asyncrat | 2c79e9095dabbab194fc34801c8e08cc1adc9576e71642d9e9b5f986964ad26d

General

Target

CHERRY.exe
Size

48KB
MD5

820bd630f443e32a6ead06212ff6e95e
SHA1

9278a11d7bc5bc3b07d564a29f6d520bf10dc744
SHA256

2c79e9095dabbab194fc34801c8e08cc1adc9576e71642d9e9b5f986964ad26d
SHA512

cf2ff4dd6de9fbe4c159d72942d2b427c245d84dc60b268d0a8705c86922a7cb33ab53ba7aa4c0011f4b63c356b1dbfe194ef205392e9c9053bd7b1d6aea2f9a

Score

10^/10

asyncrat rat spyware

Malware Config

Extracted

Family

asyncrat

Version

0.5.7B

C2

jamesalex13-32442.portmap.host:32442

Mutex

AsyncMutex_2VI8tgPik

Attributes

aes_key
LH6rs7V8nICHHwjuleXZSNJw5t2MZnAG
anti_detection
true
autorun
true
bdos
true
delay
Default
host
jamesalex13-32442.portmap.host
hwid
3
install_file
install_folder
%AppData%
mutex
AsyncMutex_2VI8tgPik
pastebin_config
null
port
32442
version
0.5.7B

aes.plain

Signatures

AsyncRat
AsyncRAT is designed to remotely monitor and control other computers.
rat asyncrat

Async RAT payload 4 IoCs

rat

Processes:

resource	yara_rule
C:\Users\Admin\AppData\Roaming\HWMonitor.exe	asyncrat
C:\Users\Admin\AppData\Roaming\HWMonitor.exe	asyncrat
behavioral2/memory/2776-24-0x0000000006F40000-0x0000000006F60000-memory.dmp	asyncrat
behavioral2/memory/2776-27-0x0000000007100000-0x000000000711B000-memory.dmp	asyncrat

Executes dropped EXE 1 IoCs

Processes:

HWMonitor.exe

pid process

2776 HWMonitor.exe
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware

Data from Local System
T1005

Credentials in Files
T1081
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Creates scheduled task(s) 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence

Scheduled Task
T1053

Processes:

schtasks.exe

pid process

1392 schtasks.exe
Delays execution with timeout.exe 1 IoCs
evasion

Processes:

timeout.exe

pid process

1268 timeout.exe
Suspicious behavior: AddClipboardFormatListener 1 IoCs

Processes:

HWMonitor.exe

pid process

2776 HWMonitor.exe

pid	process
2776	HWMonitor.exe

pid	process
1392	schtasks.exe

pid	process
1268	timeout.exe

pid	process
2776	HWMonitor.exe

Suspicious behavior: EnumeratesProcesses 15 IoCs

Processes:

CHERRY.exe

pid	process
3928	CHERRY.exe
3928	CHERRY.exe
3928	CHERRY.exe
3928	CHERRY.exe
3928	CHERRY.exe
3928	CHERRY.exe
3928	CHERRY.exe
3928	CHERRY.exe
3928	CHERRY.exe
3928	CHERRY.exe
3928	CHERRY.exe
3928	CHERRY.exe
3928	CHERRY.exe
3928	CHERRY.exe
3928	CHERRY.exe

Suspicious use of AdjustPrivilegeToken 3 IoCs

Processes:

CHERRY.exeHWMonitor.exe

description pid process

Token: SeDebugPrivilege 3928 CHERRY.exe
Token: SeDebugPrivilege 2776 HWMonitor.exe
Token: SeDebugPrivilege 2776 HWMonitor.exe
Suspicious use of SetWindowsHookEx 1 IoCs

Processes:

HWMonitor.exe

pid process

2776 HWMonitor.exe

description	pid	process
Token: SeDebugPrivilege	3928	CHERRY.exe
Token: SeDebugPrivilege	2776	HWMonitor.exe
Token: SeDebugPrivilege	2776	HWMonitor.exe

pid	process
2776	HWMonitor.exe

Suspicious use of WriteProcessMemory 15 IoCs

Processes:

CHERRY.execmd.execmd.exe

description	pid	process	target process
PID 3928 wrote to memory of 4072	3928	CHERRY.exe	cmd.exe
PID 3928 wrote to memory of 4072	3928	CHERRY.exe	cmd.exe
PID 3928 wrote to memory of 4072	3928	CHERRY.exe	cmd.exe
PID 3928 wrote to memory of 1208	3928	CHERRY.exe	cmd.exe
PID 3928 wrote to memory of 1208	3928	CHERRY.exe	cmd.exe
PID 3928 wrote to memory of 1208	3928	CHERRY.exe	cmd.exe
PID 4072 wrote to memory of 1392	4072	cmd.exe	schtasks.exe
PID 4072 wrote to memory of 1392	4072	cmd.exe	schtasks.exe
PID 4072 wrote to memory of 1392	4072	cmd.exe	schtasks.exe
PID 1208 wrote to memory of 1268	1208	cmd.exe	timeout.exe
PID 1208 wrote to memory of 1268	1208	cmd.exe	timeout.exe
PID 1208 wrote to memory of 1268	1208	cmd.exe	timeout.exe
PID 1208 wrote to memory of 2776	1208	cmd.exe	HWMonitor.exe
PID 1208 wrote to memory of 2776	1208	cmd.exe	HWMonitor.exe
PID 1208 wrote to memory of 2776	1208	cmd.exe	HWMonitor.exe

