asyncrat | 7a3b1e9c8df660dc1c1cf9b17411c1d6a4ffca364712c5de8ac46b1199ece1ce

Analysis

max time kernel
150s
max time network
183s
platform
windows10-2004_x64
resource
win10v2004-20230220-en
resource tags

arch:x64arch:x86image:win10v2004-20230220-enlocale:en-usos:windows10-2004-x64system
submitted
16/06/2023, 18:36

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

Ehhbsuuemv.exe
Size

68.4MB
MD5

368dc6c24db6c1550ce757c0ffbdd9a0
SHA1

89bf95d951ac065bdfd8a323b1ecb70355bbab20
SHA256

9f3d5e17974ea77849869573fcca4be15d641ea937fc23fceb2808c59612b641
SHA512

78c94132c3f426930bcc80fc8dab760f3ecedcb6747150ba72319a23adedfda7c7cdc494122899cca914b7a1daa859f2a9c54c9bacf5b2e9c2f5519275fb2211
SSDEEP

1572864:iEmgHZAuBtRvd59Tdd6ok1vPtBQmjbPV4dDO4oJV36euF3SGzcqj0:zFHZAytD5xdd6FNPtBQeCdDO4oW/P4

Score

10^/10

asyncrat default rat

Malware Config

Extracted

Family

asyncrat

Version

Venom RAT + HVNC + Stealer + Grabber v6.0.3

Botnet

Default

45.137.65.94:4449

Mutex

saiarsvkhzxxjyqd

Attributes

delay
1
install
true
install_file
Google Update.exe
install_folder
%AppData%

aes.plain

Signatures

AsyncRat
AsyncRAT is designed to remotely monitor and control other computers written in C#.
rat asyncrat

Async RAT payload 5 IoCs

rat

resource	yara_rule
behavioral4/files/0x0001000000023127-143.dat	asyncrat
behavioral4/files/0x0001000000023127-148.dat	asyncrat
behavioral4/files/0x0001000000023127-149.dat	asyncrat
behavioral4/memory/2500-150-0x00000000007D0000-0x00000000007E8000-memory.dmp	asyncrat
behavioral4/files/0x000100000002312b-162.dat	asyncrat

Checks computer location settings 2 TTPs 2 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-144354903-2550862337-1367551827-1000\Control Panel\International\Geo\Nation	Ehhbsuuemv.exe
Key value queried	\REGISTRY\USER\S-1-5-21-144354903-2550862337-1367551827-1000\Control Panel\International\Geo\Nation	Mtuyzzclient6.exe

Executes dropped EXE 3 IoCs

pid	Process
2500	Mtuyzzclient6.exe
3456	Google Update.exe
2900	Google Update.exe

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 1368 set thread context of 3788	1368	Ehhbsuuemv.exe	86

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Creates scheduled task(s) 1 TTPs 2 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence

Scheduled Task

T1053

pid	Process
4944	schtasks.exe
4764	schtasks.exe

Delays execution with timeout.exe 2 IoCs

evasion

pid	Process
2416	timeout.exe
2588	timeout.exe

Suspicious behavior: EnumeratesProcesses 47 IoCs

pid	Process
1368	Ehhbsuuemv.exe
2500	Mtuyzzclient6.exe
2500	Mtuyzzclient6.exe
2500	Mtuyzzclient6.exe
2500	Mtuyzzclient6.exe
2500	Mtuyzzclient6.exe
2500	Mtuyzzclient6.exe
2500	Mtuyzzclient6.exe
2500	Mtuyzzclient6.exe
2500	Mtuyzzclient6.exe
2500	Mtuyzzclient6.exe
2500	Mtuyzzclient6.exe
2500	Mtuyzzclient6.exe
2500	Mtuyzzclient6.exe
2500	Mtuyzzclient6.exe
2500	Mtuyzzclient6.exe
2500	Mtuyzzclient6.exe
2500	Mtuyzzclient6.exe
2500	Mtuyzzclient6.exe
2500	Mtuyzzclient6.exe
2500	Mtuyzzclient6.exe
2500	Mtuyzzclient6.exe
2500	Mtuyzzclient6.exe
2500	Mtuyzzclient6.exe
3788	InstallUtil.exe
3788	InstallUtil.exe
3788	InstallUtil.exe
3788	InstallUtil.exe
3788	InstallUtil.exe
3788	InstallUtil.exe
3788	InstallUtil.exe
3788	InstallUtil.exe
3788	InstallUtil.exe
3788	InstallUtil.exe
3788	InstallUtil.exe
3788	InstallUtil.exe
3788	InstallUtil.exe
3788	InstallUtil.exe
3788	InstallUtil.exe
3788	InstallUtil.exe
3788	InstallUtil.exe
3788	InstallUtil.exe
3788	InstallUtil.exe
3788	InstallUtil.exe
3788	InstallUtil.exe
3788	InstallUtil.exe
3788	InstallUtil.exe

