asyncrat | 2b07a75b74b701d95f6957416959df359f441e7455e933913208891f05c6c9e5

General

Target

rwvg1.exe
Size

34KB
MD5

671a477d299131351498b10922fa09d8
SHA1

1ea4a3836b473bc710f348fade6bb56848279649
SHA256

2b07a75b74b701d95f6957416959df359f441e7455e933913208891f05c6c9e5
SHA512

8a4ed69a50806d85d697ac85f57855b1e5a26e0d6282977f75d70823be10cf83490423a1228891230bd2c3359449719dd53c6401d1f64f5649c9d2974257a8fc
SSDEEP

768:LqI7tV7a1UqeBVYbCU/SReKbLZu7RupMx0AzgL4Vo2TUVd:G837eULG2U0XA0AzC4SrVd

Score

10^/10

asyncrat stormkitty venomrat discovery rat stealer

Malware Config

Signatures

AsyncRat
AsyncRAT is designed to remotely monitor and control other computers written in C#.
rat asyncrat
Asyncrat family
asyncrat
StormKitty
StormKitty is an open source info stealer written in C#.
stealer stormkitty

StormKitty payload 5 IoCs

resource	yara_rule
behavioral1/memory/2612-30-0x0000000000400000-0x0000000000704000-memory.dmp	family_stormkitty
behavioral1/memory/2612-28-0x0000000000400000-0x0000000000704000-memory.dmp	family_stormkitty
behavioral1/memory/2612-26-0x0000000000400000-0x0000000000704000-memory.dmp	family_stormkitty
behavioral1/memory/2612-23-0x0000000000400000-0x0000000000704000-memory.dmp	family_stormkitty
behavioral1/memory/2612-21-0x0000000000400000-0x0000000000704000-memory.dmp	family_stormkitty

Stormkitty family
stormkitty

VenomRAT 5 IoCs

Detects VenomRAT.

rat

resource	yara_rule
behavioral1/memory/2612-30-0x0000000000400000-0x0000000000704000-memory.dmp	VenomRAT
behavioral1/memory/2612-28-0x0000000000400000-0x0000000000704000-memory.dmp	VenomRAT
behavioral1/memory/2612-26-0x0000000000400000-0x0000000000704000-memory.dmp	VenomRAT
behavioral1/memory/2612-23-0x0000000000400000-0x0000000000704000-memory.dmp	VenomRAT
behavioral1/memory/2612-21-0x0000000000400000-0x0000000000704000-memory.dmp	VenomRAT

Venomrat family
venomrat
Downloads MZ/PE file
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 2068 set thread context of 2612	2068	rwvg1.exe	34

System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cvtres.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	RegAsm.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	rwvg1.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	csc.exe

Suspicious behavior: EnumeratesProcesses 20 IoCs

pid	Process
2612	RegAsm.exe
2612	RegAsm.exe
2612	RegAsm.exe
2612	RegAsm.exe
2612	RegAsm.exe
2612	RegAsm.exe
2612	RegAsm.exe
2612	RegAsm.exe
2612	RegAsm.exe
2612	RegAsm.exe
2612	RegAsm.exe
2612	RegAsm.exe
2612	RegAsm.exe
2612	RegAsm.exe
2612	RegAsm.exe
2612	RegAsm.exe
2612	RegAsm.exe
2612	RegAsm.exe
2612	RegAsm.exe
2612	RegAsm.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	2068	rwvg1.exe
Token: SeDebugPrivilege	2612	RegAsm.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
2612	RegAsm.exe

