asyncrat | 2b07a75b74b701d95f6957416959df359f441e7455e933913208891f05c6c9e5

General

Target

2b07a75b74b701d95f6957416959df359f441e7455e933913208891f05c6c9e5.exe
Size

34KB
MD5

671a477d299131351498b10922fa09d8
SHA1

1ea4a3836b473bc710f348fade6bb56848279649
SHA256

2b07a75b74b701d95f6957416959df359f441e7455e933913208891f05c6c9e5
SHA512

8a4ed69a50806d85d697ac85f57855b1e5a26e0d6282977f75d70823be10cf83490423a1228891230bd2c3359449719dd53c6401d1f64f5649c9d2974257a8fc
SSDEEP

768:LqI7tV7a1UqeBVYbCU/SReKbLZu7RupMx0AzgL4Vo2TUVd:G837eULG2U0XA0AzC4SrVd

Score

10^/10

asyncrat stormkitty discovery rat stealer

Malware Config

Signatures

AsyncRat
AsyncRAT is designed to remotely monitor and control other computers written in C#.
rat asyncrat
Asyncrat family
asyncrat
StormKitty
StormKitty is an open source info stealer written in C#.
stealer stormkitty

StormKitty payload 5 IoCs

resource	yara_rule
behavioral1/memory/2740-21-0x0000000000400000-0x0000000000704000-memory.dmp	family_stormkitty
behavioral1/memory/2740-24-0x0000000000400000-0x0000000000704000-memory.dmp	family_stormkitty
behavioral1/memory/2740-22-0x0000000000400000-0x0000000000704000-memory.dmp	family_stormkitty
behavioral1/memory/2740-27-0x0000000000400000-0x0000000000704000-memory.dmp	family_stormkitty
behavioral1/memory/2740-29-0x0000000000400000-0x0000000000704000-memory.dmp	family_stormkitty

Stormkitty family
stormkitty
Downloads MZ/PE file
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 1272 set thread context of 2740	1272	2b07a75b74b701d95f6957416959df359f441e7455e933913208891f05c6c9e5.exe	33

System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	2b07a75b74b701d95f6957416959df359f441e7455e933913208891f05c6c9e5.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	csc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cvtres.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	RegAsm.exe

Suspicious behavior: EnumeratesProcesses 29 IoCs

pid	Process
2740	RegAsm.exe
2740	RegAsm.exe
2740	RegAsm.exe
2740	RegAsm.exe
2740	RegAsm.exe
2740	RegAsm.exe
2740	RegAsm.exe
2740	RegAsm.exe
2740	RegAsm.exe
2740	RegAsm.exe
2740	RegAsm.exe
2740	RegAsm.exe
2740	RegAsm.exe
2740	RegAsm.exe
2740	RegAsm.exe
2740	RegAsm.exe
2740	RegAsm.exe
2740	RegAsm.exe
2740	RegAsm.exe
2740	RegAsm.exe
2740	RegAsm.exe
2740	RegAsm.exe
2740	RegAsm.exe
2740	RegAsm.exe
2740	RegAsm.exe
2740	RegAsm.exe
2740	RegAsm.exe
2740	RegAsm.exe
2740	RegAsm.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	1272	2b07a75b74b701d95f6957416959df359f441e7455e933913208891f05c6c9e5.exe
Token: SeDebugPrivilege	2740	RegAsm.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
2740	RegAsm.exe

