Analysis
-
max time kernel
871s -
max time network
870s -
platform
windows10-ltsc 2021_x64 -
resource
win10ltsc2021-20250217-en -
resource tags
-
submitted
28/02/2025, 17:20
General
-
Target
Infected.exe
-
Size
63KB
-
MD5
4283bcbe5bea251f8568efc572d431dd
-
SHA1
dee1cb4e0519ebcf092161ff125902aca428a4f1
-
SHA256
cfcc492a4c21493b0a1ca52ed0a0552f3388dabb40bfa1db94061269fe3afa4f
-
SHA512
2270742d31151236ff0a80b9a371a63bfe6bac8e8622a498324c9956711e31292ec61b95714a9f91f5dd9178eb1c22d43a82a7a81e8e0675a4b8bfee1e1296b4
-
SSDEEP
768:iqWcYBjjj78ZIC8A+X0iazcBRL5JTk1+T4KSBGHmDbD/ph0oXhpwq5vNlSuwdpqM:MZjLXdSJYUbdh9/DvKuwdpqKmY7
Malware Config
Extracted
asyncrat
Default
6.tcp.ngrok.io:17720
-
delay
1
-
install
true
-
install_file
sigma.exe
-
install_folder
%AppData%
Signatures
-
AsyncRat
AsyncRAT is designed to remotely monitor and control other computers written in C#.
-
Asyncrat family
-
Stealerium
An open source info stealer written in C# first seen in May 2022.
-
Stealerium family
-
StormKitty
StormKitty is an open source info stealer written in C#.
-
StormKitty payload 1 IoCs
-
Stormkitty family
-
Async RAT payload 1 IoCs
-
Checks computer location settings 2 TTPs 2 IoCs
Looks up country code configured in the registry, likely geofence.
-
Executes dropped EXE 1 IoCs
-
Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
Accesses Microsoft Outlook profiles 1 TTPs 3 IoCs
-
Legitimate hosting services abused for malware hosting/C2 1 TTPs 9 IoCs
-
Looks up external IP address via web service 3 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.
-
Looks up geolocation information via web service
Uses a legitimate geolocation service to find the infected system's geolocation info.
-
Browser Information Discovery 1 TTPs
Enumerate browser information.
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Event Triggered Execution: Netsh Helper DLL 1 TTPs 18 IoCs
Netsh.exe (also referred to as Netshell) is a command-line scripting utility used to interact with the network configuration of a system.
-
System Network Configuration Discovery: Wi-Fi Discovery 1 TTPs 6 IoCs
Adversaries may search for information about Wi-Fi networks, such as network names and passwords, on compromised systems.
-
Checks processor information in registry 2 TTPs 2 IoCs
Processor information is often read in order to detect sandboxing environments.
-
Delays execution with timeout.exe 2 IoCs
-
Gathers network information 2 TTPs 1 IoCs
Uses commandline utility to view network configuration.
-
Scheduled Task/Job: Scheduled Task 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
-
Suspicious behavior: EnumeratesProcesses 64 IoCs
-
Suspicious use of AdjustPrivilegeToken 2 IoCs
-
Suspicious use of WriteProcessMemory 64 IoCs
-
Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
-
outlook_office_path 1 IoCs
-
outlook_win_path 1 IoCs
Processes
-
C:\Users\Admin\AppData\Local\Temp\Infected.exe"C:\Users\Admin\AppData\Local\Temp\Infected.exe"1⤵
- Checks computer location settings
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /c schtasks /create /f /sc onlogon /rl highest /tn "sigma" /tr '"C:\Users\Admin\AppData\Roaming\sigma.exe"' & exit2⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\schtasks.exeschtasks /create /f /sc onlogon /rl highest /tn "sigma" /tr '"C:\Users\Admin\AppData\Roaming\sigma.exe"'3⤵
- Scheduled Task/Job: Scheduled Task
