asyncrat | 53677ec9a71a72447531c8e81956df068800b738dae73ed46d700e01bea58745

General

Target

53677ec9a71a72447531c8e81956df068800b738dae73ed46d700e01bea58745.exe
Size

52KB
MD5

c3f34df135ab3ba4b0c8408a3fe041f8
SHA1

a26cc4fc291830ce9f4b5726fb196a3893c38dcb
SHA256

53677ec9a71a72447531c8e81956df068800b738dae73ed46d700e01bea58745
SHA512

2a6cb888d4bc6e5a234b2692f80d0389739f2c4994e2a5e705ca9ab57ee9e05292b4d9fa7a29309ca2859cfe8b596fb0720d42505050615206b1e048bb81a9a1
SSDEEP

1536:ouUDVT0d5262POAgB8CRbHUdlaacfKodd5N:ouUBT0d527OAgBZbHUaacDN

Score

10^/10

asyncrat default rat

Malware Config

Extracted

Family

asyncrat

Version

0.5.8

Botnet

Default

C2

91.92.241.69:5555

Mutex

WZl6sjIAcmXI

Attributes

delay
3
install
true
install_file
AMD Update Manager.exe
install_folder
%AppData%

aes.plain

Signatures

AsyncRat
AsyncRAT is designed to remotely monitor and control other computers written in C#.
rat asyncrat

Async RAT payload 1 IoCs

rat

Processes:

resource	yara_rule
\Users\Admin\AppData\Roaming\AMD Update Manager.exe	family_asyncrat

Executes dropped EXE 1 IoCs

Processes:

AMD Update Manager.exe

pid process

2908 AMD Update Manager.exe
Loads dropped DLL 1 IoCs

Processes:

cmd.exe

pid process

2092 cmd.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082
Creates scheduled task(s) 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence

Scheduled Task/Job
T1053

Processes:

schtasks.exe

pid process

2296 schtasks.exe
Delays execution with timeout.exe 1 IoCs
evasion

Processes:

timeout.exe

pid process

2256 timeout.exe

pid	process
2908	AMD Update Manager.exe

pid	process
2092	cmd.exe

pid	process
2296	schtasks.exe

pid	process
2256	timeout.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

Processes:

53677ec9a71a72447531c8e81956df068800b738dae73ed46d700e01bea58745.exe

pid	process
824	53677ec9a71a72447531c8e81956df068800b738dae73ed46d700e01bea58745.exe
824	53677ec9a71a72447531c8e81956df068800b738dae73ed46d700e01bea58745.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

Processes:

53677ec9a71a72447531c8e81956df068800b738dae73ed46d700e01bea58745.exeAMD Update Manager.exe

description	pid	process
Token: SeDebugPrivilege	824	53677ec9a71a72447531c8e81956df068800b738dae73ed46d700e01bea58745.exe
Token: SeDebugPrivilege	2908	AMD Update Manager.exe

Suspicious use of WriteProcessMemory 23 IoCs

Processes:

53677ec9a71a72447531c8e81956df068800b738dae73ed46d700e01bea58745.execmd.execmd.exe

description	pid	process	target process
PID 824 wrote to memory of 2172	824	53677ec9a71a72447531c8e81956df068800b738dae73ed46d700e01bea58745.exe	cmd.exe
PID 824 wrote to memory of 2172	824	53677ec9a71a72447531c8e81956df068800b738dae73ed46d700e01bea58745.exe	cmd.exe
PID 824 wrote to memory of 2172	824	53677ec9a71a72447531c8e81956df068800b738dae73ed46d700e01bea58745.exe	cmd.exe
PID 824 wrote to memory of 2172	824	53677ec9a71a72447531c8e81956df068800b738dae73ed46d700e01bea58745.exe	cmd.exe
PID 824 wrote to memory of 2092	824	53677ec9a71a72447531c8e81956df068800b738dae73ed46d700e01bea58745.exe	cmd.exe
PID 824 wrote to memory of 2092	824	53677ec9a71a72447531c8e81956df068800b738dae73ed46d700e01bea58745.exe	cmd.exe
PID 824 wrote to memory of 2092	824	53677ec9a71a72447531c8e81956df068800b738dae73ed46d700e01bea58745.exe	cmd.exe
PID 824 wrote to memory of 2092	824	53677ec9a71a72447531c8e81956df068800b738dae73ed46d700e01bea58745.exe	cmd.exe
PID 2172 wrote to memory of 2296	2172	cmd.exe	schtasks.exe
PID 2172 wrote to memory of 2296	2172	cmd.exe	schtasks.exe
PID 2172 wrote to memory of 2296	2172	cmd.exe	schtasks.exe
PID 2172 wrote to memory of 2296	2172	cmd.exe	schtasks.exe
PID 2092 wrote to memory of 2256	2092	cmd.exe	timeout.exe
PID 2092 wrote to memory of 2256	2092	cmd.exe	timeout.exe
PID 2092 wrote to memory of 2256	2092	cmd.exe	timeout.exe
PID 2092 wrote to memory of 2256	2092	cmd.exe	timeout.exe
PID 2092 wrote to memory of 2908	2092	cmd.exe	AMD Update Manager.exe
PID 2092 wrote to memory of 2908	2092	cmd.exe	AMD Update Manager.exe
PID 2092 wrote to memory of 2908	2092	cmd.exe	AMD Update Manager.exe
PID 2092 wrote to memory of 2908	2092	cmd.exe	AMD Update Manager.exe
PID 2092 wrote to memory of 2908	2092	cmd.exe	AMD Update Manager.exe
PID 2092 wrote to memory of 2908	2092	cmd.exe	AMD Update Manager.exe
PID 2092 wrote to memory of 2908	2092	cmd.exe	AMD Update Manager.exe

