Analysis
-
max time kernel
83s -
max time network
85s -
platform
windows10-2004_x64 -
resource
win10v2004-20240508-en -
resource tags
-
submitted
28-06-2024 09:18
Errors
General
-
Target
6d13d147a209e3be044035f0c03b7bde.exe
-
Size
47KB
-
MD5
6d13d147a209e3be044035f0c03b7bde
-
SHA1
1eb5fb487ea7742ff1766ca5bf1b7191cfcf6283
-
SHA256
9c457b1cd061ae951fbed7841149b247e085befa6e2c5170058ce35cdebce548
-
SHA512
a159d09265fa833afddce5fe7fab6d4be0fc37fd4c2e0d1a15851427764ad3c068249ba28d000a076209d017cb65e4320752ac7a3a0314239d836f1e15ae39a9
-
SSDEEP
768:IuyxNTAoZjRWUJd9bmo2qL2TJ4+3Qk8sna9lzPIaj9vtqb5HTKsvWy0oKCnX5Eev:IuyxNTAGL2Mk839lcaj9vIbJWsZoWFnt
Malware Config
Extracted
asyncrat
0.5.8
Default
127.0.0.1:6606
127.0.0.1:7707
127.0.0.1:8808
94.232.249.111:6606
94.232.249.111:7707
94.232.249.111:8808
o6tEeoRxJb0n
-
delay
3
-
install
true
-
install_file
svchost.exe
-
install_folder
%AppData%
Extracted
asyncrat
Default
127.0.0.1:6606
127.0.0.1:7707
127.0.0.1:8808
https://api.telegram.org/bot7379351260:AAGqtKlpHd72GFMRON17QY1OA6l1sR7mBik/sendMessage?chat_id=5795480469
https://api.telegram.org/bot6766280506:AAHjuzaB1sSnpQb9lxJpGx01sFybzgTuJ7U/sendMessage?chat_id=5795480469
AsyncMutex_6SI8OkPnk
-
delay
3
-
install
false
-
install_folder
%AppData%
Signatures
-
AsyncRat
AsyncRAT is designed to remotely monitor and control other computers written in C#.
-
StormKitty
StormKitty is an open source info stealer written in C#.
-
StormKitty payload 4 IoCs
-
Async RAT payload 3 IoCs
-
Checks computer location settings 2 TTPs 2 IoCs
Looks up country code configured in the registry, likely geofence.
-
Executes dropped EXE 3 IoCs
-
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
Drops desktop.ini file(s) 16 IoCs
-
Legitimate hosting services abused for malware hosting/C2 1 TTPs 2 IoCs
-
Looks up external IP address via web service 1 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.
-
Looks up geolocation information via web service
Uses a legitimate geolocation service to find the infected system's geolocation info.
-
Command and Scripting Interpreter: PowerShell 1 TTPs 2 IoCs
Start PowerShell.
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Event Triggered Execution: Netsh Helper DLL 1 TTPs 12 IoCs
Netsh.exe (also referred to as Netshell) is a command-line scripting utility used to interact with the network configuration of a system.
-
Checks processor information in registry 2 TTPs 4 IoCs
Processor information is often read in order to detect sandboxing environments.
