asyncrat | 2b07a75b74b701d95f6957416959df359f441e7455e933913208891f05c6c9e5

General

Target

2b07a75b74b701d95f6957416959df359f441e7455e933913208891f05c6c9e5.exe
Size

34KB
MD5

671a477d299131351498b10922fa09d8
SHA1

1ea4a3836b473bc710f348fade6bb56848279649
SHA256

2b07a75b74b701d95f6957416959df359f441e7455e933913208891f05c6c9e5
SHA512

8a4ed69a50806d85d697ac85f57855b1e5a26e0d6282977f75d70823be10cf83490423a1228891230bd2c3359449719dd53c6401d1f64f5649c9d2974257a8fc
SSDEEP

768:LqI7tV7a1UqeBVYbCU/SReKbLZu7RupMx0AzgL4Vo2TUVd:G837eULG2U0XA0AzC4SrVd

Score

10^/10

asyncrat stormkitty discovery rat stealer

Malware Config

Signatures

AsyncRat
AsyncRAT is designed to remotely monitor and control other computers written in C#.
rat asyncrat
Asyncrat family
asyncrat
StormKitty
StormKitty is an open source info stealer written in C#.
stealer stormkitty

StormKitty payload 1 IoCs

resource	yara_rule
behavioral2/memory/1276-17-0x0000000000400000-0x0000000000704000-memory.dmp	family_stormkitty

Stormkitty family
stormkitty
Downloads MZ/PE file
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 3572 set thread context of 1276	3572	2b07a75b74b701d95f6957416959df359f441e7455e933913208891f05c6c9e5.exe	88

System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cvtres.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	RegAsm.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	2b07a75b74b701d95f6957416959df359f441e7455e933913208891f05c6c9e5.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	csc.exe

Suspicious behavior: EnumeratesProcesses 5 IoCs

pid	Process
3572	2b07a75b74b701d95f6957416959df359f441e7455e933913208891f05c6c9e5.exe
3572	2b07a75b74b701d95f6957416959df359f441e7455e933913208891f05c6c9e5.exe
1276	RegAsm.exe
1276	RegAsm.exe
1276	RegAsm.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	3572	2b07a75b74b701d95f6957416959df359f441e7455e933913208891f05c6c9e5.exe
Token: SeDebugPrivilege	1276	RegAsm.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
1276	RegAsm.exe

Suspicious use of WriteProcessMemory 17 IoCs

description	pid	Process	procid_target
PID 3572 wrote to memory of 4220	3572	2b07a75b74b701d95f6957416959df359f441e7455e933913208891f05c6c9e5.exe	83
PID 3572 wrote to memory of 4220	3572	2b07a75b74b701d95f6957416959df359f441e7455e933913208891f05c6c9e5.exe	83
PID 3572 wrote to memory of 4220	3572	2b07a75b74b701d95f6957416959df359f441e7455e933913208891f05c6c9e5.exe	83
PID 4220 wrote to memory of 1928	4220	csc.exe	85
PID 4220 wrote to memory of 1928	4220	csc.exe	85
PID 4220 wrote to memory of 1928	4220	csc.exe	85
PID 3572 wrote to memory of 4252	3572	2b07a75b74b701d95f6957416959df359f441e7455e933913208891f05c6c9e5.exe	87
PID 3572 wrote to memory of 4252	3572	2b07a75b74b701d95f6957416959df359f441e7455e933913208891f05c6c9e5.exe	87
PID 3572 wrote to memory of 4252	3572	2b07a75b74b701d95f6957416959df359f441e7455e933913208891f05c6c9e5.exe	87
PID 3572 wrote to memory of 1276	3572	2b07a75b74b701d95f6957416959df359f441e7455e933913208891f05c6c9e5.exe	88
PID 3572 wrote to memory of 1276	3572	2b07a75b74b701d95f6957416959df359f441e7455e933913208891f05c6c9e5.exe	88
PID 3572 wrote to memory of 1276	3572	2b07a75b74b701d95f6957416959df359f441e7455e933913208891f05c6c9e5.exe	88
PID 3572 wrote to memory of 1276	3572	2b07a75b74b701d95f6957416959df359f441e7455e933913208891f05c6c9e5.exe	88
PID 3572 wrote to memory of 1276	3572	2b07a75b74b701d95f6957416959df359f441e7455e933913208891f05c6c9e5.exe	88
PID 3572 wrote to memory of 1276	3572	2b07a75b74b701d95f6957416959df359f441e7455e933913208891f05c6c9e5.exe	88
PID 3572 wrote to memory of 1276	3572	2b07a75b74b701d95f6957416959df359f441e7455e933913208891f05c6c9e5.exe	88
PID 3572 wrote to memory of 1276	3572	2b07a75b74b701d95f6957416959df359f441e7455e933913208891f05c6c9e5.exe	88

C:\Users\Admin\AppData\Local\Temp\2b07a75b74b701d95f6957416959df359f441e7455e933913208891f05c6c9e5.exe
"C:\Users\Admin\AppData\Local\Temp\2b07a75b74b701d95f6957416959df359f441e7455e933913208891f05c6c9e5.exe"
1⤵
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3572
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe
  "C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\jl51rqbw\jl51rqbw.cmdline"
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:4220
- - C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
    C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESB391.tmp" "c:\Users\Admin\AppData\Local\Temp\jl51rqbw\CSCC867EE4EFF1E429DA0909C6580884C7C.TMP"
    3⤵
    - System Location Discovery: System Language Discovery
    PID:1928
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
  "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
  2⤵
  PID:4252
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
  "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of SetWindowsHookEx
  PID:1276

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

1

T1012

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\RESB391.tmp

Filesize
1KB

MD5
5f9945d72814a80f248f3f4b1865d4b6

SHA1
21843eb7b0622b8b314caf5bd6e1ae86291885bb

SHA256
2a6ac71e60baba5928d7defc3a7a205ded06fb1d0b279c27f5d9f7281bbece99

SHA512
04c40621082ee99e17522c005bf7ec0f243a859bf1ae02231cf6834c39d94fdf15a9c5234e9a9bb9fc1a1384d7316ca0587e21d286c2e4b3931c23c97db0ccc3

Download Submit
C:\Users\Admin\AppData\Local\Temp\jl51rqbw\jl51rqbw.dll

Filesize
9KB

MD5
2374aa49d7fa0ddb49615b69fe1e3d6c

SHA1
222fa4418392f2bad2faabb08f78ddc1b271b739

SHA256
b4bd3dcd296649419545b3972992321e69564eb60f17605d8f08375302c8536d

SHA512
bfbee73e81009c82b19fea765c0e5a86f7f8f118827d30a1c5bd8f92abeaa6d04ddb964d3f63c192470a7ec43b934fa583c4875742dd07218659b73ea17e9891

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\jl51rqbw\CSCC867EE4EFF1E429DA0909C6580884C7C.TMP

Filesize
652B

MD5
701fab8961912ac4b9fb7ad87ecc0841

SHA1
b9add3d9d86624f33a9d868f84d263aeec954fdf

SHA256
e8042c81e70308b047e7478b0039cb8358536775a001e3df1d30885c0242b5c2

SHA512
0c5c1a5f13d1a0443ac236738e2f5a2ef7fc7a1f3a107afdeb875c8d3aa2c07de889ec062cff1080cf05b567bee5061dbb3dd3937e95497908245783140bdc68

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\jl51rqbw\jl51rqbw.0.cs

Filesize
10KB

MD5
3fa79decff8805745cea8116d9bb2643

SHA1
92343c5fa2c768b964ae3a4e9136e5d7193e8558

SHA256
e6852a401b53a7af04d57aa1e4fc9621e3dffc1221534142316a27ae67e8f89c

SHA512
5c2879e59fa6609e6e87f70c5237b250a906bf7dd13a343dac9e81635b1fc91ad9374e643a306b99503c52ce9bd56554a64aa132584c732d43ee39fb17305d78

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\jl51rqbw\jl51rqbw.cmdline

Filesize
204B

MD5
bec0f687f08d2c896b33a39798fb2d62

SHA1
8176e7b503f470a14a7d9e713af8a0307e277225

SHA256
48b738c16ccfd9845a4dbebb5799526e36a3c02fab893892bef355731468679a

SHA512
849f953f94fe39b1cb475a051bf240edc24a0902c5c0ce70eb2129f01253b1e88b8f6f43a24c5195ae621b436fd6398cfef3d99c59d94ca66530b991b8ae493f

Download Submit
memory/1276-24-0x00000000057F0000-0x00000000057FA000-memory.dmp

Filesize
40KB

Download
memory/1276-29-0x0000000006CC0000-0x0000000006CE2000-memory.dmp

Filesize
136KB

Download
memory/1276-32-0x0000000074C90000-0x0000000075440000-memory.dmp

Filesize
7.7MB

Download
memory/1276-31-0x0000000074C90000-0x0000000075440000-memory.dmp

Filesize
7.7MB

Download
memory/1276-17-0x0000000000400000-0x0000000000704000-memory.dmp

Filesize
3.0MB

Download
memory/1276-30-0x0000000006CF0000-0x0000000007044000-memory.dmp

Filesize
3.3MB

Download
memory/1276-20-0x0000000074C90000-0x0000000075440000-memory.dmp

Filesize
7.7MB

Download
memory/1276-21-0x0000000005930000-0x0000000005ED4000-memory.dmp

Filesize
5.6MB

Download
memory/1276-22-0x0000000074C90000-0x0000000075440000-memory.dmp

Filesize
7.7MB

Download
memory/1276-23-0x0000000005890000-0x0000000005922000-memory.dmp

Filesize
584KB

Download
memory/1276-27-0x0000000006720000-0x00000000067BC000-memory.dmp

Filesize
624KB

Download
memory/1276-28-0x00000000067C0000-0x0000000006826000-memory.dmp

Filesize
408KB

Download
memory/3572-0-0x0000000074C9E000-0x0000000074C9F000-memory.dmp

Filesize
4KB

Download
memory/3572-6-0x0000000074C90000-0x0000000075440000-memory.dmp

Filesize
7.7MB

Download
memory/3572-19-0x0000000074C90000-0x0000000075440000-memory.dmp

Filesize
7.7MB

Download
memory/3572-15-0x0000000004BB0000-0x0000000004BB8000-memory.dmp

Filesize
32KB

Download
memory/3572-1-0x00000000002B0000-0x00000000002BE000-memory.dmp

Filesize
56KB

Download

Analysis

Sharing