asyncrat | 7a3b1e9c8df660dc1c1cf9b17411c1d6a4ffca364712c5de8ac46b1199ece1ce

Analysis

max time kernel
131s
max time network
158s
platform
windows7_x64
resource
win7-20240729-en
resource tags

arch:x64arch:x86image:win7-20240729-enlocale:en-usos:windows7-x64system
submitted
11/11/2024, 02:36

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

Ehhbsuuemv.exe
Size

68.4MB
MD5

368dc6c24db6c1550ce757c0ffbdd9a0
SHA1

89bf95d951ac065bdfd8a323b1ecb70355bbab20
SHA256

9f3d5e17974ea77849869573fcca4be15d641ea937fc23fceb2808c59612b641
SHA512

78c94132c3f426930bcc80fc8dab760f3ecedcb6747150ba72319a23adedfda7c7cdc494122899cca914b7a1daa859f2a9c54c9bacf5b2e9c2f5519275fb2211
SSDEEP

1572864:iEmgHZAuBtRvd59Tdd6ok1vPtBQmjbPV4dDO4oJV36euF3SGzcqj0:zFHZAytD5xdd6FNPtBQeCdDO4oW/P4

Score

10^/10

asyncrat venomrat zgrat default discovery rat

Malware Config

Extracted

Family

asyncrat

Version

Venom RAT + HVNC + Stealer + Grabber v6.0.3

Botnet

Default

45.137.65.94:4449

Mutex

saiarsvkhzxxjyqd

Attributes

delay
1
install
true
install_file
Google Update.exe
install_folder
%AppData%

aes.plain

Signatures

AsyncRat
AsyncRAT is designed to remotely monitor and control other computers written in C#.
rat asyncrat
Asyncrat family
asyncrat

Detect ZGRat V2 1 IoCs

resource	yara_rule
behavioral1/memory/2720-3-0x0000000009680000-0x000000000978A000-memory.dmp	family_zgrat_v2

VenomRAT 3 IoCs

Detects VenomRAT - JaffaCakes118.

rat

resource	yara_rule
behavioral1/files/0x000500000001a4ef-10.dat	VenomRAT
behavioral1/memory/2708-13-0x0000000000290000-0x00000000002A8000-memory.dmp	VenomRAT
behavioral1/memory/284-57-0x00000000008C0000-0x00000000008D8000-memory.dmp	VenomRAT

Venomrat family
venomrat
ZGRat
ZGRat is remote access trojan written in C#.
rat zgrat
Zgrat family
zgrat

Async RAT payload 1 IoCs

rat

resource	yara_rule
behavioral1/files/0x000500000001a4ef-10.dat	family_asyncrat

Executes dropped EXE 3 IoCs

pid	Process
2708	Mtuyzzclient6.exe
284	Google Update.exe
2644	Google Update.exe

Loads dropped DLL 2 IoCs

pid	Process
2720	Ehhbsuuemv.exe
1496	cmd.exe

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 2720 set thread context of 2844	2720	Ehhbsuuemv.exe	31

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 6 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ehhbsuuemv.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	InstallUtil.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	schtasks.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	timeout.exe

Delays execution with timeout.exe 2 IoCs

evasion

pid	Process
1904	timeout.exe
2480	timeout.exe

Scheduled Task/Job: Scheduled Task 1 TTPs 2 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

pid	Process
2952	schtasks.exe
2368	schtasks.exe

Suspicious behavior: EnumeratesProcesses 14 IoCs

pid	Process
2720	Ehhbsuuemv.exe
2844	InstallUtil.exe
2844	InstallUtil.exe
2844	InstallUtil.exe
2708	Mtuyzzclient6.exe
2708	Mtuyzzclient6.exe
2708	Mtuyzzclient6.exe
284	Google Update.exe
284	Google Update.exe
284	Google Update.exe
284	Google Update.exe
284	Google Update.exe
284	Google Update.exe
284	Google Update.exe