C:\Users\Admin\AppData\Local\Temp\53677ec9a71a72447531c8e81956df068800b738dae73ed46d700e01bea58745.exe
"C:\Users\Admin\AppData\Local\Temp\53677ec9a71a72447531c8e81956df068800b738dae73ed46d700e01bea58745.exe"
1⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:824
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\System32\cmd.exe" /c schtasks /create /f /sc onlogon /rl highest /tn "AMD Update Manager" /tr '"C:\Users\Admin\AppData\Roaming\AMD Update Manager.exe"' & exit
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2172
- - C:\Windows\SysWOW64\schtasks.exe
    schtasks /create /f /sc onlogon /rl highest /tn "AMD Update Manager" /tr '"C:\Users\Admin\AppData\Roaming\AMD Update Manager.exe"'
    3⤵
    - Creates scheduled task(s)
    PID:2296
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\tmp1CB4.tmp.bat""
  2⤵
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory
  PID:2092
- - C:\Windows\SysWOW64\timeout.exe
    timeout 3
    3⤵
    - Delays execution with timeout.exe
    PID:2256
- - C:\Users\Admin\AppData\Roaming\AMD Update Manager.exe
    "C:\Users\Admin\AppData\Roaming\AMD Update Manager.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious use of AdjustPrivilegeToken
    PID:2908

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

1

T1053

Persistence

Scheduled Task/Job

1

T1053

Privilege Escalation

Scheduled Task/Job

1

T1053

Defense Evasion

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\tmp1CB4.tmp.bat

Filesize
162B

MD5
cc31f20cf6b6f76d75f3b2b8409a5b2d

SHA1
55f33c7e18c7b61c2ac4ed46518c9f313ed87e37

SHA256
89168e3739ef77e4b7020437a59eeedb2628b2bc2d94a9b529dac3e7a7cac0be

SHA512
595ca6121ecf07dd60e1414d593110c6b3d87d4d5f9cffdfa6ddba7b14b73f851aa363ced0e67ec130ba0ef4cf166b85f79846ffa54cd7de54efcf2f74925100

Download Submit
\Users\Admin\AppData\Roaming\AMD Update Manager.exe

Filesize
52KB

MD5
c3f34df135ab3ba4b0c8408a3fe041f8

SHA1
a26cc4fc291830ce9f4b5726fb196a3893c38dcb

SHA256
53677ec9a71a72447531c8e81956df068800b738dae73ed46d700e01bea58745

SHA512
2a6cb888d4bc6e5a234b2692f80d0389739f2c4994e2a5e705ca9ab57ee9e05292b4d9fa7a29309ca2859cfe8b596fb0720d42505050615206b1e048bb81a9a1

Download Submit
memory/824-0-0x0000000074E7E000-0x0000000074E7F000-memory.dmp

Filesize
4KB

Download
memory/824-1-0x00000000009A0000-0x00000000009B2000-memory.dmp

Filesize
72KB

Download
memory/824-2-0x0000000074E70000-0x000000007555E000-memory.dmp

Filesize
6.9MB

Download
memory/824-11-0x0000000074E70000-0x000000007555E000-memory.dmp

Filesize
6.9MB

Download
memory/2908-16-0x00000000003B0000-0x00000000003C2000-memory.dmp

Filesize
72KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads