asyncrat | 1c9f4869c446e6e1e3c562631b1a10210294a7dd1367b4a58450b1a949e873e9

General

Target

1c9f4869c446e6e1e3c562631b1a10210294a7dd1367b4a58450b1a949e873e9.exe
Size

35KB
MD5

a03f28f2c0bf87d438a28e815d4b458a
SHA1

60627893ce5e918c9b3dbe146f1b577f630129b5
SHA256

1c9f4869c446e6e1e3c562631b1a10210294a7dd1367b4a58450b1a949e873e9
SHA512

7ee6455f78cca337042521d024cdd4a54903e0b2276588b400fc9043354df28ca9cf0c9244028656c2e5e44e9f4889288aaa72e6d4ddb101380fb24d95727738
SSDEEP

768:deBwuYH/uhx4yQF1F5e2nTesOhCZC3JtdkrDNxHloAnOT+k0uvN:dwwV2IfjeOOhCkmBlS+knN

Score

10^/10

asyncrat stormkitty discovery rat stealer

Malware Config

Signatures

AsyncRat
AsyncRAT is designed to remotely monitor and control other computers written in C#.
rat asyncrat
Asyncrat family
asyncrat
StormKitty
StormKitty is an open source info stealer written in C#.
stealer stormkitty

StormKitty payload 1 IoCs

resource	yara_rule
behavioral2/memory/2116-17-0x0000000000400000-0x0000000000704000-memory.dmp	family_stormkitty

Stormkitty family
stormkitty
Downloads MZ/PE file
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 3284 set thread context of 2116	3284	1c9f4869c446e6e1e3c562631b1a10210294a7dd1367b4a58450b1a949e873e9.exe	88

System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	1c9f4869c446e6e1e3c562631b1a10210294a7dd1367b4a58450b1a949e873e9.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	csc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cvtres.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	RegAsm.exe

Suspicious behavior: EnumeratesProcesses 5 IoCs

pid	Process
3284	1c9f4869c446e6e1e3c562631b1a10210294a7dd1367b4a58450b1a949e873e9.exe
3284	1c9f4869c446e6e1e3c562631b1a10210294a7dd1367b4a58450b1a949e873e9.exe
2116	RegAsm.exe
2116	RegAsm.exe
2116	RegAsm.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	3284	1c9f4869c446e6e1e3c562631b1a10210294a7dd1367b4a58450b1a949e873e9.exe
Token: SeDebugPrivilege	2116	RegAsm.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
2116	RegAsm.exe

Suspicious use of WriteProcessMemory 17 IoCs

description	pid	Process	procid_target
PID 3284 wrote to memory of 3340	3284	1c9f4869c446e6e1e3c562631b1a10210294a7dd1367b4a58450b1a949e873e9.exe	83
PID 3284 wrote to memory of 3340	3284	1c9f4869c446e6e1e3c562631b1a10210294a7dd1367b4a58450b1a949e873e9.exe	83
PID 3284 wrote to memory of 3340	3284	1c9f4869c446e6e1e3c562631b1a10210294a7dd1367b4a58450b1a949e873e9.exe	83
PID 3340 wrote to memory of 3972	3340	csc.exe	85
PID 3340 wrote to memory of 3972	3340	csc.exe	85
PID 3340 wrote to memory of 3972	3340	csc.exe	85
PID 3284 wrote to memory of 4984	3284	1c9f4869c446e6e1e3c562631b1a10210294a7dd1367b4a58450b1a949e873e9.exe	87
PID 3284 wrote to memory of 4984	3284	1c9f4869c446e6e1e3c562631b1a10210294a7dd1367b4a58450b1a949e873e9.exe	87
PID 3284 wrote to memory of 4984	3284	1c9f4869c446e6e1e3c562631b1a10210294a7dd1367b4a58450b1a949e873e9.exe	87
PID 3284 wrote to memory of 2116	3284	1c9f4869c446e6e1e3c562631b1a10210294a7dd1367b4a58450b1a949e873e9.exe	88
PID 3284 wrote to memory of 2116	3284	1c9f4869c446e6e1e3c562631b1a10210294a7dd1367b4a58450b1a949e873e9.exe	88
PID 3284 wrote to memory of 2116	3284	1c9f4869c446e6e1e3c562631b1a10210294a7dd1367b4a58450b1a949e873e9.exe	88
PID 3284 wrote to memory of 2116	3284	1c9f4869c446e6e1e3c562631b1a10210294a7dd1367b4a58450b1a949e873e9.exe	88
PID 3284 wrote to memory of 2116	3284	1c9f4869c446e6e1e3c562631b1a10210294a7dd1367b4a58450b1a949e873e9.exe	88
PID 3284 wrote to memory of 2116	3284	1c9f4869c446e6e1e3c562631b1a10210294a7dd1367b4a58450b1a949e873e9.exe	88
PID 3284 wrote to memory of 2116	3284	1c9f4869c446e6e1e3c562631b1a10210294a7dd1367b4a58450b1a949e873e9.exe	88
PID 3284 wrote to memory of 2116	3284	1c9f4869c446e6e1e3c562631b1a10210294a7dd1367b4a58450b1a949e873e9.exe	88

C:\Users\Admin\AppData\Local\Temp\1c9f4869c446e6e1e3c562631b1a10210294a7dd1367b4a58450b1a949e873e9.exe
"C:\Users\Admin\AppData\Local\Temp\1c9f4869c446e6e1e3c562631b1a10210294a7dd1367b4a58450b1a949e873e9.exe"
1⤵
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3284
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe
  "C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\5axxusya\5axxusya.cmdline"
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:3340
- - C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
    C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES8ED2.tmp" "c:\Users\Admin\AppData\Local\Temp\5axxusya\CSC3BF74D1CCF794CECB2F8607A8FC55BD5.TMP"
    3⤵
    - System Location Discovery: System Language Discovery
    PID:3972
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
  "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
  2⤵
  PID:4984
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
  "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of SetWindowsHookEx
  PID:2116

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

1

T1012

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\5axxusya\5axxusya.dll

Filesize
9KB

MD5
83e694e2c3453039a407bc96479dc479

SHA1
abf4b4cbb95bafe164ed0b43085447d240ba351c

SHA256
8254aa27307c1aeb27e39747e63e6fee796d85344af3774dc457a865cddac306

SHA512
2b10e1d584388add6cf4ed6c257df94550027f4e5d11817b2ba8d043d5da1f25fe6891bb58b4a8e09d411a8e10130c42d7f0ee4f9cfdf15567eb3d8d91fe0624

Download Submit
C:\Users\Admin\AppData\Local\Temp\RES8ED2.tmp

Filesize
1KB

MD5
7a84f71f3934fc738b2cd4d46e0b3b8a

SHA1
bfacd08742f43afb868c25fe8ea728cf58241b3f

SHA256
4c80859727bf37e415b4dd76d03002588b003322f8f6d8e5dffaabada443baca

SHA512
3b70031dcff0f77faff08f2b8c9a76ac01668c39dc8043a9d3af689ddc3fed67639e9092585a69b3b5493b732e3956d7eea068e7654429b3f5df84c9bc7d0e5c

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\5axxusya\5axxusya.0.cs

Filesize
10KB

MD5
b5c3a2d03ff4c721192716f326c77dea

SHA1
6b754fd988ca58865674b711aba76d3c6b2c5693

SHA256
ab42fe5fd08cb87663e130f99f96124fdd37d825d081b9712b0bad8b6f270fac

SHA512
d32e5a98c12b6b85d1913555ea54f837cd0fc647ca945aef9d75ffade06506be1f4a2348827f11c4eeae0796e4156c8f352e3c0f9a6e2cdc93cb501bcdf2c248

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\5axxusya\5axxusya.cmdline

Filesize
204B

MD5
1f99cbad879fac48039c987ef7a6b94f

SHA1
7894640392bfb2eddfca15b6abe30fe3607545ac

SHA256
0208e4c91c281cc5ca75918b185cc3d47bcf17601db2e798317f18edcf084f0e

SHA512
31dd192366ba59d2e695d93902f48d06c734e2ac28e5e0d66b6dbc1083c4a9cad50acca3115e5888b4fbfd859f3ad30d4080123ca34019a82cb9de5262755164

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\5axxusya\CSC3BF74D1CCF794CECB2F8607A8FC55BD5.TMP

Filesize
652B

MD5
1e178a90012ac41f8e1182d1584e4997

SHA1
9b9ef11e22bfcb64f89518176d1f7468eed39391

SHA256
049d4f87d18a82e63f18c39e8956219bf9544766165cccfe6631c51fe521a6bb

SHA512
a95db88d21fda2a1512322a495a085e3dc6e17b79af2b454332c75391a45245d749e12faa61d67b86c9d4dbd3f821396947a824caf1bde75b6559f377e20def4

Download Submit
memory/2116-20-0x00000000751E0000-0x0000000075990000-memory.dmp

Filesize
7.7MB

Download
memory/2116-29-0x0000000006910000-0x0000000006932000-memory.dmp

Filesize
136KB

Download
memory/2116-32-0x00000000751E0000-0x0000000075990000-memory.dmp

Filesize
7.7MB

Download
memory/2116-31-0x00000000751E0000-0x0000000075990000-memory.dmp

Filesize
7.7MB

Download
memory/2116-17-0x0000000000400000-0x0000000000704000-memory.dmp

Filesize
3.0MB

Download
memory/2116-30-0x0000000006940000-0x0000000006C94000-memory.dmp

Filesize
3.3MB

Download
memory/2116-28-0x00000000061B0000-0x0000000006216000-memory.dmp

Filesize
408KB

Download
memory/2116-21-0x00000000057A0000-0x0000000005D44000-memory.dmp

Filesize
5.6MB

Download
memory/2116-22-0x00000000751E0000-0x0000000075990000-memory.dmp

Filesize
7.7MB

Download
memory/2116-23-0x00000000055E0000-0x0000000005672000-memory.dmp

Filesize
584KB

Download
memory/2116-24-0x0000000005270000-0x000000000527A000-memory.dmp

Filesize
40KB

Download
memory/2116-27-0x0000000006580000-0x000000000661C000-memory.dmp

Filesize
624KB

Download
memory/3284-19-0x00000000751E0000-0x0000000075990000-memory.dmp

Filesize
7.7MB

Download
memory/3284-5-0x00000000751E0000-0x0000000075990000-memory.dmp

Filesize
7.7MB

Download
memory/3284-0-0x00000000751EE000-0x00000000751EF000-memory.dmp

Filesize
4KB

Download
memory/3284-15-0x0000000002D60000-0x0000000002D68000-memory.dmp

Filesize
32KB

Download
memory/3284-1-0x0000000000BD0000-0x0000000000BE0000-memory.dmp

Filesize
64KB

Download

Analysis

Sharing