Suspicious use of WriteProcessMemory 20 IoCs

description	pid	Process	procid_target
PID 2068 wrote to memory of 2980	2068	rwvg1.exe	30
PID 2068 wrote to memory of 2980	2068	rwvg1.exe	30
PID 2068 wrote to memory of 2980	2068	rwvg1.exe	30
PID 2068 wrote to memory of 2980	2068	rwvg1.exe	30
PID 2980 wrote to memory of 1280	2980	csc.exe	32
PID 2980 wrote to memory of 1280	2980	csc.exe	32
PID 2980 wrote to memory of 1280	2980	csc.exe	32
PID 2980 wrote to memory of 1280	2980	csc.exe	32
PID 2068 wrote to memory of 2612	2068	rwvg1.exe	34
PID 2068 wrote to memory of 2612	2068	rwvg1.exe	34
PID 2068 wrote to memory of 2612	2068	rwvg1.exe	34
PID 2068 wrote to memory of 2612	2068	rwvg1.exe	34
PID 2068 wrote to memory of 2612	2068	rwvg1.exe	34
PID 2068 wrote to memory of 2612	2068	rwvg1.exe	34
PID 2068 wrote to memory of 2612	2068	rwvg1.exe	34
PID 2068 wrote to memory of 2612	2068	rwvg1.exe	34
PID 2068 wrote to memory of 2612	2068	rwvg1.exe	34
PID 2068 wrote to memory of 2612	2068	rwvg1.exe	34
PID 2068 wrote to memory of 2612	2068	rwvg1.exe	34
PID 2068 wrote to memory of 2612	2068	rwvg1.exe	34

C:\Users\Admin\AppData\Local\Temp\rwvg1.exe
"C:\Users\Admin\AppData\Local\Temp\rwvg1.exe"
1⤵
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2068
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe
  "C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\ojyf4uil\ojyf4uil.cmdline"
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2980
- - C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
    C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESC4F4.tmp" "c:\Users\Admin\AppData\Local\Temp\ojyf4uil\CSCB321A3E3CA864C41BA339059EC5AEA3A.TMP"
    3⤵
    - System Location Discovery: System Language Discovery
    PID:1280
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
  "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of SetWindowsHookEx
  PID:2612

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

1

T1012

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\CabBF8A.tmp

Filesize
70KB

MD5
49aebf8cbd62d92ac215b2923fb1b9f5

SHA1
1723be06719828dda65ad804298d0431f6aff976

SHA256
b33efcb95235b98b48508e019afa4b7655e80cf071defabd8b2123fc8b29307f

SHA512
bf86116b015fb56709516d686e168e7c9c68365136231cc51d0b6542ae95323a71d2c7acec84aad7dcecc2e410843f6d82a0a6d51b9acfc721a9c84fdd877b5b

Download Submit
C:\Users\Admin\AppData\Local\Temp\RESC4F4.tmp

Filesize
1KB

MD5
b9aa874b23e2d5b3564762fe825b2a75

SHA1
fea9494e6e68f010192c25baa0add7d6e7b7241b

SHA256
098c1942ac3c11be89de2cedbc7dc02d3cffb5c57e2c70f672310f12d14e5fa2

SHA512
e0d5f69efad814e74abf63cb95a46904e9a4625ae95fdd909d2413341a8fa946b1c0cf63489766c46a55a1466d8d930d1ef5dca221060e5c0de7724678a7004a

Download Submit
C:\Users\Admin\AppData\Local\Temp\TarD148.tmp

Filesize
181KB

MD5
4ea6026cf93ec6338144661bf1202cd1

SHA1
a1dec9044f750ad887935a01430bf49322fbdcb7

SHA256
8efbc21559ef8b1bcf526800d8070baad42474ce7198e26fa771dbb41a76b1d8

SHA512
6c7e0980e39aacf4c3689802353f464a08cd17753bd210ee997e5f2a455deb4f287a9ef74d84579dbde49bc96213cd2b8b247723919c412ea980aa6e6bfe218b