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\tmp9D69.tmp.bat""2⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\timeout.exetimeout 33⤵
- Delays execution with timeout.exe
-
-
C:\Users\Admin\AppData\Roaming\sigma.exe"C:\Users\Admin\AppData\Roaming\sigma.exe"3⤵
- Checks computer location settings
- Executes dropped EXE
- Accesses Microsoft Outlook profiles
- Checks processor information in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
- outlook_office_path
- outlook_win_path
-
C:\Windows\SYSTEM32\cmd.exe"cmd"4⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\ipconfig.exeipconfig5⤵
- Gathers network information
-
-
-
C:\Windows\SYSTEM32\cmd.exe"cmd.exe" /C chcp 65001 && netsh wlan show profile | findstr All4⤵
- System Network Configuration Discovery: Wi-Fi Discovery
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\chcp.comchcp 650015⤵
-
-
C:\Windows\system32\netsh.exenetsh wlan show profile5⤵
- Event Triggered Execution: Netsh Helper DLL
- System Network Configuration Discovery: Wi-Fi Discovery
-
-
C:\Windows\system32\findstr.exefindstr All5⤵
-
-
-
C:\Windows\SYSTEM32\cmd.exe"cmd.exe" /C chcp 65001 && netsh wlan show networks mode=bssid4⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\chcp.comchcp 650015⤵
-
-
C:\Windows\system32\netsh.exenetsh wlan show networks mode=bssid5⤵
- Event Triggered Execution: Netsh Helper DLL
-
-
-
C:\Windows\SYSTEM32\cmd.exe"cmd.exe" /C chcp 65001 && netsh wlan show profile | findstr All4⤵
- System Network Configuration Discovery: Wi-Fi Discovery
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\chcp.comchcp 650015⤵
-
-
C:\Windows\system32\netsh.exenetsh wlan show profile5⤵
- Event Triggered Execution: Netsh Helper DLL
- System Network Configuration Discovery: Wi-Fi Discovery
-
-
C:\Windows\system32\findstr.exefindstr All5⤵
-
-
-
C:\Windows\SYSTEM32\cmd.exe"cmd.exe" /C chcp 65001 && netsh wlan show networks mode=bssid4⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\chcp.comchcp 650015⤵
-
-
C:\Windows\system32\netsh.exenetsh wlan show networks mode=bssid5⤵
- Event Triggered Execution: Netsh Helper DLL
-
-
-
C:\Windows\SYSTEM32\cmd.exe"cmd.exe" /C chcp 65001 && netsh wlan show profile | findstr All4⤵
- System Network Configuration Discovery: Wi-Fi Discovery
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\chcp.comchcp 650015⤵
-
-
C:\Windows\system32\netsh.exenetsh wlan show profile5⤵
- Event Triggered Execution: Netsh Helper DLL
- System Network Configuration Discovery: Wi-Fi Discovery
-
-
C:\Windows\system32\findstr.exefindstr All5⤵
-
-
-
C:\Windows\SYSTEM32\cmd.exe"cmd.exe" /C chcp 65001 && netsh wlan show networks mode=bssid4⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\chcp.comchcp 650015⤵
-
-
C:\Windows\system32\netsh.exenetsh wlan show networks mode=bssid5⤵
- Event Triggered Execution: Netsh Helper DLL
-
-
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /c schtasks /delete /f /tn "sigma"4⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\schtasks.exeschtasks /delete /f /tn "sigma"5⤵
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\tmpD7D3.tmp.bat""4⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\timeout.exetimeout 35⤵
- Delays execution with timeout.exe
-
-
-
-
Network
MITRE ATT&CK Enterprise v15
Execution
Command and Scripting Interpreter
1Scheduled Task/Job
1Scheduled Task
1Persistence
Event Triggered Execution
1Netsh Helper DLL
1Scheduled Task/Job
1Scheduled Task
1Privilege Escalation