Suspicious use of AdjustPrivilegeToken 5 IoCs

description	pid	Process
Token: SeDebugPrivilege	2720	Ehhbsuuemv.exe
Token: SeDebugPrivilege	2844	InstallUtil.exe
Token: SeDebugPrivilege	2708	Mtuyzzclient6.exe
Token: SeDebugPrivilege	284	Google Update.exe
Token: SeDebugPrivilege	2644	Google Update.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
284	Google Update.exe

Suspicious use of WriteProcessMemory 51 IoCs

description	pid	Process	procid_target
PID 2720 wrote to memory of 2708	2720	Ehhbsuuemv.exe	30
PID 2720 wrote to memory of 2708	2720	Ehhbsuuemv.exe	30
PID 2720 wrote to memory of 2708	2720	Ehhbsuuemv.exe	30
PID 2720 wrote to memory of 2708	2720	Ehhbsuuemv.exe	30
PID 2720 wrote to memory of 2844	2720	Ehhbsuuemv.exe	31
PID 2720 wrote to memory of 2844	2720	Ehhbsuuemv.exe	31
PID 2720 wrote to memory of 2844	2720	Ehhbsuuemv.exe	31
PID 2720 wrote to memory of 2844	2720	Ehhbsuuemv.exe	31
PID 2720 wrote to memory of 2844	2720	Ehhbsuuemv.exe	31
PID 2720 wrote to memory of 2844	2720	Ehhbsuuemv.exe	31
PID 2720 wrote to memory of 2844	2720	Ehhbsuuemv.exe	31
PID 2720 wrote to memory of 2844	2720	Ehhbsuuemv.exe	31
PID 2720 wrote to memory of 2844	2720	Ehhbsuuemv.exe	31
PID 2720 wrote to memory of 2844	2720	Ehhbsuuemv.exe	31
PID 2720 wrote to memory of 2844	2720	Ehhbsuuemv.exe	31
PID 2720 wrote to memory of 2844	2720	Ehhbsuuemv.exe	31
PID 2844 wrote to memory of 3052	2844	InstallUtil.exe	32
PID 2844 wrote to memory of 3052	2844	InstallUtil.exe	32
PID 2844 wrote to memory of 3052	2844	InstallUtil.exe	32
PID 2844 wrote to memory of 3052	2844	InstallUtil.exe	32
PID 2844 wrote to memory of 1496	2844	InstallUtil.exe	33
PID 2844 wrote to memory of 1496	2844	InstallUtil.exe	33
PID 2844 wrote to memory of 1496	2844	InstallUtil.exe	33
PID 2844 wrote to memory of 1496	2844	InstallUtil.exe	33
PID 3052 wrote to memory of 2952	3052	cmd.exe	36
PID 3052 wrote to memory of 2952	3052	cmd.exe	36
PID 3052 wrote to memory of 2952	3052	cmd.exe	36
PID 3052 wrote to memory of 2952	3052	cmd.exe	36
PID 1496 wrote to memory of 1904	1496	cmd.exe	37
PID 1496 wrote to memory of 1904	1496	cmd.exe	37
PID 1496 wrote to memory of 1904	1496	cmd.exe	37
PID 1496 wrote to memory of 1904	1496	cmd.exe	37
PID 2708 wrote to memory of 2272	2708	Mtuyzzclient6.exe	38
PID 2708 wrote to memory of 2272	2708	Mtuyzzclient6.exe	38
PID 2708 wrote to memory of 2272	2708	Mtuyzzclient6.exe	38
PID 2272 wrote to memory of 2368	2272	cmd.exe	40
PID 2272 wrote to memory of 2368	2272	cmd.exe	40
PID 2272 wrote to memory of 2368	2272	cmd.exe	40
PID 2708 wrote to memory of 640	2708	Mtuyzzclient6.exe	41
PID 2708 wrote to memory of 640	2708	Mtuyzzclient6.exe	41
PID 2708 wrote to memory of 640	2708	Mtuyzzclient6.exe	41
PID 640 wrote to memory of 2480	640	cmd.exe	43
PID 640 wrote to memory of 2480	640	cmd.exe	43
PID 640 wrote to memory of 2480	640	cmd.exe	43
PID 1496 wrote to memory of 284	1496	cmd.exe	44
PID 1496 wrote to memory of 284	1496	cmd.exe	44
PID 1496 wrote to memory of 284	1496	cmd.exe	44
PID 1496 wrote to memory of 284	1496	cmd.exe	44
PID 640 wrote to memory of 2644	640	cmd.exe	45
PID 640 wrote to memory of 2644	640	cmd.exe	45
PID 640 wrote to memory of 2644	640	cmd.exe	45

