asyncrat | 2c79e9095dabbab194fc34801c8e08cc1adc9576e71642d9e9b5f986964ad26d

General

Target

CHERRY.exe
Size

48KB
MD5

820bd630f443e32a6ead06212ff6e95e
SHA1

9278a11d7bc5bc3b07d564a29f6d520bf10dc744
SHA256

2c79e9095dabbab194fc34801c8e08cc1adc9576e71642d9e9b5f986964ad26d
SHA512

cf2ff4dd6de9fbe4c159d72942d2b427c245d84dc60b268d0a8705c86922a7cb33ab53ba7aa4c0011f4b63c356b1dbfe194ef205392e9c9053bd7b1d6aea2f9a

Score

10^/10

asyncrat rat

Malware Config

Extracted

Family

asyncrat

Version

0.5.7B

C2

jamesalex13-32442.portmap.host:32442

Mutex

AsyncMutex_2VI8tgPik

Attributes

aes_key
LH6rs7V8nICHHwjuleXZSNJw5t2MZnAG
anti_detection
true
autorun
true
bdos
true
delay
Default
host
jamesalex13-32442.portmap.host
hwid
3
install_file
install_folder
%AppData%
mutex
AsyncMutex_2VI8tgPik
pastebin_config
null
port
32442
version
0.5.7B

aes.plain

Signatures

AsyncRat
AsyncRAT is designed to remotely monitor and control other computers.
rat asyncrat

Async RAT payload 3 IoCs

rat

Processes:

resource	yara_rule
\Users\Admin\AppData\Roaming\HWMonitor.exe	asyncrat
C:\Users\Admin\AppData\Roaming\HWMonitor.exe	asyncrat
C:\Users\Admin\AppData\Roaming\HWMonitor.exe	asyncrat

Executes dropped EXE 1 IoCs

Processes:

HWMonitor.exe

pid process

1760 HWMonitor.exe
Loads dropped DLL 1 IoCs

Processes:

cmd.exe

pid process

1160 cmd.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Creates scheduled task(s) 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence

Scheduled Task
T1053

Processes:

schtasks.exe

pid process

548 schtasks.exe
Delays execution with timeout.exe 1 IoCs
evasion

Processes:

timeout.exe

pid process

748 timeout.exe
Suspicious behavior: EnumeratesProcesses 3 IoCs

Processes:

CHERRY.exe

pid process

1852 CHERRY.exe
1852 CHERRY.exe
1852 CHERRY.exe
Suspicious use of AdjustPrivilegeToken 3 IoCs

Processes:

CHERRY.exeHWMonitor.exe

description pid process

Token: SeDebugPrivilege 1852 CHERRY.exe
Token: SeDebugPrivilege 1760 HWMonitor.exe
Token: SeDebugPrivilege 1760 HWMonitor.exe

pid	process
1760	HWMonitor.exe

pid	process
1160	cmd.exe

pid	process
548	schtasks.exe

pid	process
748	timeout.exe

pid	process
1852	CHERRY.exe
1852	CHERRY.exe
1852	CHERRY.exe

description	pid	process
Token: SeDebugPrivilege	1852	CHERRY.exe
Token: SeDebugPrivilege	1760	HWMonitor.exe
Token: SeDebugPrivilege	1760	HWMonitor.exe

Suspicious use of WriteProcessMemory 20 IoCs

Processes:

CHERRY.execmd.execmd.exe

description	pid	process	target process
PID 1852 wrote to memory of 388	1852	CHERRY.exe	cmd.exe
PID 1852 wrote to memory of 388	1852	CHERRY.exe	cmd.exe
PID 1852 wrote to memory of 388	1852	CHERRY.exe	cmd.exe
PID 1852 wrote to memory of 388	1852	CHERRY.exe	cmd.exe
PID 1852 wrote to memory of 1160	1852	CHERRY.exe	cmd.exe
PID 1852 wrote to memory of 1160	1852	CHERRY.exe	cmd.exe
PID 1852 wrote to memory of 1160	1852	CHERRY.exe	cmd.exe
PID 1852 wrote to memory of 1160	1852	CHERRY.exe	cmd.exe
PID 388 wrote to memory of 548	388	cmd.exe	schtasks.exe
PID 388 wrote to memory of 548	388	cmd.exe	schtasks.exe
PID 388 wrote to memory of 548	388	cmd.exe	schtasks.exe
PID 388 wrote to memory of 548	388	cmd.exe	schtasks.exe
PID 1160 wrote to memory of 748	1160	cmd.exe	timeout.exe
PID 1160 wrote to memory of 748	1160	cmd.exe	timeout.exe
PID 1160 wrote to memory of 748	1160	cmd.exe	timeout.exe
PID 1160 wrote to memory of 748	1160	cmd.exe	timeout.exe
PID 1160 wrote to memory of 1760	1160	cmd.exe	HWMonitor.exe
PID 1160 wrote to memory of 1760	1160	cmd.exe	HWMonitor.exe
PID 1160 wrote to memory of 1760	1160	cmd.exe	HWMonitor.exe
PID 1160 wrote to memory of 1760	1160	cmd.exe	HWMonitor.exe

