asyncrat | 0613d9d0dda0d03efe4dd9876834c8234b54b7d2f406fe8dcc66e799eeb5a640

General

Target

Hackus.exe
Size

3.1MB
MD5

70787feaf9b8720abbd483c657d7a1b0
SHA1

9ce52f7b5ff2b4dadbe12694391b76d3a82d121c
SHA256

0613d9d0dda0d03efe4dd9876834c8234b54b7d2f406fe8dcc66e799eeb5a640
SHA512

9c105e63b5c12f94b80d0668fec63736fad97a13cc49fed6c7715715d4519f38d558fbde431b73153ef226aeb6e211ad1a8e9cc5c69b8fdec31214005c612d36
SSDEEP

49152:kGlP3G5KT6W0/KJQdqsF5JcJ+l2VbvbUGH8wb6i:kb4T6LEsBlM+lQ3B

Score

10^/10

asyncrat stormkitty default discovery rat stealer

Malware Config

Extracted

Family

asyncrat

Botnet

Default

C2

127.0.0.1:6606

127.0.0.1:7707

127.0.0.1:8808

https://api.telegram.org/bot8038687818:AAF7yfWLNIj0GslX51tOIFXZ_75cuFnZ9oc/sendMessage?chat_id=6378570062

https://api.telegram.org/bot7289188591:AAFXBqcWy9p_LgUKTwd-Pcl7lvzedUGWL1E/sendMessage?chat_id=8079461533

Mutex

AsyncMutex_6SI8OkPnk

Attributes

delay
3
install
false
install_folder
%AppData%

aes.plain

Signatures

AsyncRat
AsyncRAT is designed to remotely monitor and control other computers written in C#.
rat asyncrat
Asyncrat family
asyncrat
StormKitty
StormKitty is an open source info stealer written in C#.
stealer stormkitty

StormKitty payload 4 IoCs

resource	yara_rule
behavioral2/files/0x0008000000023c78-4.dat	family_stormkitty
behavioral2/files/0x0007000000023c84-20.dat	family_stormkitty
behavioral2/memory/3764-23-0x0000000000300000-0x0000000000340000-memory.dmp	family_stormkitty
behavioral2/memory/4992-24-0x0000000000070000-0x00000000000B0000-memory.dmp	family_stormkitty

Stormkitty family
stormkitty

Async RAT payload 2 IoCs

rat

resource	yara_rule
behavioral2/files/0x0008000000023c78-4.dat	family_asyncrat
behavioral2/files/0x0007000000023c84-20.dat	family_asyncrat

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\Control Panel\International\Geo\Nation	Hackus.exe

Executes dropped EXE 1 IoCs

pid	Process
4992	LOADER.EXE

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 2 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Hackus.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	HACKUS.EXE

Suspicious use of WriteProcessMemory 6 IoCs

description	pid	Process	procid_target
PID 3108 wrote to memory of 4320	3108	Hackus.exe	84
PID 3108 wrote to memory of 4320	3108	Hackus.exe	84
PID 3108 wrote to memory of 4320	3108	Hackus.exe	84
PID 3108 wrote to memory of 4992	3108	Hackus.exe	85
PID 3108 wrote to memory of 4992	3108	Hackus.exe	85
PID 3108 wrote to memory of 4992	3108	Hackus.exe	85

C:\Users\Admin\AppData\Local\Temp\Hackus.exe
"C:\Users\Admin\AppData\Local\Temp\Hackus.exe"
1⤵
- Checks computer location settings
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:3108
- C:\Users\Admin\AppData\Local\Temp\HACKUS.EXE
  "C:\Users\Admin\AppData\Local\Temp\HACKUS.EXE"
  2⤵
  - System Location Discovery: System Language Discovery
  PID:4320
- - C:\Users\Admin\AppData\Local\Temp\HACKUS.EXE
    "C:\Users\Admin\AppData\Local\Temp\HACKUS.EXE"
    3⤵
    PID:4296
  - - C:\Users\Admin\AppData\Local\Temp\HACKUS.EXE
      "C:\Users\Admin\AppData\Local\Temp\HACKUS.EXE"
      4⤵
      PID:4500
    - - C:\Users\Admin\AppData\Local\Temp\HACKUS.EXE
        
