asyncrat | 7a3b1e9c8df660dc1c1cf9b17411c1d6a4ffca364712c5de8ac46b1199ece1ce

Analysis

max time kernel
139s
max time network
180s
platform
windows7_x64
resource
win7-20230220-en
resource tags

arch:x64arch:x86image:win7-20230220-enlocale:en-usos:windows7-x64system
submitted
16/06/2023, 18:36

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

Ehhbsuuemv.exe
Size

68.4MB
MD5

368dc6c24db6c1550ce757c0ffbdd9a0
SHA1

89bf95d951ac065bdfd8a323b1ecb70355bbab20
SHA256

9f3d5e17974ea77849869573fcca4be15d641ea937fc23fceb2808c59612b641
SHA512

78c94132c3f426930bcc80fc8dab760f3ecedcb6747150ba72319a23adedfda7c7cdc494122899cca914b7a1daa859f2a9c54c9bacf5b2e9c2f5519275fb2211
SSDEEP

1572864:iEmgHZAuBtRvd59Tdd6ok1vPtBQmjbPV4dDO4oJV36euF3SGzcqj0:zFHZAytD5xdd6FNPtBQeCdDO4oW/P4

Score

10^/10

asyncrat default rat

Malware Config

Extracted

Family

asyncrat

Version

Venom RAT + HVNC + Stealer + Grabber v6.0.3

Botnet

Default

45.137.65.94:4449

Mutex

saiarsvkhzxxjyqd

Attributes

delay
1
install
true
install_file
Google Update.exe
install_folder
%AppData%

aes.plain

Signatures

AsyncRat
AsyncRAT is designed to remotely monitor and control other computers written in C#.
rat asyncrat

Async RAT payload 9 IoCs

rat

resource	yara_rule
behavioral3/files/0x000a0000000122e4-61.dat	asyncrat
behavioral3/files/0x000a0000000122e4-63.dat	asyncrat
behavioral3/files/0x000a0000000122e4-64.dat	asyncrat
behavioral3/memory/700-65-0x0000000000360000-0x0000000000378000-memory.dmp	asyncrat
behavioral3/files/0x0007000000013a41-89.dat	asyncrat
behavioral3/files/0x0007000000013a41-90.dat	asyncrat
behavioral3/files/0x0007000000013a41-91.dat	asyncrat
behavioral3/memory/1656-92-0x0000000001100000-0x0000000001118000-memory.dmp	asyncrat
behavioral3/memory/1656-93-0x000000001A910000-0x000000001A990000-memory.dmp	asyncrat

Executes dropped EXE 2 IoCs

pid	Process
700	Mtuyzzclient6.exe
1656	Google Update.exe

Loads dropped DLL 1 IoCs

pid	Process
1980	Ehhbsuuemv.exe

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 1980 set thread context of 1092	1980	Ehhbsuuemv.exe	29

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Creates scheduled task(s) 1 TTPs 1 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence

Scheduled Task

T1053

pid	Process
432	schtasks.exe

Delays execution with timeout.exe 1 IoCs

evasion

pid	Process
1988	timeout.exe

Suspicious behavior: EnumeratesProcesses 8 IoCs

pid	Process
1980	Ehhbsuuemv.exe
700	Mtuyzzclient6.exe
1656	Google Update.exe
1656	Google Update.exe
1656	Google Update.exe
1656	Google Update.exe
1656	Google Update.exe
1656	Google Update.exe

Suspicious use of AdjustPrivilegeToken 4 IoCs

description	pid	Process
Token: SeDebugPrivilege	1980	Ehhbsuuemv.exe
Token: SeDebugPrivilege	1092	InstallUtil.exe
Token: SeDebugPrivilege	700	Mtuyzzclient6.exe
Token: SeDebugPrivilege	1656	Google Update.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
1656	Google Update.exe

