asyncrat | ffc2c34d728009ffcdbce2fdb7a700516165f0ca449672174e9cebf78bb52bc9

Analysis

max time kernel
144s
max time network
149s
platform
windows10-2004_x64
resource
win10v2004-20250314-en
resource tags

arch:x64arch:x86image:win10v2004-20250314-enlocale:en-usos:windows10-2004-x64system
submitted
04/04/2025, 23:48

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2025-04-04_858a8298df3f289376bd4903c6f2ab7a_black-basta_luca-stealer.exe
Size

6.0MB
MD5

858a8298df3f289376bd4903c6f2ab7a
SHA1

9467aa77a2d368ed7593305f3bd20ff984129595
SHA256

ffc2c34d728009ffcdbce2fdb7a700516165f0ca449672174e9cebf78bb52bc9
SHA512

4204ef3ea6917d68371c5ecdf5df0780b2b9a2b16262f94a0f60724b8ec97c9a33697a4a9793766013abb81a86ea348812291ec83f6ed2074aa5e054f8d25a77
SSDEEP

98304:NMuUL5ne9zxKYgY7hy4d96G0e+hFhxgzTQpW11w65G1OR5B8J8gID1aNFO9Y:NMu2eNUYg0Eeqs/GMLN5B8JWBGFO9Y

Score

10^/10

asyncrat stormkitty venomrat discovery persistence rat stealer

Malware Config

Signatures

AsyncRat
AsyncRAT is designed to remotely monitor and control other computers written in C#.
rat asyncrat
Asyncrat family
asyncrat
StormKitty
StormKitty is an open source info stealer written in C#.
stealer stormkitty

StormKitty payload 1 IoCs

resource	yara_rule
behavioral1/memory/2592-17-0x0000000001200000-0x000000000153A000-memory.dmp	family_stormkitty

Stormkitty family
stormkitty

VenomRAT 1 IoCs

Detects VenomRAT.

rat

resource	yara_rule
behavioral1/memory/2592-17-0x0000000001200000-0x000000000153A000-memory.dmp	VenomRAT

Venomrat family
venomrat

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-83325578-304917428-1200496059-1000\Control Panel\International\Geo\Nation	2025-04-04_858a8298df3f289376bd4903c6f2ab7a_black-basta_luca-stealer.exe

Executes dropped EXE 1 IoCs

pid	Process
1672	a6.exe

Loads dropped DLL 2 IoCs

pid	Process
1672	a6.exe
2380	rundll32.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-83325578-304917428-1200496059-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Cortex XDR Versus = "rundll32.exe C:\\Users\\Admin\\Documents\\Volternon0549303.dll,EntryPoint"	reg.exe

Suspicious use of SetThreadContext 2 IoCs

description	pid	Process	procid_target
PID 1672 set thread context of 2592	1672	a6.exe	107
PID 2380 set thread context of 3628	2380	rundll32.exe	116

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 7 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	rundll32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	csc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	2025-04-04_858a8298df3f289376bd4903c6f2ab7a_black-basta_luca-stealer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	a6.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	csc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
1672	a6.exe
1672	a6.exe
1672	a6.exe
1672	a6.exe
1672	a6.exe
1672	a6.exe
1672	a6.exe
1672	a6.exe
1672	a6.exe
1672	a6.exe
1672	a6.exe
1672	a6.exe
1672	a6.exe
1672	a6.exe
1672	a6.exe
1672	a6.exe
1672	a6.exe
1672	a6.exe
1672	a6.exe
1672	a6.exe
1672	a6.exe
1672	a6.exe
1672	a6.exe
1672	a6.exe
1672	a6.exe
1672	a6.exe
1672	a6.exe
1672	a6.exe
1672	a6.exe
1672	a6.exe
1672	a6.exe
1672	a6.exe
1672	a6.exe
1672	a6.exe
1672	a6.exe
1672	a6.exe
1672	a6.exe
1672	a6.exe
1672	a6.exe
1672	a6.exe
1672	a6.exe
1672	a6.exe
1672	a6.exe
1672	a6.exe
1672	a6.exe
1672	a6.exe
1672	a6.exe
1672	a6.exe
1672	a6.exe
1672	a6.exe
1672	a6.exe
1672	a6.exe
1672	a6.exe
1672	a6.exe
1672	a6.exe
1672	a6.exe
1672	a6.exe
1672	a6.exe
1672	a6.exe
1672	a6.exe
1672	a6.exe
1672	a6.exe
1672	a6.exe
1672	a6.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	2592	csc.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
2592	csc.exe

