
1896	ChromeServices.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Windows\CurrentVersion\Run\ChromeServices = "cmd.exe /C start \"\" /D \"C:\\Users\\Public\\Downloads\\ChromeServices\" \"C:\\Users\\Public\\Downloads\\ChromeServices\\ChromeServices.exe\""	powershell.exe

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 1896 set thread context of 2168	1896	ChromeServices.exe	34

Command and Scripting Interpreter: PowerShell 1 TTPs 1 IoCs

Using powershell.exe command.

execution

PowerShell

T1059.001

pid	Process
2892	powershell.exe

System Location Discovery: System Language Discovery 1 TTPs 2 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	AcroRd32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	AddInProcess32.exe

Suspicious behavior: EnumeratesProcesses 5 IoCs

pid	Process
2892	powershell.exe
2892	powershell.exe
2892	powershell.exe
2892	powershell.exe
2892	powershell.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
2712	AcroRd32.exe

Suspicious use of AdjustPrivilegeToken 42 IoCs

description	pid	Process
Token: SeDebugPrivilege	2892	powershell.exe
Token: SeDebugPrivilege	2168	AddInProcess32.exe
Token: SeIncreaseQuotaPrivilege	2168	AddInProcess32.exe
Token: SeSecurityPrivilege	2168	AddInProcess32.exe
Token: SeTakeOwnershipPrivilege	2168	AddInProcess32.exe
Token: SeLoadDriverPrivilege	2168	AddInProcess32.exe
Token: SeSystemProfilePrivilege	2168	AddInProcess32.exe
Token: SeSystemtimePrivilege	2168	AddInProcess32.exe
Token: SeProfSingleProcessPrivilege	2168	AddInProcess32.exe
Token: SeIncBasePriorityPrivilege	2168	AddInProcess32.exe
Token: SeCreatePagefilePrivilege	2168	AddInProcess32.exe
Token: SeBackupPrivilege	2168	AddInProcess32.exe
Token: SeRestorePrivilege	2168	AddInProcess32.exe
Token: SeShutdownPrivilege	2168	AddInProcess32.exe
Token: SeDebugPrivilege	2168	AddInProcess32.exe
Token: SeSystemEnvironmentPrivilege	2168	AddInProcess32.exe
Token: SeRemoteShutdownPrivilege	2168	AddInProcess32.exe
Token: SeUndockPrivilege	2168	AddInProcess32.exe
Token: SeManageVolumePrivilege	2168	AddInProcess32.exe
Token: 33	2168	AddInProcess32.exe
Token: 34	2168	AddInProcess32.exe
Token: 35	2168	AddInProcess32.exe
Token: SeIncreaseQuotaPrivilege	2168	AddInProcess32.exe
Token: SeSecurityPrivilege	2168	AddInProcess32.exe
Token: SeTakeOwnershipPrivilege	2168	AddInProcess32.exe
Token: SeLoadDriverPrivilege	2168	AddInProcess32.exe
Token: SeSystemProfilePrivilege	2168	AddInProcess32.exe
Token: SeSystemtimePrivilege	2168	AddInProcess32.exe
Token: SeProfSingleProcessPrivilege	2168	AddInProcess32.exe
Token: SeIncBasePriorityPrivilege	2168	AddInProcess32.exe
Token: SeCreatePagefilePrivilege	2168	AddInProcess32.exe
Token: SeBackupPrivilege	2168	AddInProcess32.exe
Token: SeRestorePrivilege	2168	AddInProcess32.exe
Token: SeShutdownPrivilege	2168	AddInProcess32.exe
Token: SeDebugPrivilege	2168	AddInProcess32.exe
Token: SeSystemEnvironmentPrivilege	2168	AddInProcess32.exe
Token: SeRemoteShutdownPrivilege	2168	AddInProcess32.exe
Token: SeUndockPrivilege	2168	AddInProcess32.exe
Token: SeManageVolumePrivilege	2168	AddInProcess32.exe
Token: 33	2168	AddInProcess32.exe
Token: 34	2168	AddInProcess32.exe
Token: 35	2168	AddInProcess32.exe

Suspicious use of SetWindowsHookEx 3 IoCs

pid	Process
2712	AcroRd32.exe
2712	AcroRd32.exe
2712	AcroRd32.exe

Suspicious use of WriteProcessMemory 16 IoCs

description	pid	Process	procid_target
PID 2892 wrote to memory of 2712	2892	powershell.exe	31
PID 2892 wrote to memory of 2712	2892	powershell.exe	31
PID 2892 wrote to memory of 2712	2892	powershell.exe	31
PID 2892 wrote to memory of 2712	2892	powershell.exe	31
PID 2892 wrote to memory of 1896	2892	powershell.exe	32
PID 2892 wrote to memory of 1896	2892	powershell.exe	32
PID 2892 wrote to memory of 1896	2892	powershell.exe	32
PID 1896 wrote to memory of 2168	1896	ChromeServices.exe	34
PID 1896 wrote to memory of 2168	1896	ChromeServices.exe	34
PID 1896 wrote to memory of 2168	1896	ChromeServices.exe	34
PID 1896 wrote to memory of 2168	1896	ChromeServices.exe	34
PID 1896 wrote to memory of 2168	1896	ChromeServices.exe	34
PID 1896 wrote to memory of 2168	1896	ChromeServices.exe	34
PID 1896 wrote to memory of 2168	1896	ChromeServices.exe	34
PID 1896 wrote to memory of 2168	1896	ChromeServices.exe	34
PID 1896 wrote to memory of 2168	1896	ChromeServices.exe	34