Suspicious use of WriteProcessMemory 31 IoCs

description	pid	Process	procid_target
PID 1980 wrote to memory of 700	1980	Ehhbsuuemv.exe	28
PID 1980 wrote to memory of 700	1980	Ehhbsuuemv.exe	28
PID 1980 wrote to memory of 700	1980	Ehhbsuuemv.exe	28
PID 1980 wrote to memory of 700	1980	Ehhbsuuemv.exe	28
PID 1980 wrote to memory of 1092	1980	Ehhbsuuemv.exe	29
PID 1980 wrote to memory of 1092	1980	Ehhbsuuemv.exe	29
PID 1980 wrote to memory of 1092	1980	Ehhbsuuemv.exe	29
PID 1980 wrote to memory of 1092	1980	Ehhbsuuemv.exe	29
PID 1980 wrote to memory of 1092	1980	Ehhbsuuemv.exe	29
PID 1980 wrote to memory of 1092	1980	Ehhbsuuemv.exe	29
PID 1980 wrote to memory of 1092	1980	Ehhbsuuemv.exe	29
PID 1980 wrote to memory of 1092	1980	Ehhbsuuemv.exe	29
PID 1980 wrote to memory of 1092	1980	Ehhbsuuemv.exe	29
PID 1980 wrote to memory of 1092	1980	Ehhbsuuemv.exe	29
PID 1980 wrote to memory of 1092	1980	Ehhbsuuemv.exe	29
PID 1980 wrote to memory of 1092	1980	Ehhbsuuemv.exe	29
PID 700 wrote to memory of 1224	700	Mtuyzzclient6.exe	30
PID 700 wrote to memory of 1224	700	Mtuyzzclient6.exe	30
PID 700 wrote to memory of 1224	700	Mtuyzzclient6.exe	30
PID 700 wrote to memory of 604	700	Mtuyzzclient6.exe	31
PID 700 wrote to memory of 604	700	Mtuyzzclient6.exe	31
PID 700 wrote to memory of 604	700	Mtuyzzclient6.exe	31
PID 1224 wrote to memory of 432	1224	cmd.exe	34
PID 1224 wrote to memory of 432	1224	cmd.exe	34
PID 1224 wrote to memory of 432	1224	cmd.exe	34
PID 604 wrote to memory of 1988	604	cmd.exe	35
PID 604 wrote to memory of 1988	604	cmd.exe	35
PID 604 wrote to memory of 1988	604	cmd.exe	35
PID 604 wrote to memory of 1656	604	cmd.exe	36
PID 604 wrote to memory of 1656	604	cmd.exe	36
PID 604 wrote to memory of 1656	604	cmd.exe	36

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\Ehhbsuuemv.exe
"C:\Users\Admin\AppData\Local\Temp\Ehhbsuuemv.exe"
1⤵
- Loads dropped DLL
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1980
- C:\Users\Admin\AppData\Local\Temp\Mtuyzzclient6.exe
  "C:\Users\Admin\AppData\Local\Temp\Mtuyzzclient6.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:700
- - C:\Windows\System32\cmd.exe
    "C:\Windows\System32\cmd.exe" /c schtasks /create /f /sc onlogon /rl highest /tn "Google Update" /tr '"C:\Users\Admin\AppData\Roaming\Google Update.exe"' & exit
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:1224
  - - C:\Windows\system32\schtasks.exe
      schtasks /create /f /sc onlogon /rl highest /tn "Google Update" /tr '"C:\Users\Admin\AppData\Roaming\Google Update.exe"'
      4⤵
      Creates scheduled task(s)
      PID:432
- - C:\Windows\system32\cmd.exe
    cmd /c ""C:\Users\Admin\AppData\Local\Temp\tmpD1B2.tmp.bat""
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:604
  - - C:\Windows\system32\timeout.exe
      timeout 3
      4⤵
      Delays execution with timeout.exe
      PID:1988
  - - C:\Users\Admin\AppData\Roaming\Google Update.exe
      "C:\Users\Admin\AppData\Roaming\Google Update.exe"
      4⤵
      Executes dropped EXE
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of SetWindowsHookEx
      PID:1656
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:1092

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Scheduled Task

T1053

Persistence

Scheduled Task

T1053

Privilege Escalation

Scheduled Task

T1053

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\Mtuyzzclient6.exe

Filesize
74KB

MD5
1f304261de14934db9384720c638744a

SHA1
b98f60e6feea77a31363d5a686e7be40f6cfc049

SHA256
ab23ec09d1ea7a359bd834f2fef7aa5272e8f643e9c27cb2bfe8869a6e447e87

SHA512
01f29cf8553d72070c56b953c23771fef9e4aba31b733b001f7b8a1e49e2cf02d120b21baf76ccfa9040548ed603c0308c95a4fedce7b4749fc01baf3c4fc826

Download Submit
C:\Users\Admin\AppData\Local\Temp\Mtuyzzclient6.exe

Filesize
74KB

MD5
1f304261de14934db9384720c638744a

SHA1
b98f60e6feea77a31363d5a686e7be40f6cfc049

SHA256
ab23ec09d1ea7a359bd834f2fef7aa5272e8f643e9c27cb2bfe8869a6e447e87

SHA512
01f29cf8553d72070c56b953c23771fef9e4aba31b733b001f7b8a1e49e2cf02d120b21baf76ccfa9040548ed603c0308c95a4fedce7b4749fc01baf3c4fc826

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmpD1B2.tmp.bat

Filesize
157B

MD5
b743266ae43bd7325653f6a4322df9e8

SHA1
42a4724032d0c4602ad5cb80adab1f8cb2f7d050

SHA256
bc8341e85038f547c3e49baff68a8eac31e1226780d43d61e82596df6d24801b

SHA512
55699b0394969a1e33e86ff7796d8fd3bcbb7b0b1209a0b5777caf7ed0dc52720613ddbe5be023d7150a13d3e848b91b14a75b4ee933ee37e071414b859f7af8

