asyncrat | fb7b07bca2b99765cef91c503b85c68dd8d9ef306ade03882dbb67643be72b04

General

Target

fb7b07bca2b99765cef91c503b85c68dd8d9ef306ade03882dbb67643be72b04N.exe
Size

35KB
MD5

83f2a3d7087d8db71d9aec9dc64c5d30
SHA1

41980bc821013bb198358dd2362380027967b6f9
SHA256

fb7b07bca2b99765cef91c503b85c68dd8d9ef306ade03882dbb67643be72b04
SHA512

6a9c3883d487d8c09c84e4920e4a1f828c58afa521a7477010b3a7780817d3fc1e7f18ac526a212a536d673d5a60f841f75d30f9a776303bdebf5b191ec19a81
SSDEEP

768:eeBy5oxQY0QDvZtt+cty5ZpyZngfNO+M4aSSc:ew4oxZjz0NkgfNO+MGT

Score

10^/10

asyncrat stormkitty venomrat discovery rat stealer

Malware Config

Signatures

AsyncRat
AsyncRAT is designed to remotely monitor and control other computers written in C#.
rat asyncrat
Asyncrat family
asyncrat
StormKitty
StormKitty is an open source info stealer written in C#.
stealer stormkitty

StormKitty payload 1 IoCs

resource	yara_rule
behavioral2/memory/2156-17-0x0000000000400000-0x0000000000704000-memory.dmp	family_stormkitty

Stormkitty family
stormkitty

VenomRAT 1 IoCs

Detects VenomRAT.

rat

resource	yara_rule
behavioral2/memory/2156-17-0x0000000000400000-0x0000000000704000-memory.dmp	VenomRAT

Venomrat family
venomrat
Downloads MZ/PE file

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 4948 set thread context of 2156	4948	fb7b07bca2b99765cef91c503b85c68dd8d9ef306ade03882dbb67643be72b04N.exe	87

System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cvtres.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	RegAsm.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	fb7b07bca2b99765cef91c503b85c68dd8d9ef306ade03882dbb67643be72b04N.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	csc.exe

Suspicious behavior: EnumeratesProcesses 24 IoCs

pid	Process
4948	fb7b07bca2b99765cef91c503b85c68dd8d9ef306ade03882dbb67643be72b04N.exe
4948	fb7b07bca2b99765cef91c503b85c68dd8d9ef306ade03882dbb67643be72b04N.exe
2156	RegAsm.exe
2156	RegAsm.exe
2156	RegAsm.exe
2156	RegAsm.exe
2156	RegAsm.exe
2156	RegAsm.exe
2156	RegAsm.exe
2156	RegAsm.exe
2156	RegAsm.exe
2156	RegAsm.exe
2156	RegAsm.exe
2156	RegAsm.exe
2156	RegAsm.exe
2156	RegAsm.exe
2156	RegAsm.exe
2156	RegAsm.exe
2156	RegAsm.exe
2156	RegAsm.exe
2156	RegAsm.exe
2156	RegAsm.exe
2156	RegAsm.exe
2156	RegAsm.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	4948	fb7b07bca2b99765cef91c503b85c68dd8d9ef306ade03882dbb67643be72b04N.exe
Token: SeDebugPrivilege	2156	RegAsm.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
2156	RegAsm.exe

Suspicious use of WriteProcessMemory 17 IoCs

description	pid	Process	procid_target
PID 4948 wrote to memory of 2848	4948	fb7b07bca2b99765cef91c503b85c68dd8d9ef306ade03882dbb67643be72b04N.exe	83
PID 4948 wrote to memory of 2848	4948	fb7b07bca2b99765cef91c503b85c68dd8d9ef306ade03882dbb67643be72b04N.exe	83
PID 4948 wrote to memory of 2848	4948	fb7b07bca2b99765cef91c503b85c68dd8d9ef306ade03882dbb67643be72b04N.exe	83
PID 2848 wrote to memory of 3460	2848	csc.exe	85
PID 2848 wrote to memory of 3460	2848	csc.exe	85
PID 2848 wrote to memory of 3460	2848	csc.exe	85
PID 4948 wrote to memory of 3924	4948	fb7b07bca2b99765cef91c503b85c68dd8d9ef306ade03882dbb67643be72b04N.exe	86
PID 4948 wrote to memory of 3924	4948	fb7b07bca2b99765cef91c503b85c68dd8d9ef306ade03882dbb67643be72b04N.exe	86
PID 4948 wrote to memory of 3924	4948	fb7b07bca2b99765cef91c503b85c68dd8d9ef306ade03882dbb67643be72b04N.exe	86
PID 4948 wrote to memory of 2156	4948	fb7b07bca2b99765cef91c503b85c68dd8d9ef306ade03882dbb67643be72b04N.exe	87
PID 4948 wrote to memory of 2156	4948	fb7b07bca2b99765cef91c503b85c68dd8d9ef306ade03882dbb67643be72b04N.exe	87
PID 4948 wrote to memory of 2156	4948	fb7b07bca2b99765cef91c503b85c68dd8d9ef306ade03882dbb67643be72b04N.exe	87
PID 4948 wrote to memory of 2156	4948	fb7b07bca2b99765cef91c503b85c68dd8d9ef306ade03882dbb67643be72b04N.exe	87
PID 4948 wrote to memory of 2156	4948	fb7b07bca2b99765cef91c503b85c68dd8d9ef306ade03882dbb67643be72b04N.exe	87
PID 4948 wrote to memory of 2156	4948	fb7b07bca2b99765cef91c503b85c68dd8d9ef306ade03882dbb67643be72b04N.exe	87
PID 4948 wrote to memory of 2156	4948	fb7b07bca2b99765cef91c503b85c68dd8d9ef306ade03882dbb67643be72b04N.exe	87
PID 4948 wrote to memory of 2156	4948	fb7b07bca2b99765cef91c503b85c68dd8d9ef306ade03882dbb67643be72b04N.exe	87