        "C:\Users\Admin\AppData\Local\Temp\HACKUS.EXE"
        5⤵
        
        PID:1624
      - C:\Users\Admin\AppData\Local\Temp\HACKUS.EXE
        
        "C:\Users\Admin\AppData\Local\Temp\HACKUS.EXE"
        6⤵
        
        PID:3840
        
        C:\Users\Admin\AppData\Local\Temp\HACKUS.EXE
        
        "C:\Users\Admin\AppData\Local\Temp\HACKUS.EXE"
        7⤵
        
        PID:1152
        
        C:\Users\Admin\AppData\Local\Temp\HACKUS.EXE
        
        "C:\Users\Admin\AppData\Local\Temp\HACKUS.EXE"
        8⤵
        
        PID:1872
        
        C:\Users\Admin\AppData\Local\Temp\HACKUS.EXE
        
        "C:\Users\Admin\AppData\Local\Temp\HACKUS.EXE"
        9⤵
        
        PID:1220
        
        C:\Users\Admin\AppData\Local\Temp\HACKUS.EXE
        
        "C:\Users\Admin\AppData\Local\Temp\HACKUS.EXE"
        10⤵
        
        PID:3752
        
        C:\Users\Admin\AppData\Local\Temp\HACKUS.EXE
        
        "C:\Users\Admin\AppData\Local\Temp\HACKUS.EXE"
        11⤵
        
        PID:1432
        
        C:\Users\Admin\AppData\Local\Temp\HACKUS.EXE
        
        "C:\Users\Admin\AppData\Local\Temp\HACKUS.EXE"
        12⤵
        
        PID:5096
        
        C:\Users\Admin\AppData\Local\Temp\HACKUS.EXE
        
        "C:\Users\Admin\AppData\Local\Temp\HACKUS.EXE"
        13⤵
        
        PID:4876
        
        C:\Users\Admin\AppData\Local\Temp\HACKUS.EXE
        
        "C:\Users\Admin\AppData\Local\Temp\HACKUS.EXE"
        14⤵
        
        PID:2344
        
        C:\Users\Admin\AppData\Local\Temp\HACKUS.EXE
        
        "C:\Users\Admin\AppData\Local\Temp\HACKUS.EXE"
        15⤵
        
        PID:3840
        
        C:\Users\Admin\AppData\Local\Temp\HACKUS.EXE
        
        "C:\Users\Admin\AppData\Local\Temp\HACKUS.EXE"
        16⤵
        
        PID:5216
        
        C:\Users\Admin\AppData\Local\Temp\HACKUS.EXE
        
        "C:\Users\Admin\AppData\Local\Temp\HACKUS.EXE"
        17⤵
        
        PID:5408
        
        C:\Users\Admin\AppData\Local\Temp\HACKUS.EXE
        
        "C:\Users\Admin\AppData\Local\Temp\HACKUS.EXE"
        18⤵
        
        PID:5608
        
        C:\Users\Admin\AppData\Local\Temp\HACKUS.EXE
        
        "C:\Users\Admin\AppData\Local\Temp\HACKUS.EXE"
        19⤵
        
        PID:5756
        
        C:\Users\Admin\AppData\Local\Temp\HACKUS.EXE
        
        "C:\Users\Admin\AppData\Local\Temp\HACKUS.EXE"
        20⤵
        
        PID:5912
        
        C:\Users\Admin\AppData\Local\Temp\HACKUS.EXE
        
        "C:\Users\Admin\AppData\Local\Temp\HACKUS.EXE"
        21⤵
        
        PID:6120
        
        C:\Users\Admin\AppData\Local\Temp\HACKUS.EXE
        
        "C:\Users\Admin\AppData\Local\Temp\HACKUS.EXE"
        22⤵
        
        PID:5552
        
        C:\Users\Admin\AppData\Local\Temp\HACKUS.EXE
        
        "C:\Users\Admin\AppData\Local\Temp\HACKUS.EXE"
        23⤵
        
        PID:5880
        
        C:\Users\Admin\AppData\Local\Temp\HACKUS.EXE
        
        "C:\Users\Admin\AppData\Local\Temp\HACKUS.EXE"
        24⤵
        
        PID:5308
        
        C:\Users\Admin\AppData\Local\Temp\HACKUS.EXE
        
        "C:\Users\Admin\AppData\Local\Temp\HACKUS.EXE"
        25⤵
        
        PID:6168
        
