asyncrat | 68225e21f08b08bd1890e8e0a5d1b379cd9692a2c4a43bffd7ea6bee5e5b409d

Analysis

max time kernel
119s
max time network
121s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
14-12-2024 11:41

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

68225e21f08b08bd1890e8e0a5d1b379cd9692a2c4a43bffd7ea6bee5e5b409d.ps1
Size

30.6MB
MD5

f01f7141f5dcb2161ee0701949f91e70
SHA1

28d2427ee1cd5f4c2a17f020bfaea95daece07d6
SHA256

68225e21f08b08bd1890e8e0a5d1b379cd9692a2c4a43bffd7ea6bee5e5b409d
SHA512

6cd177e2d4b385365eb9f549d2f869f1a40483e1c8a4fe0655146c7ca28090cdf14ac9c2a8a1cb7c385f6f824fe2da422b1714cb2ca851a0d1a18cb3be2a31e1
SSDEEP

49152:/0p9Wz0S8ygXipUpxf2H21a1RFvpB8ciXBXsdO6QKUP+Vzfcw3S6T3G4n/1kbC9z:5

Score

10^/10

asyncrat stormkitty discovery execution persistence rat stealer

Malware Config

Signatures

AsyncRat
AsyncRAT is designed to remotely monitor and control other computers written in C#.
rat asyncrat
Asyncrat family
asyncrat
StormKitty
StormKitty is an open source info stealer written in C#.
stealer stormkitty

StormKitty payload 3 IoCs

resource	yara_rule
behavioral1/memory/2588-50-0x0000000000400000-0x0000000000704000-memory.dmp	family_stormkitty
behavioral1/memory/2588-52-0x0000000000400000-0x0000000000704000-memory.dmp	family_stormkitty
behavioral1/memory/2588-51-0x0000000000400000-0x0000000000704000-memory.dmp	family_stormkitty

Stormkitty family
stormkitty

Executes dropped EXE 1 IoCs

pid	Process
2324	ChromeServices.exe

Loads dropped DLL 3 IoCs

pid	Process
868	powershell.exe
1164	Process not Found
2324	ChromeServices.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Windows\CurrentVersion\Run\ChromeServices = "cmd.exe /C start \"\" /D \"C:\\Users\\Public\\Downloads\\ChromeServices\" \"C:\\Users\\Public\\Downloads\\ChromeServices\\ChromeServices.exe\""	powershell.exe

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 2324 set thread context of 2588	2324	ChromeServices.exe	35

Command and Scripting Interpreter: PowerShell 1 TTPs 1 IoCs

Using powershell.exe command.

execution

PowerShell

T1059.001

pid	Process
868	powershell.exe

System Location Discovery: System Language Discovery 1 TTPs 2 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	AcroRd32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	AddInProcess32.exe

Suspicious behavior: EnumeratesProcesses 5 IoCs

pid	Process
868	powershell.exe
868	powershell.exe
868	powershell.exe
868	powershell.exe
868	powershell.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
1948	AcroRd32.exe