C:\Users\Admin\AppData\Local\Temp\fb7b07bca2b99765cef91c503b85c68dd8d9ef306ade03882dbb67643be72b04N.exe
"C:\Users\Admin\AppData\Local\Temp\fb7b07bca2b99765cef91c503b85c68dd8d9ef306ade03882dbb67643be72b04N.exe"
1⤵
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4948
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe
  "C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\atms3hrx\atms3hrx.cmdline"
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2848
- - C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
    C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES7FFD.tmp" "c:\Users\Admin\AppData\Local\Temp\atms3hrx\CSC6264B0ABB4B24141A7E3E2E2DC5CFFB9.TMP"
    3⤵
    - System Location Discovery: System Language Discovery
    PID:3460
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
  "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
  2⤵
  PID:3924
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
  "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of SetWindowsHookEx
  PID:2156

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\RES7FFD.tmp

Filesize
1KB

MD5
2ce4b0c50a7ef05893e45dca2e71b8c8

SHA1
63c19619d535c18c822cd49e5b2015f8a531c39d

SHA256
05ff7772a1305fb00cd4da03ae567247ffa7ac92b2408893078a23b9f9ad0ebe

SHA512
54c00d600b0686b1e804e2de4ba37950c0c31db2e853255b8b39fe8e82d1a684588289870f0bc634d76298feecaa4d0e8c608196b49ba3979e9d74ec7df3f32d

Download Submit
C:\Users\Admin\AppData\Local\Temp\atms3hrx\atms3hrx.dll

Filesize
9KB

MD5
7be9dd4003927396424fd3d69d1bc7fd

SHA1
8e872a1041567265896b52bd2842bfc00ec201f7

SHA256
c0abe37c6f8569560ce9464a9af912b19d5783a55092b8e6c674727821d3c6de

SHA512
6301aeaf663515eba493b373f5fc12f86d311d8cd865892c1d7276dc30364ad127742714a0b0e552dc9eb8e1c1e223cd347a1d52cd70619c07f0321f5bf7b7aa

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\atms3hrx\CSC6264B0ABB4B24141A7E3E2E2DC5CFFB9.TMP

Filesize
652B

MD5
7308f70e2c1a3b0fba25ad2889298114

SHA1
5418507ac3f2e1b8b1e52a4c9791376ac3769652

SHA256
e1ce0c49744bf385d095fc68eabd19a967f39faff8c42e6f6c832cbc8a9f9b15

SHA512
c00f90241d8dfbcdca19c39c1b72df38ad1055115201de2e658ee8d6f2a562e5495464f1191568548d215174ae3e1c46a8936adc06b5ff625f105e8d692aba90

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\atms3hrx\atms3hrx.0.cs

Filesize
10KB

MD5
f9f6e35df4fa6c35bdf52625d3641105

SHA1
301af598f3f83581217561f3de8c74a3051a0dfd

SHA256
2e555b424b335bb9b7817c1d3ee815650549a90cdd22f4d8235460ecc0a12bbf

SHA512
461ceb488bece4ff2f86382d91b3adab1a02e2f5f3ce1ae222a842f859664c3b4c71b6e7dae986a824eab735e17e38dafd081e252354bdbaf8854ae9a6a72b28

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\atms3hrx\atms3hrx.cmdline

Filesize
204B

MD5
01477a4f073f6a8731631bae1774cc22

SHA1
5d7c19a5784f37693ab637435c8719ae8943f62e

SHA256
b9e989626fcfd6514689774ee0d786bbe3ca505de48e11fa44cc166124515367

SHA512
35373cec3fed2520809b06a2a0740293038bdead15879b6139692b506a1dd214cd9794bb1bcdc15f610ccdeb864821be3f62e34a18895c76f9a5dd7059b50af2

Download Submit
memory/2156-21-0x0000000005920000-0x0000000005EC4000-memory.dmp

Filesize
5.6MB

Download
memory/2156-17-0x0000000000400000-0x0000000000704000-memory.dmp

Filesize
3.0MB

Download
memory/2156-20-0x0000000075050000-0x0000000075800000-memory.dmp

Filesize
7.7MB

Download
memory/2156-22-0x0000000075050000-0x0000000075800000-memory.dmp

Filesize
7.7MB

Download
memory/2156-23-0x0000000005770000-0x0000000005802000-memory.dmp

Filesize
584KB

Download
memory/2156-24-0x0000000005750000-0x000000000575A000-memory.dmp

Filesize
40KB

Download
memory/2156-25-0x0000000075050000-0x0000000075800000-memory.dmp

Filesize
7.7MB

Download
memory/4948-5-0x0000000075050000-0x0000000075800000-memory.dmp

Filesize
7.7MB

Download
memory/4948-1-0x0000000000D90000-0x0000000000DA0000-memory.dmp

Filesize
64KB

Download
memory/4948-15-0x00000000030A0000-0x00000000030A8000-memory.dmp

Filesize
32KB

Download
memory/4948-19-0x0000000075050000-0x0000000075800000-memory.dmp

Filesize
7.7MB

Download
memory/4948-0-0x000000007505E000-0x000000007505F000-memory.dmp

Filesize
4KB

Download

Analysis

Sharing