C:\Users\Admin\AppData\Local\Temp\CHERRY.exe
"C:\Users\Admin\AppData\Local\Temp\CHERRY.exe"
1⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3928
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\System32\cmd.exe" /c schtasks /create /f /sc onlogon /rl highest /tn "HWMonitor" /tr '"C:\Users\Admin\AppData\Roaming\HWMonitor.exe"' & exit
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:4072
- - C:\Windows\SysWOW64\schtasks.exe
    schtasks /create /f /sc onlogon /rl highest /tn "HWMonitor" /tr '"C:\Users\Admin\AppData\Roaming\HWMonitor.exe"'
    3⤵
    - Creates scheduled task(s)
    PID:1392
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\tmp4D1C.tmp.bat""
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:1208
- - C:\Windows\SysWOW64\timeout.exe
    timeout 3
    3⤵
    - Delays execution with timeout.exe
    PID:1268
- - C:\Users\Admin\AppData\Roaming\HWMonitor.exe
    "C:\Users\Admin\AppData\Roaming\HWMonitor.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious behavior: AddClipboardFormatListener
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of SetWindowsHookEx
    PID:2776

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Scheduled Task

1

T1053

Persistence

Scheduled Task

1

T1053

Privilege Escalation

Scheduled Task

1

T1053

Defense Evasion

Credential Access

Credentials in Files

1

T1081

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Data from Local System

1

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\tmp4D1C.tmp.bat

MD5
54e2e38fd8bef992d03a7c90a4dc95cf

SHA1
914d2b07de3382090cd756c556c9dca9d4d97f48

SHA256
5ab6f1d132f5bbe835874966fb9805dcf1ce197c9a63ffa654c67d066a68aebf

SHA512
5e12abeb83f4edc690ae7d1fc4c1a2085edd9820a22f2bbfb7c1dae8c293365a51115d6379317d2eaf542aeb0631e7a68fdd7234b90efec0eed7bcd633c3a90c

Download Submit
C:\Users\Admin\AppData\Roaming\HWMonitor.exe

MD5
820bd630f443e32a6ead06212ff6e95e

SHA1
9278a11d7bc5bc3b07d564a29f6d520bf10dc744

SHA256
2c79e9095dabbab194fc34801c8e08cc1adc9576e71642d9e9b5f986964ad26d

SHA512
cf2ff4dd6de9fbe4c159d72942d2b427c245d84dc60b268d0a8705c86922a7cb33ab53ba7aa4c0011f4b63c356b1dbfe194ef205392e9c9053bd7b1d6aea2f9a

Download Submit
C:\Users\Admin\AppData\Roaming\HWMonitor.exe

MD5
820bd630f443e32a6ead06212ff6e95e

SHA1
9278a11d7bc5bc3b07d564a29f6d520bf10dc744

SHA256
2c79e9095dabbab194fc34801c8e08cc1adc9576e71642d9e9b5f986964ad26d

SHA512
cf2ff4dd6de9fbe4c159d72942d2b427c245d84dc60b268d0a8705c86922a7cb33ab53ba7aa4c0011f4b63c356b1dbfe194ef205392e9c9053bd7b1d6aea2f9a

Download Submit
memory/1208-9-0x0000000000000000-mapping.dmp

Download
memory/1268-12-0x0000000000000000-mapping.dmp

Download
memory/1392-11-0x0000000000000000-mapping.dmp

Download
memory/2776-19-0x0000000003040000-0x0000000003041000-memory.dmp

Filesize
4KB

Download
memory/2776-29-0x0000000006E00000-0x0000000006E79000-memory.dmp

Filesize
484KB

Download
memory/2776-34-0x0000000007930000-0x0000000007931000-memory.dmp

Filesize
4KB

Download
memory/2776-33-0x00000000078D0000-0x0000000007929000-memory.dmp

Filesize
356KB

Download
memory/2776-13-0x0000000000000000-mapping.dmp

Download
memory/2776-32-0x0000000007370000-0x00000000073FD000-memory.dmp

Filesize
564KB

Download
memory/2776-31-0x0000000006EE0000-0x0000000006EE4000-memory.dmp

Filesize
16KB

Download
memory/2776-16-0x0000000073B90000-0x000000007427E000-memory.dmp

Filesize
6.9MB

Download
memory/2776-30-0x0000000008130000-0x0000000008131000-memory.dmp

Filesize
4KB

Download
memory/2776-22-0x00000000067C0000-0x00000000067C1000-memory.dmp

Filesize
4KB

Download
memory/2776-23-0x0000000006FC0000-0x0000000006FC1000-memory.dmp

Filesize
4KB

Download
memory/2776-24-0x0000000006F40000-0x0000000006F60000-memory.dmp

Filesize
128KB

Download
memory/2776-25-0x0000000006FA0000-0x0000000006FA1000-memory.dmp

Filesize
4KB

Download
memory/2776-26-0x0000000007120000-0x0000000007121000-memory.dmp

Filesize
4KB

Download
memory/2776-27-0x0000000007100000-0x000000000711B000-memory.dmp

Filesize
108KB

Download
memory/2776-28-0x00000000077F0000-0x00000000077F1000-memory.dmp

Filesize
4KB

Download
memory/3928-2-0x0000000073C40000-0x000000007432E000-memory.dmp

Filesize
6.9MB

Download
memory/3928-3-0x00000000000A0000-0x00000000000A1000-memory.dmp

Filesize
4KB

Download
memory/3928-5-0x0000000004980000-0x0000000004981000-memory.dmp

Filesize
4KB

Download
memory/3928-6-0x0000000004890000-0x0000000004891000-memory.dmp

Filesize
4KB

Download
memory/3928-7-0x0000000004E30000-0x0000000004E31000-memory.dmp

Filesize
4KB

Download
memory/4072-8-0x0000000000000000-mapping.dmp

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads