asyncrat | 1c9f4869c446e6e1e3c562631b1a10210294a7dd1367b4a58450b1a949e873e9

General

Target

1c9f4869c446e6e1e3c562631b1a10210294a7dd1367b4a58450b1a949e873e9.exe
Size

35KB
MD5

a03f28f2c0bf87d438a28e815d4b458a
SHA1

60627893ce5e918c9b3dbe146f1b577f630129b5
SHA256

1c9f4869c446e6e1e3c562631b1a10210294a7dd1367b4a58450b1a949e873e9
SHA512

7ee6455f78cca337042521d024cdd4a54903e0b2276588b400fc9043354df28ca9cf0c9244028656c2e5e44e9f4889288aaa72e6d4ddb101380fb24d95727738
SSDEEP

768:deBwuYH/uhx4yQF1F5e2nTesOhCZC3JtdkrDNxHloAnOT+k0uvN:dwwV2IfjeOOhCkmBlS+knN

Score

10^/10

asyncrat stormkitty discovery rat stealer

Malware Config

Signatures

AsyncRat
AsyncRAT is designed to remotely monitor and control other computers written in C#.
rat asyncrat
Asyncrat family
asyncrat
StormKitty
StormKitty is an open source info stealer written in C#.
stealer stormkitty

StormKitty payload 5 IoCs

resource	yara_rule
behavioral1/memory/3012-25-0x0000000000400000-0x0000000000704000-memory.dmp	family_stormkitty
behavioral1/memory/3012-27-0x0000000000400000-0x0000000000704000-memory.dmp	family_stormkitty
behavioral1/memory/3012-22-0x0000000000400000-0x0000000000704000-memory.dmp	family_stormkitty
behavioral1/memory/3012-20-0x0000000000400000-0x0000000000704000-memory.dmp	family_stormkitty
behavioral1/memory/3012-19-0x0000000000400000-0x0000000000704000-memory.dmp	family_stormkitty

Stormkitty family
stormkitty
Downloads MZ/PE file
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 1180 set thread context of 3012	1180	1c9f4869c446e6e1e3c562631b1a10210294a7dd1367b4a58450b1a949e873e9.exe	33

System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	1c9f4869c446e6e1e3c562631b1a10210294a7dd1367b4a58450b1a949e873e9.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	csc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cvtres.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	RegAsm.exe

Suspicious behavior: EnumeratesProcesses 33 IoCs

pid	Process
3012	RegAsm.exe
3012	RegAsm.exe
3012	RegAsm.exe
3012	RegAsm.exe
3012	RegAsm.exe
3012	RegAsm.exe
3012	RegAsm.exe
3012	RegAsm.exe
3012	RegAsm.exe
3012	RegAsm.exe
3012	RegAsm.exe
3012	RegAsm.exe
3012	RegAsm.exe
3012	RegAsm.exe
3012	RegAsm.exe
3012	RegAsm.exe
3012	RegAsm.exe
3012	RegAsm.exe
3012	RegAsm.exe
3012	RegAsm.exe
3012	RegAsm.exe
3012	RegAsm.exe
3012	RegAsm.exe
3012	RegAsm.exe
3012	RegAsm.exe
3012	RegAsm.exe
3012	RegAsm.exe
3012	RegAsm.exe
3012	RegAsm.exe
3012	RegAsm.exe
3012	RegAsm.exe
3012	RegAsm.exe
3012	RegAsm.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	1180	1c9f4869c446e6e1e3c562631b1a10210294a7dd1367b4a58450b1a949e873e9.exe
Token: SeDebugPrivilege	3012	RegAsm.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
3012	RegAsm.exe

Suspicious use of WriteProcessMemory 20 IoCs

description	pid	Process	procid_target
PID 1180 wrote to memory of 2800	1180	1c9f4869c446e6e1e3c562631b1a10210294a7dd1367b4a58450b1a949e873e9.exe	30
PID 1180 wrote to memory of 2800	1180	1c9f4869c446e6e1e3c562631b1a10210294a7dd1367b4a58450b1a949e873e9.exe	30
PID 1180 wrote to memory of 2800	1180	1c9f4869c446e6e1e3c562631b1a10210294a7dd1367b4a58450b1a949e873e9.exe	30
PID 1180 wrote to memory of 2800	1180	1c9f4869c446e6e1e3c562631b1a10210294a7dd1367b4a58450b1a949e873e9.exe	30
PID 2800 wrote to memory of 2804	2800	csc.exe	32
PID 2800 wrote to memory of 2804	2800	csc.exe	32
PID 2800 wrote to memory of 2804	2800	csc.exe	32
PID 2800 wrote to memory of 2804	2800	csc.exe	32
PID 1180 wrote to memory of 3012	1180	1c9f4869c446e6e1e3c562631b1a10210294a7dd1367b4a58450b1a949e873e9.exe	33
PID 1180 wrote to memory of 3012	1180	1c9f4869c446e6e1e3c562631b1a10210294a7dd1367b4a58450b1a949e873e9.exe	33
PID 1180 wrote to memory of 3012	1180	1c9f4869c446e6e1e3c562631b1a10210294a7dd1367b4a58450b1a949e873e9.exe	33
PID 1180 wrote to memory of 3012	1180	1c9f4869c446e6e1e3c562631b1a10210294a7dd1367b4a58450b1a949e873e9.exe	33
PID 1180 wrote to memory of 3012	1180	1c9f4869c446e6e1e3c562631b1a10210294a7dd1367b4a58450b1a949e873e9.exe	33
PID 1180 wrote to memory of 3012	1180	1c9f4869c446e6e1e3c562631b1a10210294a7dd1367b4a58450b1a949e873e9.exe	33
PID 1180 wrote to memory of 3012	1180	1c9f4869c446e6e1e3c562631b1a10210294a7dd1367b4a58450b1a949e873e9.exe	33
PID 1180 wrote to memory of 3012	1180	1c9f4869c446e6e1e3c562631b1a10210294a7dd1367b4a58450b1a949e873e9.exe	33
PID 1180 wrote to memory of 3012	1180	1c9f4869c446e6e1e3c562631b1a10210294a7dd1367b4a58450b1a949e873e9.exe	33
PID 1180 wrote to memory of 3012	1180	1c9f4869c446e6e1e3c562631b1a10210294a7dd1367b4a58450b1a949e873e9.exe	33
PID 1180 wrote to memory of 3012	1180	1c9f4869c446e6e1e3c562631b1a10210294a7dd1367b4a58450b1a949e873e9.exe	33
PID 1180 wrote to memory of 3012	1180	1c9f4869c446e6e1e3c562631b1a10210294a7dd1367b4a58450b1a949e873e9.exe	33

C:\Users\Admin\AppData\Local\Temp\1c9f4869c446e6e1e3c562631b1a10210294a7dd1367b4a58450b1a949e873e9.exe
"C:\Users\Admin\AppData\Local\Temp\1c9f4869c446e6e1e3c562631b1a10210294a7dd1367b4a58450b1a949e873e9.exe"
1⤵
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1180
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe
  "C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\wgtfuwpy\wgtfuwpy.cmdline"
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2800
- - C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
    C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES207C.tmp" "c:\Users\Admin\AppData\Local\Temp\wgtfuwpy\CSC47AF7C685DB14F058AE65ACEFB81C3D.TMP"
    3⤵
    - System Location Discovery: System Language Discovery
    PID:2804
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
  "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of SetWindowsHookEx
  PID:3012

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

1

T1012

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\Cab4194.tmp

Filesize
70KB

MD5
49aebf8cbd62d92ac215b2923fb1b9f5

SHA1
1723be06719828dda65ad804298d0431f6aff976

SHA256
b33efcb95235b98b48508e019afa4b7655e80cf071defabd8b2123fc8b29307f

SHA512
bf86116b015fb56709516d686e168e7c9c68365136231cc51d0b6542ae95323a71d2c7acec84aad7dcecc2e410843f6d82a0a6d51b9acfc721a9c84fdd877b5b

Download Submit
C:\Users\Admin\AppData\Local\Temp\RES207C.tmp

Filesize
1KB

MD5
60a1072ae5e86c84c5d51176a04797ac

SHA1
9b62e21c89bfc2bd4cf52dd0bf612f673b4b0eb9

SHA256
5b83879b9cfd0c69ab77735a03f515786342a893c852accf2bccb2d6bc58aedc

SHA512
2fe41b7f3d0cc989739a726e72248b4ae73228d8d9e04aa6c5e2767b0e5b2ee4dc18c0fbdb42005ce43cfff262dae51f1a86798884732b4027357c5f3b5a778f