Event Triggered Execution
1Netsh Helper DLL
1Scheduled Task/Job
1Scheduled Task
1Credential Access
Credentials from Password Stores
1Credentials from Web Browsers
1Unsecured Credentials
1Credentials In Files
1Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
149B
MD5a3ed0a062fe293774577881c4aa2d4c9
SHA1f760c41cd2d501e7a1d47a452da9b7044c9f8ff4
SHA256617b889784404e17637534fd422bc259911ed48d9a998cd1a1d37f73f360f5af
SHA5121832147630d8319936cd8216549d363f0532612d012f75b8f03c0e8cf17cd2a419a85d7291a184fd1c9b4ee05ffe32d150aef9b7ee2728c29ee041b30d753ef6
-
Filesize
154B
MD5320bd6422fe8baf441061241ca0b98f4
SHA1846e7b258658a3fe11ee7bdc49ece409a0a7cea9
SHA25672fe695bffb7d70299dfbdfb3f1482ee85b7076541c0ad67b1276ad4a33152ea
SHA512f63b22b45d83595feae3b04d3618820cc9de7f69c040c7db2e3acc0e9f63144461b2ed233687ed3f2a8c0e35b8a73df8702e57de9fd3e3ffe5ad8a0d1074141c
-
Filesize
105B
MD52e9d094dda5cdc3ce6519f75943a4ff4
SHA15d989b4ac8b699781681fe75ed9ef98191a5096c
SHA256c84c98bbf5e0ef9c8d0708b5d60c5bb656b7d6be5135d7f7a8d25557e08cf142
SHA512d1f7eed00959e902bdb2125b91721460d3ff99f3bdfc1f2a343d4f58e8d4e5e5a06c0c6cdc0379211c94510f7c00d7a8b34fa7d0ca0c3d54cbbe878f1e9812b7
-
Filesize
25B
MD5966247eb3ee749e21597d73c4176bd52
SHA11e9e63c2872cef8f015d4b888eb9f81b00a35c79
SHA2568ddfc481b1b6ae30815ecce8a73755862f24b3bb7fdebdbf099e037d53eb082e
SHA512bd30aec68c070e86e3dec787ed26dd3d6b7d33d83e43cb2d50f9e2cff779fee4c96afbbe170443bd62874073a844beb29a69b10c72c54d7d444a8d86cfd7b5aa
-
Filesize
24B
MD568c93da4981d591704cea7b71cebfb97
SHA1fd0f8d97463cd33892cc828b4ad04e03fc014fa6
SHA256889ed51f9c16a4b989bda57957d3e132b1a9c117ee84e208207f2fa208a59483
SHA51263455c726b55f2d4de87147a75ff04f2daa35278183969ccf185d23707840dd84363bec20d4e8c56252196ce555001ca0e61b3f4887d27577081fdef9e946402
-
Filesize
74KB
MD5c1d73707aad6c33eea725c8023e34f52
SHA10dae6c08ec2d4fee3891a795502eaadf98caf207
SHA2561bf8e3b664443621458e1006b1a71b833c673e84e803ea07b0edea953f1c5557
SHA512cc821fae34b54e622b396a8bcdaf7e3d7f61dc271253f547e2655271eca316a5de0f6dbf8199a297e0d1f078cdd0c3b2bf127fcb75a90b5ad86ac847f2e6fa41
-
Filesize
1KB
MD5c7d744fed8aae836cb3018ec6cbe4119
SHA1862b4fb56bca7fd408f8fbe100b4de3ea08f3e83
SHA2567bf39556922a9166eea8c5d9db8c7fe6b5eb83660864a683f4c998b3e900a46e
SHA512e45f4503cc3674d6085dcef9c96516c8c6970b85a97104f192c580ef928f04411036c62027de872613a47027a70133dfd886c23b4da2c8f4287d4df75cd9f452
-
Filesize
2KB
MD561e19b5f061e97a40a4f2d3aa84743cb
SHA1ecd55a417aff876dae354aa4b2c575383610cc61
SHA2567b90ad5b66c46f9a4c4ef3f4fdc834ddcaa68896d70ad8dccb0aaac04a76df63
SHA5121043addec8b053c03449fe7f19eedb69ed8d04637cd7e9aed045c656a27d26503a59e1848ac603d609ebd3b26441b44d04ceea91ddd1bfd967b3d315c686adc2
-
Filesize
3KB
MD50354a3c6f298ee3f2f9e5b6c1fd93e94
SHA1a3ac3fa53ec508c6a8de9d2feb13bf517bf9c331
SHA256bebf1f812b56855af09a1a583e8054456f5c94770282d1d0ad6441f7183bcd91
SHA512c25a457b671de88b45ea5b9346f261b2ddf39104a9c4760d143ddb7148b7922e88d1b84763c4ba87811497f6bd5a147647c10f0cbb88cd597eb7a73a7b4d74f7
-
Filesize
4KB
MD535ef226425c9728baf2cf6dc1b5b1e12
SHA10b6c6333cf1a4a906f16bffca0bfcb598f43d6ae
SHA25669fc84fe66a32881b63508d73eedf87bba385a11f1cc57da9678be6f39c423ca
SHA5124057bd9d91665b33533db2422a7a83fdf3386309b2874b58c58b39e51598a6e303f8b7ece6e8b78d43c3ecad332f6eda42461cbfe06fcd3bfb2b9d62d816a867
-
Filesize
1KB
MD5047fd9bdecbf0f4eb05ca0650c49b95d
SHA18b164542a658754cb6a9f70b07c2103af5561f58
SHA256c2a1302ec3677ef683b8fe0c45793ac976217127676908c11ea358cdae30301e
