asyncrat | 58101c2daabca323dfdbe94a745cb8749f2b728e7ea2798b85866833d2c461f6

General

Target

58101c2daabca323dfdbe94a745cb8749f2b728e7ea2798b85866833d2c461f6.exe
Size

35KB
MD5

431ce7e93e9313ebbda1699b82522527
SHA1

9875ec75df23533fed3579de34acc58918a348c1
SHA256

58101c2daabca323dfdbe94a745cb8749f2b728e7ea2798b85866833d2c461f6
SHA512

6bc78822500624376940c117daff722e7538e2e77c0c022a9e828231b07b84b9a60ed14ef16143e3bc358ddd7a2e28f3a6c436a4d50fa9fb84f47d540df3e29f
SSDEEP

768:eeBy5oxQY0QDvZtt+cty5ZpyZngfNO+M4aSScy:ew4oxZjz0NkgfNO+MGTy

Score

10^/10

asyncrat stormkitty venomrat discovery rat stealer

Malware Config

Signatures

AsyncRat
AsyncRAT is designed to remotely monitor and control other computers written in C#.
rat asyncrat
Asyncrat family
asyncrat
StormKitty
StormKitty is an open source info stealer written in C#.
stealer stormkitty

StormKitty payload 5 IoCs

resource	yara_rule
behavioral1/memory/2712-28-0x0000000000400000-0x0000000000704000-memory.dmp	family_stormkitty
behavioral1/memory/2712-26-0x0000000000400000-0x0000000000704000-memory.dmp	family_stormkitty
behavioral1/memory/2712-24-0x0000000000400000-0x0000000000704000-memory.dmp	family_stormkitty
behavioral1/memory/2712-21-0x0000000000400000-0x0000000000704000-memory.dmp	family_stormkitty
behavioral1/memory/2712-22-0x0000000000400000-0x0000000000704000-memory.dmp	family_stormkitty

Stormkitty family
stormkitty

VenomRAT 5 IoCs

Detects VenomRAT.

rat

resource	yara_rule
behavioral1/memory/2712-28-0x0000000000400000-0x0000000000704000-memory.dmp	VenomRAT
behavioral1/memory/2712-26-0x0000000000400000-0x0000000000704000-memory.dmp	VenomRAT
behavioral1/memory/2712-24-0x0000000000400000-0x0000000000704000-memory.dmp	VenomRAT
behavioral1/memory/2712-21-0x0000000000400000-0x0000000000704000-memory.dmp	VenomRAT
behavioral1/memory/2712-22-0x0000000000400000-0x0000000000704000-memory.dmp	VenomRAT

Venomrat family
venomrat
Downloads MZ/PE file

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 1992 set thread context of 2712	1992	58101c2daabca323dfdbe94a745cb8749f2b728e7ea2798b85866833d2c461f6.exe	33

System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	RegAsm.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	58101c2daabca323dfdbe94a745cb8749f2b728e7ea2798b85866833d2c461f6.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	csc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cvtres.exe

Suspicious behavior: EnumeratesProcesses 6 IoCs

pid	Process
2712	RegAsm.exe
2712	RegAsm.exe
2712	RegAsm.exe
2712	RegAsm.exe
2712	RegAsm.exe
2712	RegAsm.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	1992	58101c2daabca323dfdbe94a745cb8749f2b728e7ea2798b85866833d2c461f6.exe
Token: SeDebugPrivilege	2712	RegAsm.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
2712	RegAsm.exe

