asyncrat | 58101c2daabca323dfdbe94a745cb8749f2b728e7ea2798b85866833d2c461f6

General

Target

58101c2daabca323dfdbe94a745cb8749f2b728e7ea2798b85866833d2c461f6.exe
Size

35KB
MD5

431ce7e93e9313ebbda1699b82522527
SHA1

9875ec75df23533fed3579de34acc58918a348c1
SHA256

58101c2daabca323dfdbe94a745cb8749f2b728e7ea2798b85866833d2c461f6
SHA512

6bc78822500624376940c117daff722e7538e2e77c0c022a9e828231b07b84b9a60ed14ef16143e3bc358ddd7a2e28f3a6c436a4d50fa9fb84f47d540df3e29f
SSDEEP

768:eeBy5oxQY0QDvZtt+cty5ZpyZngfNO+M4aSScy:ew4oxZjz0NkgfNO+MGTy

Score

10^/10

asyncrat stormkitty venomrat discovery rat stealer

Malware Config

Signatures

AsyncRat
AsyncRAT is designed to remotely monitor and control other computers written in C#.
rat asyncrat
Asyncrat family
asyncrat
StormKitty
StormKitty is an open source info stealer written in C#.
stealer stormkitty

StormKitty payload 1 IoCs

resource	yara_rule
behavioral2/memory/3100-17-0x0000000000400000-0x0000000000704000-memory.dmp	family_stormkitty

Stormkitty family
stormkitty

VenomRAT 1 IoCs

Detects VenomRAT.

rat

resource	yara_rule
behavioral2/memory/3100-17-0x0000000000400000-0x0000000000704000-memory.dmp	VenomRAT

Venomrat family
venomrat
Downloads MZ/PE file

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 4396 set thread context of 3100	4396	58101c2daabca323dfdbe94a745cb8749f2b728e7ea2798b85866833d2c461f6.exe	86

System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	58101c2daabca323dfdbe94a745cb8749f2b728e7ea2798b85866833d2c461f6.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	csc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cvtres.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	RegAsm.exe

Suspicious behavior: EnumeratesProcesses 6 IoCs

pid	Process
3100	RegAsm.exe
3100	RegAsm.exe
3100	RegAsm.exe
3100	RegAsm.exe
3100	RegAsm.exe
3100	RegAsm.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	4396	58101c2daabca323dfdbe94a745cb8749f2b728e7ea2798b85866833d2c461f6.exe
Token: SeDebugPrivilege	3100	RegAsm.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
3100	RegAsm.exe

Suspicious use of WriteProcessMemory 14 IoCs

description	pid	Process	procid_target
PID 4396 wrote to memory of 2376	4396	58101c2daabca323dfdbe94a745cb8749f2b728e7ea2798b85866833d2c461f6.exe	83
PID 4396 wrote to memory of 2376	4396	58101c2daabca323dfdbe94a745cb8749f2b728e7ea2798b85866833d2c461f6.exe	83
PID 4396 wrote to memory of 2376	4396	58101c2daabca323dfdbe94a745cb8749f2b728e7ea2798b85866833d2c461f6.exe	83
PID 2376 wrote to memory of 4988	2376	csc.exe	85
PID 2376 wrote to memory of 4988	2376	csc.exe	85
PID 2376 wrote to memory of 4988	2376	csc.exe	85
PID 4396 wrote to memory of 3100	4396	58101c2daabca323dfdbe94a745cb8749f2b728e7ea2798b85866833d2c461f6.exe	86
PID 4396 wrote to memory of 3100	4396	58101c2daabca323dfdbe94a745cb8749f2b728e7ea2798b85866833d2c461f6.exe	86
PID 4396 wrote to memory of 3100	4396	58101c2daabca323dfdbe94a745cb8749f2b728e7ea2798b85866833d2c461f6.exe	86
PID 4396 wrote to memory of 3100	4396	58101c2daabca323dfdbe94a745cb8749f2b728e7ea2798b85866833d2c461f6.exe	86
PID 4396 wrote to memory of 3100	4396	58101c2daabca323dfdbe94a745cb8749f2b728e7ea2798b85866833d2c461f6.exe	86
PID 4396 wrote to memory of 3100	4396	58101c2daabca323dfdbe94a745cb8749f2b728e7ea2798b85866833d2c461f6.exe	86
PID 4396 wrote to memory of 3100	4396	58101c2daabca323dfdbe94a745cb8749f2b728e7ea2798b85866833d2c461f6.exe	86
PID 4396 wrote to memory of 3100	4396	58101c2daabca323dfdbe94a745cb8749f2b728e7ea2798b85866833d2c461f6.exe	86

C:\Users\Admin\AppData\Local\Temp\58101c2daabca323dfdbe94a745cb8749f2b728e7ea2798b85866833d2c461f6.exe
"C:\Users\Admin\AppData\Local\Temp\58101c2daabca323dfdbe94a745cb8749f2b728e7ea2798b85866833d2c461f6.exe"
1⤵
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4396
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe
  "C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\fsqmgrkf\fsqmgrkf.cmdline"
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2376
- - C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
    C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES902A.tmp" "c:\Users\Admin\AppData\Local\Temp\fsqmgrkf\CSC52B63FE3CED54744BD89347EDB597C4E.TMP"
    3⤵
    - System Location Discovery: System Language Discovery
    PID:4988
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
  "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of SetWindowsHookEx
  PID:3100

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\RES902A.tmp

Filesize
1KB

MD5
4b7092ae63afdb96519b5647291d985a

SHA1
ca721a6a9be85794dca109e9b4ae69a24334273c

SHA256
c339307675a81f4cfd7f6e820c008dc37ce14a3cf794479154700d479bab6f03

SHA512
202e6cc89a154b1ccc3b676a87cf75caa8b93014e8b2da15a455770c76fb8a7df098f6b8b88ed51a503539a8ba19cfd61404b8bba189123c96781acea8d07082

Download Submit
C:\Users\Admin\AppData\Local\Temp\fsqmgrkf\fsqmgrkf.dll

Filesize
9KB

MD5
6f11d8953e990d98a54ca9a1b5184e9f

SHA1
4f685af9b772e4d1f7816568eec41a8256fc1dc9

SHA256
c69d7c0ad7ed726e5a5b938d37963250d7d4a10f89ec1a19882b873c15d245a4

SHA512
bb0e4374700188c28632e648c67c5244d26131ccc88309b89218e289a389d3a9fa0c4f40a008538a1f8e9d6fab8886c82c1c27c260cd5ac289dd3522b6a0f704

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\fsqmgrkf\CSC52B63FE3CED54744BD89347EDB597C4E.TMP

Filesize
652B

MD5
72f4dcf55546f50883de87b3f74ed4e6

SHA1
1c6b8fa9145c6e97420075111e6e9d209bf54200

SHA256
9f18bd953d7a27cd43d697106df3bd656a1b664fbb4573cc4158c015a7764e9d

SHA512
6572d86fa31965999de3ab1bc83fb5d6c699993f07a4a2a71e7fa45218420cd2531509c1e7b6f98337c9ad765c43110015941cef8c252c6d01569fcc81ed3682

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\fsqmgrkf\fsqmgrkf.0.cs

Filesize
10KB

MD5
f9f6e35df4fa6c35bdf52625d3641105

SHA1
301af598f3f83581217561f3de8c74a3051a0dfd

SHA256
2e555b424b335bb9b7817c1d3ee815650549a90cdd22f4d8235460ecc0a12bbf

SHA512
461ceb488bece4ff2f86382d91b3adab1a02e2f5f3ce1ae222a842f859664c3b4c71b6e7dae986a824eab735e17e38dafd081e252354bdbaf8854ae9a6a72b28

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\fsqmgrkf\fsqmgrkf.cmdline

Filesize
204B

MD5
f9ba615e5c7163fa701fb3e0e41940ec

SHA1
806aac2a49c2a052abf44c6cb6bf01016f8c8cf0

SHA256
2b7c177ca7aecfc4acb75f983c05a3ef900ff3659488136e6166750199a91e4d

SHA512
784dd6ef215b1bdb5ff26ebeea64714d0080f095c755499faeec14f05991b328e710bb6af09370a2e08d201b95c0d4c895199cb8606d8358335267ad271e46d2

Download Submit
memory/3100-21-0x00000000055D0000-0x0000000005B74000-memory.dmp

Filesize
5.6MB

Download
memory/3100-17-0x0000000000400000-0x0000000000704000-memory.dmp

Filesize
3.0MB

Download
memory/3100-20-0x0000000074D50000-0x0000000075500000-memory.dmp

Filesize
7.7MB

Download
memory/3100-22-0x0000000074D50000-0x0000000075500000-memory.dmp

Filesize
7.7MB

Download
memory/3100-23-0x0000000005420000-0x00000000054B2000-memory.dmp

Filesize
584KB

Download
memory/3100-24-0x00000000050E0000-0x00000000050EA000-memory.dmp

Filesize
40KB

Download
memory/3100-25-0x0000000074D50000-0x0000000075500000-memory.dmp

Filesize
7.7MB

Download
memory/4396-5-0x0000000074D50000-0x0000000075500000-memory.dmp

Filesize
7.7MB

Download
memory/4396-1-0x00000000005D0000-0x00000000005E0000-memory.dmp

Filesize
64KB

Download
memory/4396-15-0x0000000002830000-0x0000000002838000-memory.dmp

Filesize
32KB

Download
memory/4396-19-0x0000000074D50000-0x0000000075500000-memory.dmp

Filesize
7.7MB

Download
memory/4396-0-0x0000000074D5E000-0x0000000074D5F000-memory.dmp

Filesize
4KB

Download

Analysis

Sharing