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\Ehhbsuuemv.exe
"C:\Users\Admin\AppData\Local\Temp\Ehhbsuuemv.exe"
1⤵
- Loads dropped DLL
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2720
- C:\Users\Admin\AppData\Local\Temp\Mtuyzzclient6.exe
  "C:\Users\Admin\AppData\Local\Temp\Mtuyzzclient6.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:2708
- - C:\Windows\System32\cmd.exe
    "C:\Windows\System32\cmd.exe" /c schtasks /create /f /sc onlogon /rl highest /tn "Google Update" /tr '"C:\Users\Admin\AppData\Roaming\Google Update.exe"' & exit
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:2272
  - - C:\Windows\system32\schtasks.exe
      schtasks /create /f /sc onlogon /rl highest /tn "Google Update" /tr '"C:\Users\Admin\AppData\Roaming\Google Update.exe"'
      4⤵
      Scheduled Task/Job: Scheduled Task
      PID:2368
- - C:\Windows\system32\cmd.exe
    cmd /c ""C:\Users\Admin\AppData\Local\Temp\tmp819E.tmp.bat""
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:640
  - - C:\Windows\system32\timeout.exe
      timeout 3
      4⤵
      Delays execution with timeout.exe
      PID:2480
  - - C:\Users\Admin\AppData\Roaming\Google Update.exe
      "C:\Users\Admin\AppData\Roaming\Google Update.exe"
      4⤵
      Executes dropped EXE
      Suspicious use of AdjustPrivilegeToken
      PID:2644
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:2844
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\System32\cmd.exe" /c schtasks /create /f /sc onlogon /rl highest /tn "Google Update" /tr '"C:\Users\Admin\AppData\Roaming\Google Update.exe"' & exit
    3⤵
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:3052
  - - C:\Windows\SysWOW64\schtasks.exe
      schtasks /create /f /sc onlogon /rl highest /tn "Google Update" /tr '"C:\Users\Admin\AppData\Roaming\Google Update.exe"'
      4⤵
      System Location Discovery: System Language Discovery
      Scheduled Task/Job: Scheduled Task
      PID:2952
- - C:\Windows\SysWOW64\cmd.exe
    cmd /c ""C:\Users\Admin\AppData\Local\Temp\tmp7B57.tmp.bat""
    3⤵
    - Loads dropped DLL
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:1496
  - - C:\Windows\SysWOW64\timeout.exe
      timeout 3
      4⤵
      System Location Discovery: System Language Discovery
      Delays execution with timeout.exe
      PID:1904
  - - C:\Users\Admin\AppData\Roaming\Google Update.exe
      "C:\Users\Admin\AppData\Roaming\Google Update.exe"
      4⤵
      Executes dropped EXE
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of SetWindowsHookEx
      PID:284

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Persistence

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Privilege Escalation

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\Mtuyzzclient6.exe

Filesize
74KB

MD5
1f304261de14934db9384720c638744a

SHA1
b98f60e6feea77a31363d5a686e7be40f6cfc049

SHA256
ab23ec09d1ea7a359bd834f2fef7aa5272e8f643e9c27cb2bfe8869a6e447e87

SHA512
01f29cf8553d72070c56b953c23771fef9e4aba31b733b001f7b8a1e49e2cf02d120b21baf76ccfa9040548ed603c0308c95a4fedce7b4749fc01baf3c4fc826