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell.exe -ExecutionPolicy bypass -File "C:\Users\Admin\AppData\Local\Temp\Creative_Brift_Marketing\Potential products want to increase sales\job.ps1"
1⤵
- Loads dropped DLL
- Adds Run key to start application
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2892
- C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe
  "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe" "C:\Users\Admin\Downloads\Creative Brift Marketing Sneaker Daily Deal.pdf"
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: GetForegroundWindowSpam
  - Suspicious use of SetWindowsHookEx
  PID:2712
- C:\Users\Public\Downloads\ChromeServices\ChromeServices.exe
  "C:\Users\Public\Downloads\ChromeServices\ChromeServices.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious use of SetThreadContext
  - Suspicious use of WriteProcessMemory
  PID:1896
- - C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe
    "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe"
    3⤵
    - System Location Discovery: System Language Discovery
    - Suspicious use of AdjustPrivilegeToken
    PID:2168

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\Adobe\Acrobat\9.0\SharedDataEvents

Filesize
3KB

MD5
5d6edd92d27f13e95dc892cbeaf914b7

SHA1
b655d3924c1a9f43ac067accdf563eaee17dadd8

SHA256
365e1e2b211211e256cd1ad27919cb178d0eb026285365b1ead5383ff2142934

SHA512
9bdf0b7a238c64dee8d07e680b3d2e24dc0e59b6872658e74f7cd266c7778a7df5f853de62070fe55e780dfe3cf1b0ddbf17a229c7a5f7377b7a0340d1c3149d

Download Submit
C:\Users\Admin\Downloads\Creative Brift Marketing Sneaker Daily Deal.pdf

Filesize
91KB

MD5
897417cce1edbd4222c6c8c5e0f1f7c8

SHA1
c52b4982eecbcc5e5491fac2aaf4d2fbbda1335c

SHA256
28b4bdc732553037551c304fe459634011011be7dcc4ed81979d4a07647e7cc8

SHA512
63b484dfc9ecaa485c666ec463113e1a5fa608283e993a1761d1ed905634602090339e68ea9e87616ed7c3a645538ba0d9e50427e62a4b646558bc57122cd4e5

Download Submit
C:\Users\Public\Downloads\ChromeServices\ChromeServices.exe

Filesize
67KB

MD5
d82b8f0cb601039af7c1968b0c92d09f

SHA1
b0105f082e10791e6703abbc064904be073dc79b

SHA256
962c0f879de9a12a78ea81536e7223ec7a7c8a9d5828871b6fdd26e649401755

SHA512
be063f8590951e8d4b6f1e69cac57a95d90d3ab96576545afe4141979d376c322047d0b73169140b22ef6d24a7e9c5b4fe09771a4fedfd36ce544befafa65e33

Download Submit
C:\Users\Public\Downloads\ChromeServices\concrt140e.dll

Filesize
3.0MB

MD5
aab7a3b67b71bf0439627158323b502e

SHA1
db7eae4731c4749d21c6cc54a364bcf20c04934c

SHA256
39c9693c36f38a1b691eb3584c18f8550c08eb6a983c46cd46b476c8126ce8cc

SHA512
543fbb82d5e73c3df0dd19f4b71a2c19b78b3250192be5c1191a0c4d53348ca84fd975dbc938226b67a1aab9dcdeb2aa16eb8c39982215aef2bb6f857f2cf162

Download Submit
C:\Users\Public\Downloads\ChromeServices\libpsl-5.dll

Filesize
2.8MB

MD5
ebcf17abb78a21d5f3904c00a60e1e0a

SHA1
ec6525d3de6ebd4eedb8193707f24aba232581d7

SHA256
1099a52ceec00e3db7f704c5f0cea8c23af02490ade25243b7c90f1e870c2614

SHA512
5b965213f03406a22d9ffcfd18a716fee8851ca366960b888631f695fc74daf9dc33276004f00ef6df5ec5513a7409446d1104dbb3c872e614efbf2cdbd04fbd

Download Submit
memory/1896-56-0x000000013FC30000-0x000000013FC44000-memory.dmp

Filesize
80KB

Download
memory/2168-55-0x0000000000400000-0x0000000000704000-memory.dmp

Filesize
3.0MB

Download
memory/2168-54-0x0000000000400000-0x0000000000704000-memory.dmp

Filesize
3.0MB

Download
memory/2168-53-0x0000000000400000-0x0000000000704000-memory.dmp

Filesize
3.0MB

Download
memory/2892-41-0x000007FEF5A30000-0x000007FEF63CD000-memory.dmp

Filesize
9.6MB

Download
memory/2892-4-0x000007FEF5CEE000-0x000007FEF5CEF000-memory.dmp

Filesize
4KB

Download
memory/2892-42-0x000007FEF5CEE000-0x000007FEF5CEF000-memory.dmp

Filesize
4KB

Download
memory/2892-11-0x000007FEF5A30000-0x000007FEF63CD000-memory.dmp

Filesize
9.6MB

Download
memory/2892-10-0x000007FEF5A30000-0x000007FEF63CD000-memory.dmp

Filesize
9.6MB

Download
memory/2892-9-0x000007FEF5A30000-0x000007FEF63CD000-memory.dmp

Filesize
9.6MB

Download
memory/2892-51-0x000007FEF5A30000-0x000007FEF63CD000-memory.dmp

Filesize
9.6MB

Download
memory/2892-8-0x000007FEF5A30000-0x000007FEF63CD000-memory.dmp

Filesize
9.6MB

Download
memory/2892-5-0x000000001B720000-0x000000001BA02000-memory.dmp

Filesize
2.9MB

Download
memory/2892-6-0x0000000001FD0000-0x0000000001FD8000-memory.dmp

Filesize
32KB

Download
memory/2892-7-0x000007FEF5A30000-0x000007FEF63CD000-memory.dmp

Filesize
9.6MB

Download