Suspicious use of AdjustPrivilegeToken 42 IoCs

description	pid	Process
Token: SeDebugPrivilege	868	powershell.exe
Token: SeDebugPrivilege	2588	AddInProcess32.exe
Token: SeIncreaseQuotaPrivilege	2588	AddInProcess32.exe
Token: SeSecurityPrivilege	2588	AddInProcess32.exe
Token: SeTakeOwnershipPrivilege	2588	AddInProcess32.exe
Token: SeLoadDriverPrivilege	2588	AddInProcess32.exe
Token: SeSystemProfilePrivilege	2588	AddInProcess32.exe
Token: SeSystemtimePrivilege	2588	AddInProcess32.exe
Token: SeProfSingleProcessPrivilege	2588	AddInProcess32.exe
Token: SeIncBasePriorityPrivilege	2588	AddInProcess32.exe
Token: SeCreatePagefilePrivilege	2588	AddInProcess32.exe
Token: SeBackupPrivilege	2588	AddInProcess32.exe
Token: SeRestorePrivilege	2588	AddInProcess32.exe
Token: SeShutdownPrivilege	2588	AddInProcess32.exe
Token: SeDebugPrivilege	2588	AddInProcess32.exe
Token: SeSystemEnvironmentPrivilege	2588	AddInProcess32.exe
Token: SeRemoteShutdownPrivilege	2588	AddInProcess32.exe
Token: SeUndockPrivilege	2588	AddInProcess32.exe
Token: SeManageVolumePrivilege	2588	AddInProcess32.exe
Token: 33	2588	AddInProcess32.exe
Token: 34	2588	AddInProcess32.exe
Token: 35	2588	AddInProcess32.exe
Token: SeIncreaseQuotaPrivilege	2588	AddInProcess32.exe
Token: SeSecurityPrivilege	2588	AddInProcess32.exe
Token: SeTakeOwnershipPrivilege	2588	AddInProcess32.exe
Token: SeLoadDriverPrivilege	2588	AddInProcess32.exe
Token: SeSystemProfilePrivilege	2588	AddInProcess32.exe
Token: SeSystemtimePrivilege	2588	AddInProcess32.exe
Token: SeProfSingleProcessPrivilege	2588	AddInProcess32.exe
Token: SeIncBasePriorityPrivilege	2588	AddInProcess32.exe
Token: SeCreatePagefilePrivilege	2588	AddInProcess32.exe
Token: SeBackupPrivilege	2588	AddInProcess32.exe
Token: SeRestorePrivilege	2588	AddInProcess32.exe
Token: SeShutdownPrivilege	2588	AddInProcess32.exe
Token: SeDebugPrivilege	2588	AddInProcess32.exe
Token: SeSystemEnvironmentPrivilege	2588	AddInProcess32.exe
Token: SeRemoteShutdownPrivilege	2588	AddInProcess32.exe
Token: SeUndockPrivilege	2588	AddInProcess32.exe
Token: SeManageVolumePrivilege	2588	AddInProcess32.exe
Token: 33	2588	AddInProcess32.exe
Token: 34	2588	AddInProcess32.exe
Token: 35	2588	AddInProcess32.exe

Suspicious use of SetWindowsHookEx 3 IoCs

pid	Process
1948	AcroRd32.exe
1948	AcroRd32.exe
1948	AcroRd32.exe

Suspicious use of WriteProcessMemory 16 IoCs

description	pid	Process	procid_target
PID 868 wrote to memory of 1948	868	powershell.exe	32
PID 868 wrote to memory of 1948	868	powershell.exe	32
PID 868 wrote to memory of 1948	868	powershell.exe	32
PID 868 wrote to memory of 1948	868	powershell.exe	32
PID 868 wrote to memory of 2324	868	powershell.exe	33
PID 868 wrote to memory of 2324	868	powershell.exe	33
PID 868 wrote to memory of 2324	868	powershell.exe	33
PID 2324 wrote to memory of 2588	2324	ChromeServices.exe	35
PID 2324 wrote to memory of 2588	2324	ChromeServices.exe	35
PID 2324 wrote to memory of 2588	2324	ChromeServices.exe	35
PID 2324 wrote to memory of 2588	2324	ChromeServices.exe	35
PID 2324 wrote to memory of 2588	2324	ChromeServices.exe	35
PID 2324 wrote to memory of 2588	2324	ChromeServices.exe	35
PID 2324 wrote to memory of 2588	2324	ChromeServices.exe	35
PID 2324 wrote to memory of 2588	2324	ChromeServices.exe	35
PID 2324 wrote to memory of 2588	2324	ChromeServices.exe	35

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell.exe -ExecutionPolicy bypass -File C:\Users\Admin\AppData\Local\Temp\68225e21f08b08bd1890e8e0a5d1b379cd9692a2c4a43bffd7ea6bee5e5b409d.ps1
1⤵
- Loads dropped DLL
- Adds Run key to start application
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:868
- C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe
  "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe" "C:\Users\Admin\Downloads\Creative Brift Marketing Sneaker Daily Deal.pdf"
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: GetForegroundWindowSpam
  - Suspicious use of SetWindowsHookEx
  PID:1948
- C:\Users\Public\Downloads\ChromeServices\ChromeServices.exe
  "C:\Users\Public\Downloads\ChromeServices\ChromeServices.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious use of SetThreadContext
  - Suspicious use of WriteProcessMemory
  PID:2324
- - C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe
    "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe"
    3⤵
    - System Location Discovery: System Language Discovery
    - Suspicious use of AdjustPrivilegeToken
    PID:2588

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\Adobe\Acrobat\9.0\SharedDataEvents

