asyncrat | 8f03cdbacac14321711d751ac862231ccdb13522e07ff0f3a42e128ceba61f13

General

Target

trwesf.exe
Size

34KB
MD5

75d3088b3da605e4b01ef86a8e8376dc
SHA1

f487c38fda56c98488105ba03c88229c467dad43
SHA256

8f03cdbacac14321711d751ac862231ccdb13522e07ff0f3a42e128ceba61f13
SHA512

397816db0b9331b3bc660f29e80ec8549e51078e4f34ef4e452a8ef2376b99ff14eaad6331b026f23c6489b18511ed6c937570740e85dffbb8e5d178164d947e
SSDEEP

768:wbqI7VVQEi5oaWPFaq8EGrUDjKZxxvjYrKa/O56Ue4uaPHx:w28VWH5ojsKGgDjKZxxiKa25npbPHx

Score

10^/10

asyncrat stormkitty discovery rat stealer

Malware Config

Signatures

AsyncRat
AsyncRAT is designed to remotely monitor and control other computers written in C#.
rat asyncrat
Asyncrat family
asyncrat
StormKitty
StormKitty is an open source info stealer written in C#.
stealer stormkitty

StormKitty payload 5 IoCs

resource	yara_rule
behavioral1/memory/2796-21-0x0000000000400000-0x0000000000704000-memory.dmp	family_stormkitty
behavioral1/memory/2796-28-0x0000000000400000-0x0000000000704000-memory.dmp	family_stormkitty
behavioral1/memory/2796-32-0x0000000000400000-0x0000000000704000-memory.dmp	family_stormkitty
behavioral1/memory/2796-26-0x0000000000400000-0x0000000000704000-memory.dmp	family_stormkitty
behavioral1/memory/2796-23-0x0000000000400000-0x0000000000704000-memory.dmp	family_stormkitty

Stormkitty family
stormkitty
Downloads MZ/PE file
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 1488 set thread context of 2796	1488	trwesf.exe	34

System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	trwesf.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	csc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cvtres.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	RegAsm.exe

Suspicious behavior: EnumeratesProcesses 33 IoCs

pid	Process
2796	RegAsm.exe
2796	RegAsm.exe
2796	RegAsm.exe
2796	RegAsm.exe
2796	RegAsm.exe
2796	RegAsm.exe
2796	RegAsm.exe
2796	RegAsm.exe
2796	RegAsm.exe
2796	RegAsm.exe
2796	RegAsm.exe
2796	RegAsm.exe
2796	RegAsm.exe
2796	RegAsm.exe
2796	RegAsm.exe
2796	RegAsm.exe
2796	RegAsm.exe
2796	RegAsm.exe
2796	RegAsm.exe
2796	RegAsm.exe
2796	RegAsm.exe
2796	RegAsm.exe
2796	RegAsm.exe
2796	RegAsm.exe
2796	RegAsm.exe
2796	RegAsm.exe
2796	RegAsm.exe
2796	RegAsm.exe
2796	RegAsm.exe
2796	RegAsm.exe
2796	RegAsm.exe
2796	RegAsm.exe
2796	RegAsm.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	1488	trwesf.exe
Token: SeDebugPrivilege	2796	RegAsm.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
2796	RegAsm.exe

Suspicious use of WriteProcessMemory 20 IoCs

description	pid	Process	procid_target
PID 1488 wrote to memory of 2460	1488	trwesf.exe	31
PID 1488 wrote to memory of 2460	1488	trwesf.exe	31
PID 1488 wrote to memory of 2460	1488	trwesf.exe	31
PID 1488 wrote to memory of 2460	1488	trwesf.exe	31
PID 2460 wrote to memory of 1820	2460	csc.exe	33
PID 2460 wrote to memory of 1820	2460	csc.exe	33
PID 2460 wrote to memory of 1820	2460	csc.exe	33
PID 2460 wrote to memory of 1820	2460	csc.exe	33
PID 1488 wrote to memory of 2796	1488	trwesf.exe	34
PID 1488 wrote to memory of 2796	1488	trwesf.exe	34
PID 1488 wrote to memory of 2796	1488	trwesf.exe	34
PID 1488 wrote to memory of 2796	1488	trwesf.exe	34
PID 1488 wrote to memory of 2796	1488	trwesf.exe	34
PID 1488 wrote to memory of 2796	1488	trwesf.exe	34
PID 1488 wrote to memory of 2796	1488	trwesf.exe	34
PID 1488 wrote to memory of 2796	1488	trwesf.exe	34
PID 1488 wrote to memory of 2796	1488	trwesf.exe	34
PID 1488 wrote to memory of 2796	1488	trwesf.exe	34
PID 1488 wrote to memory of 2796	1488	trwesf.exe	34
PID 1488 wrote to memory of 2796	1488	trwesf.exe	34

C:\Users\Admin\AppData\Local\Temp\trwesf.exe
"C:\Users\Admin\AppData\Local\Temp\trwesf.exe"
1⤵
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1488
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe
  "C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\azdbycvd\azdbycvd.cmdline"
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2460
- - C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
    C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESD74C.tmp" "c:\Users\Admin\AppData\Local\Temp\azdbycvd\CSCB2DF1206A3F6437C9B8A3D31607FA83D.TMP"
    3⤵
    - System Location Discovery: System Language Discovery
    PID:1820
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
  "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of SetWindowsHookEx
  PID:2796

