asyncrat | fb7b07bca2b99765cef91c503b85c68dd8d9ef306ade03882dbb67643be72b04

Analysis

max time kernel
116s
max time network
118s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
09-01-2025 04:43

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

fb7b07bca2b99765cef91c503b85c68dd8d9ef306ade03882dbb67643be72b04N.exe
Size

35KB
MD5

83f2a3d7087d8db71d9aec9dc64c5d30
SHA1

41980bc821013bb198358dd2362380027967b6f9
SHA256

fb7b07bca2b99765cef91c503b85c68dd8d9ef306ade03882dbb67643be72b04
SHA512

6a9c3883d487d8c09c84e4920e4a1f828c58afa521a7477010b3a7780817d3fc1e7f18ac526a212a536d673d5a60f841f75d30f9a776303bdebf5b191ec19a81
SSDEEP

768:eeBy5oxQY0QDvZtt+cty5ZpyZngfNO+M4aSSc:ew4oxZjz0NkgfNO+MGT

Score

10^/10

asyncrat stormkitty venomrat discovery rat stealer

Malware Config

Signatures

AsyncRat
AsyncRAT is designed to remotely monitor and control other computers written in C#.
rat asyncrat
Asyncrat family
asyncrat
StormKitty
StormKitty is an open source info stealer written in C#.
stealer stormkitty

StormKitty payload 5 IoCs

resource	yara_rule
behavioral1/memory/2136-22-0x0000000000400000-0x0000000000704000-memory.dmp	family_stormkitty
behavioral1/memory/2136-24-0x0000000000400000-0x0000000000704000-memory.dmp	family_stormkitty
behavioral1/memory/2136-20-0x0000000000400000-0x0000000000704000-memory.dmp	family_stormkitty
behavioral1/memory/2136-19-0x0000000000400000-0x0000000000704000-memory.dmp	family_stormkitty
behavioral1/memory/2136-26-0x0000000000400000-0x0000000000704000-memory.dmp	family_stormkitty

Stormkitty family
stormkitty

VenomRAT 5 IoCs

Detects VenomRAT.

rat

resource	yara_rule
behavioral1/memory/2136-22-0x0000000000400000-0x0000000000704000-memory.dmp	VenomRAT
behavioral1/memory/2136-24-0x0000000000400000-0x0000000000704000-memory.dmp	VenomRAT
behavioral1/memory/2136-20-0x0000000000400000-0x0000000000704000-memory.dmp	VenomRAT
behavioral1/memory/2136-19-0x0000000000400000-0x0000000000704000-memory.dmp	VenomRAT
behavioral1/memory/2136-26-0x0000000000400000-0x0000000000704000-memory.dmp	VenomRAT

Venomrat family
venomrat
Downloads MZ/PE file

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 808 set thread context of 2136	808	fb7b07bca2b99765cef91c503b85c68dd8d9ef306ade03882dbb67643be72b04N.exe	37

System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	csc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cvtres.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	RegAsm.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	fb7b07bca2b99765cef91c503b85c68dd8d9ef306ade03882dbb67643be72b04N.exe

Suspicious behavior: EnumeratesProcesses 34 IoCs

pid	Process
808	fb7b07bca2b99765cef91c503b85c68dd8d9ef306ade03882dbb67643be72b04N.exe
808	fb7b07bca2b99765cef91c503b85c68dd8d9ef306ade03882dbb67643be72b04N.exe
808	fb7b07bca2b99765cef91c503b85c68dd8d9ef306ade03882dbb67643be72b04N.exe
808	fb7b07bca2b99765cef91c503b85c68dd8d9ef306ade03882dbb67643be72b04N.exe
808	fb7b07bca2b99765cef91c503b85c68dd8d9ef306ade03882dbb67643be72b04N.exe
808	fb7b07bca2b99765cef91c503b85c68dd8d9ef306ade03882dbb67643be72b04N.exe
808	fb7b07bca2b99765cef91c503b85c68dd8d9ef306ade03882dbb67643be72b04N.exe
808	fb7b07bca2b99765cef91c503b85c68dd8d9ef306ade03882dbb67643be72b04N.exe
2136	RegAsm.exe
2136	RegAsm.exe
2136	RegAsm.exe
2136	RegAsm.exe
2136	RegAsm.exe
2136	RegAsm.exe
2136	RegAsm.exe
2136	RegAsm.exe
2136	RegAsm.exe
2136	RegAsm.exe
2136	RegAsm.exe
2136	RegAsm.exe
2136	RegAsm.exe
2136	RegAsm.exe
2136	RegAsm.exe
2136	RegAsm.exe
2136	RegAsm.exe
2136	RegAsm.exe
2136	RegAsm.exe
2136	RegAsm.exe
2136	RegAsm.exe
2136	RegAsm.exe
2136	RegAsm.exe
2136	RegAsm.exe
2136	RegAsm.exe
2136	RegAsm.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	808	fb7b07bca2b99765cef91c503b85c68dd8d9ef306ade03882dbb67643be72b04N.exe
Token: SeDebugPrivilege	2136	RegAsm.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
2136	RegAsm.exe