Download Submit
C:\Users\Admin\AppData\Local\Temp\ojyf4uil\ojyf4uil.dll

Filesize
9KB

MD5
8cf216cc975570b49e9ccddb38e2fa7c

SHA1
7e60e0b8a4a3d95292f068a8d9621d846e6cfa3e

SHA256
7d3679f784e526de5c06652b33fdeaba9b6eaaf5cf8efb94d10e3df64492d370

SHA512
b427f501df2315cc303d1559db5b220e8cda10c60ad126839bad8068ee97dddc8fd79c098228415f288afc62014a92c01a9cb3cc8ba5e4e44ca3d88dae2c56dd

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\ojyf4uil\CSCB321A3E3CA864C41BA339059EC5AEA3A.TMP

Filesize
652B

MD5
2d0ad140099691194bf87698770dd1fd

SHA1
74f98efce8ac65e537baffcc39ec3e5954a7952f

SHA256
36111103cc489ba437c83e5681716cbf954a5e6af19f3b92fb14cc176388bc93

SHA512
78c3d6cc9b9d5c532583a08a49e12b8c7dbb393490c8ba5111220281ee9cc05de2efbc81a8fa2fd1f7cd1bb1d0e08aca09dc7f9295209f5182bf91df2738cdc2

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\ojyf4uil\ojyf4uil.0.cs

Filesize
10KB

MD5
3fa79decff8805745cea8116d9bb2643

SHA1
92343c5fa2c768b964ae3a4e9136e5d7193e8558

SHA256
e6852a401b53a7af04d57aa1e4fc9621e3dffc1221534142316a27ae67e8f89c

SHA512
5c2879e59fa6609e6e87f70c5237b250a906bf7dd13a343dac9e81635b1fc91ad9374e643a306b99503c52ce9bd56554a64aa132584c732d43ee39fb17305d78

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\ojyf4uil\ojyf4uil.cmdline

Filesize
204B

MD5
e48d04b29041338e936b1e0ed9203965

SHA1
5976626adcc3f5bdc4e2b1f980de6a40c58f268c

SHA256
10f3e20a821444c8f51fb3c8bfe555f6a6625e4cab0f394ae22ca2bcbcc29106

SHA512
32e092b0879adcc6a1d57c187a69dc13fa733f5e525148b38078b926e09c098d74d589654331fea0b5ec91616963a8a26d255750d5b8cc410c856f5eb9e19713

Download Submit
memory/2068-18-0x0000000074400000-0x0000000074AEE000-memory.dmp

Filesize
6.9MB

Download
memory/2068-15-0x0000000000340000-0x0000000000348000-memory.dmp

Filesize
32KB

Download
memory/2068-17-0x000000007440E000-0x000000007440F000-memory.dmp

Filesize
4KB

Download
memory/2068-0-0x000000007440E000-0x000000007440F000-memory.dmp

Filesize
4KB

Download
memory/2068-1-0x0000000000F30000-0x0000000000F3E000-memory.dmp

Filesize
56KB

Download
memory/2068-31-0x0000000074400000-0x0000000074AEE000-memory.dmp

Filesize
6.9MB

Download
memory/2068-5-0x0000000074400000-0x0000000074AEE000-memory.dmp

Filesize
6.9MB

Download
memory/2612-28-0x0000000000400000-0x0000000000704000-memory.dmp

Filesize
3.0MB

Download
memory/2612-26-0x0000000000400000-0x0000000000704000-memory.dmp

Filesize
3.0MB

Download
memory/2612-23-0x0000000000400000-0x0000000000704000-memory.dmp

Filesize
3.0MB

Download
memory/2612-21-0x0000000000400000-0x0000000000704000-memory.dmp

Filesize
3.0MB

Download
memory/2612-19-0x0000000000400000-0x0000000000704000-memory.dmp

Filesize
3.0MB

Download
memory/2612-20-0x0000000000400000-0x0000000000704000-memory.dmp

Filesize
3.0MB

Download
memory/2612-30-0x0000000000400000-0x0000000000704000-memory.dmp

Filesize
3.0MB

Download
memory/2612-25-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

Filesize
4KB

Download

Analysis

Sharing