Overview

overview

10

Static

static

1

vfrcxq.ps1

windows7-x64

8

vfrcxq.ps1

windows10-2004-x64

10

Analysis

  • max time kernel
    92s
  • max time network
    149s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20241007-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
  • submitted
    01-01-2025 07:53

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    vfrcxq.ps1

  • Size

    1KB

  • MD5

    0cdc732f0ded614eb23c08213bcf1e04

  • SHA1

    0cbca39b7b1a0ec9b930c38c1c60d50feed74ee3

  • SHA256

    7e129f68ebb1e8730941dcf50344e256bd0e32f29cac0e641426b88a17e131c6

  • SHA512

    86c92258d18f25c97215c68cd4ef09b0c1433ea9de27c00247537ea8a7c187d4428b1cb151c785d5544f17da8ba9b138ef59efd3c7f7546240bf7ae5a5b29eb7

Score
10/10
asyncratstormkittydiscoveryexecutionratstealer

Malware Config

Signatures

  • AsyncRat

    AsyncRAT is designed to remotely monitor and control other computers written in C#.

    ratasyncrat
  • Asyncrat family
    asyncrat
  • StormKitty

    StormKitty is an open source info stealer written in C#.

    stealerstormkitty
  • StormKitty payload 1 IoCs
  • Stormkitty family
    stormkitty
  • Blocklisted process makes network request 1 IoCs
  • Downloads MZ/PE file
  • Checks installed software on the system 1 TTPs

    Looks up Uninstall key entries in the registry to enumerate software on the system.

    discovery
  • Suspicious use of SetThreadContext 1 IoCs
  • Command and Scripting Interpreter: PowerShell 1 TTPs 1 IoCs

    Using powershell.exe command.

    execution
  • System Location Discovery: System Language Discovery 1 TTPs 1 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

    discovery
  • Suspicious behavior: EnumeratesProcesses 5 IoCs
  • Suspicious use of AdjustPrivilegeToken 2 IoCs
  • Suspicious use of SetWindowsHookEx 1 IoCs
  • Suspicious use of WriteProcessMemory 12 IoCs

Processes

  • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell.exe -ExecutionPolicy bypass -File C:\Users\Admin\AppData\Local\Temp\vfrcxq.ps1
    1⤵
    • Blocklisted process makes network request
    • Suspicious use of SetThreadContext
    • Command and Scripting Interpreter: PowerShell
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:3132
    • C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
      "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\vomlmksk\vomlmksk.cmdline"
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:1136
      • C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe
        C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESAEBE.tmp" "c:\Users\Admin\AppData\Local\Temp\vomlmksk\CSCA04C0C6671184BC4B064F2DDF5A96A8.TMP"
        3⤵
          PID:3888
      • C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
        2⤵
        • System Location Discovery: System Language Discovery
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        • Suspicious use of SetWindowsHookEx
        PID:2556

    Network

    MITRE ATT&CK Enterprise v15

    Replay Monitor

    Loading Replay Monitor...

    Downloads

    • C:\Users\Admin\AppData\Local\Temp\RESAEBE.tmp
      Filesize

      1KB

      MD5

      86a0b85144d91022d42166db69568783

      SHA1

      3a48aa0d17484d3f659fd6a9b28e0dd2342ed818

      SHA256

      c1e23149147f38657494e833daaa77e1f4e4de52e177b79bb75a744bc773d518

      SHA512

      b647722455b44463c03c2b1b385e39224d79c179035d87431ba8961ff8431ecc1dbeb2d5facfbd9af442e17c48b81ccb14de34c5b812cddb34082b1326f51764

      Download Submit

    • C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_n3zzs20q.5oq.ps1
      Filesize

      60B

      MD5

      d17fe0a3f47be24a6453e9ef58c94641

      SHA1

      6ab83620379fc69f80c0242105ddffd7d98d5d9d

      SHA256

      96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

      SHA512

      5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

      Download Submit

    • C:\Users\Admin\AppData\Local\Temp\vomlmksk\vomlmksk.dll
      Filesize

      9KB

      MD5

      7909ba0edb338495b2d656f37bf9e7b1

      SHA1

      96e0222416d32ea2d573b8519bf400e1b886ecde

      SHA256

      ec1553650773852727c16b3c0666e5f4f510de7c7d944cfd580c15bf15b9063b

      SHA512

      cc89e825c1615db83b24976ef1f447297242edef33dcbde5b194bfc917eef7191c893ebb3a81e1eaaa58fbeb8594ce2a427b9f090dead160fb5b4d36b44123e4