-
Delays execution with timeout.exe 1 IoCs
-
Modifies data under HKEY_USERS 15 IoCs
-
Scheduled Task/Job: Scheduled Task 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
-
Suspicious behavior: EnumeratesProcesses 64 IoCs
-
Suspicious use of AdjustPrivilegeToken 8 IoCs
-
Suspicious use of SetWindowsHookEx 1 IoCs
-
Suspicious use of WriteProcessMemory 64 IoCs
Processes
-
C:\Users\Admin\AppData\Local\Temp\6d13d147a209e3be044035f0c03b7bde.exe"C:\Users\Admin\AppData\Local\Temp\6d13d147a209e3be044035f0c03b7bde.exe"1⤵
- Checks computer location settings
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /c schtasks /create /f /sc onlogon /rl highest /tn "svchost" /tr '"C:\Users\Admin\AppData\Roaming\svchost.exe"' & exit2⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\schtasks.exeschtasks /create /f /sc onlogon /rl highest /tn "svchost" /tr '"C:\Users\Admin\AppData\Roaming\svchost.exe"'3⤵
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\tmp81B3.tmp.bat""2⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\timeout.exetimeout 33⤵
- Delays execution with timeout.exe
-
C:\Users\Admin\AppData\Roaming\svchost.exe"C:\Users\Admin\AppData\Roaming\svchost.exe"3⤵
- Checks computer location settings
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /c start /b powershell –ExecutionPolicy Bypass Start-Process -FilePath '"C:\Users\Admin\AppData\Local\Temp\zqbygv.exe"' & exit4⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exepowershell –ExecutionPolicy Bypass Start-Process -FilePath '"C:\Users\Admin\AppData\Local\Temp\zqbygv.exe"'5⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\zqbygv.exe"C:\Users\Admin\AppData\Local\Temp\zqbygv.exe"6⤵
- Executes dropped EXE
- Drops desktop.ini file(s)
- Checks processor information in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\cmd.exe"cmd.exe" /C chcp 65001 && netsh wlan show profile | findstr All7⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\chcp.comchcp 650018⤵
-
C:\Windows\SysWOW64\netsh.exenetsh wlan show profile8⤵
- Event Triggered Execution: Netsh Helper DLL
-
C:\Windows\SysWOW64\findstr.exefindstr All8⤵
-
C:\Windows\SysWOW64\cmd.exe"cmd.exe" /C chcp 65001 && netsh wlan show networks mode=bssid7⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\chcp.comchcp 650018⤵
-
C:\Windows\SysWOW64\netsh.exenetsh wlan show networks mode=bssid8⤵
- Event Triggered Execution: Netsh Helper DLL
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /c start /b powershell –ExecutionPolicy Bypass Start-Process -FilePath '"C:\Users\Admin\AppData\Local\Temp\tyhdxz.exe"' & exit4⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exepowershell –ExecutionPolicy Bypass Start-Process -FilePath '"C:\Users\Admin\AppData\Local\Temp\tyhdxz.exe"'5⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\tyhdxz.exe"C:\Users\Admin\AppData\Local\Temp\tyhdxz.exe"6⤵
- Executes dropped EXE
- Drops desktop.ini file(s)
- Checks processor information in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\cmd.exe"cmd.exe" /C chcp 65001 && netsh wlan show profile | findstr All7⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\chcp.comchcp 650018⤵
-
C:\Windows\SysWOW64\netsh.exenetsh wlan show profile8⤵
- Event Triggered Execution: Netsh Helper DLL
-
C:\Windows\SysWOW64\findstr.exefindstr All8⤵
-
C:\Windows\SysWOW64\cmd.exe"cmd.exe" /C chcp 65001 && netsh wlan show networks mode=bssid7⤵
-
C:\Windows\SysWOW64\chcp.comchcp 650018⤵
-
C:\Windows\SysWOW64\netsh.exenetsh wlan show networks mode=bssid8⤵
- Event Triggered Execution: Netsh Helper DLL
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /c Shutdown /s /f /t 004⤵
-
C:\Windows\SysWOW64\shutdown.exeShutdown /s /f /t 005⤵
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\system32\LogonUI.exe"LogonUI.exe" /flags:0x4 /state0:0xa399b855 /state1:0x41c64e6d1⤵
- Modifies data under HKEY_USERS
- Suspicious use of SetWindowsHookEx
Network
MITRE ATT&CK Matrix ATT&CK v13
Execution
Command and Scripting Interpreter
1PowerShell
1Scheduled Task/Job
1Scheduled Task
1Persistence
Event Triggered Execution
1Netsh Helper DLL
1Scheduled Task/Job
1Scheduled Task
1Replay Monitor
Loading Replay Monitor...