Filesize
3KB

MD5
4e43fcf3a53017f0c0f1f50f2dba1c70

SHA1
dbcbf21048f1c2d3ebd67cf70d5e6ab2fdac4dfe

SHA256
1dc4dad27895c891f8285bdcaad772f4e9a6afbef3a6a48570a4a8d29b2446e3

SHA512
468521acd91ef8930590f468073a519ecdff7cc91f75fd2938c9dc1e31720a3a4730d3c62a3d0bc20be0798fed59ae355617362e084ee58877e153e6e533c7ff

Download Submit
C:\Users\Admin\Downloads\Creative Brift Marketing Sneaker Daily Deal.pdf

Filesize
91KB

MD5
897417cce1edbd4222c6c8c5e0f1f7c8

SHA1
c52b4982eecbcc5e5491fac2aaf4d2fbbda1335c

SHA256
28b4bdc732553037551c304fe459634011011be7dcc4ed81979d4a07647e7cc8

SHA512
63b484dfc9ecaa485c666ec463113e1a5fa608283e993a1761d1ed905634602090339e68ea9e87616ed7c3a645538ba0d9e50427e62a4b646558bc57122cd4e5

Download Submit
C:\Users\Public\Downloads\ChromeServices\concrt140e.dll

Filesize
3.0MB

MD5
aab7a3b67b71bf0439627158323b502e

SHA1
db7eae4731c4749d21c6cc54a364bcf20c04934c

SHA256
39c9693c36f38a1b691eb3584c18f8550c08eb6a983c46cd46b476c8126ce8cc

SHA512
543fbb82d5e73c3df0dd19f4b71a2c19b78b3250192be5c1191a0c4d53348ca84fd975dbc938226b67a1aab9dcdeb2aa16eb8c39982215aef2bb6f857f2cf162

Download Submit
C:\Users\Public\Downloads\ChromeServices\libpsl-5.dll

Filesize
2.8MB

MD5
ebcf17abb78a21d5f3904c00a60e1e0a

SHA1
ec6525d3de6ebd4eedb8193707f24aba232581d7

SHA256
1099a52ceec00e3db7f704c5f0cea8c23af02490ade25243b7c90f1e870c2614

SHA512
5b965213f03406a22d9ffcfd18a716fee8851ca366960b888631f695fc74daf9dc33276004f00ef6df5ec5513a7409446d1104dbb3c872e614efbf2cdbd04fbd

Download Submit
\Users\Public\Downloads\ChromeServices\ChromeServices.exe

Filesize
67KB

MD5
d82b8f0cb601039af7c1968b0c92d09f

SHA1
b0105f082e10791e6703abbc064904be073dc79b

SHA256
962c0f879de9a12a78ea81536e7223ec7a7c8a9d5828871b6fdd26e649401755

SHA512
be063f8590951e8d4b6f1e69cac57a95d90d3ab96576545afe4141979d376c322047d0b73169140b22ef6d24a7e9c5b4fe09771a4fedfd36ce544befafa65e33

Download Submit
memory/868-5-0x000000001B690000-0x000000001B972000-memory.dmp

Filesize
2.9MB

Download
memory/868-10-0x000007FEF5A60000-0x000007FEF63FD000-memory.dmp

Filesize
9.6MB

Download
memory/868-9-0x000007FEF5A60000-0x000007FEF63FD000-memory.dmp

Filesize
9.6MB

Download
memory/868-7-0x000007FEF5A60000-0x000007FEF63FD000-memory.dmp

Filesize
9.6MB

Download
memory/868-6-0x00000000028E0000-0x00000000028E8000-memory.dmp

Filesize
32KB

Download
memory/868-11-0x000007FEF5A60000-0x000007FEF63FD000-memory.dmp

Filesize
9.6MB

Download
memory/868-8-0x000007FEF5A60000-0x000007FEF63FD000-memory.dmp

Filesize
9.6MB

Download
memory/868-4-0x000007FEF5D1E000-0x000007FEF5D1F000-memory.dmp

Filesize
4KB

Download
memory/868-49-0x000007FEF5A60000-0x000007FEF63FD000-memory.dmp

Filesize
9.6MB

Download
memory/2324-54-0x000000013F720000-0x000000013F734000-memory.dmp

Filesize
80KB

Download
memory/2588-50-0x0000000000400000-0x0000000000704000-memory.dmp

Filesize
3.0MB

Download
memory/2588-52-0x0000000000400000-0x0000000000704000-memory.dmp

Filesize
3.0MB

Download
memory/2588-51-0x0000000000400000-0x0000000000704000-memory.dmp

Filesize
3.0MB

Download