asyncrat | 5e8a676a5b37f85a09339873a139a73268662b1c0bfe94d764bbfffec60ea196

General

Target

5e8a676a5b37f85a09339873a139a73268662b1c0bfe94d764bbfffec60ea196.ps1
Size

1KB
MD5

1ec2c58c17fc606446451058a6961972
SHA1

abfd1b16246bcce8721d2c5aa85cfa354135f2ff
SHA256

5e8a676a5b37f85a09339873a139a73268662b1c0bfe94d764bbfffec60ea196
SHA512

7365d26c3b74e25d18618d3042ff98fedae2d1e5db6f2c6d0a7034582141a78e5c2df949477c1169e471ced3fcf94d660b7cd8655ecd6bda2d803f1ecc0c0f17

Score

10^/10

asyncrat stormkitty discovery execution rat stealer

Malware Config

Signatures

AsyncRat
AsyncRAT is designed to remotely monitor and control other computers written in C#.
rat asyncrat
Asyncrat family
asyncrat
StormKitty
StormKitty is an open source info stealer written in C#.
stealer stormkitty

StormKitty payload 1 IoCs

resource	yara_rule
behavioral2/memory/4996-31-0x0000000000400000-0x0000000000704000-memory.dmp	family_stormkitty

Stormkitty family
stormkitty

Blocklisted process makes network request 1 IoCs

flow	pid	Process
3	4240	powershell.exe

Downloads MZ/PE file
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 4240 set thread context of 4996	4240	powershell.exe	87

Command and Scripting Interpreter: PowerShell 1 TTPs 1 IoCs

Using powershell.exe command.

execution

PowerShell

T1059.001

pid	Process
4240	powershell.exe

System Location Discovery: System Language Discovery 1 TTPs 1 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	RegAsm.exe

Suspicious behavior: EnumeratesProcesses 5 IoCs

pid	Process
4240	powershell.exe
4240	powershell.exe
4996	RegAsm.exe
4996	RegAsm.exe
4996	RegAsm.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	4240	powershell.exe
Token: SeDebugPrivilege	4996	RegAsm.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
4996	RegAsm.exe

Suspicious use of WriteProcessMemory 12 IoCs

description	pid	Process	procid_target
PID 4240 wrote to memory of 1144	4240	powershell.exe	85
PID 4240 wrote to memory of 1144	4240	powershell.exe	85
PID 1144 wrote to memory of 2252	1144	csc.exe	86
PID 1144 wrote to memory of 2252	1144	csc.exe	86
PID 4240 wrote to memory of 4996	4240	powershell.exe	87
PID 4240 wrote to memory of 4996	4240	powershell.exe	87
PID 4240 wrote to memory of 4996	4240	powershell.exe	87
PID 4240 wrote to memory of 4996	4240	powershell.exe	87
PID 4240 wrote to memory of 4996	4240	powershell.exe	87
PID 4240 wrote to memory of 4996	4240	powershell.exe	87
PID 4240 wrote to memory of 4996	4240	powershell.exe	87
PID 4240 wrote to memory of 4996	4240	powershell.exe	87

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell.exe -ExecutionPolicy bypass -File C:\Users\Admin\AppData\Local\Temp\5e8a676a5b37f85a09339873a139a73268662b1c0bfe94d764bbfffec60ea196.ps1
1⤵
- Blocklisted process makes network request
- Suspicious use of SetThreadContext
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4240
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
  "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\bsf20xxk\bsf20xxk.cmdline"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:1144
- - C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe
    C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES8155.tmp" "c:\Users\Admin\AppData\Local\Temp\bsf20xxk\CSCD822207BAB814271BEBB553583CA8D94.TMP"
    3⤵
    PID:2252
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
  "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of SetWindowsHookEx
  PID:4996

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

1

T1059

PowerShell

1

T1059.001

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

1

T1012

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\RES8155.tmp

Filesize
1KB

MD5
5048a0867fdd293fe0e93d611f4490ac

SHA1
7197251048b80f758f72fcf4a6d1260620ece7de

SHA256
b1f97815d2a0452b509d72ebed36aa08d0786b6cde0ed82fc1ad84bf3c29fbe5

SHA512
1cf448c1a47ab611bafb17f080a03e714e96040bee65af29f0e08614606aa611ca6ed63454b56df738583e3aa76425d133616f95905a5d1a6820a2a0b4dcb99b

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_bjpwurlq.3rt.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Admin\AppData\Local\Temp\bsf20xxk\bsf20xxk.dll