Downloads
-
C:\Users\Admin\AppData\Local\146f24452249d403ffeadb01eee2dd29\Admin@RIJTOOVX_en-US\Browsers\Firefox\Bookmarks.txtFilesize
105B
MD52e9d094dda5cdc3ce6519f75943a4ff4
SHA15d989b4ac8b699781681fe75ed9ef98191a5096c
SHA256c84c98bbf5e0ef9c8d0708b5d60c5bb656b7d6be5135d7f7a8d25557e08cf142
SHA512d1f7eed00959e902bdb2125b91721460d3ff99f3bdfc1f2a343d4f58e8d4e5e5a06c0c6cdc0379211c94510f7c00d7a8b34fa7d0ca0c3d54cbbe878f1e9812b7
-
C:\Users\Admin\AppData\Local\146f24452249d403ffeadb01eee2dd29\Admin@RIJTOOVX_en-US\System\Process.txtFilesize
4KB
MD547b9080cf3b36ab1f368c91a41b3d82e
SHA1ac79537ca12aef72207b3bb198a28d673efd20fd
SHA25668ead6f5834e8ffb25f858b785b5e6343dc970621edebb9d4172ec82c41f8384
SHA512694baff9bb916969f11e323342b80db66379eb1a316f4e0007515997915f0f5ba5de186e1f0f19cc8a5d149b3edf917751fe1478d08a3a3251e140f0d096e6e5
-
C:\Users\Admin\AppData\Local\146f24452249d403ffeadb01eee2dd29\msgid.datFilesize
1B
MD5cfcd208495d565ef66e7dff9f98764da
SHA1b6589fc6ab0dc82cf12099d1c2d40ab994e8410c
SHA2565feceb66ffc86f38d952786c6d696c79c2dbc239dd4e91b46729d73a27fb57e9
SHA51231bca02094eb78126a517b206a88c73cfa9ec6f704c7030d18212cace820f025f00bf0ea68dbf3f3a5436ca63b53bf7bf80ad8d5de7d8359d0b7fed9dbc3ab99
-
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\powershell.exe.logFilesize
1KB
MD55315900105942deb090a358a315b06fe
SHA122fe5d2e1617c31afbafb91c117508d41ef0ce44
SHA256e8bd7d8d1d0437c71aceb032f9fb08dd1147f41c048540254971cc60e95d6cd7
SHA51277e8d15b8c34a1cb01dbee7147987e2cc25c747e0f80d254714a93937a6d2fe08cb5a772cf85ceb8fec56415bfa853234a003173718c4229ba8cfcf2ce6335a6
-
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractiveFilesize
15KB
MD5681a67c52d39f65864d10b88d169a006
SHA1a492fd83f28dd136afcbd397607e130000f9e0ad
SHA25627e4865cc6709e4ba14e6a8d29e838e0a6643232acf0544179efafbed07712f0
SHA51279bbe58168c27530ec63eb75e03d2f410a7d1e9bff685ce02face30054a7baaf272bfe46f7a40fda1bfd2248357d51d68e3f7d88c07fa58416074f53919797ee
-
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_tpwe23z3.eas.ps1Filesize
60B
MD5d17fe0a3f47be24a6453e9ef58c94641
SHA16ab83620379fc69f80c0242105ddffd7d98d5d9d
SHA25696ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
SHA5125b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82
-
C:\Users\Admin\AppData\Local\Temp\places.rawFilesize
5.0MB
MD5b01182fd0bcfecd25f0378b6ddd50714
SHA1faf0abd8ccde904e4ec90d216f9dada2c3a046d3
SHA256921d4d81de816c9f7add02a5c5dc28209959a2ce1bdd64eff6675a5cdbd90a55
SHA512a409fe0c1fbbcc158d47f6f727446ddf754b99ec235715f5f03b66a4f0c91b93c8bbd9e7ab235ed65e9b0abdd4bf2899dd3e5ec4afa8f45822e6f3dbc9d1bd7d
-
