Overview

overview

10

Static

static

10

2024-12-16...er.exe

windows7-x64

10

2024-12-16...er.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    149s
  • max time network
    121s
  • platform
    windows7_x64
  • resource
    win7-20240903-en
  • resource tags

    arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
  • submitted
    16-12-2024 03:42

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    2024-12-16_3319633e286dc7e8f4404f9843054947_asyncrat_avoslocker_luca-stealer.exe

  • Size

    1020KB

  • MD5

    3319633e286dc7e8f4404f9843054947

  • SHA1

    d457424e6cd08e833bee4074044ec95a25b87e62

  • SHA256

    9e0ef658fa66e572a25e81d23bef38b6dfba48d47fd6aa8f890ae793637a9d46

  • SHA512

    b2dd78ef51b2dce34b13ad6aaf32c89b51d90a5ec8204ee4ea4f4088349d00fe23430052f40a4feb1098c7349a7d428922a65a894fbc3ecfb98c94f30dc43684

  • SSDEEP

    24576:4gQ7wCw8QIxgAjwYhWaM8hYFSOKb1WQIVrgfbcT:o7wCwKxgAUYhWaM8hYI/IVczcT

Score
10/10
asyncratstormkittydefaultdiscoverypersistenceprivilege_escalationratspywarestealer

Malware Config

Extracted

Family

asyncrat

Botnet

Default

C2

127.0.0.1:6606

127.0.0.1:7707

127.0.0.1:8808

https://api.telegram.org/bot5607633317:AAF7mJZ9cSjvqBGaPWCjQmtzSkwptz0mlo0/sendMessage?chat_id=5773399182
Mutex

AsyncMutex_6SI8OkPnk

Attributes
  • delay

    3

  • install

    false

  • install_folder

    %AppData%

aes.plain

Signatures

  • AsyncRat

    AsyncRAT is designed to remotely monitor and control other computers written in C#.

    ratasyncrat
  • Asyncrat family
    asyncrat
  • StormKitty

    StormKitty is an open source info stealer written in C#.

    stealerstormkitty
  • StormKitty payload 2 IoCs
  • Stormkitty family
    stormkitty
  • Async RAT payload 1 IoCs
    rat
  • Executes dropped EXE 2 IoCs
  • Reads user/profile data of web browsers 3 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

    spywarestealer
  • Drops desktop.ini file(s) 7 IoCs
  • Looks up external IP address via web service 1 IoCs

    Uses a legitimate IP lookup service to find the infected system's external IP.

  • Looks up geolocation information via web service

    Uses a legitimate geolocation service to find the infected system's geolocation info.

  • Browser Information Discovery 1 TTPs

    Enumerate browser information.

    discovery
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Event Triggered Execution: Netsh Helper DLL 1 TTPs 6 IoCs

    Netsh.exe (also referred to as Netshell) is a command-line scripting utility used to interact with the network configuration of a system.

    persistenceprivilege_escalation
  • System Location Discovery: System Language Discovery 1 TTPs 9 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

    discovery
  • System Network Configuration Discovery: Wi-Fi Discovery 1 TTPs 2 IoCs

    Adversaries may search for information about Wi-Fi networks, such as network names and passwords, on compromised systems.

    discovery
  • Checks processor information in registry 2 TTPs 2 IoCs

    Processor information is often read in order to detect sandboxing environments.

  • Suspicious behavior: EnumeratesProcesses 5 IoCs
  • Suspicious use of AdjustPrivilegeToken 1 IoCs
  • Suspicious use of WriteProcessMemory 36 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\2024-12-16_3319633e286dc7e8f4404f9843054947_asyncrat_avoslocker_luca-stealer.exe
    "C:\Users\Admin\AppData\Local\Temp\2024-12-16_3319633e286dc7e8f4404f9843054947_asyncrat_avoslocker_luca-stealer.exe"
    1⤵
    • Suspicious use of WriteProcessMemory
    PID:2600
    • C:\Users\Admin\AppData\LocalWceiaSCNvc.exe
      "C:\Users\Admin\AppData\LocalWceiaSCNvc.exe"
      2⤵
      • Executes dropped EXE
      • Drops desktop.ini file(s)
      • System Location Discovery: System Language Discovery
      • Checks processor information in registry
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:2304
      • C:\Windows\SysWOW64\cmd.exe
        "cmd.exe" /C chcp 65001 && netsh wlan show profile | findstr All
        3⤵
        • System Location Discovery: System Language Discovery
        • System Network Configuration Discovery: Wi-Fi Discovery
        • Suspicious use of WriteProcessMemory
        PID:1724
        • C:\Windows\SysWOW64\chcp.com
          chcp 65001
          4⤵
          • System Location Discovery: System Language Discovery
          PID:1740
        • C:\Windows\SysWOW64\netsh.exe
          netsh wlan show profile
          4⤵
          • Event Triggered Execution: Netsh Helper DLL
          • System Location Discovery: System Language Discovery
          • System Network Configuration Discovery: Wi-Fi Discovery
          PID:1984
        • C:\Windows\SysWOW64\findstr.exe
          findstr All
          4⤵
          • System Location Discovery: System Language Discovery
          PID:1972
      • C:\Windows\SysWOW64\cmd.exe
        "cmd.exe" /C chcp 65001 && netsh wlan show networks mode=bssid
        3⤵
        • System Location Discovery: System Language Discovery
        • Suspicious use of WriteProcessMemory
        PID:2872
        • C:\Windows\SysWOW64\chcp.com
          chcp 65001
          4⤵
          • System Location Discovery: System Language Discovery
          PID:2836
        • C:\Windows\SysWOW64\netsh.exe
          netsh wlan show networks mode=bssid
          4⤵
          • Event Triggered Execution: Netsh Helper DLL
          • System Location Discovery: System Language Discovery
          PID:3016
    • C:\Users\Admin\AppData\LocalIxzqApCJ_q.exe
      "C:\Users\Admin\AppData\LocalIxzqApCJ_q.exe"
      2⤵
      • Executes dropped EXE
      • System Location Discovery: System Language Discovery
      PID:1564