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp7B57.tmp.bat

Filesize
157B

MD5
10313b055491c488dced60caddafb571

SHA1
3fe476c1cdc9036bc99f35123badd79d6941ab45

SHA256
9b9e4730d0a8bba065f533a0ebd4d6d062fcbfc9690bb8901ec45bfc4c75c352

SHA512
00d6a7b1a7bce457354357662071d08e10afb56094a574ba65f62ca0a3acafe7c77b80c9a4720ab135d5245bcebdaaa217cb81418dd111a8a875c30f76c67f7b

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp819E.tmp.bat

Filesize
157B

MD5
168931cc13b197f0babad9cb74bdc699

SHA1
cf945a0e69e6b782bceff0d5f295b1e43f246230

SHA256
447afe31bbd185a63d794c73b0c81c25eacfd297ca454a1a956c61e39e9ad16a

SHA512
23df1fff1e7e0611c72614021f86ce284d8e457af855f60d2edf21cecb95fc0526aa241c1b6126c75536829bc68b29fb26704211f089cf32753047d142a5e985

Download Submit
C:\Users\Admin\AppData\Roaming\Google Update.exe

Filesize
40KB

MD5
91c9ae9c9a17a9db5e08b120e668c74c

SHA1
50770954c1ceb0bb6f1d5d3f2de2a0a065773723

SHA256
e56a7e5d3ab9675555e2897fc3faa2dd9265008a4967a7d54030ab8184d2d38f

SHA512
ca504af192e3318359d4742a2ef26ae1b5d040a4f9942782e02549a310158d5d5dbf919b4c748c31ee609d2046bd23ee0c22712891c86ae4a1e3a58c6e67647e

Download Submit
C:\Users\Admin\AppData\Roaming\MyData\DataLogs.conf

Filesize
8B

MD5
cf759e4c5f14fe3eec41b87ed756cea8

SHA1
c27c796bb3c2fac929359563676f4ba1ffada1f5

SHA256
c9f9f193409217f73cc976ad078c6f8bf65d3aabcf5fad3e5a47536d47aa6761

SHA512
c7f832aee13a5eb36d145f35d4464374a9e12fa2017f3c2257442d67483b35a55eccae7f7729243350125b37033e075efbc2303839fd86b81b9b4dca3626953b

Download Submit
memory/284-57-0x00000000008C0000-0x00000000008D8000-memory.dmp

Filesize
96KB

Download
memory/2708-52-0x000007FEF5D30000-0x000007FEF671C000-memory.dmp

Filesize
9.9MB

Download
memory/2708-12-0x000007FEF5D33000-0x000007FEF5D34000-memory.dmp

Filesize
4KB

Download
memory/2708-13-0x0000000000290000-0x00000000002A8000-memory.dmp

Filesize
96KB

Download
memory/2708-32-0x000007FEF5D30000-0x000007FEF671C000-memory.dmp

Filesize
9.9MB

Download
memory/2720-31-0x0000000073ED0000-0x00000000745BE000-memory.dmp

Filesize
6.9MB

Download
memory/2720-0-0x0000000073EDE000-0x0000000073EDF000-memory.dmp

Filesize
4KB

Download
memory/2720-1-0x0000000000A40000-0x0000000004EA4000-memory.dmp

Filesize
68.4MB

Download
memory/2720-2-0x0000000073ED0000-0x00000000745BE000-memory.dmp

Filesize
6.9MB

Download
memory/2720-3-0x0000000009680000-0x000000000978A000-memory.dmp

Filesize
1.0MB

Download
memory/2720-4-0x0000000000590000-0x00000000005B8000-memory.dmp

Filesize
160KB

Download
memory/2720-5-0x0000000008860000-0x00000000088F2000-memory.dmp

Filesize
584KB

Download
memory/2844-14-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/2844-22-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

Filesize
4KB

Download
memory/2844-16-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/2844-26-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/2844-28-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/2844-24-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/2844-18-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/2844-20-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download