asyncrat | 8f03cdbacac14321711d751ac862231ccdb13522e07ff0f3a42e128ceba61f13

General

Target

trwesf.exe
Size

34KB
MD5

75d3088b3da605e4b01ef86a8e8376dc
SHA1

f487c38fda56c98488105ba03c88229c467dad43
SHA256

8f03cdbacac14321711d751ac862231ccdb13522e07ff0f3a42e128ceba61f13
SHA512

397816db0b9331b3bc660f29e80ec8549e51078e4f34ef4e452a8ef2376b99ff14eaad6331b026f23c6489b18511ed6c937570740e85dffbb8e5d178164d947e
SSDEEP

768:wbqI7VVQEi5oaWPFaq8EGrUDjKZxxvjYrKa/O56Ue4uaPHx:w28VWH5ojsKGgDjKZxxiKa25npbPHx

Score

10^/10

asyncrat stormkitty discovery rat stealer

Malware Config

Signatures

AsyncRat
AsyncRAT is designed to remotely monitor and control other computers written in C#.
rat asyncrat
Asyncrat family
asyncrat
StormKitty
StormKitty is an open source info stealer written in C#.
stealer stormkitty

StormKitty payload 1 IoCs

resource	yara_rule
behavioral2/memory/2052-17-0x0000000000400000-0x0000000000704000-memory.dmp	family_stormkitty

Stormkitty family
stormkitty
Downloads MZ/PE file
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 1100 set thread context of 2052	1100	trwesf.exe	87

System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cvtres.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	RegAsm.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	trwesf.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	csc.exe

Suspicious behavior: EnumeratesProcesses 5 IoCs

pid	Process
1100	trwesf.exe
1100	trwesf.exe
2052	RegAsm.exe
2052	RegAsm.exe
2052	RegAsm.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	1100	trwesf.exe
Token: SeDebugPrivilege	2052	RegAsm.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
2052	RegAsm.exe

Suspicious use of WriteProcessMemory 17 IoCs

description	pid	Process	procid_target
PID 1100 wrote to memory of 3796	1100	trwesf.exe	83
PID 1100 wrote to memory of 3796	1100	trwesf.exe	83
PID 1100 wrote to memory of 3796	1100	trwesf.exe	83
PID 3796 wrote to memory of 3636	3796	csc.exe	85
PID 3796 wrote to memory of 3636	3796	csc.exe	85
PID 3796 wrote to memory of 3636	3796	csc.exe	85
PID 1100 wrote to memory of 4688	1100	trwesf.exe	86
PID 1100 wrote to memory of 4688	1100	trwesf.exe	86
PID 1100 wrote to memory of 4688	1100	trwesf.exe	86
PID 1100 wrote to memory of 2052	1100	trwesf.exe	87
PID 1100 wrote to memory of 2052	1100	trwesf.exe	87
PID 1100 wrote to memory of 2052	1100	trwesf.exe	87
PID 1100 wrote to memory of 2052	1100	trwesf.exe	87
PID 1100 wrote to memory of 2052	1100	trwesf.exe	87
PID 1100 wrote to memory of 2052	1100	trwesf.exe	87
PID 1100 wrote to memory of 2052	1100	trwesf.exe	87
PID 1100 wrote to memory of 2052	1100	trwesf.exe	87

C:\Users\Admin\AppData\Local\Temp\trwesf.exe
"C:\Users\Admin\AppData\Local\Temp\trwesf.exe"
1⤵
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1100
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe
  "C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\ux4tcywl\ux4tcywl.cmdline"
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:3796
- - C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
    C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES80A9.tmp" "c:\Users\Admin\AppData\Local\Temp\ux4tcywl\CSC8A1C25A1B8A8486480FA257464319DA9.TMP"
    3⤵
    - System Location Discovery: System Language Discovery
    PID:3636
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
  "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
  2⤵
  PID:4688
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
  "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of SetWindowsHookEx
  PID:2052

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

1

T1012

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\RES80A9.tmp

Filesize
1KB

MD5
b1f0f0abcc8b5bd4c5945a7e8271b558

SHA1
f5ff93bf43f11932eadb0f2a616e2795f31d2435

SHA256
45f29c543c834749df63338d2617324790c35c69bb6fc027e61fe31cb0b9cfc8

SHA512
85a5b3d5e2b63f251b1e3fa4cb0ad909362c51c75e9b1c3d8c3e40d1d405139bf22662481df2869271f18cb0cf599de17aa9929acb4f700d41b0c3493521cfcd

