asyncrat | 2b07a75b74b701d95f6957416959df359f441e7455e933913208891f05c6c9e5

General

Target

rwvg1.exe
Size

34KB
MD5

671a477d299131351498b10922fa09d8
SHA1

1ea4a3836b473bc710f348fade6bb56848279649
SHA256

2b07a75b74b701d95f6957416959df359f441e7455e933913208891f05c6c9e5
SHA512

8a4ed69a50806d85d697ac85f57855b1e5a26e0d6282977f75d70823be10cf83490423a1228891230bd2c3359449719dd53c6401d1f64f5649c9d2974257a8fc
SSDEEP

768:LqI7tV7a1UqeBVYbCU/SReKbLZu7RupMx0AzgL4Vo2TUVd:G837eULG2U0XA0AzC4SrVd

Score

10^/10

asyncrat stormkitty venomrat discovery rat stealer

Malware Config

Signatures

AsyncRat
AsyncRAT is designed to remotely monitor and control other computers written in C#.
rat asyncrat
Asyncrat family
asyncrat
StormKitty
StormKitty is an open source info stealer written in C#.
stealer stormkitty

StormKitty payload 1 IoCs

resource	yara_rule
behavioral2/memory/3696-19-0x0000000000400000-0x0000000000704000-memory.dmp	family_stormkitty

Stormkitty family
stormkitty

VenomRAT 1 IoCs

Detects VenomRAT.

rat

resource	yara_rule
behavioral2/memory/3696-19-0x0000000000400000-0x0000000000704000-memory.dmp	VenomRAT

Venomrat family
venomrat
Downloads MZ/PE file
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 4692 set thread context of 3696	4692	rwvg1.exe	102

System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cvtres.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	RegAsm.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	rwvg1.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	csc.exe

Suspicious behavior: EnumeratesProcesses 3 IoCs

pid	Process
3696	RegAsm.exe
3696	RegAsm.exe
3696	RegAsm.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	4692	rwvg1.exe
Token: SeDebugPrivilege	3696	RegAsm.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
3696	RegAsm.exe

Suspicious use of WriteProcessMemory 14 IoCs

description	pid	Process	procid_target
PID 4692 wrote to memory of 2588	4692	rwvg1.exe	83
PID 4692 wrote to memory of 2588	4692	rwvg1.exe	83
PID 4692 wrote to memory of 2588	4692	rwvg1.exe	83
PID 2588 wrote to memory of 4460	2588	csc.exe	85
PID 2588 wrote to memory of 4460	2588	csc.exe	85
PID 2588 wrote to memory of 4460	2588	csc.exe	85
PID 4692 wrote to memory of 3696	4692	rwvg1.exe	102
PID 4692 wrote to memory of 3696	4692	rwvg1.exe	102
PID 4692 wrote to memory of 3696	4692	rwvg1.exe	102
PID 4692 wrote to memory of 3696	4692	rwvg1.exe	102
PID 4692 wrote to memory of 3696	4692	rwvg1.exe	102
PID 4692 wrote to memory of 3696	4692	rwvg1.exe	102
PID 4692 wrote to memory of 3696	4692	rwvg1.exe	102
PID 4692 wrote to memory of 3696	4692	rwvg1.exe	102

C:\Users\Admin\AppData\Local\Temp\rwvg1.exe
"C:\Users\Admin\AppData\Local\Temp\rwvg1.exe"
1⤵
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4692
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe
  "C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\2l3lwyml\2l3lwyml.cmdline"
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2588
- - C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
    C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESADA5.tmp" "c:\Users\Admin\AppData\Local\Temp\2l3lwyml\CSC4ACE213B7C1543859C465D1E07EBB6D.TMP"
    3⤵
    - System Location Discovery: System Language Discovery
    PID:4460
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
  "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of SetWindowsHookEx
  PID:3696

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

1

T1012

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\2l3lwyml\2l3lwyml.dll

Filesize
9KB

MD5
8921829caa64964a3980b561a58311f1

SHA1
3a00511970ead720fbb38f7c64712fa1f63ecb5f

SHA256
0bb1daffdf8cc90f0262989be76a9cac059db9892c90e7d44d824ebd9528c97d

SHA512
a32ee3471ba5d7c67dad928e6ca7abf366d822e27f2840597040605c64527f878848ebee555e602efd9de103b40f7974ef4a31ffd937ad8d6b988c95c09d888c

Download Submit
C:\Users\Admin\AppData\Local\Temp\RESADA5.tmp

Filesize
1KB

MD5
02f1fe174af30520ef6019246aacb59e

SHA1
6fa87ba17b134bdaed8c6aaf877780bb3e2b5560

SHA256
6f183a9809417f9959c9f3dbd33f2d282223c1c7847501bda4361ffa7f22d37d

SHA512
cefa9fcab4a9275d355936013dcdc54d8ac70d6c9ca2f4533da8b68cb60667f9f181da705dd6141ecbca2841496107a0e956cbe2fc9060818174bbed382b6929

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\2l3lwyml\2l3lwyml.0.cs

Filesize
10KB

MD5
3fa79decff8805745cea8116d9bb2643

SHA1
92343c5fa2c768b964ae3a4e9136e5d7193e8558

SHA256
e6852a401b53a7af04d57aa1e4fc9621e3dffc1221534142316a27ae67e8f89c

SHA512
5c2879e59fa6609e6e87f70c5237b250a906bf7dd13a343dac9e81635b1fc91ad9374e643a306b99503c52ce9bd56554a64aa132584c732d43ee39fb17305d78

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\2l3lwyml\2l3lwyml.cmdline

Filesize
204B

MD5
9b56e5b875c61b6e39ef246dbc02150a

SHA1
e26dffe5de0766a6d2094c3fc365834e54484745

SHA256
e74ae4eeaf0555a88aa6f6f9e81e3b1a2848c5024e5ac57125794965d24015cb

SHA512
db5d78eaac7a547902d9d98c22251ed11685ade34b8fec3e927f41f91d101116d219d3d7d7df260d1bb9852de57165a0952d6a566ee69cc39111536e00d5f0ea

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\2l3lwyml\CSC4ACE213B7C1543859C465D1E07EBB6D.TMP

Filesize
652B

MD5
54eb32b9404a25ad465ac65b6f1acfa5

SHA1
d17e84f3d347b8b3c70569591d4a7bdc2a9096f1

SHA256
39b1882baade3c645171c9d66844735281747b21b1e465e7000d2f44fbed61f9

SHA512
83436d1b2b3476f072dd27650deff13ca66ebfa1bce00f6797073668486211b029705883c60c251637744fd4451b41c7b1accc20d00e7a1c275b50c3de9c349e

Download Submit
memory/3696-19-0x0000000000400000-0x0000000000704000-memory.dmp

Filesize
3.0MB

Download
memory/3696-32-0x0000000006CF0000-0x0000000006D12000-memory.dmp

Filesize
136KB

Download
memory/3696-36-0x0000000074CB0000-0x0000000075460000-memory.dmp

Filesize
7.7MB

Download
memory/3696-35-0x0000000074CB0000-0x0000000075460000-memory.dmp

Filesize
7.7MB

Download
memory/3696-34-0x0000000074CB0000-0x0000000075460000-memory.dmp

Filesize
7.7MB

Download
memory/3696-33-0x0000000006D20000-0x0000000007074000-memory.dmp

Filesize
3.3MB

Download
memory/3696-31-0x0000000074CB0000-0x0000000075460000-memory.dmp

Filesize
7.7MB

Download
memory/3696-30-0x0000000006940000-0x00000000069A6000-memory.dmp

Filesize
408KB

Download
memory/3696-22-0x0000000074CB0000-0x0000000075460000-memory.dmp

Filesize
7.7MB

Download
memory/3696-23-0x0000000005AC0000-0x0000000006064000-memory.dmp

Filesize
5.6MB

Download
memory/3696-24-0x0000000074CB0000-0x0000000075460000-memory.dmp

Filesize
7.7MB

Download
memory/3696-25-0x0000000005990000-0x0000000005A22000-memory.dmp

Filesize
584KB

Download
memory/3696-26-0x0000000005960000-0x000000000596A000-memory.dmp

Filesize
40KB

Download
memory/3696-29-0x00000000068A0000-0x000000000693C000-memory.dmp

Filesize
624KB

Download
memory/4692-0-0x0000000074CBE000-0x0000000074CBF000-memory.dmp

Filesize
4KB

Download
memory/4692-21-0x0000000074CB0000-0x0000000075460000-memory.dmp

Filesize
7.7MB

Download
memory/4692-5-0x0000000074CB0000-0x0000000075460000-memory.dmp

Filesize
7.7MB

Download
memory/4692-18-0x0000000074CB0000-0x0000000075460000-memory.dmp

Filesize
7.7MB

Download
memory/4692-17-0x0000000074CBE000-0x0000000074CBF000-memory.dmp

Filesize
4KB

Download
memory/4692-15-0x0000000004A00000-0x0000000004A08000-memory.dmp

Filesize
32KB

Download
memory/4692-1-0x0000000000100000-0x000000000010E000-memory.dmp

Filesize
56KB

Download

Analysis

Sharing