Suspicious use of AdjustPrivilegeToken 3 IoCs

description	pid	Process
Token: SeDebugPrivilege	1368	Ehhbsuuemv.exe
Token: SeDebugPrivilege	2500	Mtuyzzclient6.exe
Token: SeDebugPrivilege	3788	InstallUtil.exe

Suspicious use of WriteProcessMemory 36 IoCs

description	pid	Process	procid_target
PID 1368 wrote to memory of 2500	1368	Ehhbsuuemv.exe	85
PID 1368 wrote to memory of 2500	1368	Ehhbsuuemv.exe	85
PID 1368 wrote to memory of 3788	1368	Ehhbsuuemv.exe	86
PID 1368 wrote to memory of 3788	1368	Ehhbsuuemv.exe	86
PID 1368 wrote to memory of 3788	1368	Ehhbsuuemv.exe	86
PID 1368 wrote to memory of 3788	1368	Ehhbsuuemv.exe	86
PID 1368 wrote to memory of 3788	1368	Ehhbsuuemv.exe	86
PID 1368 wrote to memory of 3788	1368	Ehhbsuuemv.exe	86
PID 1368 wrote to memory of 3788	1368	Ehhbsuuemv.exe	86
PID 1368 wrote to memory of 3788	1368	Ehhbsuuemv.exe	86
PID 2500 wrote to memory of 4240	2500	Mtuyzzclient6.exe	88
PID 2500 wrote to memory of 4240	2500	Mtuyzzclient6.exe	88
PID 2500 wrote to memory of 1516	2500	Mtuyzzclient6.exe	90
PID 2500 wrote to memory of 1516	2500	Mtuyzzclient6.exe	90
PID 4240 wrote to memory of 4944	4240	cmd.exe	92
PID 4240 wrote to memory of 4944	4240	cmd.exe	92
PID 1516 wrote to memory of 2416	1516	cmd.exe	93
PID 1516 wrote to memory of 2416	1516	cmd.exe	93
PID 3788 wrote to memory of 4048	3788	InstallUtil.exe	94
PID 3788 wrote to memory of 4048	3788	InstallUtil.exe	94
PID 3788 wrote to memory of 4048	3788	InstallUtil.exe	94
PID 4048 wrote to memory of 4764	4048	cmd.exe	96
PID 4048 wrote to memory of 4764	4048	cmd.exe	96
PID 4048 wrote to memory of 4764	4048	cmd.exe	96
PID 3788 wrote to memory of 2800	3788	InstallUtil.exe	99
PID 3788 wrote to memory of 2800	3788	InstallUtil.exe	99
PID 3788 wrote to memory of 2800	3788	InstallUtil.exe	99
PID 2800 wrote to memory of 2588	2800	cmd.exe	101
PID 2800 wrote to memory of 2588	2800	cmd.exe	101
PID 2800 wrote to memory of 2588	2800	cmd.exe	101
PID 1516 wrote to memory of 3456	1516	cmd.exe	102
PID 1516 wrote to memory of 3456	1516	cmd.exe	102
PID 1516 wrote to memory of 3456	1516	cmd.exe	102
PID 2800 wrote to memory of 2900	2800	cmd.exe	104
PID 2800 wrote to memory of 2900	2800	cmd.exe	104
PID 2800 wrote to memory of 2900	2800	cmd.exe	104