C:\Users\Admin\AppData\Local\Temp\tmp81B3.tmp.batFilesize
151B
MD59c74606d9a3e368fa6adff06939ce1b7
SHA1dcde2bcc5a5a0b49e7ffab2c1882d453112d65a5
SHA256af18964e7cf7415c4c46a471aef9ce0d9893be82137b873997ef9d665e6b10f8
SHA51204d737ea503e1946a16940a6db13ceb3798dae845c5b73ee6ec540acfe1e021350b8ccd8b36ace1cc7608b4fb2ce9887708296a5b213bf995bb9910ceb82aded
-
C:\Users\Admin\AppData\Local\Temp\tmpF8A8.tmp.datFilesize
100KB
MD59df444e0de734921d4d96deeeac4b16e
SHA131542622ecf896b93d830e21595091aef8742901
SHA2561d324d34d58165aca7dbf057a7417457776b4e805d60182401a9275fb7920900
SHA5122de6a0ac09b7a1a21cda31e49c072b097ca1959814c535920a099a9df87e993ba2dfd6cebcb8ec2110efca385bb618f771258575a06736afcfd6cd40a8e1a957
-
C:\Users\Admin\AppData\Local\Temp\tmpF8AA.tmp.datFilesize
152KB
MD573bd1e15afb04648c24593e8ba13e983
SHA14dd85ca46fcdf9d93f6b324f8bb0b5bb512a1b91
SHA256aab0b201f392fef9fdff09e56a9d0ac33d0f68be95da270e6dab89bb1f971d8b
SHA5126eb58fb41691894045569085bd64a83acd62277575ab002cf73d729bda4b6d43c36643a5fa336342e87a493326337ed43b8e5eaeae32f53210714699cb8dfac7
-
C:\Users\Admin\AppData\Local\Temp\tmpF8BD.tmp.datFilesize
116KB
MD5f70aa3fa04f0536280f872ad17973c3d
SHA150a7b889329a92de1b272d0ecf5fce87395d3123
SHA2568d782aa65de6db3538a14da82216e96d5e0a3c60496726e3541a8165bccc65f8
SHA51230675c5c610d9aa32a4c4a4d9c3af7570823cd197f8d2a709222c78e2cd15304bbed80e233e3674ec2f6e33d1961c67fd6a46dc8ba8b1a301cd0722932c03c84
-
C:\Users\Admin\AppData\Local\Temp\tyhdxz.exeFilesize
175KB
MD5ff895d93516828450e0c0dd0e467e1d0
SHA1a19edaa4b1fbfb8b3c8fe61d4cac894beb921b39
SHA25624c4301e81d0f742d7470fdaae62499b9793265f2e78d77c71e8b84bf1718cca
SHA512c3758aa89990653619c4803122fd0761e1c2709fea0dd9b89317ac4627d4e73e54a15397f121716b1dd48fb180fbbd2ed4a3c7b799b11743b2f9079cd1b9f75e
-
C:\Users\Admin\AppData\Local\Temp\zqbygv.exeFilesize
175KB
MD5da34ea26ddfedfd7966e8aedf0bb93e6
SHA1ba30bde364d564268d175090364158cb66c165a9
SHA256817940c9dd88c9d185f58532e2027e9df7bfaca8249ec96ae055da03c8750f20
SHA512fbf634fd22ec37a65540c6ad1968b53666308d4d31a151c26b1444e242de40c95c0f48f96010bc72e5e0e9a10982b4f56590e96aded12015de915d7d86af8dff
-
C:\Users\Admin\AppData\Roaming\svchost.exeFilesize
47KB
MD56d13d147a209e3be044035f0c03b7bde
SHA11eb5fb487ea7742ff1766ca5bf1b7191cfcf6283
SHA2569c457b1cd061ae951fbed7841149b247e085befa6e2c5170058ce35cdebce548
SHA512a159d09265fa833afddce5fe7fab6d4be0fc37fd4c2e0d1a15851427764ad3c068249ba28d000a076209d017cb65e4320752ac7a3a0314239d836f1e15ae39a9
-
memory/1444-210-0x00000000002D0000-0x0000000000302000-memory.dmpFilesize
200KB
-
memory/1444-374-0x00000000065D0000-0x00000000065E2000-memory.dmpFilesize