Suspicious use of WriteProcessMemory 48 IoCs

description	pid	Process	procid_target
PID 808 wrote to memory of 2080	808	fb7b07bca2b99765cef91c503b85c68dd8d9ef306ade03882dbb67643be72b04N.exe	30
PID 808 wrote to memory of 2080	808	fb7b07bca2b99765cef91c503b85c68dd8d9ef306ade03882dbb67643be72b04N.exe	30
PID 808 wrote to memory of 2080	808	fb7b07bca2b99765cef91c503b85c68dd8d9ef306ade03882dbb67643be72b04N.exe	30
PID 808 wrote to memory of 2080	808	fb7b07bca2b99765cef91c503b85c68dd8d9ef306ade03882dbb67643be72b04N.exe	30
PID 2080 wrote to memory of 2180	2080	csc.exe	32
PID 2080 wrote to memory of 2180	2080	csc.exe	32
PID 2080 wrote to memory of 2180	2080	csc.exe	32
PID 2080 wrote to memory of 2180	2080	csc.exe	32
PID 808 wrote to memory of 2676	808	fb7b07bca2b99765cef91c503b85c68dd8d9ef306ade03882dbb67643be72b04N.exe	33
PID 808 wrote to memory of 2676	808	fb7b07bca2b99765cef91c503b85c68dd8d9ef306ade03882dbb67643be72b04N.exe	33
PID 808 wrote to memory of 2676	808	fb7b07bca2b99765cef91c503b85c68dd8d9ef306ade03882dbb67643be72b04N.exe	33
PID 808 wrote to memory of 2676	808	fb7b07bca2b99765cef91c503b85c68dd8d9ef306ade03882dbb67643be72b04N.exe	33
PID 808 wrote to memory of 2676	808	fb7b07bca2b99765cef91c503b85c68dd8d9ef306ade03882dbb67643be72b04N.exe	33
PID 808 wrote to memory of 2676	808	fb7b07bca2b99765cef91c503b85c68dd8d9ef306ade03882dbb67643be72b04N.exe	33
PID 808 wrote to memory of 2676	808	fb7b07bca2b99765cef91c503b85c68dd8d9ef306ade03882dbb67643be72b04N.exe	33
PID 808 wrote to memory of 2336	808	fb7b07bca2b99765cef91c503b85c68dd8d9ef306ade03882dbb67643be72b04N.exe	34
PID 808 wrote to memory of 2336	808	fb7b07bca2b99765cef91c503b85c68dd8d9ef306ade03882dbb67643be72b04N.exe	34
PID 808 wrote to memory of 2336	808	fb7b07bca2b99765cef91c503b85c68dd8d9ef306ade03882dbb67643be72b04N.exe	34
PID 808 wrote to memory of 2336	808	fb7b07bca2b99765cef91c503b85c68dd8d9ef306ade03882dbb67643be72b04N.exe	34
PID 808 wrote to memory of 2336	808	fb7b07bca2b99765cef91c503b85c68dd8d9ef306ade03882dbb67643be72b04N.exe	34
PID 808 wrote to memory of 2336	808	fb7b07bca2b99765cef91c503b85c68dd8d9ef306ade03882dbb67643be72b04N.exe	34
PID 808 wrote to memory of 2336	808	fb7b07bca2b99765cef91c503b85c68dd8d9ef306ade03882dbb67643be72b04N.exe	34
PID 808 wrote to memory of 2044	808	fb7b07bca2b99765cef91c503b85c68dd8d9ef306ade03882dbb67643be72b04N.exe	35
PID 808 wrote to memory of 2044	808	fb7b07bca2b99765cef91c503b85c68dd8d9ef306ade03882dbb67643be72b04N.exe	35
PID 808 wrote to memory of 2044	808	fb7b07bca2b99765cef91c503b85c68dd8d9ef306ade03882dbb67643be72b04N.exe	35
