asyncrat | 2b07a75b74b701d95f6957416959df359f441e7455e933913208891f05c6c9e5

General

Target

rwvg1.exe
Size

34KB
MD5

671a477d299131351498b10922fa09d8
SHA1

1ea4a3836b473bc710f348fade6bb56848279649
SHA256

2b07a75b74b701d95f6957416959df359f441e7455e933913208891f05c6c9e5
SHA512

8a4ed69a50806d85d697ac85f57855b1e5a26e0d6282977f75d70823be10cf83490423a1228891230bd2c3359449719dd53c6401d1f64f5649c9d2974257a8fc
SSDEEP

768:LqI7tV7a1UqeBVYbCU/SReKbLZu7RupMx0AzgL4Vo2TUVd:G837eULG2U0XA0AzC4SrVd

Score

10^/10

asyncrat stormkitty discovery rat stealer

Malware Config

Signatures

AsyncRat
AsyncRAT is designed to remotely monitor and control other computers written in C#.
rat asyncrat
Asyncrat family
asyncrat
StormKitty
StormKitty is an open source info stealer written in C#.
stealer stormkitty

StormKitty payload 1 IoCs

resource	yara_rule
behavioral2/memory/1860-17-0x0000000000400000-0x0000000000704000-memory.dmp	family_stormkitty

Stormkitty family
stormkitty
Downloads MZ/PE file
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 2340 set thread context of 1860	2340	rwvg1.exe	86

System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	rwvg1.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	csc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cvtres.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	RegAsm.exe

Suspicious behavior: EnumeratesProcesses 3 IoCs

pid	Process
1860	RegAsm.exe
1860	RegAsm.exe
1860	RegAsm.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	2340	rwvg1.exe
Token: SeDebugPrivilege	1860	RegAsm.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
1860	RegAsm.exe

Suspicious use of WriteProcessMemory 14 IoCs

description	pid	Process	procid_target
PID 2340 wrote to memory of 3964	2340	rwvg1.exe	83
PID 2340 wrote to memory of 3964	2340	rwvg1.exe	83
PID 2340 wrote to memory of 3964	2340	rwvg1.exe	83
PID 3964 wrote to memory of 1840	3964	csc.exe	85
PID 3964 wrote to memory of 1840	3964	csc.exe	85
PID 3964 wrote to memory of 1840	3964	csc.exe	85
PID 2340 wrote to memory of 1860	2340	rwvg1.exe	86
PID 2340 wrote to memory of 1860	2340	rwvg1.exe	86
PID 2340 wrote to memory of 1860	2340	rwvg1.exe	86
PID 2340 wrote to memory of 1860	2340	rwvg1.exe	86
PID 2340 wrote to memory of 1860	2340	rwvg1.exe	86
PID 2340 wrote to memory of 1860	2340	rwvg1.exe	86
PID 2340 wrote to memory of 1860	2340	rwvg1.exe	86
PID 2340 wrote to memory of 1860	2340	rwvg1.exe	86

C:\Users\Admin\AppData\Local\Temp\rwvg1.exe
"C:\Users\Admin\AppData\Local\Temp\rwvg1.exe"
1⤵
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2340
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe
  "C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\q3tufsad\q3tufsad.cmdline"
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:3964
- - C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
    C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESAD86.tmp" "c:\Users\Admin\AppData\Local\Temp\q3tufsad\CSC884FD9823A71446F9B1A1539267C4EEE.TMP"
    3⤵
    - System Location Discovery: System Language Discovery
    PID:1840
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
  "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of SetWindowsHookEx
  PID:1860

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

1

T1012

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\RESAD86.tmp

Filesize
1KB

MD5
14026ecef2cefa70c61dfb5e0cb39ae2

SHA1
28f5fe4e5e152ed5fab4008be20cae3ac96e789a

SHA256
defdbcfa12d3de75ce8e063d567fa1e3ac3290024ad168c3a53e99c7327eba2d

SHA512
239970ec3b7f8fb4a62f28ac12d59baf9af45883e13c4b60095cdd3d5dfc49b5ee4870aac2fc188cdbac6328e78a47cfa72d6aa5435a96c1a9aff7cd4ab927f8

Download Submit
C:\Users\Admin\AppData\Local\Temp\q3tufsad\q3tufsad.dll

Filesize
9KB

MD5
a13c0391889731544af04877bc63d2ba

SHA1
2d43ea4c005e64d06d4562adbca54dbb051f7fe0

SHA256
f0c635273db43aaf1c6a1871e423f775e28b511a8f2d091d18e7985e7f4adf30

SHA512
bee22edd5976ef88be3ac9e682c0fc7801bafb1e7e7b878c3b10aa2b8c2a181e8b4ee69a39d1b298d1ad803d97f408dc07cb57c58192d93fea4019ce4fe1140c

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\q3tufsad\CSC884FD9823A71446F9B1A1539267C4EEE.TMP

Filesize
652B

MD5
bbee78745909be0d7cd2d50d8c692ce9

SHA1
c49c56c3dfba0a690d67d16875ca5a4874dacdc9

SHA256
a80a91ebdc7ab9ac99eb75793c548308854f92b4738dd025f7de9fe4ba530045

SHA512
2e95b4dff30125be617ff8887800e1d13534af0bb0495bd92a00c05f40c824c9cef3123e1297df452e4fdae4ab3aa8a5f649e3c04f18efe2e2f0ffc6ec8fc581

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\q3tufsad\q3tufsad.0.cs

Filesize
10KB

MD5
3fa79decff8805745cea8116d9bb2643

SHA1
92343c5fa2c768b964ae3a4e9136e5d7193e8558

SHA256
e6852a401b53a7af04d57aa1e4fc9621e3dffc1221534142316a27ae67e8f89c

SHA512
5c2879e59fa6609e6e87f70c5237b250a906bf7dd13a343dac9e81635b1fc91ad9374e643a306b99503c52ce9bd56554a64aa132584c732d43ee39fb17305d78

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\q3tufsad\q3tufsad.cmdline

Filesize
204B

MD5
0a1843f54b5b4f2f394ee47a11eca0fc

SHA1
4bfc4991689106d730f55c52b8a75ab4c85b3f5e

SHA256
b55b246c83f42ef1ab02c4ac6cab8ab3580cc5f04b91d6112cd6519ff3af67ca

SHA512
6538ae99f1d4a43863029a874d4675545032a508293695f4ab98e52c2e6a028af0ad41c17c061ff3be35b8b06fa79d535ea8f8d674b9cf100c4fb411c8074622

Download Submit
memory/1860-21-0x0000000005AA0000-0x0000000006044000-memory.dmp

Filesize
5.6MB

Download
memory/1860-32-0x00000000079C0000-0x0000000007A36000-memory.dmp

Filesize
472KB

Download
memory/1860-36-0x0000000074830000-0x0000000074FE0000-memory.dmp

Filesize
7.7MB

Download
memory/1860-35-0x0000000074830000-0x0000000074FE0000-memory.dmp

Filesize
7.7MB

Download
memory/1860-17-0x0000000000400000-0x0000000000704000-memory.dmp

Filesize
3.0MB

Download
memory/1860-20-0x0000000074830000-0x0000000074FE0000-memory.dmp

Filesize
7.7MB

Download
memory/1860-34-0x0000000074830000-0x0000000074FE0000-memory.dmp

Filesize
7.7MB

Download
memory/1860-33-0x0000000007A60000-0x0000000007A7E000-memory.dmp

Filesize
120KB

Download
memory/1860-22-0x0000000074830000-0x0000000074FE0000-memory.dmp

Filesize
7.7MB

Download
memory/1860-23-0x00000000059C0000-0x0000000005A52000-memory.dmp

Filesize
584KB

Download
memory/1860-24-0x0000000005930000-0x000000000593A000-memory.dmp

Filesize
40KB

Download
memory/1860-28-0x0000000006A40000-0x0000000006AA6000-memory.dmp

Filesize
408KB

Download
memory/1860-27-0x00000000069A0000-0x0000000006A3C000-memory.dmp

Filesize
624KB

Download
memory/1860-29-0x0000000074830000-0x0000000074FE0000-memory.dmp

Filesize
7.7MB

Download
memory/1860-30-0x0000000006E00000-0x0000000006E22000-memory.dmp

Filesize
136KB

Download
memory/1860-31-0x0000000006E30000-0x0000000007184000-memory.dmp

Filesize
3.3MB

Download
memory/2340-15-0x0000000004BF0000-0x0000000004BF8000-memory.dmp

Filesize
32KB

Download
memory/2340-0-0x000000007483E000-0x000000007483F000-memory.dmp

Filesize
4KB

Download
memory/2340-19-0x0000000074830000-0x0000000074FE0000-memory.dmp

Filesize
7.7MB

Download
memory/2340-1-0x00000000002F0000-0x00000000002FE000-memory.dmp

Filesize
56KB

Download
memory/2340-5-0x0000000074830000-0x0000000074FE0000-memory.dmp

Filesize
7.7MB

Download

Analysis

Sharing