asyncrat | 8f03cdbacac14321711d751ac862231ccdb13522e07ff0f3a42e128ceba61f13

General

Target

trwesf.exe
Size

34KB
MD5

75d3088b3da605e4b01ef86a8e8376dc
SHA1

f487c38fda56c98488105ba03c88229c467dad43
SHA256

8f03cdbacac14321711d751ac862231ccdb13522e07ff0f3a42e128ceba61f13
SHA512

397816db0b9331b3bc660f29e80ec8549e51078e4f34ef4e452a8ef2376b99ff14eaad6331b026f23c6489b18511ed6c937570740e85dffbb8e5d178164d947e
SSDEEP

768:wbqI7VVQEi5oaWPFaq8EGrUDjKZxxvjYrKa/O56Ue4uaPHx:w28VWH5ojsKGgDjKZxxiKa25npbPHx

Score

10^/10

asyncrat stormkitty venomrat discovery rat stealer

Malware Config

Signatures

AsyncRat
AsyncRAT is designed to remotely monitor and control other computers written in C#.
rat asyncrat
Asyncrat family
asyncrat
StormKitty
StormKitty is an open source info stealer written in C#.
stealer stormkitty

StormKitty payload 1 IoCs

resource	yara_rule
behavioral2/memory/3644-17-0x0000000000400000-0x0000000000704000-memory.dmp	family_stormkitty

Stormkitty family
stormkitty

VenomRAT 1 IoCs

Detects VenomRAT.

rat

resource	yara_rule
behavioral2/memory/3644-17-0x0000000000400000-0x0000000000704000-memory.dmp	VenomRAT

Venomrat family
venomrat
Downloads MZ/PE file
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 2552 set thread context of 3644	2552	trwesf.exe	85

System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	RegAsm.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	trwesf.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	csc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cvtres.exe

Suspicious behavior: EnumeratesProcesses 3 IoCs

pid	Process
3644	RegAsm.exe
3644	RegAsm.exe
3644	RegAsm.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	2552	trwesf.exe
Token: SeDebugPrivilege	3644	RegAsm.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
3644	RegAsm.exe

Suspicious use of WriteProcessMemory 14 IoCs

description	pid	Process	procid_target
PID 2552 wrote to memory of 832	2552	trwesf.exe	82
PID 2552 wrote to memory of 832	2552	trwesf.exe	82
PID 2552 wrote to memory of 832	2552	trwesf.exe	82
PID 832 wrote to memory of 1752	832	csc.exe	84
PID 832 wrote to memory of 1752	832	csc.exe	84
PID 832 wrote to memory of 1752	832	csc.exe	84
PID 2552 wrote to memory of 3644	2552	trwesf.exe	85
PID 2552 wrote to memory of 3644	2552	trwesf.exe	85
PID 2552 wrote to memory of 3644	2552	trwesf.exe	85
PID 2552 wrote to memory of 3644	2552	trwesf.exe	85
PID 2552 wrote to memory of 3644	2552	trwesf.exe	85
PID 2552 wrote to memory of 3644	2552	trwesf.exe	85
PID 2552 wrote to memory of 3644	2552	trwesf.exe	85
PID 2552 wrote to memory of 3644	2552	trwesf.exe	85

C:\Users\Admin\AppData\Local\Temp\trwesf.exe
"C:\Users\Admin\AppData\Local\Temp\trwesf.exe"
1⤵
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2552
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe
  "C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\stpgnvgp\stpgnvgp.cmdline"
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:832
- - C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
    C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES7937.tmp" "c:\Users\Admin\AppData\Local\Temp\stpgnvgp\CSCAE63B2B36D744C598B98C817BC6F9C5.TMP"
    3⤵
    - System Location Discovery: System Language Discovery
    PID:1752
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
  "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of SetWindowsHookEx
  PID:3644

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

1

T1012

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\RES7937.tmp

Filesize
1KB

MD5
895856597af4a35b3354176f42bddaa0

SHA1
9e6bf04e1852aa48b05082a3e3bec1089f11f9bd

SHA256
d97b481a033c5d672ad2327967e4373d11f23bc9ee78dcc22af7d8bbd17fa1a4

SHA512
6b865d4a1e11a48acff031d543555f9ba92be16fff65eed69bcd1121a338d58f31ff07af46224e70bf9da099093d150adffa61da9361b5b4db9bf8c28036a3c0