        C:\Users\Admin\AppData\Local\Temp\HACKUS.EXE
        
        "C:\Users\Admin\AppData\Local\Temp\HACKUS.EXE"
        26⤵
        
        PID:6516
        
        C:\Users\Admin\AppData\Local\Temp\LOADER.EXE
        
        "C:\Users\Admin\AppData\Local\Temp\LOADER.EXE"
        26⤵
        
        PID:6612
        
        C:\Users\Admin\AppData\Local\Temp\SVCHOST.EXE
        
        "C:\Users\Admin\AppData\Local\Temp\SVCHOST.EXE"
        26⤵
        
        PID:6632
        
        C:\Users\Admin\AppData\Local\Temp\LOADER.EXE
        
        "C:\Users\Admin\AppData\Local\Temp\LOADER.EXE"
        25⤵
        
        PID:6176
        
        C:\Users\Admin\AppData\Local\Temp\SVCHOST.EXE
        
        "C:\Users\Admin\AppData\Local\Temp\SVCHOST.EXE"
        25⤵
        
        PID:6184
        
        C:\Users\Admin\AppData\Local\Temp\LOADER.EXE
        
        "C:\Users\Admin\AppData\Local\Temp\LOADER.EXE"
        24⤵
        
        PID:5028
        
        C:\Users\Admin\AppData\Local\Temp\SVCHOST.EXE
        
        "C:\Users\Admin\AppData\Local\Temp\SVCHOST.EXE"
        24⤵
        
        PID:5220
        
        C:\Users\Admin\AppData\Local\Temp\LOADER.EXE
        
        "C:\Users\Admin\AppData\Local\Temp\LOADER.EXE"
        23⤵
        
        PID:5756
        
        C:\Users\Admin\AppData\Local\Temp\SVCHOST.EXE
        
        "C:\Users\Admin\AppData\Local\Temp\SVCHOST.EXE"
        23⤵
        
        PID:5960
        
        C:\Users\Admin\AppData\Local\Temp\LOADER.EXE
        
        "C:\Users\Admin\AppData\Local\Temp\LOADER.EXE"
        22⤵
        
        PID:5512
        
        C:\Users\Admin\AppData\Local\Temp\SVCHOST.EXE
        
        "C:\Users\Admin\AppData\Local\Temp\SVCHOST.EXE"
        22⤵
        
        PID:5564
        
        C:\Users\Admin\AppData\Local\Temp\LOADER.EXE
        
        "C:\Users\Admin\AppData\Local\Temp\LOADER.EXE"
        21⤵
        
        PID:6132
        
        C:\Users\Admin\AppData\Local\Temp\SVCHOST.EXE
        
        "C:\Users\Admin\AppData\Local\Temp\SVCHOST.EXE"
        21⤵
        
        PID:4572
        
        C:\Users\Admin\AppData\Local\Temp\LOADER.EXE
        
        "C:\Users\Admin\AppData\Local\Temp\LOADER.EXE"
        20⤵
        
        PID:5928
        
        C:\Users\Admin\AppData\Local\Temp\SVCHOST.EXE
        
        "C:\Users\Admin\AppData\Local\Temp\SVCHOST.EXE"
        20⤵
        
        PID:5936
        
        C:\Users\Admin\AppData\Local\Temp\LOADER.EXE
        
        "C:\Users\Admin\AppData\Local\Temp\LOADER.EXE"
        19⤵
        
        PID:5764
        
        C:\Users\Admin\AppData\Local\Temp\SVCHOST.EXE
        
        "C:\Users\Admin\AppData\Local\Temp\SVCHOST.EXE"
        19⤵
        
        PID:5776
        
        C:\Users\Admin\AppData\Local\Temp\LOADER.EXE
        
        "C:\Users\Admin\AppData\Local\Temp\LOADER.EXE"
        18⤵
        
        PID:5624
        
        C:\Users\Admin\AppData\Local\Temp\SVCHOST.EXE
        
        "C:\Users\Admin\AppData\Local\Temp\SVCHOST.EXE"
        18⤵
        
        PID:5652
        
        C:\Users\Admin\AppData\Local\Temp\LOADER.EXE
        
        "C:\Users\Admin\AppData\Local\Temp\LOADER.EXE"
        17⤵
        
        PID:5416
        
        C:\Users\Admin\AppData\Local\Temp\SVCHOST.EXE
        
        "C:\Users\Admin\AppData\Local\Temp\SVCHOST.EXE"