PID 808 wrote to memory of 2044	808	fb7b07bca2b99765cef91c503b85c68dd8d9ef306ade03882dbb67643be72b04N.exe	35
PID 808 wrote to memory of 2044	808	fb7b07bca2b99765cef91c503b85c68dd8d9ef306ade03882dbb67643be72b04N.exe	35
PID 808 wrote to memory of 2044	808	fb7b07bca2b99765cef91c503b85c68dd8d9ef306ade03882dbb67643be72b04N.exe	35
PID 808 wrote to memory of 2044	808	fb7b07bca2b99765cef91c503b85c68dd8d9ef306ade03882dbb67643be72b04N.exe	35
PID 808 wrote to memory of 1368	808	fb7b07bca2b99765cef91c503b85c68dd8d9ef306ade03882dbb67643be72b04N.exe	36
PID 808 wrote to memory of 1368	808	fb7b07bca2b99765cef91c503b85c68dd8d9ef306ade03882dbb67643be72b04N.exe	36
PID 808 wrote to memory of 1368	808	fb7b07bca2b99765cef91c503b85c68dd8d9ef306ade03882dbb67643be72b04N.exe	36
PID 808 wrote to memory of 1368	808	fb7b07bca2b99765cef91c503b85c68dd8d9ef306ade03882dbb67643be72b04N.exe	36
PID 808 wrote to memory of 1368	808	fb7b07bca2b99765cef91c503b85c68dd8d9ef306ade03882dbb67643be72b04N.exe	36
PID 808 wrote to memory of 1368	808	fb7b07bca2b99765cef91c503b85c68dd8d9ef306ade03882dbb67643be72b04N.exe	36
PID 808 wrote to memory of 1368	808	fb7b07bca2b99765cef91c503b85c68dd8d9ef306ade03882dbb67643be72b04N.exe	36
PID 808 wrote to memory of 2136	808	fb7b07bca2b99765cef91c503b85c68dd8d9ef306ade03882dbb67643be72b04N.exe	37
PID 808 wrote to memory of 2136	808	fb7b07bca2b99765cef91c503b85c68dd8d9ef306ade03882dbb67643be72b04N.exe	37
PID 808 wrote to memory of 2136	808	fb7b07bca2b99765cef91c503b85c68dd8d9ef306ade03882dbb67643be72b04N.exe	37
PID 808 wrote to memory of 2136	808	fb7b07bca2b99765cef91c503b85c68dd8d9ef306ade03882dbb67643be72b04N.exe	37
PID 808 wrote to memory of 2136	808	fb7b07bca2b99765cef91c503b85c68dd8d9ef306ade03882dbb67643be72b04N.exe	37
PID 808 wrote to memory of 2136	808	fb7b07bca2b99765cef91c503b85c68dd8d9ef306ade03882dbb67643be72b04N.exe	37
PID 808 wrote to memory of 2136	808	fb7b07bca2b99765cef91c503b85c68dd8d9ef306ade03882dbb67643be72b04N.exe	37
PID 808 wrote to memory of 2136	808	fb7b07bca2b99765cef91c503b85c68dd8d9ef306ade03882dbb67643be72b04N.exe	37
PID 808 wrote to memory of 2136	808	fb7b07bca2b99765cef91c503b85c68dd8d9ef306ade03882dbb67643be72b04N.exe	37
PID 808 wrote to memory of 2136	808	fb7b07bca2b99765cef91c503b85c68dd8d9ef306ade03882dbb67643be72b04N.exe	37
PID 808 wrote to memory of 2136	808	fb7b07bca2b99765cef91c503b85c68dd8d9ef306ade03882dbb67643be72b04N.exe	37
PID 808 wrote to memory of 2136	808	fb7b07bca2b99765cef91c503b85c68dd8d9ef306ade03882dbb67643be72b04N.exe	37

