asyncrat | 1c9f4869c446e6e1e3c562631b1a10210294a7dd1367b4a58450b1a949e873e9

General

Target

vfdjo.exe
Size

35KB
MD5

a03f28f2c0bf87d438a28e815d4b458a
SHA1

60627893ce5e918c9b3dbe146f1b577f630129b5
SHA256

1c9f4869c446e6e1e3c562631b1a10210294a7dd1367b4a58450b1a949e873e9
SHA512

7ee6455f78cca337042521d024cdd4a54903e0b2276588b400fc9043354df28ca9cf0c9244028656c2e5e44e9f4889288aaa72e6d4ddb101380fb24d95727738
SSDEEP

768:deBwuYH/uhx4yQF1F5e2nTesOhCZC3JtdkrDNxHloAnOT+k0uvN:dwwV2IfjeOOhCkmBlS+knN

Score

10^/10

asyncrat stormkitty discovery rat stealer

Malware Config

Signatures

AsyncRat
AsyncRAT is designed to remotely monitor and control other computers written in C#.
rat asyncrat
Asyncrat family
asyncrat
StormKitty
StormKitty is an open source info stealer written in C#.
stealer stormkitty

StormKitty payload 1 IoCs

resource	yara_rule
behavioral2/memory/2168-17-0x0000000000400000-0x0000000000704000-memory.dmp	family_stormkitty

Stormkitty family
stormkitty
Downloads MZ/PE file
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 912 set thread context of 2168	912	vfdjo.exe	85

System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	RegAsm.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	vfdjo.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	csc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cvtres.exe

Suspicious behavior: EnumeratesProcesses 3 IoCs

pid	Process
2168	RegAsm.exe
2168	RegAsm.exe
2168	RegAsm.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	912	vfdjo.exe
Token: SeDebugPrivilege	2168	RegAsm.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
2168	RegAsm.exe

Suspicious use of WriteProcessMemory 14 IoCs

description	pid	Process	procid_target
PID 912 wrote to memory of 2412	912	vfdjo.exe	82
PID 912 wrote to memory of 2412	912	vfdjo.exe	82
PID 912 wrote to memory of 2412	912	vfdjo.exe	82
PID 2412 wrote to memory of 1048	2412	csc.exe	84
PID 2412 wrote to memory of 1048	2412	csc.exe	84
PID 2412 wrote to memory of 1048	2412	csc.exe	84
PID 912 wrote to memory of 2168	912	vfdjo.exe	85
PID 912 wrote to memory of 2168	912	vfdjo.exe	85
PID 912 wrote to memory of 2168	912	vfdjo.exe	85
PID 912 wrote to memory of 2168	912	vfdjo.exe	85
PID 912 wrote to memory of 2168	912	vfdjo.exe	85
PID 912 wrote to memory of 2168	912	vfdjo.exe	85
PID 912 wrote to memory of 2168	912	vfdjo.exe	85
PID 912 wrote to memory of 2168	912	vfdjo.exe	85

C:\Users\Admin\AppData\Local\Temp\vfdjo.exe
"C:\Users\Admin\AppData\Local\Temp\vfdjo.exe"
1⤵
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:912
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe
  "C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\c4rogpjw\c4rogpjw.cmdline"
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2412
- - C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
    C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES9B07.tmp" "c:\Users\Admin\AppData\Local\Temp\c4rogpjw\CSC652932419185486AB2E6CCF067BCD3D.TMP"
    3⤵
    - System Location Discovery: System Language Discovery
    PID:1048
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
  "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of SetWindowsHookEx
  PID:2168

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

1

T1012

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\RES9B07.tmp

Filesize
1KB

MD5
2170285237a59c2e26bdcba33cf8d24b

SHA1
ff677a5d7e286aadfc47171382ba2e0b2479f040

SHA256
f78adae748cd5b266510fb41d03d2bd7dd77f8faf1eb23be6478f60d4ce83afe

SHA512
61f5d159efa7acd557d662bf4ec9459111f1d86941d088d893fbe7479b1e0013782708b044739ec0d8dc4df5f4871a53b6bdda17632ae5a9e1853fd35dcecfb6