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

1

T1012

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\CabF153.tmp

Filesize
70KB

MD5
49aebf8cbd62d92ac215b2923fb1b9f5

SHA1
1723be06719828dda65ad804298d0431f6aff976

SHA256
b33efcb95235b98b48508e019afa4b7655e80cf071defabd8b2123fc8b29307f

SHA512
bf86116b015fb56709516d686e168e7c9c68365136231cc51d0b6542ae95323a71d2c7acec84aad7dcecc2e410843f6d82a0a6d51b9acfc721a9c84fdd877b5b

Download Submit
C:\Users\Admin\AppData\Local\Temp\RESD74C.tmp

Filesize
1KB

MD5
c0699bb28c93a9c8d9b43040f524723c

SHA1
91edfbe54f8c6e99720d376e64196642e9876476

SHA256
bfa093ce2b74c548d5c07788546a4d7d5448e46bfc454075aefc27269b8a8175

SHA512
e239d7b8be87b3342d852346d366aa04fb53bea86381d19bbe53f5e915bc6a980c287d3f56bba03de4b0bdb84bc806e56cbb13978244ba3989b15d50c9c433dc

Download Submit
C:\Users\Admin\AppData\Local\Temp\Tar302.tmp

Filesize
181KB

MD5
4ea6026cf93ec6338144661bf1202cd1

SHA1
a1dec9044f750ad887935a01430bf49322fbdcb7

SHA256
8efbc21559ef8b1bcf526800d8070baad42474ce7198e26fa771dbb41a76b1d8

SHA512
6c7e0980e39aacf4c3689802353f464a08cd17753bd210ee997e5f2a455deb4f287a9ef74d84579dbde49bc96213cd2b8b247723919c412ea980aa6e6bfe218b

Download Submit
C:\Users\Admin\AppData\Local\Temp\azdbycvd\azdbycvd.dll

Filesize
9KB

MD5
b1b165011256eef9cf054667fea7f578

SHA1
1b853df57c48ddeab907a6f0ed6417e6868209c0

SHA256
65955b31212f5bab78de6777f715c38eb9eb880978021defa2a590f387fa5bb4

SHA512
871fbb3c1605fa55b3a04eed0c1fc1e5e970be5ae91cecdfc6423ba309f6baa4ed7629b51fc4c9beb20d86b631e9c1c8012a6f904b7ce797feacf58546fee3f2

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\azdbycvd\CSCB2DF1206A3F6437C9B8A3D31607FA83D.TMP

Filesize
652B

MD5
14890e3cd4a0e256d43da4d90541c7cd

SHA1
1e4b46c0aa2cac7c6afa3619419b6d9e1a87d070

SHA256
4b73baa1a21f860686974b284ab85cacd94cda2691371cc3daab8e4cadf6ecd0

SHA512
00c7842ddb7b0a66d8c861e63dee43ffc23d10c694effd0d8afd725a7c7564a33344c7e7abf9dfa2c526ce91abd3d697d448e17a4ceec38780cb0ff01ae2a655

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\azdbycvd\azdbycvd.0.cs

Filesize
10KB

MD5
f8284f43aa8e48242dff1cad24736fcd

SHA1
ba8c41bc6175185a0bdbf8778df92e66a7029c65

SHA256
e12c8c4a47176808b9117ec2aa27c2afaf4bdddcd2f60eea48696aa7daa747f6

SHA512
4e84606d99d853f915662ffc996ac426fe7f02e90009f58c25a07c86bc84120c7d26dd2bfee3efc78099af7e729a5a6d27c611147eb64f908a9b58caa0a6b69c

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\azdbycvd\azdbycvd.cmdline

Filesize
204B

MD5
092e54a1b57216ba0b1948a4893d59f9

SHA1
2e73b7fffb16882741ce9f9692eca6db6dec2c0b

SHA256
481e18a28de87bf047ab6de260c594b71b2301c3ce247f383a1c897d5a74ce14

SHA512
7ac0889e44a427a24ec3dc8d501c7310ed55f0d7cbc59c6ad7c873f22d786bb83d0825bbca49c29ffdcac1178da0975c70e1b6ea92934e504e9e5c86ffa9c933

Download Submit
memory/1488-1-0x0000000000CC0000-0x0000000000CCE000-memory.dmp

Filesize
56KB

Download
memory/1488-4-0x0000000073F30000-0x000000007461E000-memory.dmp

Filesize
6.9MB

Download
memory/1488-15-0x0000000000380000-0x0000000000388000-memory.dmp

Filesize
32KB

Download
memory/1488-0-0x0000000073F3E000-0x0000000073F3F000-memory.dmp

Filesize
4KB

Download
memory/1488-31-0x0000000073F30000-0x000000007461E000-memory.dmp

Filesize
6.9MB

Download
memory/2796-17-0x0000000000400000-0x0000000000704000-memory.dmp

Filesize
3.0MB

Download
memory/2796-28-0x0000000000400000-0x0000000000704000-memory.dmp

Filesize
3.0MB

Download
memory/2796-32-0x0000000000400000-0x0000000000704000-memory.dmp

Filesize
3.0MB

Download
memory/2796-26-0x0000000000400000-0x0000000000704000-memory.dmp

Filesize
3.0MB

Download
memory/2796-25-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

Filesize
4KB

Download
memory/2796-23-0x0000000000400000-0x0000000000704000-memory.dmp

Filesize
3.0MB

Download
memory/2796-19-0x0000000000400000-0x0000000000704000-memory.dmp

Filesize
3.0MB

Download
memory/2796-21-0x0000000000400000-0x0000000000704000-memory.dmp

Filesize
3.0MB

Download

Analysis

Sharing