Download Submit
C:\Users\Admin\AppData\Local\Temp\ux4tcywl\ux4tcywl.dll

Filesize
9KB

MD5
16fe702f27fd37d27e8f211c701e4a56

SHA1
7aac401bba4be77cfcc70a850817ceddb45ea81a

SHA256
b345b3356a7893a377e7876bca7839c95136affbce9ca977ddec9e67a36b942a

SHA512
acf2dea97eac70f3411c80eee16afb1f0aa60523a8219bafa5225a1c274d9d48f2cb65433114a8e047644d14bf37c5d1b9112df9879a07d1cca18b3b4f7733c1

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\ux4tcywl\CSC8A1C25A1B8A8486480FA257464319DA9.TMP

Filesize
652B

MD5
9925edbcf214b8ac9e7a167c7a8feabd

SHA1
a573ca4ff058df434a78ecadea70e995f9a724a2

SHA256
eca08f8b676514831a423d9c904961ccccf2511a43cb56c3b453411d9c718aa3

SHA512
74977d252458993270d35b28d6117e5394f42f97d2e2aed172d60a00d1e6514e99ec198a7cb0303d06db7ebd85082915ebbd1eab3419e7aeb2cbcc63dae4aa45

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\ux4tcywl\ux4tcywl.0.cs

Filesize
10KB

MD5
f8284f43aa8e48242dff1cad24736fcd

SHA1
ba8c41bc6175185a0bdbf8778df92e66a7029c65

SHA256
e12c8c4a47176808b9117ec2aa27c2afaf4bdddcd2f60eea48696aa7daa747f6

SHA512
4e84606d99d853f915662ffc996ac426fe7f02e90009f58c25a07c86bc84120c7d26dd2bfee3efc78099af7e729a5a6d27c611147eb64f908a9b58caa0a6b69c

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\ux4tcywl\ux4tcywl.cmdline

Filesize
204B

MD5
a53e40f8432e1d371436769d754ce867

SHA1
4ac46a9d3f3216c0da5688ab714b32c42f5be645

SHA256
c000209cef046e12e9f86fe2805f3ff773d504ceb8e4ddcd9014eb7cc98edc75

SHA512
0809270c4bec405b0727cb00982e8db0fc0bd17b9ed464d7089b4dca0b33213b22f84a2d4ff85c4b079a6e2c4c92cc0a68e8dd381cdd71f126304009042ab138

Download Submit
memory/1100-19-0x0000000074EE0000-0x0000000075690000-memory.dmp

Filesize
7.7MB

Download
memory/1100-0-0x0000000074EEE000-0x0000000074EEF000-memory.dmp

Filesize
4KB

Download
memory/1100-1-0x0000000000180000-0x000000000018E000-memory.dmp

Filesize
56KB

Download
memory/1100-15-0x0000000004A80000-0x0000000004A88000-memory.dmp

Filesize
32KB

Download
memory/1100-5-0x0000000074EE0000-0x0000000075690000-memory.dmp

Filesize
7.7MB

Download
memory/2052-23-0x00000000054C0000-0x0000000005552000-memory.dmp

Filesize
584KB

Download
memory/2052-20-0x0000000074EE0000-0x0000000075690000-memory.dmp

Filesize
7.7MB

Download
memory/2052-21-0x0000000005650000-0x0000000005BF4000-memory.dmp

Filesize
5.6MB

Download
memory/2052-22-0x0000000074EE0000-0x0000000075690000-memory.dmp

Filesize
7.7MB

Download
memory/2052-17-0x0000000000400000-0x0000000000704000-memory.dmp

Filesize
3.0MB

Download
memory/2052-24-0x0000000005420000-0x000000000542A000-memory.dmp

Filesize
40KB

Download
memory/2052-27-0x0000000006530000-0x00000000065CC000-memory.dmp

Filesize
624KB

Download
memory/2052-28-0x0000000006010000-0x0000000006076000-memory.dmp

Filesize
408KB

Download
memory/2052-29-0x00000000068F0000-0x0000000006912000-memory.dmp

Filesize
136KB

Download
memory/2052-30-0x0000000006920000-0x0000000006C74000-memory.dmp

Filesize
3.3MB

Download
memory/2052-31-0x0000000074EE0000-0x0000000075690000-memory.dmp

Filesize
7.7MB

Download
memory/2052-32-0x0000000074EE0000-0x0000000075690000-memory.dmp

Filesize
7.7MB

Download

Analysis

Sharing