Download Submit
C:\Users\Admin\AppData\Local\Temp\c4rogpjw\c4rogpjw.dll

Filesize
9KB

MD5
29e49449aaa7e8d2b2d74f7d97eea51d

SHA1
6b1ff76b462cc5a54475ca017404d5d91637f2b9

SHA256
e35459123e73a3cc5c11cb766c540b6c5f926886a990f6a5a2df7390451af9fc

SHA512
8397ac406ecb46819ad9b85f60d7862f418b3f2d318ecd0207ccfcda93c4a6d22668ff366f5587f5230636aa600514dcb2e8e9779178cd1421571b284c1df15e

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\c4rogpjw\CSC652932419185486AB2E6CCF067BCD3D.TMP

Filesize
652B

MD5
786c72190a5aa231636d05340553989b

SHA1
6071e15766c273c36a3cc2cdb4972d548213bc08

SHA256
2395f8bd89318d4e79541b7572368ad41d54e73a914c3b4757adc99f4b8377b2

SHA512
548e90541a0953025b182ff122faf7389d60f48fe2b191f8eae2d6523e174595503162040ee5f15616f20c4a7c6bec24703783d4bc97b784dd5c318ed04c2b1b

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\c4rogpjw\c4rogpjw.0.cs

Filesize
10KB

MD5
b5c3a2d03ff4c721192716f326c77dea

SHA1
6b754fd988ca58865674b711aba76d3c6b2c5693

SHA256
ab42fe5fd08cb87663e130f99f96124fdd37d825d081b9712b0bad8b6f270fac

SHA512
d32e5a98c12b6b85d1913555ea54f837cd0fc647ca945aef9d75ffade06506be1f4a2348827f11c4eeae0796e4156c8f352e3c0f9a6e2cdc93cb501bcdf2c248

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\c4rogpjw\c4rogpjw.cmdline

Filesize
204B

MD5
960c44561826b21036131020541d9bec

SHA1
a16c44e9ba26879686cfe750656d8205e92cb4ca

SHA256
5af7adc5681e32d163f889051aeaa76be7c98c07fc77f21c44feca12b1f8a889

SHA512
91631277bd09c06ba438a49251820d56243c28fa6b40e51c9d002bdf68e3cffb0f25720f879860a3ef9e5fa37ce3421cca1c9d322057025d4bbb1e652c6691e9

Download Submit
memory/912-19-0x00000000745D0000-0x0000000074D80000-memory.dmp

Filesize
7.7MB

Download
memory/912-1-0x00000000001F0000-0x0000000000200000-memory.dmp

Filesize
64KB

Download
memory/912-5-0x00000000745D0000-0x0000000074D80000-memory.dmp

Filesize
7.7MB

Download
memory/912-15-0x0000000004AF0000-0x0000000004AF8000-memory.dmp

Filesize
32KB

Download
memory/912-0-0x00000000745DE000-0x00000000745DF000-memory.dmp

Filesize
4KB

Download
memory/2168-21-0x0000000005940000-0x0000000005EE4000-memory.dmp

Filesize
5.6MB

Download
memory/2168-28-0x0000000006960000-0x00000000069C6000-memory.dmp

Filesize
408KB

Download
memory/2168-17-0x0000000000400000-0x0000000000704000-memory.dmp

Filesize
3.0MB

Download
memory/2168-22-0x00000000745D0000-0x0000000074D80000-memory.dmp

Filesize
7.7MB

Download
memory/2168-23-0x0000000005840000-0x00000000058D2000-memory.dmp

Filesize
584KB

Download
memory/2168-24-0x0000000005800000-0x000000000580A000-memory.dmp

Filesize
40KB

Download
memory/2168-27-0x00000000068C0000-0x000000000695C000-memory.dmp

Filesize
624KB

Download
memory/2168-20-0x00000000745D0000-0x0000000074D80000-memory.dmp

Filesize
7.7MB

Download
memory/2168-29-0x00000000745D0000-0x0000000074D80000-memory.dmp

Filesize
7.7MB

Download
memory/2168-30-0x0000000006CD0000-0x0000000006CF2000-memory.dmp

Filesize
136KB

Download
memory/2168-31-0x0000000006D00000-0x0000000007054000-memory.dmp

Filesize
3.3MB

Download
memory/2168-32-0x00000000745D0000-0x0000000074D80000-memory.dmp

Filesize
7.7MB

Download
memory/2168-33-0x00000000745D0000-0x0000000074D80000-memory.dmp

Filesize
7.7MB

Download
memory/2168-34-0x00000000745D0000-0x0000000074D80000-memory.dmp

Filesize
7.7MB

Download

Analysis

Sharing