asyncrat | 2b07a75b74b701d95f6957416959df359f441e7455e933913208891f05c6c9e5

General

Target

rwvg1.exe
Size

34KB
MD5

671a477d299131351498b10922fa09d8
SHA1

1ea4a3836b473bc710f348fade6bb56848279649
SHA256

2b07a75b74b701d95f6957416959df359f441e7455e933913208891f05c6c9e5
SHA512

8a4ed69a50806d85d697ac85f57855b1e5a26e0d6282977f75d70823be10cf83490423a1228891230bd2c3359449719dd53c6401d1f64f5649c9d2974257a8fc
SSDEEP

768:LqI7tV7a1UqeBVYbCU/SReKbLZu7RupMx0AzgL4Vo2TUVd:G837eULG2U0XA0AzC4SrVd

Score

10^/10

asyncrat stormkitty discovery rat stealer

Malware Config

Signatures

AsyncRat
AsyncRAT is designed to remotely monitor and control other computers written in C#.
rat asyncrat
Asyncrat family
asyncrat
StormKitty
StormKitty is an open source info stealer written in C#.
stealer stormkitty

StormKitty payload 5 IoCs

resource	yara_rule
behavioral1/memory/2828-22-0x0000000000400000-0x0000000000704000-memory.dmp	family_stormkitty
behavioral1/memory/2828-20-0x0000000000400000-0x0000000000704000-memory.dmp	family_stormkitty
behavioral1/memory/2828-19-0x0000000000400000-0x0000000000704000-memory.dmp	family_stormkitty
behavioral1/memory/2828-26-0x0000000000400000-0x0000000000704000-memory.dmp	family_stormkitty
behavioral1/memory/2828-24-0x0000000000400000-0x0000000000704000-memory.dmp	family_stormkitty

Stormkitty family
stormkitty
Downloads MZ/PE file
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 2584 set thread context of 2828	2584	rwvg1.exe	34

System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	rwvg1.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	csc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cvtres.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	RegAsm.exe

Suspicious behavior: EnumeratesProcesses 35 IoCs

pid	Process
2828	RegAsm.exe
2828	RegAsm.exe
2828	RegAsm.exe
2828	RegAsm.exe
2828	RegAsm.exe
2828	RegAsm.exe
2828	RegAsm.exe
2828	RegAsm.exe
2828	RegAsm.exe
2828	RegAsm.exe
2828	RegAsm.exe
2828	RegAsm.exe
2828	RegAsm.exe
2828	RegAsm.exe
2828	RegAsm.exe
2828	RegAsm.exe
2828	RegAsm.exe
2828	RegAsm.exe
2828	RegAsm.exe
2828	RegAsm.exe
2828	RegAsm.exe
2828	RegAsm.exe
2828	RegAsm.exe
2828	RegAsm.exe
2828	RegAsm.exe
2828	RegAsm.exe
2828	RegAsm.exe
2828	RegAsm.exe
2828	RegAsm.exe
2828	RegAsm.exe
2828	RegAsm.exe
2828	RegAsm.exe
2828	RegAsm.exe
2828	RegAsm.exe
2828	RegAsm.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	2584	rwvg1.exe
Token: SeDebugPrivilege	2828	RegAsm.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
2828	RegAsm.exe

Suspicious use of WriteProcessMemory 20 IoCs

description	pid	Process	procid_target
PID 2584 wrote to memory of 2200	2584	rwvg1.exe	31
PID 2584 wrote to memory of 2200	2584	rwvg1.exe	31
PID 2584 wrote to memory of 2200	2584	rwvg1.exe	31
PID 2584 wrote to memory of 2200	2584	rwvg1.exe	31
PID 2200 wrote to memory of 2548	2200	csc.exe	33
PID 2200 wrote to memory of 2548	2200	csc.exe	33
PID 2200 wrote to memory of 2548	2200	csc.exe	33
PID 2200 wrote to memory of 2548	2200	csc.exe	33
PID 2584 wrote to memory of 2828	2584	rwvg1.exe	34
PID 2584 wrote to memory of 2828	2584	rwvg1.exe	34
PID 2584 wrote to memory of 2828	2584	rwvg1.exe	34
PID 2584 wrote to memory of 2828	2584	rwvg1.exe	34
PID 2584 wrote to memory of 2828	2584	rwvg1.exe	34
PID 2584 wrote to memory of 2828	2584	rwvg1.exe	34
PID 2584 wrote to memory of 2828	2584	rwvg1.exe	34
PID 2584 wrote to memory of 2828	2584	rwvg1.exe	34
PID 2584 wrote to memory of 2828	2584	rwvg1.exe	34
PID 2584 wrote to memory of 2828	2584	rwvg1.exe	34
PID 2584 wrote to memory of 2828	2584	rwvg1.exe	34
PID 2584 wrote to memory of 2828	2584	rwvg1.exe	34

C:\Users\Admin\AppData\Local\Temp\rwvg1.exe
"C:\Users\Admin\AppData\Local\Temp\rwvg1.exe"
1⤵
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2584
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe
  "C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\mx0gok3g\mx0gok3g.cmdline"
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2200
- - C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
    C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESCFFC.tmp" "c:\Users\Admin\AppData\Local\Temp\mx0gok3g\CSCB9F55AC895A24BD081664C9594858A9F.TMP"
    3⤵
    - System Location Discovery: System Language Discovery
    PID:2548
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
  "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of SetWindowsHookEx
  PID:2828

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

1

T1012

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\CabEB3B.tmp

Filesize
70KB

MD5
49aebf8cbd62d92ac215b2923fb1b9f5

SHA1
1723be06719828dda65ad804298d0431f6aff976

SHA256
b33efcb95235b98b48508e019afa4b7655e80cf071defabd8b2123fc8b29307f

SHA512
bf86116b015fb56709516d686e168e7c9c68365136231cc51d0b6542ae95323a71d2c7acec84aad7dcecc2e410843f6d82a0a6d51b9acfc721a9c84fdd877b5b

Download Submit
C:\Users\Admin\AppData\Local\Temp\RESCFFC.tmp

Filesize
1KB

MD5
2ca081d87f9ebcaa857c718712b98782

SHA1
8c95585067515bea7f42e31873c8cb083e48fd6e

SHA256
ea0fd2d1ee5a6bd192f2008a42166b739c99a76dee92950446fc04dde98290d4

SHA512
d982917e80db84c9271b4d80cc8ebbd757c3be7ed14793a74361ed7bc255d5e2bb57f68e771312e057892a0f7efa709f307164b6411411c61333a6d0b8f4e082

Download Submit
C:\Users\Admin\AppData\Local\Temp\TarFCBB.tmp

Filesize
181KB

MD5
4ea6026cf93ec6338144661bf1202cd1

SHA1
a1dec9044f750ad887935a01430bf49322fbdcb7

SHA256
8efbc21559ef8b1bcf526800d8070baad42474ce7198e26fa771dbb41a76b1d8

SHA512
6c7e0980e39aacf4c3689802353f464a08cd17753bd210ee997e5f2a455deb4f287a9ef74d84579dbde49bc96213cd2b8b247723919c412ea980aa6e6bfe218b

Download Submit
C:\Users\Admin\AppData\Local\Temp\mx0gok3g\mx0gok3g.dll

Filesize
9KB

MD5
65d0dfe4c8ad8710d20ff946117ef615

SHA1
5f38cf86e35bf401fe8bcd16df5b750e1fd087f5

SHA256
851e6afcaf839b49f2c9ea9642e18af036e1c88899d3d86e624ff3a19e55fd6e

SHA512
c01aa846105f85630418f5d1349fee9c542ecf13b819e2f4ac792a5681cbf56366a7c3ab01a601b6c7103ffe2d48248de8946841d5d84b1d33003e22017df989

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\mx0gok3g\CSCB9F55AC895A24BD081664C9594858A9F.TMP

Filesize
652B

MD5
c79994be95bdcbb98ce4cfe01c1ee8dd

SHA1
f0071f102676f3eb456492b95065925c25b2aea6

SHA256
0d619db5db6666d69624a61098d7f55fe5587587dc34a4a0499f2ea03aad2bf9

SHA512
2b2badd8b56a5a5097034cc45644a4b2b1cb852006441d10b0fbd44f8e7580758c03bcd3d1a0f7fec761e53db7d69d19bb9fd4a5bb5795387d9bf622f055d6bc

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\mx0gok3g\mx0gok3g.0.cs

Filesize
10KB

MD5
3fa79decff8805745cea8116d9bb2643

SHA1
92343c5fa2c768b964ae3a4e9136e5d7193e8558

SHA256
e6852a401b53a7af04d57aa1e4fc9621e3dffc1221534142316a27ae67e8f89c

SHA512
5c2879e59fa6609e6e87f70c5237b250a906bf7dd13a343dac9e81635b1fc91ad9374e643a306b99503c52ce9bd56554a64aa132584c732d43ee39fb17305d78

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\mx0gok3g\mx0gok3g.cmdline

Filesize
204B

MD5
fb071d14a1a3ee5df508110cc286ab16

SHA1
38761f6da12fa897627608fb3278036470247b21

SHA256
6c49adf800ebef7a922c03b07ba6df41833da26628d32e3062c533d2968b289c

SHA512
7be0ada79961b51a5fa95d6d3ebb16d2a45eec9160cdc2d6716f9194e63ae5d2568af474d1ce1c1a4eec50ea429945f0963b59bce191645e4aa51726c13ee072

Download Submit
memory/2584-27-0x0000000074360000-0x0000000074A4E000-memory.dmp

Filesize
6.9MB

Download
memory/2584-1-0x0000000000220000-0x000000000022E000-memory.dmp

Filesize
56KB

Download
memory/2584-5-0x0000000074360000-0x0000000074A4E000-memory.dmp

Filesize
6.9MB

Download
memory/2584-15-0x00000000002A0000-0x00000000002A8000-memory.dmp

Filesize
32KB

Download
memory/2584-0-0x000000007436E000-0x000000007436F000-memory.dmp

Filesize
4KB

Download
memory/2828-18-0x0000000000400000-0x0000000000704000-memory.dmp

Filesize
3.0MB

Download
memory/2828-20-0x0000000000400000-0x0000000000704000-memory.dmp

Filesize
3.0MB

Download
memory/2828-19-0x0000000000400000-0x0000000000704000-memory.dmp

Filesize
3.0MB

Download
memory/2828-26-0x0000000000400000-0x0000000000704000-memory.dmp

Filesize
3.0MB

Download
memory/2828-21-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

Filesize
4KB

Download
memory/2828-24-0x0000000000400000-0x0000000000704000-memory.dmp

Filesize
3.0MB

Download
memory/2828-22-0x0000000000400000-0x0000000000704000-memory.dmp

Filesize
3.0MB

Download
memory/2828-17-0x0000000000400000-0x0000000000704000-memory.dmp

Filesize
3.0MB

Download

Analysis

Sharing