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\AppData\LocalIxzqApCJ_q.exe
    Filesize

    684KB

    MD5

    5272af9180ef3c65c8137eb8a22b6115

    SHA1

    64b70bc690a39f0a6f9e2ef3b38345047ebbc44f

    SHA256

    0b8b1d961c54991269efcfb1472eea3609f8fc415937c873cf614780d59b2da7

    SHA512

    66263b0b3e85f377dc6b66662fb5cea23d2487fae0d35bc32968dd12e72c9a16925716ee13c7b44fb26371291ecacaa1f04df522262db186bede9f8b3d6e61ef

    Download Submit

  • C:\Users\Admin\AppData\LocalWceiaSCNvc.exe
    Filesize

    170KB

    MD5

    b9f6fd7922374399afdaffe496141a14

    SHA1

    bfcb2058efc283bf942d4a5dc6c22bf7762992ff

    SHA256

    55124459b145d79593dd1b6db2be7ccee7ca6df9643a20d398cf53d690a908c7

    SHA512

    60db5c1baa61bd4f8c5354c8168f221c1c052ab0f249febfa05e28763228b80978065a8c57d8d530098514c51745a2d56798e8f0c4e1c6890970eca00d7c2c3d

    Download Submit

  • C:\Users\Admin\AppData\Local\d2a705d62e0ea7e9741c3061b549ff86\msgid.dat
    Filesize

    1B

    MD5

    cfcd208495d565ef66e7dff9f98764da

    SHA1

    b6589fc6ab0dc82cf12099d1c2d40ab994e8410c

    SHA256

    5feceb66ffc86f38d952786c6d696c79c2dbc239dd4e91b46729d73a27fb57e9

    SHA512

    31bca02094eb78126a517b206a88c73cfa9ec6f704c7030d18212cace820f025f00bf0ea68dbf3f3a5436ca63b53bf7bf80ad8d5de7d8359d0b7fed9dbc3ab99

    Download Submit

  • C:\Users\Admin\AppData\Local\e01fa2b916e0e1663bda90e6b57169e8\Admin@CCJBVTGQ_en-US\Browsers\Firefox\Bookmarks.txt
    Filesize

    105B

    MD5

    2e9d094dda5cdc3ce6519f75943a4ff4

    SHA1

    5d989b4ac8b699781681fe75ed9ef98191a5096c

    SHA256

    c84c98bbf5e0ef9c8d0708b5d60c5bb656b7d6be5135d7f7a8d25557e08cf142

    SHA512

    d1f7eed00959e902bdb2125b91721460d3ff99f3bdfc1f2a343d4f58e8d4e5e5a06c0c6cdc0379211c94510f7c00d7a8b34fa7d0ca0c3d54cbbe878f1e9812b7

    Download Submit

  • memory/2304-14-0x0000000073E6E000-0x0000000073E6F000-memory.dmp

    Filesize

    4KB

    Download

  • memory/2304-15-0x0000000000E70000-0x0000000000EA0000-memory.dmp

    Filesize

    192KB

    Download

  • memory/2304-89-0x0000000073E6E000-0x0000000073E6F000-memory.dmp

    Filesize

    4KB

    Download

  • memory/2600-0-0x000007FEF56EE000-0x000007FEF56EF000-memory.dmp

    Filesize

    4KB

    Download

  • memory/2600-2-0x000007FEF5430000-0x000007FEF5DCD000-memory.dmp

    Filesize

    9.6MB

    Download

  • memory/2600-13-0x000007FEF5430000-0x000007FEF5DCD000-memory.dmp

    Filesize

    9.6MB

    Download

  • memory/2600-16-0x000007FEF5430000-0x000007FEF5DCD000-memory.dmp

    Filesize

    9.6MB

    Download