asyncrat | 9085e6327177bb47cf43a8d8ed0c24fcfd50cde4199c5130f2b97b2508e9aabc | Triage

Submit
Reports

Overview

overview

Static

static

3

9085e63271...bc.exe

windows7-x64

8

9085e63271...bc.exe

windows10-2004-x64

Sharing

General

Target

9085e6327177bb47cf43a8d8ed0c24fcfd50cde4199c5130f2b97b2508e9aabc.exe
Size

14.4MB
Sample

240707-bll9nazaqm
MD5

1082572a44d4c41214a3c38dcd8289f9
SHA1

d1e83fbdc0bfaa92334eb043e3f37bbe1104cd68
SHA256

9085e6327177bb47cf43a8d8ed0c24fcfd50cde4199c5130f2b97b2508e9aabc
SHA512

364bea1a64fa1b0248692ac6239a10f4a38d52a93dcc71502220804061a3c0a2e6d4e0dce45a563e372829998c9cf3a2f44a6c047ec830e9a26eef3510b014d2
SSDEEP

393216:iXMxStQvFIeTiQvMipcK5x00D1lR/ggb/Dt:oXU1TzvMInx0QV/D

Score

10^/10

asyncrat stormkitty default persistence rat spyware stealer

Static task

static1

1 signatures

Behavioral task

behavioral1

Sample

9085e6327177bb47cf43a8d8ed0c24fcfd50cde4199c5130f2b97b2508e9aabc.exe

Resource

win7-20240508-en

windows7-x64

9 signatures

150 seconds

Behavioral task

behavioral2

Sample

9085e6327177bb47cf43a8d8ed0c24fcfd50cde4199c5130f2b97b2508e9aabc.exe

Resource

win10v2004-20240704-en

asyncrat stormkitty default persistence rat spyware stealer

windows10-2004-x64

23 signatures

150 seconds

Malware Config

Extracted

Family

asyncrat

Botnet

Default

C2

127.0.0.1:6606

127.0.0.1:7707

127.0.0.1:8808

https://api.telegram.org/bot6082381502:AAEEe5dVvSMdEf-_fKUh7iRqcNun3Q5DzxM/sendMessage?chat_id=5795480469

Mutex

AsyncMutex_6SI8OkPnk

Attributes

delay
3
install
false
install_folder
%AppData%

aes.plain

Targets

- Target
  
  9085e6327177bb47cf43a8d8ed0c24fcfd50cde4199c5130f2b97b2508e9aabc.exe
- Size
  
  14.4MB
- MD5
  
  1082572a44d4c41214a3c38dcd8289f9
- SHA1
  
  d1e83fbdc0bfaa92334eb043e3f37bbe1104cd68
- SHA256
  
  9085e6327177bb47cf43a8d8ed0c24fcfd50cde4199c5130f2b97b2508e9aabc
- SHA512
  
  364bea1a64fa1b0248692ac6239a10f4a38d52a93dcc71502220804061a3c0a2e6d4e0dce45a563e372829998c9cf3a2f44a6c047ec830e9a26eef3510b014d2
- SSDEEP
  
  393216:iXMxStQvFIeTiQvMipcK5x00D1lR/ggb/Dt:oXU1TzvMInx0QV/D
Score

10^/10

persistence asyncrat stormkitty default rat spyware stealer
- AsyncRat
  AsyncRAT is designed to remotely monitor and control other computers written in C#.
  rat asyncrat
- StormKitty
  StormKitty is an open source info stealer written in C#.
  stealer stormkitty
- StormKitty payload
- Async RAT payload
  rat
- Downloads MZ/PE file
- Drops file in Drivers directory
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Drops startup file
- Executes dropped EXE
- Reads user/profile data of web browsers
  Infostealers often target stored browser data, which can include saved credentials etc.
  spyware stealer
- Adds Run key to start application
  persistence
- Drops desktop.ini file(s)
- Legitimate hosting services abused for malware hosting/C2
- Looks up external IP address via web service
  Uses a legitimate IP lookup service to find the infected system's external IP.
- Looks up geolocation information via web service
  Uses a legitimate geolocation service to find the infected system's geolocation info.
- Suspicious use of SetThreadContext
behavioral1 behavioral2

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Scheduled Task/Job

Scheduled Task

Persistence

Boot or Logon Autostart Execution

Registry Run Keys / Startup Folder

Scheduled Task/Job

Scheduled Task

Privilege Escalation

Boot or Logon Autostart Execution

Registry Run Keys / Startup Folder

Scheduled Task/Job

Scheduled Task

Defense Evasion

Modify Registry

Credential Access

Unsecured Credentials

Credentials In Files

Discovery

Query Registry

System Information Discovery

Lateral Movement

Collection

Data from Local System

Exfiltration

Command and Control

Web Service

Impact

Resource Development

Reconnaissance

Tasks

static1

behavioral1

behavioral2

asyncratstormkittydefaultpersistenceratspywarestealer

© 2018-2024

Terms | Privacy