Overview

overview

10

Static

static

1

09dcf54c74...69.exe

windows7-x64

10

09dcf54c74...69.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    145s
  • max time network
    148s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240611-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20240611-enlocale:en-usos:windows10-2004-x64system
  • submitted
    02-07-2024 01:03

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    09dcf54c74a3669c9cd811df04f84601c723a7e7457b414e15a842192b8df669.exe

  • Size

    514KB

  • MD5

    395c4070233d059b2f1661fbdc6af0b4

  • SHA1

    c4e8741e9c21d4a5d9a45138232da82c751cc390

  • SHA256

    09dcf54c74a3669c9cd811df04f84601c723a7e7457b414e15a842192b8df669

  • SHA512

    b3214c512ad6cde7f64ec1d9e8fab416917a248e77268f8516505d8f319168445e184c0182679ed8fdbc967fb6cb94b4e4fc4e2a760bc0f50aa154da81d6b3b9

  • SSDEEP

    12288:IOK+cDtCaKVvTkLsDSdWg51DKWpw06aioXy3FMk:xGAZVL1D5W2Hckmk

Score
10/10
asyncratstormkittydefaultpersistenceprivilege_escalationratstealer

Malware Config

Extracted

Family

asyncrat

Botnet

Default

C2

127.0.0.1:6606

127.0.0.1:7707

127.0.0.1:8808

https://api.telegram.org/bot7322917184:AAEZSbuOE5wiEr26jHjFYvUlp0J9RAox2lU/sendMessage?chat_id=5635047295
Mutex

AsyncMutex_6SI8OkPnk

Attributes
  • delay

    3

  • install

    false

  • install_folder

    %AppData%

aes.plain

Signatures

  • AsyncRat

    AsyncRAT is designed to remotely monitor and control other computers written in C#.

    ratasyncrat
  • StormKitty

    StormKitty is an open source info stealer written in C#.

    stealerstormkitty
  • StormKitty payload 1 IoCs
  • Drops desktop.ini file(s) 8 IoCs
  • Legitimate hosting services abused for malware hosting/C2 1 TTPs 2 IoCs
  • Looks up external IP address via web service 1 IoCs

    Uses a legitimate IP lookup service to find the infected system's external IP.

  • Looks up geolocation information via web service

    Uses a legitimate geolocation service to find the infected system's geolocation info.

  • Suspicious use of SetThreadContext 1 IoCs
  • Event Triggered Execution: Netsh Helper DLL 1 TTPs 6 IoCs

    Netsh.exe (also referred to as Netshell) is a command-line scripting utility used to interact with the network configuration of a system.

    persistenceprivilege_escalation
  • Checks processor information in registry 2 TTPs 2 IoCs

    Processor information is often read in order to detect sandboxing environments.

  • Suspicious behavior: EnumeratesProcesses 27 IoCs
  • Suspicious use of AdjustPrivilegeToken 2 IoCs
  • Suspicious use of WriteProcessMemory 29 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\09dcf54c74a3669c9cd811df04f84601c723a7e7457b414e15a842192b8df669.exe
    "C:\Users\Admin\AppData\Local\Temp\09dcf54c74a3669c9cd811df04f84601c723a7e7457b414e15a842192b8df669.exe"
    1⤵
    • Suspicious use of SetThreadContext
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:696
    • C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
      "C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe"
      2⤵
      • Drops desktop.ini file(s)
      • Checks processor information in registry
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:3712
      • C:\Windows\SysWOW64\cmd.exe
        "cmd.exe" /C chcp 65001 && netsh wlan show profile | findstr All
        3⤵
        • Suspicious use of WriteProcessMemory
        PID:3116
        • C:\Windows\SysWOW64\chcp.com
          chcp 65001
          4⤵
            PID:3052
          • C:\Windows\SysWOW64\netsh.exe
            netsh wlan show profile
            4⤵
            • Event Triggered Execution: Netsh Helper DLL
            PID:880
          • C:\Windows\SysWOW64\findstr.exe
            findstr All
            4⤵
              PID:4212
          • C:\Windows\SysWOW64\cmd.exe
            "cmd.exe" /C chcp 65001 && netsh wlan show networks mode=bssid
            3⤵
            • Suspicious use of WriteProcessMemory
            PID:1252
            • C:\Windows\SysWOW64\chcp.com
              chcp 65001
              4⤵
                PID:2196
              • C:\Windows\SysWOW64\netsh.exe
                netsh wlan show networks mode=bssid
                4⤵
                • Event Triggered Execution: Netsh Helper DLL
                PID:1400
        • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
          "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --field-trial-handle=4056,i,8447163055677043976,7218082390179600880,262144 --variations-seed-version --mojo-platform-channel-handle=4572 /prefetch:8
          1⤵
            PID:4392

          Network

          MITRE ATT&CK Matrix ATT&CK v13

          Initial Access

          Execution

          Persistence

          Event Triggered Execution

          1
          T1546

          Netsh Helper DLL

          1
          T1546.007

          Privilege Escalation

          Event Triggered Execution

          1
          T1546

          Netsh Helper DLL

          1
          T1546.007

          Defense Evasion

          Credential Access

          Discovery

          Query Registry

          1
          T1012

          System Information Discovery

          1
          T1082

          Lateral Movement

          Collection

          Exfiltration

          Command and Control

          Web Service

          1
          T1102

          Impact

          Resource Development

          Reconnaissance

          Replay Monitor

          Loading Replay Monitor...

          Downloads

          • C:\Users\Admin\AppData\Local\10c099b054d4fb1c0fb406152849cbcb\msgid.dat
            Filesize

            1B

            MD5

            cfcd208495d565ef66e7dff9f98764da

            SHA1

            b6589fc6ab0dc82cf12099d1c2d40ab994e8410c

            SHA256

            5feceb66ffc86f38d952786c6d696c79c2dbc239dd4e91b46729d73a27fb57e9

            SHA512

            31bca02094eb78126a517b206a88c73cfa9ec6f704c7030d18212cace820f025f00bf0ea68dbf3f3a5436ca63b53bf7bf80ad8d5de7d8359d0b7fed9dbc3ab99

            Download Submit
          • C:\Users\Admin\AppData\Local\fde07eb82f9e35ee698e139a3491c49f\Admin@PXHSTPPU_en-US\System\Process.txt
            Filesize

            4KB

            MD5

            351702de90f8b701f79e09812bec4c35

            SHA1

            db8b5a0e8d956f2aba70c1654bccadb7360c3bde

            SHA256

            e898d6b3354f96c78d28a28821c6dc652d980b7310d65559d60806244d816ca0

            SHA512

            088299271b4c393fcec07b97fa66519d716d38e4443db870d3145b0144c83410b1f1789a8fe9e64f1bc49bddc0cbc026bb1177f1434e04e8f2a0b23240ce72bd

            Download Submit
          • memory/696-6-0x0000000005A10000-0x0000000005A54000-memory.dmp
            Filesize

            272KB

            Download
          • memory/696-2-0x0000000005DE0000-0x0000000006384000-memory.dmp
            Filesize

            5.6MB

            Download
          • memory/696-4-0x0000000005970000-0x0000000005A0C000-memory.dmp
            Filesize

            624KB

            Download
          • memory/696-5-0x0000000074F80000-0x0000000075730000-memory.dmp
            Filesize

            7.7MB

            Download
          • memory/696-0-0x0000000074F8E000-0x0000000074F8F000-memory.dmp
            Filesize

            4KB

            Download
          • memory/696-7-0x0000000005CD0000-0x0000000005CDA000-memory.dmp
            Filesize

            40KB

            Download
          • memory/696-8-0x0000000074F80000-0x0000000075730000-memory.dmp
            Filesize

            7.7MB

            Download
          • memory/696-9-0x0000000006E20000-0x0000000006E3A000-memory.dmp
            Filesize

            104KB

            Download
          • memory/696-10-0x0000000009B30000-0x0000000009B36000-memory.dmp
            Filesize

            24KB

            Download
          • memory/696-11-0x0000000074F8E000-0x0000000074F8F000-memory.dmp
            Filesize

            4KB

            Download
          • memory/696-12-0x0000000074F80000-0x0000000075730000-memory.dmp
            Filesize

            7.7MB

            Download
          • memory/696-1-0x0000000000860000-0x00000000008E4000-memory.dmp
            Filesize

            528KB

            Download
          • memory/696-3-0x00000000058D0000-0x0000000005962000-memory.dmp
            Filesize

            584KB

            Download
          • memory/696-15-0x0000000074F80000-0x0000000075730000-memory.dmp
            Filesize

            7.7MB

            Download
          • memory/3712-16-0x0000000074F80000-0x0000000075730000-memory.dmp
            Filesize

            7.7MB

            Download
          • memory/3712-18-0x00000000053D0000-0x0000000005436000-memory.dmp
            Filesize

            408KB

            Download
          • memory/3712-17-0x0000000074F80000-0x0000000075730000-memory.dmp
            Filesize

            7.7MB

            Download
          • memory/3712-168-0x0000000074F80000-0x0000000075730000-memory.dmp
            Filesize

            7.7MB

            Download
          • memory/3712-173-0x0000000006110000-0x000000000611A000-memory.dmp
            Filesize

            40KB

            Download
          • memory/3712-180-0x0000000006480000-0x0000000006492000-memory.dmp
            Filesize

            72KB

            Download
          • memory/3712-179-0x0000000074F80000-0x0000000075730000-memory.dmp
            Filesize

            7.7MB

            Download
          • memory/3712-13-0x0000000000400000-0x0000000000432000-memory.dmp
            Filesize

            200KB

            Download
          • memory/3712-203-0x0000000074F80000-0x0000000075730000-memory.dmp
            Filesize

            7.7MB

            Download
          • memory/3712-204-0x0000000074F80000-0x0000000075730000-memory.dmp
            Filesize

            7.7MB

            Download