SHA5120104116b0f97a86d04e4ffff87579302ed9acdc255f4e457b11e600af4af331a9993d2fc4fac3fc0d91e65bcd98afab33021221ff0f7687bd598f3a4c5dbf9bc
-
Filesize
2KB
MD55e5a17a7ce6ce6dac9b7784ba961ec0e
SHA1d8850227e5b4d13b50eafe78eebc01742fd93e2c
SHA256a72eefdea1c11d9ca6856cb20139e2c4e43b6239fb45e014f6e22dfcc9c2bb16
SHA512fbfb6bd25a8d42565034a80f0cb1d19a113244d734181e664397646b8c2ebf7aea602caecb2d46e53f13b0839e84fcde10b2ce63c30f22a8dba47a88c86805e8
-
Filesize
3KB
MD5d91b8650e6fe974807a6f399d362d94e
SHA187464d050d00e160917b98e9d261428ecd365723
SHA256d76c665a366c3bc5a3cc80ee89c59888cea84d1584a5b9b3e10bd17ca4f5eec5
SHA512e4432275a248831db15543e43279fd8f6d6259dc327ade606d96779ef7a874ccbbb5a4407864aeb8a77f0bb181abd3575ed567cc1044a6a96086f7f63e189e32
-
Filesize
4KB
MD55b91e0d2de72e12658be4b4b050f38c5
SHA161a0903fa1824a6e9294abd079d3339878f41e45
SHA2569008d9d58d92149c6ee60998a227c59811c056565d565f22afa9500503903f2c
SHA5124dbb41116dd88db710a152ba1e9a9dfcb6ae834135455935eadd9b6b05256126fae2bead3b1500b79cc780a10a32d1f86337038ac9eb6b8eba89b25ade6f32c7
-
Filesize
3KB
MD5d03d34051213abe22312be215cc9021f
SHA15b9cbf2cfc8941196772d330a2c06bbf67ae2747
SHA25675959654ef62ea6cc448a160eda1e29b0c830ecdc804ec2b63701f42fbcd0642
SHA512444a7ae80bf186292cb6e482da15ff9dd2ef0814140ea250c5b549d98d23f51a65fc28ddcf2829a65eeb384aa88687aad561cc0836077b8f96f3102077f15f9d
-
Filesize
4KB
MD5095be096a901fb00ac2c1ecd14bbb19b
SHA1bcb3954aec1051ec23c6e4895cac15ede4245aad
SHA2566a2126a4e78ccd71f0f9e4c6ed1f20b8ed62db84f2c7df95cb63cd262d85b6d3
SHA51269a4ff4a3d2dc466c6ee4b1941bd7c5113cc77fa69d54a440e9d834460ba1d69c51d82723ad1db1bd19844f034f302322ce4acf0f2977f3b365b3a1abb1fd14c
-
Filesize
1KB
MD5b9cd6242c8995756a6b2bd53b71c709e
SHA1f65cd95b2973e49ac8c7829e6c233745ddf41bbb
SHA256f2ba7c0c9068431506e8ee72eaa75b31d63b863ac03c1266bfbc296d3ab4bad5
SHA512ea15b8d4632ddd277bea4173be0d7e424d6509200cf161812b9f8d8c596ed9c12472b6f04447713005e6ff9c3302c31b22e070c57d4e2af3b05ee1af871cc362
-
Filesize
2KB
MD5c05895a7f84f0e65b9a8e51587346621
SHA1eba2a6a8d06f342b193175465956a2e8666c4e1e
SHA2562cf6cd013e56f26b8d2428cf0785478d2d1a9ae8ec4cdfd6b23102244791d16c
SHA51262332386f6d960a6c9072a646b742bd51f939748f1e2a3ac092ef0604bed94397eb2c1a4854f601fc3b001d32a8544e42c57c52b8b4ad56b7bf48cd4380d7f12
-
Filesize
29B
MD599f6d2bb21787807753c364f127cc9d7
SHA18c51232f94cc6507913dd898a224e823e879b95e
SHA256a35720e3555f25da224fe50e7b4faa53d7003190f556d121f02e4cb119d56a9c
SHA512e0c76103b51064f0a7c215dac2e9dafa421c608880c96cc5a7bf842a764a5c3202b48d4d71716eca4d6d9b3f55117e82b9a53bae9d6db7d4dc9087971d8bdf31
-
Filesize
161B
MD51c16603846ce338ff79a3e1a3df47b70
SHA18c72c5fc1c50802206df78ff115e3e498822929f
SHA25642675e1099c01710cf7e5ef6acbed500b75611e3286b7233360cf24301bdbd37
SHA512b511df63299c3d3f11fc171a1c32ae50cc8964bd590c1f055f39758243800e18161287010755d5fc4ce36b01e5652d7680859f619fa2f22c25dca978c565a570
-
Filesize
63KB
MD54283bcbe5bea251f8568efc572d431dd
SHA1dee1cb4e0519ebcf092161ff125902aca428a4f1
SHA256cfcc492a4c21493b0a1ca52ed0a0552f3388dabb40bfa1db94061269fe3afa4f
SHA5122270742d31151236ff0a80b9a371a63bfe6bac8e8622a498324c9956711e31292ec61b95714a9f91f5dd9178eb1c22d43a82a7a81e8e0675a4b8bfee1e1296b4
-
Filesize
104KB
-
Filesize
488KB
-
Filesize
1.5MB
-
Filesize
120KB
-
Filesize
1.1MB
-
Filesize
136KB
-
Filesize
472KB
-
Filesize
40KB
-
Filesize
712KB
-
Filesize
10.8MB
-
Filesize
10.8MB
-
Filesize
10.8MB
-
Filesize
88KB
-
Filesize
8KB