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\Ehhbsuuemv.exe
"C:\Users\Admin\AppData\Local\Temp\Ehhbsuuemv.exe"
1⤵
- Checks computer location settings
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1368
- C:\Users\Admin\AppData\Local\Temp\Mtuyzzclient6.exe
  "C:\Users\Admin\AppData\Local\Temp\Mtuyzzclient6.exe"
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:2500
- - C:\Windows\System32\cmd.exe
    "C:\Windows\System32\cmd.exe" /c schtasks /create /f /sc onlogon /rl highest /tn "Google Update" /tr '"C:\Users\Admin\AppData\Roaming\Google Update.exe"' & exit
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:4240
  - - C:\Windows\system32\schtasks.exe
      schtasks /create /f /sc onlogon /rl highest /tn "Google Update" /tr '"C:\Users\Admin\AppData\Roaming\Google Update.exe"'
      4⤵
      Creates scheduled task(s)
      PID:4944
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\tmp50DF.tmp.bat""
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:1516
  - - C:\Windows\system32\timeout.exe
      timeout 3
      4⤵
      Delays execution with timeout.exe
      PID:2416
  - - C:\Users\Admin\AppData\Roaming\Google Update.exe
      "C:\Users\Admin\AppData\Roaming\Google Update.exe"
      4⤵
      Executes dropped EXE
      PID:3456
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:3788
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\System32\cmd.exe" /c schtasks /create /f /sc onlogon /rl highest /tn "Google Update" /tr '"C:\Users\Admin\AppData\Roaming\Google Update.exe"' & exit
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:4048
  - - C:\Windows\SysWOW64\schtasks.exe
      schtasks /create /f /sc onlogon /rl highest /tn "Google Update" /tr '"C:\Users\Admin\AppData\Roaming\Google Update.exe"'
      4⤵
      Creates scheduled task(s)
      PID:4764
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\tmp591C.tmp.bat""
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:2800
  - - C:\Windows\SysWOW64\timeout.exe
      timeout 3
      4⤵
      Delays execution with timeout.exe
      PID:2588
  - - C:\Users\Admin\AppData\Roaming\Google Update.exe
      "C:\Users\Admin\AppData\Roaming\Google Update.exe"
      4⤵
      Executes dropped EXE
      PID:2900

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Scheduled Task

T1053

Persistence

Scheduled Task

T1053

Privilege Escalation

Scheduled Task

T1053

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\Google Update.exe.log

Filesize
950B

MD5
f7a49804289daba7de5b3b77408276f7

SHA1
43dc40ddb1d6e081d52671a56ecefbcb4545e32c

SHA256
6b79cf98a0976e2e43f4e9fae56b57910360503435ff027b87e481d5c3b68892

SHA512
4e0dd3d97bb9cab135c649fac821c9664cad91f4e22fa883b426e20620affce41878981c7f20a3d859027a890304886c186e463ea0df17a184562ee6a1e48d64

Download Submit
C:\Users\Admin\AppData\Local\Temp\Mtuyzzclient6.exe

Filesize
74KB

MD5
1f304261de14934db9384720c638744a

SHA1
b98f60e6feea77a31363d5a686e7be40f6cfc049

SHA256
ab23ec09d1ea7a359bd834f2fef7aa5272e8f643e9c27cb2bfe8869a6e447e87

SHA512
01f29cf8553d72070c56b953c23771fef9e4aba31b733b001f7b8a1e49e2cf02d120b21baf76ccfa9040548ed603c0308c95a4fedce7b4749fc01baf3c4fc826

Download Submit
C:\Users\Admin\AppData\Local\Temp\Mtuyzzclient6.exe

Filesize
74KB

MD5
1f304261de14934db9384720c638744a

SHA1
b98f60e6feea77a31363d5a686e7be40f6cfc049

SHA256
ab23ec09d1ea7a359bd834f2fef7aa5272e8f643e9c27cb2bfe8869a6e447e87

SHA512
01f29cf8553d72070c56b953c23771fef9e4aba31b733b001f7b8a1e49e2cf02d120b21baf76ccfa9040548ed603c0308c95a4fedce7b4749fc01baf3c4fc826

Download Submit
C:\Users\Admin\AppData\Local\Temp\Mtuyzzclient6.exe

Filesize
74KB

MD5
1f304261de14934db9384720c638744a

SHA1
b98f60e6feea77a31363d5a686e7be40f6cfc049

SHA256
ab23ec09d1ea7a359bd834f2fef7aa5272e8f643e9c27cb2bfe8869a6e447e87

SHA512
01f29cf8553d72070c56b953c23771fef9e4aba31b733b001f7b8a1e49e2cf02d120b21baf76ccfa9040548ed603c0308c95a4fedce7b4749fc01baf3c4fc826

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp50DF.tmp.bat

Filesize
157B

MD5
b37c4c200d366c45a99f5f9531c83aa9

SHA1
8e5e6adcf74072011e16563432e4e85eb7a62fa3

SHA256
318cf810397c75ed725eaf3958379f133716a9c1b2edccb6e71fac94e5b247a7

SHA512
3a670c36fd413f087ffef570ec1b1fda692b0b6e4078e215d390bb74cfedf682ec5fe0daedd92d147a5b9f5a5e98053c8172069fe41d5b2f4becc95a55201c0f

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp591C.tmp.bat

Filesize
157B

MD5
ce9c03ad56e218da7a10010e0627179b

SHA1
8ab64ef510e24774d021674cd7d8054e6dc6afd4

SHA256
f916fac128e88f9ccc084aef32fd625165b6b5c2713b9b3407ad3746d61b8f4c

SHA512
73bd7371417bd509fc51fcd1a91c305a2f43c0c5faeafdfbfe12f4ad66eebf34aeb744c6f8365c1602b1c4b0ecde8943a3c060483986d9226e7f3fc8cd0b0724