C:\Users\Admin\AppData\Local\Temp\CHERRY.exe
"C:\Users\Admin\AppData\Local\Temp\CHERRY.exe"
1⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1852
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\System32\cmd.exe" /c schtasks /create /f /sc onlogon /rl highest /tn "HWMonitor" /tr '"C:\Users\Admin\AppData\Roaming\HWMonitor.exe"' & exit
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:388
- - C:\Windows\SysWOW64\schtasks.exe
    schtasks /create /f /sc onlogon /rl highest /tn "HWMonitor" /tr '"C:\Users\Admin\AppData\Roaming\HWMonitor.exe"'
    3⤵
    - Creates scheduled task(s)
    PID:548
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\tmp41A2.tmp.bat""
  2⤵
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory
  PID:1160
- - C:\Windows\SysWOW64\timeout.exe
    timeout 3
    3⤵
    - Delays execution with timeout.exe
    PID:748
- - C:\Users\Admin\AppData\Roaming\HWMonitor.exe
    "C:\Users\Admin\AppData\Roaming\HWMonitor.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious use of AdjustPrivilegeToken
    PID:1760

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Scheduled Task

1

T1053

Persistence

Scheduled Task

1

T1053

Privilege Escalation

Scheduled Task

1

T1053

Defense Evasion

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\tmp41A2.tmp.bat

MD5
3bc4ac36d60775b4db8682368cd97743

SHA1
3eda5783762d9057970c3a120b2378ec1659ce13

SHA256
1c2142e884f02a8d6b354458bbf1ba35921ffd3aae5cfb19e933fba6886a7afc

SHA512
d1b686a556896d56553a49b80579835442d9d11a39c02d33d43eff5fa4183b39298c4403c5262be257bf30f071dbe54b5bed92256b72c14f7f481f35e1430fb8

Download Submit
C:\Users\Admin\AppData\Roaming\HWMonitor.exe

MD5
820bd630f443e32a6ead06212ff6e95e

SHA1
9278a11d7bc5bc3b07d564a29f6d520bf10dc744

SHA256
2c79e9095dabbab194fc34801c8e08cc1adc9576e71642d9e9b5f986964ad26d

SHA512
cf2ff4dd6de9fbe4c159d72942d2b427c245d84dc60b268d0a8705c86922a7cb33ab53ba7aa4c0011f4b63c356b1dbfe194ef205392e9c9053bd7b1d6aea2f9a

Download Submit
C:\Users\Admin\AppData\Roaming\HWMonitor.exe

MD5
820bd630f443e32a6ead06212ff6e95e

SHA1
9278a11d7bc5bc3b07d564a29f6d520bf10dc744

SHA256
2c79e9095dabbab194fc34801c8e08cc1adc9576e71642d9e9b5f986964ad26d

SHA512
cf2ff4dd6de9fbe4c159d72942d2b427c245d84dc60b268d0a8705c86922a7cb33ab53ba7aa4c0011f4b63c356b1dbfe194ef205392e9c9053bd7b1d6aea2f9a

Download Submit
\Users\Admin\AppData\Roaming\HWMonitor.exe

MD5
820bd630f443e32a6ead06212ff6e95e

SHA1
9278a11d7bc5bc3b07d564a29f6d520bf10dc744

SHA256
2c79e9095dabbab194fc34801c8e08cc1adc9576e71642d9e9b5f986964ad26d

SHA512
cf2ff4dd6de9fbe4c159d72942d2b427c245d84dc60b268d0a8705c86922a7cb33ab53ba7aa4c0011f4b63c356b1dbfe194ef205392e9c9053bd7b1d6aea2f9a

Download Submit
memory/388-7-0x0000000000000000-mapping.dmp

Download
memory/548-9-0x0000000000000000-mapping.dmp

Download
memory/748-11-0x0000000000000000-mapping.dmp

Download
memory/1160-8-0x0000000000000000-mapping.dmp

Download
memory/1760-14-0x0000000000000000-mapping.dmp

Download
memory/1760-16-0x00000000747C0000-0x0000000074EAE000-memory.dmp

Filesize
6.9MB

Download
memory/1760-17-0x0000000000EC0000-0x0000000000EC1000-memory.dmp

Filesize
4KB

Download
memory/1760-20-0x0000000004B60000-0x0000000004B61000-memory.dmp

Filesize
4KB

Download
memory/1852-2-0x0000000074840000-0x0000000074F2E000-memory.dmp

Filesize
6.9MB

Download
memory/1852-6-0x00000000009A0000-0x00000000009A1000-memory.dmp

Filesize
4KB

Download
memory/1852-5-0x00000000756C1000-0x00000000756C3000-memory.dmp

Filesize
8KB

Download
memory/1852-3-0x0000000000850000-0x0000000000851000-memory.dmp

Filesize
4KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads