Analysis
-
max time kernel
54s -
max time network
49s -
platform
windows10-2004_x64 -
resource
win10v2004-20241007-en -
resource tags
-
submitted
14-12-2024 19:06
General
-
Target
e88ccd1e7f73f9371fbc1347e0fca0cf902fff7c3cb0c9ea1a71714135af7096.exe
-
Size
807KB
-
MD5
4b8e7f6468b4a846bfef152f20ad625c
-
SHA1
de6aba8a287228b428e40decb325c45fbe66c1ee
-
SHA256
e88ccd1e7f73f9371fbc1347e0fca0cf902fff7c3cb0c9ea1a71714135af7096
-
SHA512
3280848a0fc1bfb29a0ed5e1a913f04d463a8b06039e02b5c88230ab5717059e0f1cb974d0bdb86643595b0640c16dbcf14e10eaf44b0bd1204b9375f9a58f80
-
SSDEEP
6144:iSncRl5sSeGlR9o1Re8XN6W8mmHPtppXPSi9b4fcSncRlrBoLp7ua9Q:P4IGlR9o1RrN6qatppXPm4RBYEa
Malware Config
Extracted
asyncrat
Default
127.0.0.1:6606
127.0.0.1:7707
127.0.0.1:8808
https://api.telegram.org/bot7557878970:AAGK-77Z__cCdoMjeFBTGoWLVAg2XPHco-I/sendMessage?chat_id=8178371083
AsyncMutex_6SI8OkPnk
-
delay
3
-
install
false
-
install_folder
%AppData%
Signatures
-
AsyncRat
AsyncRAT is designed to remotely monitor and control other computers written in C#.
-
Asyncrat family
-
StormKitty
StormKitty is an open source info stealer written in C#.
-
StormKitty payload 2 IoCs
-
Stormkitty family
-
Async RAT payload 1 IoCs
-
Checks computer location settings 2 TTPs 1 IoCs
Looks up country code configured in the registry, likely geofence.
-
Executes dropped EXE 3 IoCs
-
Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
Drops desktop.ini file(s) 8 IoCs
-
Looks up external IP address via web service 1 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.
-
Looks up geolocation information via web service
Uses a legitimate geolocation service to find the infected system's geolocation info.
-
Browser Information Discovery 1 TTPs
Enumerate browser information.
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Event Triggered Execution: Netsh Helper DLL 1 TTPs 6 IoCs
Netsh.exe (also referred to as Netshell) is a command-line scripting utility used to interact with the network configuration of a system.
-
System Location Discovery: System Language Discovery 1 TTPs 11 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
-
System Network Configuration Discovery: Wi-Fi Discovery 1 TTPs 2 IoCs
Adversaries may search for information about Wi-Fi networks, such as network names and passwords, on compromised systems.
-
Checks processor information in registry 2 TTPs 2 IoCs
Processor information is often read in order to detect sandboxing environments.
-
Enumerates system info in registry 2 TTPs 3 IoCs
-
Suspicious behavior: EnumeratesProcesses 32 IoCs
-
Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 6 IoCs
-
Suspicious use of AdjustPrivilegeToken 1 IoCs
-
Suspicious use of FindShellTrayWindow 25 IoCs
-
Suspicious use of SendNotifyMessage 24 IoCs
-
Suspicious use of WriteProcessMemory 64 IoCs
Processes
-
C:\Users\Admin\AppData\Local\Temp\e88ccd1e7f73f9371fbc1347e0fca0cf902fff7c3cb0c9ea1a71714135af7096.exe"C:\Users\Admin\AppData\Local\Temp\e88ccd1e7f73f9371fbc1347e0fca0cf902fff7c3cb0c9ea1a71714135af7096.exe"1⤵
- Checks computer location settings
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\PROXYCHECKER-MASTERZ8.EXE"C:\Users\Admin\AppData\Local\Temp\PROXYCHECKER-MASTERZ8.EXE"2⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
-
-
C:\Users\Admin\AppData\Local\Temp\SERVER BOT.EXE"C:\Users\Admin\AppData\Local\Temp\SERVER BOT.EXE"2⤵
- Executes dropped EXE
- Drops desktop.ini file(s)
- System Location Discovery: System Language Discovery
- Checks processor information in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\SysWOW64\cmd.exe"cmd.exe" /C chcp 65001 && netsh wlan show profile | findstr All3⤵
- System Location Discovery: System Language Discovery
- System Network Configuration Discovery: Wi-Fi Discovery
-
C:\Windows\SysWOW64\chcp.comchcp 650014⤵
- System Location Discovery: System Language Discovery
-
-
C:\Windows\SysWOW64\netsh.exenetsh wlan show profile4⤵
- Event Triggered Execution: Netsh Helper DLL
- System Location Discovery: System Language Discovery
- System Network Configuration Discovery: Wi-Fi Discovery
-
-
C:\Windows\SysWOW64\findstr.exefindstr All4⤵
- System Location Discovery: System Language Discovery
-
-
-
C:\Windows\SysWOW64\cmd.exe"cmd.exe" /C chcp 65001 && netsh wlan show networks mode=bssid3⤵
- System Location Discovery: System Language Discovery
-
C:\Windows\SysWOW64\chcp.comchcp 650014⤵
- System Location Discovery: System Language Discovery
-
-
C:\Windows\SysWOW64\netsh.exenetsh wlan show networks mode=bssid4⤵
- Event Triggered Execution: Netsh Helper DLL
- System Location Discovery: System Language Discovery
-
-
-
-
C:\Users\Admin\AppData\Local\Temp\TELEGRAM_ CONTACT @AMRNET1VIP1.MHTML.EXE"C:\Users\Admin\AppData\Local\Temp\TELEGRAM_ CONTACT @AMRNET1VIP1.MHTML.EXE"2⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument C:\Users\Admin\AppData\Local\Temp\TELEGRAM_ CONTACT @AMRNET1VIP1.MHTML3⤵
- Enumerates system info in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffcfcd946f8,0x7ffcfcd94708,0x7ffcfcd947184⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2148,6659716377575013873,17477242276603460559,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2160 /prefetch:24⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2148,6659716377575013873,17477242276603460559,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2212 /prefetch:34⤵
- Suspicious behavior: EnumeratesProcesses
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2148,6659716377575013873,17477242276603460559,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2904 /prefetch:84⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2148,6659716377575013873,17477242276603460559,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3324 /prefetch:14⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2148,6659716377575013873,17477242276603460559,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3356 /prefetch:14⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2148,6659716377575013873,17477242276603460559,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4932 /prefetch:84⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2148,6659716377575013873,17477242276603460559,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4932 /prefetch:84⤵
- Suspicious behavior: EnumeratesProcesses
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2148,6659716377575013873,17477242276603460559,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5012 /prefetch:14⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2148,6659716377575013873,17477242276603460559,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5020 /prefetch:14⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2148,6659716377575013873,17477242276603460559,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5288 /prefetch:14⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2148,6659716377575013873,17477242276603460559,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5460 /prefetch:14⤵
-
-
-
-
C:\Windows\System32\CompPkgSrv.exeC:\Windows\System32\CompPkgSrv.exe -Embedding1⤵
-
C:\Windows\System32\CompPkgSrv.exeC:\Windows\System32\CompPkgSrv.exe -Embedding1⤵
Network
MITRE ATT&CK Enterprise v15
Credential Access
Credentials from Password Stores
1Credentials from Web Browsers
1Unsecured Credentials
1Credentials In Files
1Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
105B
MD52e9d094dda5cdc3ce6519f75943a4ff4
SHA15d989b4ac8b699781681fe75ed9ef98191a5096c
SHA256c84c98bbf5e0ef9c8d0708b5d60c5bb656b7d6be5135d7f7a8d25557e08cf142
SHA512d1f7eed00959e902bdb2125b91721460d3ff99f3bdfc1f2a343d4f58e8d4e5e5a06c0c6cdc0379211c94510f7c00d7a8b34fa7d0ca0c3d54cbbe878f1e9812b7
-
Filesize
4KB
