Overview

overview

10

Static

static

7

L5shRfh.exe

windows7-x64

10

L5shRfh.exe

windows10-ltsc 2021-x64

10

L5shRfh.exe

windows11-21h2-x64

10

Analysis

  • max time kernel
    97s
  • max time network
    152s
  • platform
    windows10-ltsc 2021_x64
  • resource
    win10ltsc2021-20250211-en
  • resource tags

    arch:x64arch:x86image:win10ltsc2021-20250211-enlocale:en-usos:windows10-ltsc 2021-x64system
  • submitted
    12-02-2025 20:22

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    L5shRfh.exe

  • Size

    6.2MB

  • MD5

    3cb427c5f783752ea688c135b516dbb4

  • SHA1

    8a9e0937d7db2b951f50c7cc1f0ebf42aaafb21b

  • SHA256

    230b143294c018f8fc6c36581be214e2d3725546bba0a241da12854052806005

  • SHA512

    f35074310eb13beb43039b440af695500e0eb4ff9634a820be9838e6bddeda8ca7d05ef969fe21f2ffd856bb88022d6e6c0b3b59cb131b90dcae22fe238f9697

  • SSDEEP

    98304:H7SmQ0OBrD+f8wNVrq2+ow64WfRnZUo7SmQ0OBrD+f8wNVrq2+ow64WfRnZUW:HOmSDktNjZUoOmSDktNjZUW

Score
10/10
asyncratstormkittydiscoveryratstealer

Malware Config

Signatures

  • AsyncRat

    AsyncRAT is designed to remotely monitor and control other computers written in C#.

    ratasyncrat
  • Asyncrat family
    asyncrat
  • StormKitty

    StormKitty is an open source info stealer written in C#.

    stealerstormkitty
  • StormKitty payload 1 IoCs
  • Stormkitty family
    stormkitty
  • Downloads MZ/PE file 1 IoCs
  • .NET Reactor proctector 1 IoCs

    Detects an executable protected by an unregistered version of Eziriz's .NET Reactor.

  • Suspicious use of SetThreadContext 1 IoCs
  • Program crash 2 IoCs
  • System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

    discovery
  • System Network Configuration Discovery: Internet Connection Discovery 1 TTPs 1 IoCs

    Adversaries may check for Internet connectivity on compromised systems.