Download Submit
C:\Users\Admin\AppData\Local\Temp\stpgnvgp\stpgnvgp.dll

Filesize
9KB

MD5
a66be05fb9678599ab4733c4aa52d151

SHA1
0ae9ea0f09abad8d40a24c6c64bf76bef6ea6b54

SHA256
19c0e6d97058af92fd02e59371624516e8c73be96920e13896c64f134bfd8255

SHA512
8c42e4073a1ebb962f10f787615521c1e4ba9c90b7c78b3f9613fb2da5ab235acdf99cf5342a15c17c45c67a5c4b5c674a17cbc4e9d97c7dda9bbef78c098b0a

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\stpgnvgp\CSCAE63B2B36D744C598B98C817BC6F9C5.TMP

Filesize
652B

MD5
d62fc544910327beefe99aa0268f8307

SHA1
c4cb04b91d33c2ad8fc0c4b4f66a60ab1ad6aac1

SHA256
12abab0dd38d8f13551710335b823cba4673d4abc9eba022bbee27a8cc440aa2

SHA512
c5f9c770077517e7479b13cbf8f5a98c0690c6adfec8d4eed1bb21eee984033950849290f00551474f1b603568b7846cba4a8f2256e35a77f6fa1f378dc48c08

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\stpgnvgp\stpgnvgp.0.cs

Filesize
10KB

MD5
f8284f43aa8e48242dff1cad24736fcd

SHA1
ba8c41bc6175185a0bdbf8778df92e66a7029c65

SHA256
e12c8c4a47176808b9117ec2aa27c2afaf4bdddcd2f60eea48696aa7daa747f6

SHA512
4e84606d99d853f915662ffc996ac426fe7f02e90009f58c25a07c86bc84120c7d26dd2bfee3efc78099af7e729a5a6d27c611147eb64f908a9b58caa0a6b69c

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\stpgnvgp\stpgnvgp.cmdline

Filesize
204B

MD5
350e05b92ae22d3b9059ac4a871f6303

SHA1
8e33510db69f026a4336493d66cb72b4336063dd

SHA256
49d91040d871dd6f77bdf479f660cc4c820f56cec9fed1a98ffcd69a03a5e25c

SHA512
061c46338e766dfdf5f16a5bc1cff64e88ecf26ea0c2be1cb0124561e2a22f8e48d6d66be3a3c712df2b2ff805fa897318ba307e2efc5911d9d8b3ac3759b062

Download Submit
memory/2552-19-0x0000000075260000-0x0000000075A10000-memory.dmp

Filesize
7.7MB

Download
memory/2552-1-0x0000000000DB0000-0x0000000000DBE000-memory.dmp

Filesize
56KB

Download
memory/2552-5-0x0000000075260000-0x0000000075A10000-memory.dmp

Filesize
7.7MB

Download
memory/2552-15-0x00000000018B0000-0x00000000018B8000-memory.dmp

Filesize
32KB

Download
memory/2552-0-0x000000007526E000-0x000000007526F000-memory.dmp

Filesize
4KB

Download
memory/3644-21-0x0000000005920000-0x0000000005EC4000-memory.dmp

Filesize
5.6MB

Download
memory/3644-28-0x0000000006320000-0x0000000006386000-memory.dmp

Filesize
408KB

Download
memory/3644-17-0x0000000000400000-0x0000000000704000-memory.dmp

Filesize
3.0MB

Download
memory/3644-22-0x0000000075260000-0x0000000075A10000-memory.dmp

Filesize
7.7MB

Download
memory/3644-23-0x0000000005720000-0x00000000057B2000-memory.dmp

Filesize
584KB

Download
memory/3644-24-0x00000000056C0000-0x00000000056CA000-memory.dmp

Filesize
40KB

Download
memory/3644-27-0x00000000067F0000-0x000000000688C000-memory.dmp

Filesize
624KB

Download
memory/3644-20-0x0000000075260000-0x0000000075A10000-memory.dmp

Filesize
7.7MB

Download
memory/3644-29-0x0000000075260000-0x0000000075A10000-memory.dmp

Filesize
7.7MB

Download
memory/3644-30-0x0000000006B90000-0x0000000006BB2000-memory.dmp

Filesize
136KB

Download
memory/3644-31-0x0000000006BC0000-0x0000000006F14000-memory.dmp

Filesize
3.3MB

Download
memory/3644-32-0x0000000075260000-0x0000000075A10000-memory.dmp

Filesize
7.7MB

Download
memory/3644-33-0x0000000075260000-0x0000000075A10000-memory.dmp

Filesize
7.7MB

Download
memory/3644-34-0x0000000075260000-0x0000000075A10000-memory.dmp

Filesize
7.7MB

Download

Analysis

Sharing