MD56e10c01d21678b229937f00883ff6764
SHA18353c1cb1baeb1f99b5f4997ea2ad10c78bf9ee7
SHA25699686c55bcc099e4b00168484f1a014aed57e19274bac1df18a4a59dd5863e65
SHA5128ef16b311d05d0c34156a3c0634ee0b320db9c15a4a41f6d300785194b0afdf5d8957ac3ca4a9d577b6511b9c8c957926415f5022be425e3e091470e8fd55dba
-
Filesize
4B
MD5a5fdfa672284da6bf4f4326e2b3698bd
SHA1df66df636bd528fbd5c52038dd6917a7a8b1f805
SHA25677c53fd8faa9cd5a5b83136dbeba99155f5b9c5ef7098bf700d20cfe18e20219
SHA5120493a58c92c005ca6ac9612eb1ee4aa49172a8d1938d6e0b3151331531a6c56d2d3aba4d9ad8699895110f111aef420dca85bdb3bf5dfe6cd6c4e7de5cbd80ed
-
Filesize
152B
MD5f426165d1e5f7df1b7a3758c306cd4ae
SHA159ef728fbbb5c4197600f61daec48556fec651c1
SHA256b68dfc21866d0abe5c75d70acc54670421fa9b26baf98af852768676a901b841
SHA5128d437fcb85acb0705bf080141e7a021740901248985a76299ea8c43e46ad78fb88c738322cf302f6a550caa5e79d85b36827e9b329b1094521b17cf638c015b6
-
Filesize
152B
MD56960857d16aadfa79d36df8ebbf0e423
SHA1e1db43bd478274366621a8c6497e270d46c6ed4f
SHA256f40b812ce44e391423eb66602ac0af138a1e948aa8c4116045fef671ef21cd32
SHA5126deb2a63055a643759dd0ae125fb2f68ec04a443dbf8b066a812b42352bbcfa4517382ed0910c190c986a864559c3453c772e153ee2e9432fb2de2e1e49ca7fe
-
Filesize
6KB
MD5329200d4d03bf5f13d3fbf9cfde141de
SHA1657c83724f2eace1b7d86b9928797888c63ef618
SHA256ab460b727ad50575e012128615d243cdc204f51ee57e19b97c29e4ae37115856
SHA512e6ae7fcba446e89b68672638431819bf7bbe5a8c25cd0d651692646a8543085d015cee14c73c907ba20b28ff3f745ab897c1cc7d3a51465d1c89fc3aafc2f6f4
-
Filesize
5KB
MD5aaf6624c6d1692695f205e333686a485
SHA16423dd3914f7bd42daa4dd837771eeecdd7c8e7a
SHA25647a45564225c2244476644b76c4c47c183289e575c8f86b419b90961af41744d
SHA5125c57aa3556e8fa37e44b8b0a59eb90b436fdce603a5e8db4d6343668ec8815e8040db1155eca37c123a49db8bbeefc088cefdcebe11da45ebbc9aaa6b056510d
-
Filesize
16B
MD56752a1d65b201c13b62ea44016eb221f
SHA158ecf154d01a62233ed7fb494ace3c3d4ffce08b
SHA2560861415cada612ea5834d56e2cf1055d3e63979b69eb71d32ae9ae394d8306cd
SHA5129cfd838d3fb570b44fc3461623ab2296123404c6c8f576b0de0aabd9a6020840d4c9125eb679ed384170dbcaac2fa30dc7fa9ee5b77d6df7c344a0aa030e0389
-
Filesize
10KB
MD526dd28229d9557f61faa4830e1fff450
SHA1a97cae2fe9654835205daac7354de8d17aeb11b6
SHA2560aae18874459095d64aa728c4135fa6d76760831e40a9a72ae3782962b484567
SHA512e86723627dd5fe992ff7fc5532a63ab1c57e0a514ddb08991ffa3e9c166cf27452d7eb25768b4eb937f9fed1ec59bce9fd6df96da4aad3b783943002acabff3a
-
Filesize
65KB
MD5047b902ab5e9a317eef11e6dcf4cfa8d
SHA1e4212a9c195b85fd3409cd7dbba80dac9f66abfd
SHA256e023315bebd54dbf73c6e2e92466edb8cc108e2c8b0658f3762d32447f6fd553
SHA512900dcbe105b4b899afa9cfa92de0aa37bb05ad11fc425bb53ad6d3ed8dcebc9b6b67e2060fca78bddffb206c34fa5ebfe5fbf20996cfac0cc5aba7b1d5cf48fa
-
Filesize
170KB
MD52e7cb0a4c91b31337f17742a2f73aaf7
SHA108b2db3956a4af5671d374f62e753fdbeeb94d36
SHA256c92ccebe416798a16a22f1f45978df59988b4219d118eb9d2100fabe2eb78c3b
SHA5127487c1f068a3edf4ae74f08a27fde66888703b3ee5883f88774e477c7b645eff1b6a950354f391239aca82a5cf0b9d28a1ad8adbac4159cfd92dc31fa34fbcb2
-
Filesize
466KB
MD5f9035161bd488986f5bac378372168cf
SHA17e6ceaffefb0529e72c1ded8c3b98230e85e2842
SHA25617677889889bf300ebceb7b998ffef915ce1d7ae74ba106783afb569c8ec92d4
SHA512cf1a25f5f728a4145e5f64c0f14f87beb5e6da8de8647330eb9322e9f4f15e0cb9b1f2d3aae72221e8359f747621d273f67755babf04dc8270122c273dd1da85
-
Filesize
519KB
MD57c908443c3e7c8713df4d3482adc6a89
SHA1545145ded60fd817d329062b6df4e12818c530d3
SHA256f06f72d8206e8476e7bf3261b18d19a6ddd7e02aed0b69cc932c261a9da2b620
SHA51276d90435d08992ac4343f4b1cb01944f2713dc67691bb7038643fc8b05f73bed75515a4d1000a6e44ad2c2a37508af7128c4e50b8c3064e0786e84099903c951
-
Filesize
584KB
-
Filesize
408KB
-
Filesize
4KB
-
Filesize
192KB
-
Filesize
4KB
-
Filesize
5.6MB
-
Filesize
40KB
-
Filesize
72KB
-
Filesize
7.7MB
-
Filesize
88KB
-
Filesize
24KB
-
Filesize
7.7MB
-
Filesize
7.7MB