Filesize
9KB

MD5
5bc358c17cb51cbb7a4c3f947d0a87cb

SHA1
f684aafc0d7cfd3afd0a71fcc10464e2da425f13

SHA256
6204b71b6bed340423e2820bd6e56df169ce5268e2359c581d8321825b87fe8a

SHA512
22749e47c8e5cb25ee07cc465968b26333a182d4bf01a7d3635deef3a17e0214a033765898ba88659ac4826637cf4a02c81a85a61386f56e20e1e727fdfd5282

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\bsf20xxk\CSCD822207BAB814271BEBB553583CA8D94.TMP

Filesize
652B

MD5
37757d9ca4eb9f76ffc43ba1ed31dd95

SHA1
a6c643fb804dab4febebff8331019e00912f8496

SHA256
2e0a6945550c39993310ed1739cd8148e05434e04e0ff5a42efb16da3e9f8a8d

SHA512
acd980f94355cad92d0c30b21569e871923f1c9fd08662b0e79e50913e2da65cbd8a145e00fe1b53d106226e236de042918520654807dc02a54e7d408e34f524

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\bsf20xxk\bsf20xxk.0.cs

Filesize
10KB

MD5
3fa79decff8805745cea8116d9bb2643

SHA1
92343c5fa2c768b964ae3a4e9136e5d7193e8558

SHA256
e6852a401b53a7af04d57aa1e4fc9621e3dffc1221534142316a27ae67e8f89c

SHA512
5c2879e59fa6609e6e87f70c5237b250a906bf7dd13a343dac9e81635b1fc91ad9374e643a306b99503c52ce9bd56554a64aa132584c732d43ee39fb17305d78

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\bsf20xxk\bsf20xxk.cmdline

Filesize
204B

MD5
b894631d23ef8b27a8cfdb05c6c5dc95

SHA1
e8004144918156cf9fcc0f9cdb97f3d3e18d6018

SHA256
9fae3c67821d3a477f195fe832d3d725a9d4bca6ca567f1aa8bb86e45f8f1149

SHA512
e96c0c0ba6ddc1f7496796764f65a0903388d4921b742c9f242322c938edaa5d614a8a0b48f1819f5a160364dca34e29712f0cdf0140193f99df38acd1a95f8b

Download Submit
memory/4240-28-0x00007FFA20CC0000-0x00007FFA21781000-memory.dmp

Filesize
10.8MB

Download
memory/4240-34-0x00007FFA20CC0000-0x00007FFA21781000-memory.dmp

Filesize
10.8MB

Download
memory/4240-12-0x00007FFA20CC0000-0x00007FFA21781000-memory.dmp

Filesize
10.8MB

Download
memory/4240-11-0x00007FFA20CC0000-0x00007FFA21781000-memory.dmp

Filesize
10.8MB

Download
memory/4240-10-0x0000017953620000-0x0000017953642000-memory.dmp

Filesize
136KB

Download
memory/4240-26-0x00000179535F0000-0x00000179535F8000-memory.dmp

Filesize
32KB

Download
memory/4240-0-0x00007FFA20CC3000-0x00007FFA20CC5000-memory.dmp

Filesize
8KB

Download
memory/4240-29-0x00007FFA20CC3000-0x00007FFA20CC5000-memory.dmp

Filesize
8KB

Download
memory/4240-30-0x00007FFA20CC0000-0x00007FFA21781000-memory.dmp

Filesize
10.8MB

Download
memory/4240-13-0x00000179535E0000-0x00000179535EE000-memory.dmp

Filesize
56KB

Download
memory/4996-31-0x0000000000400000-0x0000000000704000-memory.dmp

Filesize
3.0MB

Download
memory/4996-35-0x0000000005800000-0x0000000005DA4000-memory.dmp

Filesize
5.6MB

Download
memory/4996-36-0x00000000055F0000-0x0000000005682000-memory.dmp

Filesize
584KB

Download
memory/4996-37-0x0000000005560000-0x000000000556A000-memory.dmp

Filesize
40KB

Download
memory/4996-41-0x00000000061B0000-0x0000000006216000-memory.dmp

Filesize
408KB

Download
memory/4996-40-0x0000000006680000-0x000000000671C000-memory.dmp

Filesize
624KB

Download
memory/4996-42-0x0000000006A30000-0x0000000006A52000-memory.dmp

Filesize
136KB

Download
memory/4996-43-0x0000000006A60000-0x0000000006DB4000-memory.dmp

Filesize
3.3MB

Download

Analysis

Sharing