72KB
-
memory/3628-23-0x00000000059E0000-0x0000000006008000-memory.dmpFilesize
6.2MB
-
memory/3628-40-0x0000000006DA0000-0x0000000006DC2000-memory.dmpFilesize
136KB
-
memory/3628-35-0x0000000006280000-0x00000000065D4000-memory.dmpFilesize
3.3MB
-
memory/3628-36-0x0000000006870000-0x000000000688E000-memory.dmpFilesize
120KB
-
memory/3628-37-0x00000000068A0000-0x00000000068EC000-memory.dmpFilesize
304KB
-
memory/3628-38-0x0000000007880000-0x0000000007916000-memory.dmpFilesize
600KB
-
memory/3628-39-0x0000000006D50000-0x0000000006D6A000-memory.dmpFilesize
104KB
-
memory/3628-24-0x00000000060D0000-0x00000000060F2000-memory.dmpFilesize
136KB
-
memory/3628-25-0x00000000061A0000-0x0000000006206000-memory.dmpFilesize
408KB
-
memory/3628-22-0x00000000052B0000-0x00000000052E6000-memory.dmpFilesize
216KB
-
memory/4044-44-0x0000000000210000-0x0000000000242000-memory.dmpFilesize
200KB
-
memory/4044-190-0x0000000005620000-0x00000000056B2000-memory.dmpFilesize
584KB
-
memory/4044-212-0x0000000005750000-0x000000000575A000-memory.dmpFilesize
40KB
-
memory/4372-207-0x0000000006670000-0x00000000066BC000-memory.dmpFilesize
304KB
-
memory/4372-205-0x0000000005D80000-0x00000000060D4000-memory.dmpFilesize
3.3MB
-
memory/4872-20-0x0000000007840000-0x000000000785E000-memory.dmpFilesize
120KB
-
memory/4872-397-0x0000000008590000-0x00000000085F2000-memory.dmpFilesize
392KB
-
memory/4872-19-0x00000000076E0000-0x0000000007742000-memory.dmpFilesize
392KB
-
memory/4872-18-0x0000000007760000-0x00000000077D6000-memory.dmpFilesize
472KB
-
memory/4872-17-0x0000000006370000-0x00000000063D6000-memory.dmpFilesize
408KB
-
memory/4872-213-0x0000000074FD0000-0x0000000075780000-memory.dmpFilesize
7.7MB
-
memory/4872-16-0x0000000006BB0000-0x0000000007154000-memory.dmpFilesize
5.6MB
-
memory/4872-13-0x0000000074FD0000-0x0000000075780000-memory.dmpFilesize
7.7MB
-
memory/4872-400-0x0000000074FD0000-0x0000000075780000-memory.dmpFilesize
7.7MB
-
memory/4872-399-0x0000000007F40000-0x0000000007FA4000-memory.dmpFilesize
400KB
-
memory/4872-398-0x0000000008D10000-0x0000000008D1A000-memory.dmpFilesize
40KB
-
memory/4872-368-0x0000000007A60000-0x0000000007AC8000-memory.dmpFilesize
416KB
-
memory/5020-1-0x0000000000520000-0x0000000000532000-memory.dmpFilesize
72KB
-
memory/5020-0-0x000000007508E000-0x000000007508F000-memory.dmpFilesize
4KB
-
memory/5020-2-0x0000000075080000-0x0000000075830000-memory.dmpFilesize
7.7MB
-
memory/5020-3-0x0000000004EE0000-0x0000000004F7C000-memory.dmpFilesize
624KB
-
memory/5020-8-0x0000000075080000-0x0000000075830000-memory.dmpFilesize
7.7MB