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmpD1B2.tmp.bat

Filesize
157B

MD5
b743266ae43bd7325653f6a4322df9e8

SHA1
42a4724032d0c4602ad5cb80adab1f8cb2f7d050

SHA256
bc8341e85038f547c3e49baff68a8eac31e1226780d43d61e82596df6d24801b

SHA512
55699b0394969a1e33e86ff7796d8fd3bcbb7b0b1209a0b5777caf7ed0dc52720613ddbe5be023d7150a13d3e848b91b14a75b4ee933ee37e071414b859f7af8

Download Submit
C:\Users\Admin\AppData\Roaming\Google Update.exe

Filesize
74KB

MD5
1f304261de14934db9384720c638744a

SHA1
b98f60e6feea77a31363d5a686e7be40f6cfc049

SHA256
ab23ec09d1ea7a359bd834f2fef7aa5272e8f643e9c27cb2bfe8869a6e447e87

SHA512
01f29cf8553d72070c56b953c23771fef9e4aba31b733b001f7b8a1e49e2cf02d120b21baf76ccfa9040548ed603c0308c95a4fedce7b4749fc01baf3c4fc826

Download Submit
C:\Users\Admin\AppData\Roaming\Google Update.exe

Filesize
74KB

MD5
1f304261de14934db9384720c638744a

SHA1
b98f60e6feea77a31363d5a686e7be40f6cfc049

SHA256
ab23ec09d1ea7a359bd834f2fef7aa5272e8f643e9c27cb2bfe8869a6e447e87

SHA512
01f29cf8553d72070c56b953c23771fef9e4aba31b733b001f7b8a1e49e2cf02d120b21baf76ccfa9040548ed603c0308c95a4fedce7b4749fc01baf3c4fc826

Download Submit
C:\Users\Admin\AppData\Roaming\Google Update.exe

Filesize
74KB

MD5
1f304261de14934db9384720c638744a

SHA1
b98f60e6feea77a31363d5a686e7be40f6cfc049

SHA256
ab23ec09d1ea7a359bd834f2fef7aa5272e8f643e9c27cb2bfe8869a6e447e87

SHA512
01f29cf8553d72070c56b953c23771fef9e4aba31b733b001f7b8a1e49e2cf02d120b21baf76ccfa9040548ed603c0308c95a4fedce7b4749fc01baf3c4fc826

Download Submit
C:\Users\Admin\AppData\Roaming\MyData\DataLogs.conf

Filesize
8B

MD5
cf759e4c5f14fe3eec41b87ed756cea8

SHA1
c27c796bb3c2fac929359563676f4ba1ffada1f5

SHA256
c9f9f193409217f73cc976ad078c6f8bf65d3aabcf5fad3e5a47536d47aa6761

SHA512
c7f832aee13a5eb36d145f35d4464374a9e12fa2017f3c2257442d67483b35a55eccae7f7729243350125b37033e075efbc2303839fd86b81b9b4dca3626953b

Download Submit
\Users\Admin\AppData\Local\Temp\Mtuyzzclient6.exe

Filesize
74KB

MD5
1f304261de14934db9384720c638744a

SHA1
b98f60e6feea77a31363d5a686e7be40f6cfc049

SHA256
ab23ec09d1ea7a359bd834f2fef7aa5272e8f643e9c27cb2bfe8869a6e447e87

SHA512
01f29cf8553d72070c56b953c23771fef9e4aba31b733b001f7b8a1e49e2cf02d120b21baf76ccfa9040548ed603c0308c95a4fedce7b4749fc01baf3c4fc826

Download Submit
memory/700-65-0x0000000000360000-0x0000000000378000-memory.dmp

Filesize
96KB

Download
memory/700-79-0x000000001AEC0000-0x000000001AF40000-memory.dmp

Filesize
512KB

Download
memory/1092-67-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/1092-70-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

Filesize
4KB

Download
memory/1092-71-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/1092-73-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/1092-75-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/1092-68-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/1092-78-0x0000000001230000-0x0000000001270000-memory.dmp

Filesize
256KB

Download
memory/1092-69-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/1092-66-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/1656-92-0x0000000001100000-0x0000000001118000-memory.dmp

Filesize
96KB

Download
memory/1656-94-0x000000001A910000-0x000000001A990000-memory.dmp

Filesize
512KB

Download
memory/1656-93-0x000000001A910000-0x000000001A990000-memory.dmp

Filesize
512KB

Download
memory/1980-55-0x00000000091D0000-0x0000000009210000-memory.dmp

Filesize
256KB

Download
memory/1980-57-0x0000000000970000-0x0000000000998000-memory.dmp

Filesize
160KB

Download
memory/1980-56-0x00000000095A0000-0x00000000096AA000-memory.dmp

Filesize
1.0MB

Download
memory/1980-54-0x00000000013B0000-0x0000000005814000-memory.dmp

Filesize
68.4MB

Download
memory/1980-58-0x0000000000B50000-0x0000000000BE2000-memory.dmp

Filesize
584KB

Download