      Download Submit

    • \??\c:\Users\Admin\AppData\Local\Temp\vomlmksk\CSCA04C0C6671184BC4B064F2DDF5A96A8.TMP
      Filesize

      652B

      MD5

      4aac1638463548b7519f168c78c0c7e1

      SHA1

      ee2077fb9a04d29cb7a522a38f8cba6de9bf18a8

      SHA256

      1fac6879fd1538d54d1ece3f6f8223796097a2509706d045fa5e32284ba8acd9

      SHA512

      0b67a49451e1f2ad3033049b2b11beebc07bb73a2e700bce1d34f3ae9006899e2d138634a50d12492cd10e03f23ec155c381c22dc67bf8c4e2b7178ea3088472

      Download Submit

    • \??\c:\Users\Admin\AppData\Local\Temp\vomlmksk\vomlmksk.0.cs
      Filesize

      10KB

      MD5

      b5c3a2d03ff4c721192716f326c77dea

      SHA1

      6b754fd988ca58865674b711aba76d3c6b2c5693

      SHA256

      ab42fe5fd08cb87663e130f99f96124fdd37d825d081b9712b0bad8b6f270fac

      SHA512

      d32e5a98c12b6b85d1913555ea54f837cd0fc647ca945aef9d75ffade06506be1f4a2348827f11c4eeae0796e4156c8f352e3c0f9a6e2cdc93cb501bcdf2c248

      Download Submit

    • \??\c:\Users\Admin\AppData\Local\Temp\vomlmksk\vomlmksk.cmdline
      Filesize

      204B

      MD5

      df14033fd5022cc4b0418427a4a7c940

      SHA1

      7a46fe5cfd86f9dab6c827ec098f018aadeda5b7

      SHA256

      2d6b73973133334567777bab98b0612d03a87e5f43fbcf0cde616a42fe338565

      SHA512

      46f3f017ea5be5047e0d521ef53f6deb3c3e047144cd065e8539d4406cff566bc99993fb9254732ea0010ea25d5fe6e8f16551786fc0b541adb96dd1182acdea

      Download Submit

    • memory/2556-33-0x0000000005AC0000-0x0000000005B52000-memory.dmp

      Filesize

      584KB

      Download

    • memory/2556-32-0x0000000005CB0000-0x0000000006254000-memory.dmp

      Filesize

      5.6MB

      Download

    • memory/2556-40-0x0000000006DC0000-0x0000000007114000-memory.dmp

      Filesize

      3.3MB

      Download

    • memory/2556-39-0x0000000006D90000-0x0000000006DB2000-memory.dmp

      Filesize

      136KB

      Download

    • memory/2556-38-0x0000000006A70000-0x0000000006AD6000-memory.dmp

      Filesize

      408KB

      Download

    • memory/2556-37-0x0000000006630000-0x00000000066CC000-memory.dmp

      Filesize

      624KB

      Download

    • memory/2556-28-0x0000000000400000-0x0000000000704000-memory.dmp

      Filesize

      3.0MB

      Download

    • memory/2556-34-0x00000000057F0000-0x00000000057FA000-memory.dmp

      Filesize

      40KB

      Download

    • memory/3132-1-0x000001D9B1370000-0x000001D9B1392000-memory.dmp

      Filesize

      136KB

      Download

    • memory/3132-0-0x00007FF8E8383000-0x00007FF8E8385000-memory.dmp

      Filesize

      8KB

      Download

    • memory/3132-31-0x00007FF8E8380000-0x00007FF8E8E41000-memory.dmp

      Filesize

      10.8MB

      Download

    • memory/3132-26-0x000001D9B13E0000-0x000001D9B13E8000-memory.dmp

      Filesize

      32KB

      Download

    • memory/3132-13-0x000001D9B13D0000-0x000001D9B13E0000-memory.dmp

      Filesize

      64KB

      Download

    • memory/3132-11-0x00007FF8E8380000-0x00007FF8E8E41000-memory.dmp

      Filesize

      10.8MB

      Download

    • memory/3132-12-0x00007FF8E8380000-0x00007FF8E8E41000-memory.dmp

      Filesize

      10.8MB

      Download