Suspicious use of WriteProcessMemory 20 IoCs

description	pid	Process	procid_target
PID 1992 wrote to memory of 1784	1992	58101c2daabca323dfdbe94a745cb8749f2b728e7ea2798b85866833d2c461f6.exe	30
PID 1992 wrote to memory of 1784	1992	58101c2daabca323dfdbe94a745cb8749f2b728e7ea2798b85866833d2c461f6.exe	30
PID 1992 wrote to memory of 1784	1992	58101c2daabca323dfdbe94a745cb8749f2b728e7ea2798b85866833d2c461f6.exe	30
PID 1992 wrote to memory of 1784	1992	58101c2daabca323dfdbe94a745cb8749f2b728e7ea2798b85866833d2c461f6.exe	30
PID 1784 wrote to memory of 2388	1784	csc.exe	32
PID 1784 wrote to memory of 2388	1784	csc.exe	32
PID 1784 wrote to memory of 2388	1784	csc.exe	32
PID 1784 wrote to memory of 2388	1784	csc.exe	32
PID 1992 wrote to memory of 2712	1992	58101c2daabca323dfdbe94a745cb8749f2b728e7ea2798b85866833d2c461f6.exe	33
PID 1992 wrote to memory of 2712	1992	58101c2daabca323dfdbe94a745cb8749f2b728e7ea2798b85866833d2c461f6.exe	33
PID 1992 wrote to memory of 2712	1992	58101c2daabca323dfdbe94a745cb8749f2b728e7ea2798b85866833d2c461f6.exe	33
PID 1992 wrote to memory of 2712	1992	58101c2daabca323dfdbe94a745cb8749f2b728e7ea2798b85866833d2c461f6.exe	33
PID 1992 wrote to memory of 2712	1992	58101c2daabca323dfdbe94a745cb8749f2b728e7ea2798b85866833d2c461f6.exe	33
PID 1992 wrote to memory of 2712	1992	58101c2daabca323dfdbe94a745cb8749f2b728e7ea2798b85866833d2c461f6.exe	33
PID 1992 wrote to memory of 2712	1992	58101c2daabca323dfdbe94a745cb8749f2b728e7ea2798b85866833d2c461f6.exe	33
PID 1992 wrote to memory of 2712	1992	58101c2daabca323dfdbe94a745cb8749f2b728e7ea2798b85866833d2c461f6.exe	33
PID 1992 wrote to memory of 2712	1992	58101c2daabca323dfdbe94a745cb8749f2b728e7ea2798b85866833d2c461f6.exe	33
PID 1992 wrote to memory of 2712	1992	58101c2daabca323dfdbe94a745cb8749f2b728e7ea2798b85866833d2c461f6.exe	33
PID 1992 wrote to memory of 2712	1992	58101c2daabca323dfdbe94a745cb8749f2b728e7ea2798b85866833d2c461f6.exe	33
PID 1992 wrote to memory of 2712	1992	58101c2daabca323dfdbe94a745cb8749f2b728e7ea2798b85866833d2c461f6.exe	33

C:\Users\Admin\AppData\Local\Temp\58101c2daabca323dfdbe94a745cb8749f2b728e7ea2798b85866833d2c461f6.exe
"C:\Users\Admin\AppData\Local\Temp\58101c2daabca323dfdbe94a745cb8749f2b728e7ea2798b85866833d2c461f6.exe"
1⤵
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1992
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe
  "C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\5sy4lrmm\5sy4lrmm.cmdline"
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:1784
- - C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
    C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESA61F.tmp" "c:\Users\Admin\AppData\Local\Temp\5sy4lrmm\CSCACE74B7843864C7DB648F451658B4829.TMP"
    3⤵
    - System Location Discovery: System Language Discovery
    PID:2388
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
  "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of SetWindowsHookEx
  PID:2712

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\5sy4lrmm\5sy4lrmm.dll

Filesize
9KB

MD5
0964e5f3dcc34e720526b2a0ef09429c

SHA1
2b02e4347032c64d866486a90e2ee553b44f4824

SHA256
0afbc5a42cac765e0f66ecb46c29dd55a214737c559d6ef4860344d9ce0fcd5b

SHA512
ffc78253d4eca30da35126eca76dcd50d91cc5829e50305839ca04f79fc033e28c20c6e3a1e8c6356b91c118f133e9a8f188eef08edd6b577c16bb1b944923c6

Download Submit
C:\Users\Admin\AppData\Local\Temp\RESA61F.tmp

Filesize
1KB

MD5
9d71acd8179585dbad9b2e4dbecf9754

SHA1
ea839646d4ada0276ced3e5421d7fb6a14727795

SHA256
13bd77428a2fce7d591a33de28261c5962e16d14f34fb76405c9ead7e2b89ed6

SHA512
e4eeca770f5f367a9a2cc10ba3006aa2c78a56475c21fd550ad69557390b824c85e9a06bd715fec9991af8a48fe3ebe8d2cc6147fdfe8769c747fc6fa24cc581

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\5sy4lrmm\5sy4lrmm.0.cs

Filesize
10KB

MD5
f9f6e35df4fa6c35bdf52625d3641105

SHA1
301af598f3f83581217561f3de8c74a3051a0dfd

SHA256
2e555b424b335bb9b7817c1d3ee815650549a90cdd22f4d8235460ecc0a12bbf

SHA512
461ceb488bece4ff2f86382d91b3adab1a02e2f5f3ce1ae222a842f859664c3b4c71b6e7dae986a824eab735e17e38dafd081e252354bdbaf8854ae9a6a72b28

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\5sy4lrmm\5sy4lrmm.cmdline

Filesize
204B

MD5
dfef11f389c3933956541940b895621a

SHA1
95512388504212de0f4738eaf03e49b9f1ebfb85

SHA256
33ada0a40ef83dc4da109505d3b2c39648259833c6c82331bf7dc74a8880dad9

SHA512
8ee1bd2f43f13594610d2c799ec94d3d19ba5ada50c2cba40ad29f793da68d9cf1cf653de4d5089c7dad3299b4bbbaa81ebcf3fded8c245f4130c94c7ed6f231

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\5sy4lrmm\CSCACE74B7843864C7DB648F451658B4829.TMP

Filesize
652B

MD5
8c738b21fad7e2e27b78c0e8b86f11d3

SHA1
b56f5a54b723251fb5767372def87845848ae1df

SHA256
aab2e6cb9889e76897015caf11edcc4773708fdffaaefcc8d4bb0e131de8d40b

SHA512
57b6183e32a753f05ef08d597fc09fb1d86848b2044b6cd964ee904ac91224e0de676c0b60c8261055f0765692add1a4243cd7395d5deaaddedaf23031028be2

Download Submit
memory/1992-15-0x00000000004D0000-0x00000000004D8000-memory.dmp

Filesize
32KB

Download
memory/1992-5-0x0000000074050000-0x000000007473E000-memory.dmp

Filesize
6.9MB

Download
memory/1992-1-0x0000000000D30000-0x0000000000D40000-memory.dmp

Filesize
64KB

Download
memory/1992-0-0x000000007405E000-0x000000007405F000-memory.dmp

Filesize
4KB

Download
memory/1992-29-0x0000000074050000-0x000000007473E000-memory.dmp

Filesize
6.9MB

Download
memory/2712-17-0x0000000000400000-0x0000000000704000-memory.dmp

Filesize
3.0MB

Download
memory/2712-28-0x0000000000400000-0x0000000000704000-memory.dmp

Filesize
3.0MB

Download
memory/2712-26-0x0000000000400000-0x0000000000704000-memory.dmp

Filesize
3.0MB

Download
memory/2712-24-0x0000000000400000-0x0000000000704000-memory.dmp

Filesize
3.0MB

Download
memory/2712-23-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

Filesize
4KB

Download
memory/2712-21-0x0000000000400000-0x0000000000704000-memory.dmp

Filesize
3.0MB

Download
memory/2712-19-0x0000000000400000-0x0000000000704000-memory.dmp

Filesize
3.0MB

Download
memory/2712-22-0x0000000000400000-0x0000000000704000-memory.dmp

Filesize
3.0MB

Download

Analysis

Sharing