    discovery
  • Suspicious use of AdjustPrivilegeToken 43 IoCs
  • Suspicious use of WriteProcessMemory 14 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\L5shRfh.exe
    "C:\Users\Admin\AppData\Local\Temp\L5shRfh.exe"
    1⤵
    • Suspicious use of SetThreadContext
    • System Location Discovery: System Language Discovery
    • Suspicious use of WriteProcessMemory
    PID:3332
    • C:\Users\Admin\AppData\Local\Temp\L5shRfh.exe
      "C:\Users\Admin\AppData\Local\Temp\L5shRfh.exe"
      2⤵
        PID:3216
      • C:\Users\Admin\AppData\Local\Temp\L5shRfh.exe
        "C:\Users\Admin\AppData\Local\Temp\L5shRfh.exe"
        2⤵
          PID:1120
        • C:\Users\Admin\AppData\Local\Temp\L5shRfh.exe
          "C:\Users\Admin\AppData\Local\Temp\L5shRfh.exe"
          2⤵
          • System Location Discovery: System Language Discovery
          • Suspicious use of AdjustPrivilegeToken
          PID:692
          • C:\Windows\SysWOW64\WerFault.exe
            C:\Windows\SysWOW64\WerFault.exe -u -p 692 -s 1320
            3⤵
            • Program crash
            PID:4448
        • C:\Windows\SysWOW64\WerFault.exe
          C:\Windows\SysWOW64\WerFault.exe -u -p 3332 -s 852
          2⤵
          • Program crash
          PID:4256
      • C:\Windows\SysWOW64\WerFault.exe
        C:\Windows\SysWOW64\WerFault.exe -pss -s 420 -p 3332 -ip 3332
        1⤵
          PID:1916
        • C:\Windows\SysWOW64\WerFault.exe
          C:\Windows\SysWOW64\WerFault.exe -pss -s 448 -p 692 -ip 692
          1⤵
            PID:2040
          • C:\Program Files (x86)\Microsoft\EdgeUpdate\MicrosoftEdgeUpdate.exe
            "C:\Program Files (x86)\Microsoft\EdgeUpdate\MicrosoftEdgeUpdate.exe" /ping PD94bWwgdmVyc2lvbj0iMS4wIiBlbmNvZGluZz0iVVRGLTgiPz48cmVxdWVzdCBwcm90b2NvbD0iMy4wIiB1cGRhdGVyPSJPbWFoYSIgdXBkYXRlcnZlcnNpb249IjEuMy4xOTUuNDMiIHNoZWxsX3ZlcnNpb249IjEuMy4xOTUuNDMiIGlzbWFjaGluZT0iMSIgc2Vzc2lvbmlkPSJ7Q0QzODBCQ0EtRjNGMS00QjUzLUIyQUYtQTczODM2NDBDRDlFfSIgdXNlcmlkPSJ7NzUyN0U0MkYtRkMxRi00RERBLUJGRkUtNkExQzI5QzBEQUFEfSIgaW5zdGFsbHNvdXJjZT0ibGltaXRlZCIgcmVxdWVzdGlkPSJ7ODgxODU2NTQtOUY3Mi00NURBLUIyQjMtM0UyM0ZERDNCODU4fSIgZGVkdXA9ImNyIiBkb21haW5qb2luZWQ9IjAiPjxodyBsb2dpY2FsX2NwdXM9IjIiIHBoeXNtZW1vcnk9IjQiIGRpc2tfdHlwZT0iMiIgc3NlPSIxIiBzc2UyPSIxIiBzc2UzPSIxIiBzc3NlMz0iMSIgc3NlNDE9IjEiIHNzZTQyPSIxIiBhdng9IjEiLz48b3MgcGxhdGZvcm09IndpbiIgdmVyc2lvbj0iMTAuMC4xOTA0NC40NTI5IiBzcD0iIiBhcmNoPSJ4NjQiIHByb2R1Y3RfdHlwZT0iMTI1IiBpc193aXA9IjAiIGlzX2luX2xvY2tkb3duX21vZGU9IjAiLz48b2VtIHByb2R1Y3RfbWFudWZhY3R1cmVyPSIiIHByb2R1Y3RfbmFtZT0iIi8-PGV4cCBldGFnPSImcXVvdDtyNDUydDErazJUZ3EvSFh6anZGTkJSaG9wQldSOXNialh4cWVVREg5dVgwPSZxdW90OyIvPjxhcHAgYXBwaWQ9Ins4QTY5RDM0NS1ENTY0LTQ2M2MtQUZGMS1BNjlEOUU1MzBGOTZ9IiB2ZXJzaW9uPSIxMjMuMC42MzEyLjEyMyIgbmV4dHZlcnNpb249IiIgbGFuZz0iZW4iIGJyYW5kPSJHR0xTIiBjbGllbnQ9IiIgaW5zdGFsbGFnZT0iMSIgaW5zdGFsbGRhdGV0aW1lPSIxNzM5MjcwMTc2IiBvb2JlX2luc3RhbGxfdGltZT0iMTMzODM3NDE5NzIxMjIwMDAwIj48ZXZlbnQgZXZlbnR0eXBlPSIzMSIgZXZlbnRyZXN1bHQ9IjEiIGVycm9yY29kZT0iMCIgZXh0cmFjb2RlMT0iMjE3OTg2MiIgc3lzdGVtX3VwdGltZV90aWNrcz0iNDg1NDA1NDgwOSIvPjwvYXBwPjwvcmVxdWVzdD4
            1⤵
            • System Location Discovery: System Language Discovery
            • System Network Configuration Discovery: Internet Connection Discovery
            PID:4320

          Network

          MITRE ATT&CK Enterprise v15

          Replay Monitor

          Loading Replay Monitor...

          Downloads

          • memory/692-4-0x0000000000400000-0x0000000000704000-memory.dmp

            Filesize

            3.0MB

            Download

          • memory/692-6-0x0000000073EB0000-0x0000000074661000-memory.dmp

            Filesize

            7.7MB

            Download

          • memory/692-7-0x0000000073EB0000-0x0000000074661000-memory.dmp

            Filesize

            7.7MB

            Download

          • memory/692-9-0x00000000058B0000-0x0000000005916000-memory.dmp

            Filesize

            408KB

            Download

          • memory/692-10-0x0000000073EB0000-0x0000000074661000-memory.dmp

            Filesize

            7.7MB

            Download

          • memory/3332-0-0x0000000073EBE000-0x0000000073EBF000-memory.dmp

            Filesize

            4KB

            Download

          • memory/3332-1-0x0000000000480000-0x0000000000AC0000-memory.dmp

            Filesize

            6.2MB

            Download

          • memory/3332-2-0x0000000005A00000-0x0000000005FA6000-memory.dmp

            Filesize

            5.6MB

            Download

          • memory/3332-5-0x0000000073EB0000-0x0000000074661000-memory.dmp

            Filesize

            7.7MB

            Download

          • memory/3332-8-0x0000000073EB0000-0x0000000074661000-memory.dmp

            Filesize

            7.7MB

            Download