Download Submit
C:\Users\Admin\AppData\Local\Temp\Tar5353.tmp

Filesize
181KB

MD5
4ea6026cf93ec6338144661bf1202cd1

SHA1
a1dec9044f750ad887935a01430bf49322fbdcb7

SHA256
8efbc21559ef8b1bcf526800d8070baad42474ce7198e26fa771dbb41a76b1d8

SHA512
6c7e0980e39aacf4c3689802353f464a08cd17753bd210ee997e5f2a455deb4f287a9ef74d84579dbde49bc96213cd2b8b247723919c412ea980aa6e6bfe218b

Download Submit
C:\Users\Admin\AppData\Local\Temp\wgtfuwpy\wgtfuwpy.dll

Filesize
9KB

MD5
44e73b79c59566429eb4a99854c912a5

SHA1
97240bd34b3afb642b7e8de615f4fa73beb35bbd

SHA256
c28d4db682e4c4270bb5896245fc6450034d11b1b9e543d1f84b25049806729c

SHA512
4a8b898d864eb15787b67eb2ff215973b70e4697923cc8fd7f8e15c5a41825b91b88fb1a3abee8e671394490ee0c012ce3e2f4b1038ab099d82d3d4f85b5e8f4

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\wgtfuwpy\CSC47AF7C685DB14F058AE65ACEFB81C3D.TMP

Filesize
652B

MD5
df77709622e41f95da89065e1921a9da

SHA1
591c8a9eee58fccbba87e7d13de73937de66775a

SHA256
4f93467af23aa209751decb036b6ed288932c923be6bb4da0830250f9b2c43c8

SHA512
04e7e51c6d2d33d5c3d9ead54f40c44e8a9ac48ac9b2ef61466905bde60b8c790c90c035b01e58a8077fbc7b22a5fe347b1124d8efca8be3154741f83b67b1e7

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\wgtfuwpy\wgtfuwpy.0.cs

Filesize
10KB

MD5
b5c3a2d03ff4c721192716f326c77dea

SHA1
6b754fd988ca58865674b711aba76d3c6b2c5693

SHA256
ab42fe5fd08cb87663e130f99f96124fdd37d825d081b9712b0bad8b6f270fac

SHA512
d32e5a98c12b6b85d1913555ea54f837cd0fc647ca945aef9d75ffade06506be1f4a2348827f11c4eeae0796e4156c8f352e3c0f9a6e2cdc93cb501bcdf2c248

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\wgtfuwpy\wgtfuwpy.cmdline

Filesize
204B

MD5
a14f0625160f15eb28cbcc9da34a586f

SHA1
55a1528ad929f43f79f54fcf52f90f5a8dac3549

SHA256
ed031073f0fabf580ef2b7c62819e2e91e5e16fe56e42c84556faf03ee55fefb

SHA512
27b01fef7a4e3055c4c0e5af1b4544b74119085db64020a3bd7fee6779a193b11982ecc2d08b051c000cbf96b14459677a51645ac933e9f8ad557c0d735cbea4

Download Submit
memory/1180-23-0x00000000742D0000-0x00000000749BE000-memory.dmp

Filesize
6.9MB

Download
memory/1180-1-0x0000000000380000-0x0000000000390000-memory.dmp

Filesize
64KB

Download
memory/1180-5-0x00000000742D0000-0x00000000749BE000-memory.dmp

Filesize
6.9MB

Download
memory/1180-15-0x00000000001E0000-0x00000000001E8000-memory.dmp

Filesize
32KB

Download
memory/1180-0-0x00000000742DE000-0x00000000742DF000-memory.dmp

Filesize
4KB

Download
memory/3012-25-0x0000000000400000-0x0000000000704000-memory.dmp

Filesize
3.0MB

Download
memory/3012-22-0x0000000000400000-0x0000000000704000-memory.dmp

Filesize
3.0MB

Download
memory/3012-21-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

Filesize
4KB

Download
memory/3012-20-0x0000000000400000-0x0000000000704000-memory.dmp

Filesize
3.0MB

Download
memory/3012-18-0x0000000000400000-0x0000000000704000-memory.dmp

Filesize
3.0MB

Download
memory/3012-19-0x0000000000400000-0x0000000000704000-memory.dmp

Filesize
3.0MB

Download
memory/3012-27-0x0000000000400000-0x0000000000704000-memory.dmp

Filesize
3.0MB

Download
memory/3012-17-0x0000000000400000-0x0000000000704000-memory.dmp

Filesize
3.0MB

Download

Analysis

Sharing