        17⤵
        
        PID:5452
        
        C:\Users\Admin\AppData\Local\Temp\LOADER.EXE
        
        "C:\Users\Admin\AppData\Local\Temp\LOADER.EXE"
        16⤵
        
        PID:5224
        
        C:\Users\Admin\AppData\Local\Temp\SVCHOST.EXE
        
        "C:\Users\Admin\AppData\Local\Temp\SVCHOST.EXE"
        16⤵
        
        PID:5232
        
        C:\Users\Admin\AppData\Local\Temp\LOADER.EXE
        
        "C:\Users\Admin\AppData\Local\Temp\LOADER.EXE"
        15⤵
        
        PID:1152
        
        C:\Users\Admin\AppData\Local\Temp\SVCHOST.EXE
        
        "C:\Users\Admin\AppData\Local\Temp\SVCHOST.EXE"
        15⤵
        
        PID:4876
        
        C:\Users\Admin\AppData\Local\Temp\LOADER.EXE
        
        "C:\Users\Admin\AppData\Local\Temp\LOADER.EXE"
        14⤵
        
        PID:4556
        
        C:\Users\Admin\AppData\Local\Temp\SVCHOST.EXE
        
        "C:\Users\Admin\AppData\Local\Temp\SVCHOST.EXE"
        14⤵
        
        PID:1220
        
        C:\Users\Admin\AppData\Local\Temp\LOADER.EXE
        
        "C:\Users\Admin\AppData\Local\Temp\LOADER.EXE"
        13⤵
        
        PID:3980
        
        C:\Users\Admin\AppData\Local\Temp\SVCHOST.EXE
        
        "C:\Users\Admin\AppData\Local\Temp\SVCHOST.EXE"
        13⤵
        
        PID:2792
        
        C:\Users\Admin\AppData\Local\Temp\LOADER.EXE
        
        "C:\Users\Admin\AppData\Local\Temp\LOADER.EXE"
        12⤵
        
        PID:2236
        
        C:\Users\Admin\AppData\Local\Temp\SVCHOST.EXE
        
        "C:\Users\Admin\AppData\Local\Temp\SVCHOST.EXE"
        12⤵
        
        PID:1720
        
        C:\Users\Admin\AppData\Local\Temp\LOADER.EXE
        
        "C:\Users\Admin\AppData\Local\Temp\LOADER.EXE"
        11⤵
        
        PID:640
        
        C:\Users\Admin\AppData\Local\Temp\SVCHOST.EXE
        
        "C:\Users\Admin\AppData\Local\Temp\SVCHOST.EXE"
        11⤵
        
        PID:904
        
        C:\Users\Admin\AppData\Local\Temp\LOADER.EXE
        
        "C:\Users\Admin\AppData\Local\Temp\LOADER.EXE"
        10⤵
        
        PID:3384
        
        C:\Users\Admin\AppData\Local\Temp\SVCHOST.EXE
        
        "C:\Users\Admin\AppData\Local\Temp\SVCHOST.EXE"
        10⤵
        
        PID:4804
        
        C:\Users\Admin\AppData\Local\Temp\LOADER.EXE
        
        "C:\Users\Admin\AppData\Local\Temp\LOADER.EXE"
        9⤵
        
        PID:3372
        
        C:\Users\Admin\AppData\Local\Temp\SVCHOST.EXE
        
        "C:\Users\Admin\AppData\Local\Temp\SVCHOST.EXE"
        9⤵
        
        PID:976
        
        C:\Users\Admin\AppData\Local\Temp\LOADER.EXE
        
        "C:\Users\Admin\AppData\Local\Temp\LOADER.EXE"
        8⤵
        
        PID:4568
        
        C:\Users\Admin\AppData\Local\Temp\SVCHOST.EXE
        
        "C:\Users\Admin\AppData\Local\Temp\SVCHOST.EXE"
        8⤵
        
        PID:3664
        
        C:\Users\Admin\AppData\Local\Temp\LOADER.EXE
        
        "C:\Users\Admin\AppData\Local\Temp\LOADER.EXE"
        7⤵
        
        PID:948
        
        C:\Users\Admin\AppData\Local\Temp\SVCHOST.EXE
        
        "C:\Users\Admin\AppData\Local\Temp\SVCHOST.EXE"
        7⤵
        
        PID:4600