C:\Users\Admin\AppData\Local\Temp\fb7b07bca2b99765cef91c503b85c68dd8d9ef306ade03882dbb67643be72b04N.exe
"C:\Users\Admin\AppData\Local\Temp\fb7b07bca2b99765cef91c503b85c68dd8d9ef306ade03882dbb67643be72b04N.exe"
1⤵
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:808
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe
  "C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\0a0ynb2b\0a0ynb2b.cmdline"
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2080
- - C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
    C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESB635.tmp" "c:\Users\Admin\AppData\Local\Temp\0a0ynb2b\CSCBB2B258A50294DDABFB90C811CFBE7.TMP"
    3⤵
    - System Location Discovery: System Language Discovery
    PID:2180
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
  "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
  2⤵
  PID:2676
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
  "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
  2⤵
  PID:2336
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
  "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
  2⤵
  PID:2044
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
  "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
  2⤵
  PID:1368
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
  "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of SetWindowsHookEx
  PID:2136

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\0a0ynb2b\0a0ynb2b.dll

Filesize
9KB

MD5
cf9b84eebdcc5b9116703bf727dc1abc

SHA1
c3f333c5dce42f7ed6bdc17e1f92ca682adcb8f3

SHA256
2da07a9e902df6cfd240f8d23fa09752227a9e44cf243370f5613e2be5b53526

SHA512
df9f80a5b379d995925075f875c2bee5db6a10e70c197c3b6b6cb89a91d205031ca0390394d8ccec589d54a697d7eed2e84c0b011f8249aebf625e273ee7ee28

Download Submit
C:\Users\Admin\AppData\Local\Temp\RESB635.tmp

Filesize
1KB

MD5
0d39c8be95dc8c2fa620dfe820066a94

SHA1
7efe407b5854d895fdd7d918d4ab10a21cf50c17

SHA256
e134fbd3b74fe756774bde083d99331ab3a429b2fe883d9d698001cc1a4ac020

SHA512
8a7bb8d0f408fe76689dee462dc1a496b6edbc0580b1cab3aa67d87c15f5c112ae215d7fe39264874d3017c3398f6e48020a1009716aafcf6fb4cf620950a0ea

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\0a0ynb2b\0a0ynb2b.0.cs

Filesize
10KB

MD5
f9f6e35df4fa6c35bdf52625d3641105

SHA1
301af598f3f83581217561f3de8c74a3051a0dfd

SHA256
2e555b424b335bb9b7817c1d3ee815650549a90cdd22f4d8235460ecc0a12bbf

SHA512
461ceb488bece4ff2f86382d91b3adab1a02e2f5f3ce1ae222a842f859664c3b4c71b6e7dae986a824eab735e17e38dafd081e252354bdbaf8854ae9a6a72b28

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\0a0ynb2b\0a0ynb2b.cmdline

Filesize
204B

MD5
86cc397e3b7489f131d94af26def6215

SHA1
aefd29fd654848b7be7094582a28b62693528407

SHA256
308d6e8983ead7bd848a8676a402b70a41c91db5f7051a9c63777ab99b744412

SHA512
54e85da63c853b1cb6eac82313fbc0b38700c7e00d61232dc19f8317f09721fccd3c2e97391069ac812a4c77637f663b7e9b7f4d1e9f2c062e5ea511bdce6eb7

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\0a0ynb2b\CSCBB2B258A50294DDABFB90C811CFBE7.TMP

Filesize
652B

MD5
85d1cf1a6ff74a6b650ddd3e2f3fe0be

SHA1
13bd30683f81a44982c420f538169ef6f87e430d

SHA256
fba2e4c6233c4a55139079ba555c7522f8d97565a4887ce78f611e591a1c01d0

SHA512
b5377d6e6b66f086788d98786c9f0ff2f06a9b803e0ef7d37727541f406f0484eb4e089a5bfaa21919bba8970655762bd8c8a69a6c3f5b83ac9d0a41baf21300

Download Submit
memory/808-15-0x0000000000240000-0x0000000000248000-memory.dmp

Filesize
32KB

Download
memory/808-5-0x00000000747A0000-0x0000000074E8E000-memory.dmp

Filesize
6.9MB

Download
memory/808-1-0x0000000000A00000-0x0000000000A10000-memory.dmp

Filesize
64KB

Download
memory/808-0-0x00000000747AE000-0x00000000747AF000-memory.dmp

Filesize
4KB

Download
memory/808-27-0x00000000747A0000-0x0000000074E8E000-memory.dmp

Filesize
6.9MB

Download
memory/2136-17-0x0000000000400000-0x0000000000704000-memory.dmp

Filesize
3.0MB

Download
memory/2136-18-0x0000000000400000-0x0000000000704000-memory.dmp

Filesize
3.0MB

Download
memory/2136-22-0x0000000000400000-0x0000000000704000-memory.dmp

Filesize
3.0MB

Download
memory/2136-24-0x0000000000400000-0x0000000000704000-memory.dmp

Filesize
3.0MB

Download
memory/2136-21-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

Filesize
4KB

Download
memory/2136-20-0x0000000000400000-0x0000000000704000-memory.dmp

Filesize
3.0MB

Download
memory/2136-19-0x0000000000400000-0x0000000000704000-memory.dmp

Filesize
3.0MB

Download
memory/2136-26-0x0000000000400000-0x0000000000704000-memory.dmp

Filesize
3.0MB

Download