asyncrat | 1c9f4869c446e6e1e3c562631b1a10210294a7dd1367b4a58450b1a949e873e9

General

Target

vfdjo.exe
Size

35KB
MD5

a03f28f2c0bf87d438a28e815d4b458a
SHA1

60627893ce5e918c9b3dbe146f1b577f630129b5
SHA256

1c9f4869c446e6e1e3c562631b1a10210294a7dd1367b4a58450b1a949e873e9
SHA512

7ee6455f78cca337042521d024cdd4a54903e0b2276588b400fc9043354df28ca9cf0c9244028656c2e5e44e9f4889288aaa72e6d4ddb101380fb24d95727738
SSDEEP

768:deBwuYH/uhx4yQF1F5e2nTesOhCZC3JtdkrDNxHloAnOT+k0uvN:dwwV2IfjeOOhCkmBlS+knN

Score

10^/10

asyncrat stormkitty discovery rat stealer

Malware Config

Signatures

AsyncRat
AsyncRAT is designed to remotely monitor and control other computers written in C#.
rat asyncrat
Asyncrat family
asyncrat
StormKitty
StormKitty is an open source info stealer written in C#.
stealer stormkitty

StormKitty payload 5 IoCs

resource	yara_rule
behavioral1/memory/2820-28-0x0000000000400000-0x0000000000704000-memory.dmp	family_stormkitty
behavioral1/memory/2820-22-0x0000000000400000-0x0000000000704000-memory.dmp	family_stormkitty
behavioral1/memory/2820-24-0x0000000000400000-0x0000000000704000-memory.dmp	family_stormkitty
behavioral1/memory/2820-21-0x0000000000400000-0x0000000000704000-memory.dmp	family_stormkitty
behavioral1/memory/2820-26-0x0000000000400000-0x0000000000704000-memory.dmp	family_stormkitty

Stormkitty family
stormkitty
Downloads MZ/PE file
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 2436 set thread context of 2820	2436	vfdjo.exe	35

System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cvtres.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	RegAsm.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	vfdjo.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	csc.exe

Suspicious behavior: EnumeratesProcesses 37 IoCs

pid	Process
2436	vfdjo.exe
2436	vfdjo.exe
2820	RegAsm.exe
2820	RegAsm.exe
2820	RegAsm.exe
2820	RegAsm.exe
2820	RegAsm.exe
2820	RegAsm.exe
2820	RegAsm.exe
2820	RegAsm.exe
2820	RegAsm.exe
2820	RegAsm.exe
2820	RegAsm.exe
2820	RegAsm.exe
2820	RegAsm.exe
2820	RegAsm.exe
2820	RegAsm.exe
2820	RegAsm.exe
2820	RegAsm.exe
2820	RegAsm.exe
2820	RegAsm.exe
2820	RegAsm.exe
2820	RegAsm.exe
2820	RegAsm.exe
2820	RegAsm.exe
2820	RegAsm.exe
2820	RegAsm.exe
2820	RegAsm.exe
2820	RegAsm.exe
2820	RegAsm.exe
2820	RegAsm.exe
2820	RegAsm.exe
2820	RegAsm.exe
2820	RegAsm.exe
2820	RegAsm.exe
2820	RegAsm.exe
2820	RegAsm.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	2436	vfdjo.exe
Token: SeDebugPrivilege	2820	RegAsm.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
2820	RegAsm.exe