Suspicious use of WriteProcessMemory 26 IoCs

description	pid	Process	procid_target
PID 3880 wrote to memory of 1672	3880	2025-04-04_858a8298df3f289376bd4903c6f2ab7a_black-basta_luca-stealer.exe	89
PID 3880 wrote to memory of 1672	3880	2025-04-04_858a8298df3f289376bd4903c6f2ab7a_black-basta_luca-stealer.exe	89
PID 3880 wrote to memory of 1672	3880	2025-04-04_858a8298df3f289376bd4903c6f2ab7a_black-basta_luca-stealer.exe	89
PID 1672 wrote to memory of 2592	1672	a6.exe	107
PID 1672 wrote to memory of 2592	1672	a6.exe	107
PID 1672 wrote to memory of 2592	1672	a6.exe	107
PID 1672 wrote to memory of 2592	1672	a6.exe	107
PID 1672 wrote to memory of 2592	1672	a6.exe	107
PID 1672 wrote to memory of 2592	1672	a6.exe	107
PID 1672 wrote to memory of 4332	1672	a6.exe	108
PID 1672 wrote to memory of 4332	1672	a6.exe	108
PID 1672 wrote to memory of 4332	1672	a6.exe	108
PID 4332 wrote to memory of 568	4332	cmd.exe	110
PID 4332 wrote to memory of 568	4332	cmd.exe	110
PID 4332 wrote to memory of 568	4332	cmd.exe	110
PID 3120 wrote to memory of 2152	3120	cmd.exe	113
PID 3120 wrote to memory of 2152	3120	cmd.exe	113
PID 2152 wrote to memory of 2380	2152	rundll32.exe	114
PID 2152 wrote to memory of 2380	2152	rundll32.exe	114
PID 2152 wrote to memory of 2380	2152	rundll32.exe	114
PID 2380 wrote to memory of 3628	2380	rundll32.exe	116
PID 2380 wrote to memory of 3628	2380	rundll32.exe	116
PID 2380 wrote to memory of 3628	2380	rundll32.exe	116
PID 2380 wrote to memory of 3628	2380	rundll32.exe	116
PID 2380 wrote to memory of 3628	2380	rundll32.exe	116
PID 2380 wrote to memory of 3628	2380	rundll32.exe	116

C:\Users\Admin\AppData\Local\Temp\2025-04-04_858a8298df3f289376bd4903c6f2ab7a_black-basta_luca-stealer.exe
"C:\Users\Admin\AppData\Local\Temp\2025-04-04_858a8298df3f289376bd4903c6f2ab7a_black-basta_luca-stealer.exe"
1⤵
- Checks computer location settings
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:3880
- C:\Users\Admin\AppData\Local\Temp\RarSFX0\a6.exe
  "C:\Users\Admin\AppData\Local\Temp\RarSFX0\a6.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious use of SetThreadContext
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  PID:1672
- - C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe
    "C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe"
    3⤵
    - System Location Discovery: System Language Discovery
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of SetWindowsHookEx
    PID:2592
- - C:\Windows\SysWOW64\cmd.exe
    cmd.exe /C reg add "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v "Cortex XDR Versus" /t REG_SZ /d "rundll32.exe C:\Users\Admin\Documents\Volternon0549303.dll",EntryPoint /f & exit
    3⤵
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:4332
  - - C:\Windows\SysWOW64\reg.exe
      reg add "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v "Cortex XDR Versus" /t REG_SZ /d "rundll32.exe C:\Users\Admin\Documents\Volternon0549303.dll",EntryPoint /f
      4⤵
      Adds Run key to start application
      System Location Discovery: System Language Discovery
      PID:568

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c rundll32.exe C:\Users\Admin\Documents\Volternon0549303.dll,EntryPoint
1⤵
- Suspicious use of WriteProcessMemory
PID:3120
- C:\Windows\system32\rundll32.exe
  rundll32.exe C:\Users\Admin\Documents\Volternon0549303.dll,EntryPoint
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2152
- - C:\Windows\SysWOW64\rundll32.exe
    rundll32.exe C:\Users\Admin\Documents\Volternon0549303.dll,EntryPoint
    3⤵
    - Loads dropped DLL
    - Suspicious use of SetThreadContext
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:2380
  - - C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe
      "C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe"
      4⤵
      System Location Discovery: System Language Discovery
      PID:3628

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\RarSFX0\a6.exe

Filesize
659KB

MD5
0924e9b7f251eb216e0ef70e3057c686

SHA1
6fa64b120cb20a8cd404ad4fc428bba8efb8cf0c

SHA256
e9a48916010f2c1671b273669b4ca20bab90e17d4d419af785e28e68bcdc6a60

SHA512
1ef47fee049256be4983a3751168c0ea63370c587ecb51a98480bfff704cfd0d9ff26646fd77db6dfa280493899e8687f5a0ee9dd0c9f34323f9c98079f7830e

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX0\d3d11.dll

Filesize
8.0MB

MD5
26dc828c3bbf4b79dc889d10f6e2b6ca

SHA1
fac4f8f6839aea25042baf4ac0cde4e6ef0996ea

SHA256
e39fb5d2c52784d53c9e548342787b0ffd213b44f0bed6009a4a172e72cc286d

SHA512
cbcf63585d4940a660faef45db3df505444bf8c22c1362c0b708ffdd5b458edf438a1b5d0957563b7e43d3cc633155dbe2e460d791ee6b56936136f943338677

Download Submit
memory/1672-16-0x00000000013A0000-0x00000000013CE000-memory.dmp

Filesize
184KB

Download
memory/1672-20-0x0000000002F80000-0x0000000002F9B000-memory.dmp

Filesize
108KB

Download
memory/2592-17-0x0000000001200000-0x000000000153A000-memory.dmp

Filesize
3.2MB

Download
memory/2592-18-0x0000000006050000-0x00000000065F4000-memory.dmp

Filesize
5.6MB

Download
memory/2592-19-0x0000000005980000-0x00000000059E6000-memory.dmp

Filesize
408KB

Download
memory/2592-24-0x0000000006DE0000-0x0000000006E72000-memory.dmp

Filesize
584KB

Download
memory/2592-25-0x0000000006DB0000-0x0000000006DBA000-memory.dmp

Filesize
40KB

Download