Download Submit
C:\Users\Admin\AppData\Roaming\Google Update.exe

Filesize
74KB

MD5
1f304261de14934db9384720c638744a

SHA1
b98f60e6feea77a31363d5a686e7be40f6cfc049

SHA256
ab23ec09d1ea7a359bd834f2fef7aa5272e8f643e9c27cb2bfe8869a6e447e87

SHA512
01f29cf8553d72070c56b953c23771fef9e4aba31b733b001f7b8a1e49e2cf02d120b21baf76ccfa9040548ed603c0308c95a4fedce7b4749fc01baf3c4fc826

Download Submit
C:\Users\Admin\AppData\Roaming\Google Update.exe

Filesize
41KB

MD5
5d4073b2eb6d217c19f2b22f21bf8d57

SHA1
f0209900fbf08d004b886a0b3ba33ea2b0bf9da8

SHA256
ac1a3f21fcc88f9cee7bf51581eafba24cc76c924f0821deb2afdf1080ddf3d3

SHA512
9ac94880684933ba3407cdc135abc3047543436567af14cd9269c4adc5a6535db7b867d6de0d6238a21b94e69f9890dbb5739155871a624520623a7e56872159

Download Submit
C:\Users\Admin\AppData\Roaming\Google Update.exe

Filesize
41KB

MD5
5d4073b2eb6d217c19f2b22f21bf8d57

SHA1
f0209900fbf08d004b886a0b3ba33ea2b0bf9da8

SHA256
ac1a3f21fcc88f9cee7bf51581eafba24cc76c924f0821deb2afdf1080ddf3d3

SHA512
9ac94880684933ba3407cdc135abc3047543436567af14cd9269c4adc5a6535db7b867d6de0d6238a21b94e69f9890dbb5739155871a624520623a7e56872159

Download Submit
C:\Users\Admin\AppData\Roaming\Google Update.exe

Filesize
41KB

MD5
5d4073b2eb6d217c19f2b22f21bf8d57

SHA1
f0209900fbf08d004b886a0b3ba33ea2b0bf9da8

SHA256
ac1a3f21fcc88f9cee7bf51581eafba24cc76c924f0821deb2afdf1080ddf3d3

SHA512
9ac94880684933ba3407cdc135abc3047543436567af14cd9269c4adc5a6535db7b867d6de0d6238a21b94e69f9890dbb5739155871a624520623a7e56872159

Download Submit
C:\Users\Admin\AppData\Roaming\MyData\DataLogs.conf

Filesize
8B

MD5
cf759e4c5f14fe3eec41b87ed756cea8

SHA1
c27c796bb3c2fac929359563676f4ba1ffada1f5

SHA256
c9f9f193409217f73cc976ad078c6f8bf65d3aabcf5fad3e5a47536d47aa6761

SHA512
c7f832aee13a5eb36d145f35d4464374a9e12fa2017f3c2257442d67483b35a55eccae7f7729243350125b37033e075efbc2303839fd86b81b9b4dca3626953b

Download Submit
memory/1368-138-0x000000000B9D0000-0x000000000B9F2000-memory.dmp

Filesize
136KB

Download
memory/1368-133-0x0000000000FA0000-0x0000000005404000-memory.dmp

Filesize
68.4MB

Download
memory/1368-137-0x0000000009D90000-0x0000000009DA0000-memory.dmp

Filesize
64KB

Download
memory/1368-136-0x0000000009E70000-0x0000000009E7A000-memory.dmp

Filesize
40KB

Download
memory/1368-135-0x0000000009DD0000-0x0000000009E62000-memory.dmp

Filesize
584KB

Download
memory/1368-134-0x000000000A2E0000-0x000000000A884000-memory.dmp

Filesize
5.6MB

Download
memory/2500-156-0x000000001B680000-0x000000001B690000-memory.dmp

Filesize
64KB

Download
memory/2500-150-0x00000000007D0000-0x00000000007E8000-memory.dmp

Filesize
96KB

Download
memory/3456-171-0x00000000006A0000-0x00000000006AC000-memory.dmp

Filesize
48KB

Download
memory/3456-172-0x00000000010B0000-0x00000000010CA000-memory.dmp

Filesize
104KB

Download
memory/3788-155-0x0000000004CF0000-0x0000000004D00000-memory.dmp

Filesize
64KB

Download
memory/3788-152-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download