Suspicious use of WriteProcessMemory 27 IoCs

description	pid	Process	procid_target
PID 2436 wrote to memory of 2712	2436	vfdjo.exe	31
PID 2436 wrote to memory of 2712	2436	vfdjo.exe	31
PID 2436 wrote to memory of 2712	2436	vfdjo.exe	31
PID 2436 wrote to memory of 2712	2436	vfdjo.exe	31
PID 2712 wrote to memory of 2716	2712	csc.exe	33
PID 2712 wrote to memory of 2716	2712	csc.exe	33
PID 2712 wrote to memory of 2716	2712	csc.exe	33
PID 2712 wrote to memory of 2716	2712	csc.exe	33
PID 2436 wrote to memory of 2900	2436	vfdjo.exe	34
PID 2436 wrote to memory of 2900	2436	vfdjo.exe	34
PID 2436 wrote to memory of 2900	2436	vfdjo.exe	34
PID 2436 wrote to memory of 2900	2436	vfdjo.exe	34
PID 2436 wrote to memory of 2900	2436	vfdjo.exe	34
PID 2436 wrote to memory of 2900	2436	vfdjo.exe	34
PID 2436 wrote to memory of 2900	2436	vfdjo.exe	34
PID 2436 wrote to memory of 2820	2436	vfdjo.exe	35
PID 2436 wrote to memory of 2820	2436	vfdjo.exe	35
PID 2436 wrote to memory of 2820	2436	vfdjo.exe	35
PID 2436 wrote to memory of 2820	2436	vfdjo.exe	35
PID 2436 wrote to memory of 2820	2436	vfdjo.exe	35
PID 2436 wrote to memory of 2820	2436	vfdjo.exe	35
PID 2436 wrote to memory of 2820	2436	vfdjo.exe	35
PID 2436 wrote to memory of 2820	2436	vfdjo.exe	35
PID 2436 wrote to memory of 2820	2436	vfdjo.exe	35
PID 2436 wrote to memory of 2820	2436	vfdjo.exe	35
PID 2436 wrote to memory of 2820	2436	vfdjo.exe	35
PID 2436 wrote to memory of 2820	2436	vfdjo.exe	35

C:\Users\Admin\AppData\Local\Temp\vfdjo.exe
"C:\Users\Admin\AppData\Local\Temp\vfdjo.exe"
1⤵
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2436
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe
  "C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\1j220sp1\1j220sp1.cmdline"
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2712
- - C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
    C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESE2D0.tmp" "c:\Users\Admin\AppData\Local\Temp\1j220sp1\CSC89864E8F5E54B61B36A9A3A30E04541.TMP"
    3⤵
    - System Location Discovery: System Language Discovery
    PID:2716
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
  "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
  2⤵
  PID:2900
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
  "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of SetWindowsHookEx
  PID:2820

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

1

T1012

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\1j220sp1\1j220sp1.dll

Filesize
9KB

MD5
5abb2db6328875b5fad07ba2a3a4f717

SHA1
af108ae9ea698bd09f2747a39832320f1f9b8354

SHA256
7df7def79be6b9612e1c015529532c34910c5241b8303d467fa97d60ac355831

SHA512
c46c4847150ce50221322e04004ad20a0757a0c5786f2551b5f149cc9671e4f9d1ab59921916eef7cbb61efed474d4ecb9dd0e4ea0a70aeaf34b204a3e286f5f

Download Submit
C:\Users\Admin\AppData\Local\Temp\CabFBEE.tmp

Filesize
70KB

MD5
49aebf8cbd62d92ac215b2923fb1b9f5

SHA1
1723be06719828dda65ad804298d0431f6aff976

SHA256
b33efcb95235b98b48508e019afa4b7655e80cf071defabd8b2123fc8b29307f

SHA512
bf86116b015fb56709516d686e168e7c9c68365136231cc51d0b6542ae95323a71d2c7acec84aad7dcecc2e410843f6d82a0a6d51b9acfc721a9c84fdd877b5b

Download Submit
C:\Users\Admin\AppData\Local\Temp\RESE2D0.tmp

Filesize
1KB

MD5
11f37cb4929d24c9be960c97123f53b5

SHA1
0982db0b583e2704f18ceaddf92a95084cba3f21

SHA256
71338e803a9f49b539e430f579488fec51b8ddb75975ad4a49aedee00caf494d

SHA512
dd6e7bd31d4262f66ea9a7be77b372da201a56348de99f8bf7fd23f0546effd23ce6919f29f9ba733b09d63568bfcd6e20cd687d11ef540e45a6541294e898db

Download Submit
C:\Users\Admin\AppData\Local\Temp\TarD2F.tmp

Filesize
181KB

MD5
4ea6026cf93ec6338144661bf1202cd1

SHA1
a1dec9044f750ad887935a01430bf49322fbdcb7

SHA256
8efbc21559ef8b1bcf526800d8070baad42474ce7198e26fa771dbb41a76b1d8

SHA512
6c7e0980e39aacf4c3689802353f464a08cd17753bd210ee997e5f2a455deb4f287a9ef74d84579dbde49bc96213cd2b8b247723919c412ea980aa6e6bfe218b

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\1j220sp1\1j220sp1.0.cs

Filesize
10KB

MD5
b5c3a2d03ff4c721192716f326c77dea

SHA1
6b754fd988ca58865674b711aba76d3c6b2c5693

SHA256
ab42fe5fd08cb87663e130f99f96124fdd37d825d081b9712b0bad8b6f270fac

SHA512
d32e5a98c12b6b85d1913555ea54f837cd0fc647ca945aef9d75ffade06506be1f4a2348827f11c4eeae0796e4156c8f352e3c0f9a6e2cdc93cb501bcdf2c248

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\1j220sp1\1j220sp1.cmdline

Filesize
204B

MD5
d11a3ad81fe5d35a7182dcd8338cb9b0

SHA1
5df4c17ab5a762b44aa39c89b0550ee3589d347c

SHA256
e432b79f0c257530b8920a8cbf3234ef865f9c1f783d1560d948ca9f55c0f8a5

SHA512
90d84cbf469e2ace94b83a8626f57c7e4ae55884c998810759fde4cb3e8c4272de4dc3940e6c17ce46ff4af42113df5d4e7e8c840ceeafdb3202c7753a7c6861

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\1j220sp1\CSC89864E8F5E54B61B36A9A3A30E04541.TMP

Filesize
652B

MD5
34afd90d38df5bb5862e3e495fa3535a

SHA1
b1c6fb2432a2e528ac16b3ff672cc8012154a7c7

SHA256
84b9f914469880057b887e6fbf0d8077ccba066f5bf544773b2b5921fe44db7e

SHA512
44fa549f2e7a7fd109e92b6a54a08b3108721d5a87981a3f9d3a46d00aa177a368fd714caf574d35a5e5d8248e6d84f257c1ac24ac93d7c6d0a64b497c5bf520

Download Submit
memory/2436-1-0x0000000001250000-0x0000000001260000-memory.dmp

Filesize
64KB

Download
memory/2436-5-0x00000000745B0000-0x0000000074C9E000-memory.dmp

Filesize
6.9MB

Download
memory/2436-15-0x0000000000390000-0x0000000000398000-memory.dmp

Filesize
32KB

Download
memory/2436-0-0x00000000745BE000-0x00000000745BF000-memory.dmp

Filesize
4KB

Download
memory/2436-29-0x00000000745B0000-0x0000000074C9E000-memory.dmp

Filesize
6.9MB

Download
memory/2820-28-0x0000000000400000-0x0000000000704000-memory.dmp

Filesize
3.0MB

Download
memory/2820-24-0x0000000000400000-0x0000000000704000-memory.dmp

Filesize
3.0MB

Download
memory/2820-23-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

Filesize
4KB

Download
memory/2820-21-0x0000000000400000-0x0000000000704000-memory.dmp

Filesize
3.0MB

Download
memory/2820-26-0x0000000000400000-0x0000000000704000-memory.dmp

Filesize
3.0MB

Download
memory/2820-17-0x0000000000400000-0x0000000000704000-memory.dmp

Filesize
3.0MB

Download
memory/2820-22-0x0000000000400000-0x0000000000704000-memory.dmp

Filesize
3.0MB

Download
memory/2820-19-0x0000000000400000-0x0000000000704000-memory.dmp

Filesize
3.0MB

Download

Analysis

Sharing