      - C:\Users\Admin\AppData\Local\Temp\LOADER.EXE
        
        "C:\Users\Admin\AppData\Local\Temp\LOADER.EXE"
        6⤵
        
        PID:2628
      - C:\Users\Admin\AppData\Local\Temp\SVCHOST.EXE
        
        "C:\Users\Admin\AppData\Local\Temp\SVCHOST.EXE"
        6⤵
        
        PID:3948
    - - C:\Users\Admin\AppData\Local\Temp\LOADER.EXE
        
        "C:\Users\Admin\AppData\Local\Temp\LOADER.EXE"
        5⤵
        
        PID:552
    - - C:\Users\Admin\AppData\Local\Temp\SVCHOST.EXE
        
        "C:\Users\Admin\AppData\Local\Temp\SVCHOST.EXE"
        5⤵
        
        PID:4464
  - - C:\Users\Admin\AppData\Local\Temp\LOADER.EXE
      "C:\Users\Admin\AppData\Local\Temp\LOADER.EXE"
      4⤵
      PID:1348
  - - C:\Users\Admin\AppData\Local\Temp\SVCHOST.EXE
      "C:\Users\Admin\AppData\Local\Temp\SVCHOST.EXE"
      4⤵
      PID:4404
- - C:\Users\Admin\AppData\Local\Temp\LOADER.EXE
    "C:\Users\Admin\AppData\Local\Temp\LOADER.EXE"
    3⤵
    PID:4244
- - C:\Users\Admin\AppData\Local\Temp\SVCHOST.EXE
    "C:\Users\Admin\AppData\Local\Temp\SVCHOST.EXE"
    3⤵
    PID:4356
- C:\Users\Admin\AppData\Local\Temp\LOADER.EXE
  "C:\Users\Admin\AppData\Local\Temp\LOADER.EXE"
  2⤵
  - Executes dropped EXE
  PID:4992
- C:\Users\Admin\AppData\Local\Temp\SVCHOST.EXE
  "C:\Users\Admin\AppData\Local\Temp\SVCHOST.EXE"
  2⤵
  PID:3764

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\9fbf229ec67280cb3c9c4255ccb1dfb1\Admin@YLFOGIOE_en-US\Browsers\Firefox\Bookmarks.txt

Filesize
105B

MD5
2e9d094dda5cdc3ce6519f75943a4ff4

SHA1
5d989b4ac8b699781681fe75ed9ef98191a5096c

SHA256
c84c98bbf5e0ef9c8d0708b5d60c5bb656b7d6be5135d7f7a8d25557e08cf142

SHA512
d1f7eed00959e902bdb2125b91721460d3ff99f3bdfc1f2a343d4f58e8d4e5e5a06c0c6cdc0379211c94510f7c00d7a8b34fa7d0ca0c3d54cbbe878f1e9812b7

Download Submit
C:\Users\Admin\AppData\Local\Temp\LOADER.EXE

Filesize
232KB

MD5
905d8f8b1d16ce5c63f6a806e1efeb98

SHA1
75c8c39c0bb5e48f53f1585a9cefa03a997dc680

SHA256
78dcc1bbf29a5d6e5cb57506f273d41e8629232bc733bb4126955f40f60f63f4

SHA512
f0c00f773909bc0b04e638196f902f314d75000e04ed7bc72b3d9b35c4278de3f18d7e02aaf85e70207860aa3d920d167c62e14bbdf9289481bcf516ebf87a5f

Download Submit
C:\Users\Admin\AppData\Local\Temp\SVCHOST.EXE

Filesize
232KB

MD5
ea10b6fdbb466c9e2bc1602efa14e4be

SHA1
f9144cda448d4cf8ff47ac9cdb56ed262c5f9de3

SHA256
e574a3494f4b760d028ccb7c8c73d6997aa7fd422104fa9b56c9ab3ddb695b2b

SHA512
81e076141d108f914008b29e2f7b350e832c1e1edb44d778a8150b8011c78452d29c1c563faf3da201cc8a91e61ac2b5bad7298be3ba36659a24298df4149fe9

Download Submit
memory/1348-68-0x0000000005180000-0x0000000005212000-memory.dmp

Filesize
584KB

Download
memory/1348-67-0x0000000005650000-0x0000000005BF4000-memory.dmp

Filesize
5.6MB

Download
memory/3764-22-0x0000000073DCE000-0x0000000073DCF000-memory.dmp

Filesize
4KB

Download
memory/3764-23-0x0000000000300000-0x0000000000340000-memory.dmp

Filesize
256KB

Download
memory/3764-28-0x00000000052D0000-0x0000000005336000-memory.dmp

Filesize
408KB

Download
memory/3764-71-0x0000000073DCE000-0x0000000073DCF000-memory.dmp

Filesize
4KB

Download
memory/4992-24-0x0000000000070000-0x00000000000B0000-memory.dmp

Filesize
256KB

Download
memory/4992-26-0x0000000073DC0000-0x0000000074570000-memory.dmp

Filesize
7.7MB

Download
memory/4992-72-0x0000000073DC0000-0x0000000074570000-memory.dmp

Filesize
7.7MB

Download

Analysis

Sharing