Suspicious use of WriteProcessMemory 20 IoCs

description	pid	Process	procid_target
PID 1272 wrote to memory of 2368	1272	2b07a75b74b701d95f6957416959df359f441e7455e933913208891f05c6c9e5.exe	30
PID 1272 wrote to memory of 2368	1272	2b07a75b74b701d95f6957416959df359f441e7455e933913208891f05c6c9e5.exe	30
PID 1272 wrote to memory of 2368	1272	2b07a75b74b701d95f6957416959df359f441e7455e933913208891f05c6c9e5.exe	30
PID 1272 wrote to memory of 2368	1272	2b07a75b74b701d95f6957416959df359f441e7455e933913208891f05c6c9e5.exe	30
PID 2368 wrote to memory of 1712	2368	csc.exe	32
PID 2368 wrote to memory of 1712	2368	csc.exe	32
PID 2368 wrote to memory of 1712	2368	csc.exe	32
PID 2368 wrote to memory of 1712	2368	csc.exe	32
PID 1272 wrote to memory of 2740	1272	2b07a75b74b701d95f6957416959df359f441e7455e933913208891f05c6c9e5.exe	33
PID 1272 wrote to memory of 2740	1272	2b07a75b74b701d95f6957416959df359f441e7455e933913208891f05c6c9e5.exe	33
PID 1272 wrote to memory of 2740	1272	2b07a75b74b701d95f6957416959df359f441e7455e933913208891f05c6c9e5.exe	33
PID 1272 wrote to memory of 2740	1272	2b07a75b74b701d95f6957416959df359f441e7455e933913208891f05c6c9e5.exe	33
PID 1272 wrote to memory of 2740	1272	2b07a75b74b701d95f6957416959df359f441e7455e933913208891f05c6c9e5.exe	33
PID 1272 wrote to memory of 2740	1272	2b07a75b74b701d95f6957416959df359f441e7455e933913208891f05c6c9e5.exe	33
PID 1272 wrote to memory of 2740	1272	2b07a75b74b701d95f6957416959df359f441e7455e933913208891f05c6c9e5.exe	33
PID 1272 wrote to memory of 2740	1272	2b07a75b74b701d95f6957416959df359f441e7455e933913208891f05c6c9e5.exe	33
PID 1272 wrote to memory of 2740	1272	2b07a75b74b701d95f6957416959df359f441e7455e933913208891f05c6c9e5.exe	33
PID 1272 wrote to memory of 2740	1272	2b07a75b74b701d95f6957416959df359f441e7455e933913208891f05c6c9e5.exe	33
PID 1272 wrote to memory of 2740	1272	2b07a75b74b701d95f6957416959df359f441e7455e933913208891f05c6c9e5.exe	33
PID 1272 wrote to memory of 2740	1272	2b07a75b74b701d95f6957416959df359f441e7455e933913208891f05c6c9e5.exe	33

C:\Users\Admin\AppData\Local\Temp\2b07a75b74b701d95f6957416959df359f441e7455e933913208891f05c6c9e5.exe
"C:\Users\Admin\AppData\Local\Temp\2b07a75b74b701d95f6957416959df359f441e7455e933913208891f05c6c9e5.exe"
1⤵
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1272
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe
  "C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\swen42ur\swen42ur.cmdline"
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2368
- - C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
    C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESAA34.tmp" "c:\Users\Admin\AppData\Local\Temp\swen42ur\CSC669F8812F49A41AF8DE24C6ADC233442.TMP"
    3⤵
    - System Location Discovery: System Language Discovery
    PID:1712
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
  "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of SetWindowsHookEx
  PID:2740

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

1

T1012

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\CabC6AB.tmp

Filesize
70KB

MD5
49aebf8cbd62d92ac215b2923fb1b9f5

SHA1
1723be06719828dda65ad804298d0431f6aff976

SHA256
b33efcb95235b98b48508e019afa4b7655e80cf071defabd8b2123fc8b29307f

SHA512
bf86116b015fb56709516d686e168e7c9c68365136231cc51d0b6542ae95323a71d2c7acec84aad7dcecc2e410843f6d82a0a6d51b9acfc721a9c84fdd877b5b

Download Submit
C:\Users\Admin\AppData\Local\Temp\RESAA34.tmp

Filesize
1KB

MD5
f7887bfbe0f670a7cc3467327a5df6ef

SHA1
860e59bb27b8dc56f318b2bc975ccc86150f3ba6

SHA256
ea516b5c1e39c9716fc2ff7922a013b152d5894ef7a65fcee86d71ee84aa4c97

SHA512
f821f094fd37e9b37bbb5d8635fa0bdee4e30f8611e9db6383ff8cbe0a7a313734c8d8336ee84cc5dd111bc7aab796d8020f403c0fcc4855070925afcb1ac2be

Download Submit
C:\Users\Admin\AppData\Local\Temp\TarD81C.tmp

Filesize
181KB

MD5
4ea6026cf93ec6338144661bf1202cd1

SHA1
a1dec9044f750ad887935a01430bf49322fbdcb7

SHA256
8efbc21559ef8b1bcf526800d8070baad42474ce7198e26fa771dbb41a76b1d8

SHA512
6c7e0980e39aacf4c3689802353f464a08cd17753bd210ee997e5f2a455deb4f287a9ef74d84579dbde49bc96213cd2b8b247723919c412ea980aa6e6bfe218b

Download Submit
C:\Users\Admin\AppData\Local\Temp\swen42ur\swen42ur.dll

Filesize
9KB

MD5
378fc4741b242b6aa49286a1f99ee0e0

SHA1
bf6193f8672ddf76cb1ad6920dde5e76b019f5f5

SHA256
ae4a7fbc0f5061cc31dcbc0edbe4d1ba0fa54a30ce7f5b2fafc380b3c26f4370

SHA512
205d8aba5cb14c51a5e41f1111b068569ae52dac26489e1788757b6d5678ce3083e2b45a8923706812a5283959ca4ead336530768ffa29fa38854b82f499af16

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\swen42ur\CSC669F8812F49A41AF8DE24C6ADC233442.TMP

Filesize
652B

MD5
7116b668a43cf59ef9ba1628b9cf1849

SHA1
c287cbe397ff73ba786789ee8b56470a9421e406

SHA256
53d4403cc83faa7760d0fd9ce838da175d074c744cd5c588af54df54a482cf51

SHA512
82b9f1de8aad4dc39972e62bf833ca98ba1fa1ca5758649c0cd3a50eff9d29a1d10fbc9b0f43598fd430af6f7261ef43ddfcee9c9be05b386a93bc0790a9512d

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\swen42ur\swen42ur.0.cs

Filesize
10KB

MD5
3fa79decff8805745cea8116d9bb2643

SHA1
92343c5fa2c768b964ae3a4e9136e5d7193e8558

SHA256
e6852a401b53a7af04d57aa1e4fc9621e3dffc1221534142316a27ae67e8f89c

SHA512
5c2879e59fa6609e6e87f70c5237b250a906bf7dd13a343dac9e81635b1fc91ad9374e643a306b99503c52ce9bd56554a64aa132584c732d43ee39fb17305d78

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\swen42ur\swen42ur.cmdline

Filesize
204B

MD5
2a74984f851d01615164b682e1a573ab

SHA1
8a211af749d380ffef707ed87f0ebc2205d1a188

SHA256
1953611691b58aa3d6f1a03a96a3d8ff793989848b28cd73f9dc9474973683fa

SHA512
dc4d8a5da6e0c65865caf745ee146f987609415926daa75dc5bb0ce9758a3e950141863ecb8109db5399b24b9da0bb90ef32ca2095e2937991d0e3be47e68145

Download Submit
memory/1272-25-0x0000000074B80000-0x000000007526E000-memory.dmp

Filesize
6.9MB

Download
memory/1272-15-0x00000000002D0000-0x00000000002D8000-memory.dmp

Filesize
32KB

Download
memory/1272-0-0x0000000074B8E000-0x0000000074B8F000-memory.dmp

Filesize
4KB

Download
memory/1272-5-0x0000000074B80000-0x000000007526E000-memory.dmp

Filesize
6.9MB

Download
memory/1272-1-0x0000000001310000-0x000000000131E000-memory.dmp

Filesize
56KB

Download
memory/2740-17-0x0000000000400000-0x0000000000704000-memory.dmp

Filesize
3.0MB

Download
memory/2740-21-0x0000000000400000-0x0000000000704000-memory.dmp

Filesize
3.0MB

Download
memory/2740-24-0x0000000000400000-0x0000000000704000-memory.dmp

Filesize
3.0MB

Download
memory/2740-22-0x0000000000400000-0x0000000000704000-memory.dmp

Filesize
3.0MB

Download
memory/2740-27-0x0000000000400000-0x0000000000704000-memory.dmp

Filesize
3.0MB

Download
memory/2740-19-0x0000000000400000-0x0000000000704000-memory.dmp

Filesize
3.0MB

Download
memory/2740-29-0x0000000000400000-0x0000000000704000-memory.dmp

Filesize
3.0MB

Download
memory/2740-23-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

Filesize
4KB

Download

Analysis

Sharing