asyncrat | 1c9f4869c446e6e1e3c562631b1a10210294a7dd1367b4a58450b1a949e873e9

General

Target

vfdjo.exe
Size

35KB
MD5

a03f28f2c0bf87d438a28e815d4b458a
SHA1

60627893ce5e918c9b3dbe146f1b577f630129b5
SHA256

1c9f4869c446e6e1e3c562631b1a10210294a7dd1367b4a58450b1a949e873e9
SHA512

7ee6455f78cca337042521d024cdd4a54903e0b2276588b400fc9043354df28ca9cf0c9244028656c2e5e44e9f4889288aaa72e6d4ddb101380fb24d95727738
SSDEEP

768:deBwuYH/uhx4yQF1F5e2nTesOhCZC3JtdkrDNxHloAnOT+k0uvN:dwwV2IfjeOOhCkmBlS+knN

Score

10^/10

asyncrat stormkitty venomrat discovery rat stealer

Malware Config

Signatures

AsyncRat
AsyncRAT is designed to remotely monitor and control other computers written in C#.
rat asyncrat
Asyncrat family
asyncrat
StormKitty
StormKitty is an open source info stealer written in C#.
stealer stormkitty

StormKitty payload 1 IoCs

resource	yara_rule
behavioral2/memory/4904-17-0x0000000000400000-0x0000000000704000-memory.dmp	family_stormkitty

Stormkitty family
stormkitty

VenomRAT 1 IoCs

Detects VenomRAT.

rat

resource	yara_rule
behavioral2/memory/4904-17-0x0000000000400000-0x0000000000704000-memory.dmp	VenomRAT

Venomrat family
venomrat
Downloads MZ/PE file
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 2664 set thread context of 4904	2664	vfdjo.exe	87

System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	RegAsm.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	vfdjo.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	csc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cvtres.exe

Suspicious behavior: EnumeratesProcesses 3 IoCs

pid	Process
4904	RegAsm.exe
4904	RegAsm.exe
4904	RegAsm.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	2664	vfdjo.exe
Token: SeDebugPrivilege	4904	RegAsm.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
4904	RegAsm.exe

Suspicious use of WriteProcessMemory 14 IoCs

description	pid	Process	procid_target
PID 2664 wrote to memory of 5004	2664	vfdjo.exe	84
PID 2664 wrote to memory of 5004	2664	vfdjo.exe	84
PID 2664 wrote to memory of 5004	2664	vfdjo.exe	84
PID 5004 wrote to memory of 988	5004	csc.exe	86
PID 5004 wrote to memory of 988	5004	csc.exe	86
PID 5004 wrote to memory of 988	5004	csc.exe	86
PID 2664 wrote to memory of 4904	2664	vfdjo.exe	87
PID 2664 wrote to memory of 4904	2664	vfdjo.exe	87
PID 2664 wrote to memory of 4904	2664	vfdjo.exe	87
PID 2664 wrote to memory of 4904	2664	vfdjo.exe	87
PID 2664 wrote to memory of 4904	2664	vfdjo.exe	87
PID 2664 wrote to memory of 4904	2664	vfdjo.exe	87
PID 2664 wrote to memory of 4904	2664	vfdjo.exe	87
PID 2664 wrote to memory of 4904	2664	vfdjo.exe	87

C:\Users\Admin\AppData\Local\Temp\vfdjo.exe
"C:\Users\Admin\AppData\Local\Temp\vfdjo.exe"
1⤵
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2664
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe
  "C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\h4ifb4jx\h4ifb4jx.cmdline"
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:5004
- - C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
    C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES85D9.tmp" "c:\Users\Admin\AppData\Local\Temp\h4ifb4jx\CSCD2F348C0A5F649FB874CAB47D4DF5F26.TMP"
    3⤵
    - System Location Discovery: System Language Discovery
    PID:988
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
  "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of SetWindowsHookEx
  PID:4904

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

1

T1012

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\RES85D9.tmp

Filesize
1KB

MD5
cb4feba08d9334bf7700dfc445a9cfa7

SHA1
9d57c12b66067d279e49c665be3695f60c79f604

SHA256
0181394a2ab735f33eb2dbd79c52498c923ed47f53c7c22d384bd3f94c820630

SHA512
c380a182a64ffc6f0f56e8c60bc14d7c3e27a6af38dc99e07263b2aa61b95c80044e1f5d3c738bdbfcad4a0fb7b8182a1301ddeb62d14f7f86a5be712d1f4f68

Download Submit
C:\Users\Admin\AppData\Local\Temp\h4ifb4jx\h4ifb4jx.dll

Filesize
9KB

MD5
7389320492deed3673869da282144c69

SHA1
5c54b281e7427f0fd866925b56fcaa2190fcea06

SHA256
ebb55eccbbe123235a6ce4e3a6ce9e004a4ca3641fdcc3e5cef3aa408a04e9bd

SHA512
526a19c3874f121ee9952ab99cb9b39dd9ed4396b6251841e0041925dcc7917582722d7eca868cf12f2e2bc09790925d21550f784a13e8ec2aeb80c8dff93e4f

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\h4ifb4jx\CSCD2F348C0A5F649FB874CAB47D4DF5F26.TMP

Filesize
652B

MD5
ffcfac7f78bedd83fac8a9313673677a

SHA1
e8aced7c16eaf3a4ef249e7a410c9760701bff9a

SHA256
b056b13557bf3e148328b78a81e2af72acdac0e3f14db2f94db061983608b4fe

SHA512
dc8f6bac2263791a8f3132f19d52195dbdd84697f662af0ccf6ff849fb63b9af0f70f51b1e4488128a6e0d72043fa0767e21e8e65f12d97f3675608f53d15f1e

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\h4ifb4jx\h4ifb4jx.0.cs

Filesize
10KB

MD5
b5c3a2d03ff4c721192716f326c77dea

SHA1
6b754fd988ca58865674b711aba76d3c6b2c5693

SHA256
ab42fe5fd08cb87663e130f99f96124fdd37d825d081b9712b0bad8b6f270fac

SHA512
d32e5a98c12b6b85d1913555ea54f837cd0fc647ca945aef9d75ffade06506be1f4a2348827f11c4eeae0796e4156c8f352e3c0f9a6e2cdc93cb501bcdf2c248

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\h4ifb4jx\h4ifb4jx.cmdline

Filesize
204B

MD5
cbebcfe9e146a4b19a43cb75ccad6712

SHA1
0b8708f57da36bbb76d6b4377ac7c72883b4432f

SHA256
ba093314ff564f7bf547037a8033fa7d915086c11474caf0928197308a08f69c

SHA512
e8d819215e66f96b9af134c5a7ebca811f0b7c8286ff8e88326533df7128da9d796c47371d4d66e22865ac060b67b9d29f48c5a8f32b768c43b4ec28ac8f8008

Download Submit
memory/2664-19-0x0000000074F90000-0x0000000075740000-memory.dmp

Filesize
7.7MB

Download
memory/2664-1-0x0000000000260000-0x0000000000270000-memory.dmp

Filesize
64KB

Download
memory/2664-5-0x0000000074F90000-0x0000000075740000-memory.dmp

Filesize
7.7MB

Download
memory/2664-15-0x0000000004B40000-0x0000000004B48000-memory.dmp

Filesize
32KB

Download
memory/2664-0-0x0000000074F9E000-0x0000000074F9F000-memory.dmp

Filesize
4KB

Download
memory/4904-21-0x0000000005940000-0x0000000005EE4000-memory.dmp

Filesize
5.6MB

Download
memory/4904-28-0x0000000006680000-0x00000000066E6000-memory.dmp

Filesize
408KB

Download
memory/4904-17-0x0000000000400000-0x0000000000704000-memory.dmp

Filesize
3.0MB

Download
memory/4904-22-0x0000000074F90000-0x0000000075740000-memory.dmp

Filesize
7.7MB

Download
memory/4904-23-0x0000000005730000-0x00000000057C2000-memory.dmp

Filesize
584KB

Download
memory/4904-24-0x00000000056B0000-0x00000000056BA000-memory.dmp

Filesize
40KB

Download
memory/4904-27-0x00000000065E0000-0x000000000667C000-memory.dmp

Filesize
624KB

Download
memory/4904-20-0x0000000074F90000-0x0000000075740000-memory.dmp

Filesize
7.7MB

Download
memory/4904-29-0x0000000074F90000-0x0000000075740000-memory.dmp

Filesize
7.7MB

Download
memory/4904-30-0x0000000006A40000-0x0000000006A62000-memory.dmp

Filesize
136KB

Download
memory/4904-31-0x0000000006A70000-0x0000000006DC4000-memory.dmp

Filesize
3.3MB

Download
memory/4904-32-0x0000000074F90000-0x0000000075740000-memory.dmp

Filesize
7.7MB

Download
memory/4904-33-0x0000000074F90000-0x0000000075740000-memory.dmp

Filesize
7.7MB

Download
memory/4904-34-0x0000000074F90000-0x0000000075740000-memory.dmp

Filesize
7.7MB

Download

Analysis

Sharing