asyncrat | 7a3b1e9c8df660dc1c1cf9b17411c1d6a4ffca364712c5de8ac46b1199ece1ce

Analysis

max time kernel
89s
max time network
161s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
11-11-2024 02:36

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

Ehhbsuuemv.exe
Size

68.4MB
MD5

368dc6c24db6c1550ce757c0ffbdd9a0
SHA1

89bf95d951ac065bdfd8a323b1ecb70355bbab20
SHA256

9f3d5e17974ea77849869573fcca4be15d641ea937fc23fceb2808c59612b641
SHA512

78c94132c3f426930bcc80fc8dab760f3ecedcb6747150ba72319a23adedfda7c7cdc494122899cca914b7a1daa859f2a9c54c9bacf5b2e9c2f5519275fb2211
SSDEEP

1572864:iEmgHZAuBtRvd59Tdd6ok1vPtBQmjbPV4dDO4oJV36euF3SGzcqj0:zFHZAytD5xdd6FNPtBQeCdDO4oW/P4

Score

10^/10

asyncrat venomrat zgrat default discovery rat

Malware Config

Extracted

Family

asyncrat

Version

Venom RAT + HVNC + Stealer + Grabber v6.0.3

Botnet

Default

45.137.65.94:4449

Mutex

saiarsvkhzxxjyqd

Attributes

delay
1
install
true
install_file
Google Update.exe
install_folder
%AppData%

aes.plain

Signatures

AsyncRat
AsyncRAT is designed to remotely monitor and control other computers written in C#.
rat asyncrat
Asyncrat family
asyncrat

Detect ZGRat V2 1 IoCs

resource	yara_rule
behavioral2/memory/2788-6-0x000000000A8E0000-0x000000000A9EA000-memory.dmp	family_zgrat_v2

VenomRAT 2 IoCs

Detects VenomRAT - JaffaCakes118.

rat

resource	yara_rule
behavioral2/files/0x000c000000023b8c-15.dat	VenomRAT
behavioral2/memory/624-23-0x00000000006E0000-0x00000000006F8000-memory.dmp	VenomRAT

Venomrat family
venomrat
ZGRat
ZGRat is remote access trojan written in C#.
rat zgrat
Zgrat family
zgrat

Async RAT payload 1 IoCs

rat

resource	yara_rule
behavioral2/files/0x000c000000023b8c-15.dat	family_asyncrat

Checks computer location settings 2 TTPs 2 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\Control Panel\International\Geo\Nation	Ehhbsuuemv.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\Control Panel\International\Geo\Nation	Mtuyzzclient6.exe

Executes dropped EXE 3 IoCs

pid	Process
624	Mtuyzzclient6.exe
4524	Google Update.exe
4428	Google Update.exe

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 2788 set thread context of 4120	2788	Ehhbsuuemv.exe	89

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 8 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Google Update.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ehhbsuuemv.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	InstallUtil.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	schtasks.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	timeout.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Google Update.exe

Delays execution with timeout.exe 2 IoCs

evasion

pid	Process
1920	timeout.exe
4928	timeout.exe

Scheduled Task/Job: Scheduled Task 1 TTPs 2 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

pid	Process
2996	schtasks.exe
4868	schtasks.exe

Suspicious behavior: EnumeratesProcesses 47 IoCs

pid	Process
2788	Ehhbsuuemv.exe
624	Mtuyzzclient6.exe
624	Mtuyzzclient6.exe
624	Mtuyzzclient6.exe
624	Mtuyzzclient6.exe
624	Mtuyzzclient6.exe
624	Mtuyzzclient6.exe
624	Mtuyzzclient6.exe
624	Mtuyzzclient6.exe
624	Mtuyzzclient6.exe
624	Mtuyzzclient6.exe
624	Mtuyzzclient6.exe
624	Mtuyzzclient6.exe
624	Mtuyzzclient6.exe
624	Mtuyzzclient6.exe
624	Mtuyzzclient6.exe
624	Mtuyzzclient6.exe
624	Mtuyzzclient6.exe
624	Mtuyzzclient6.exe
624	Mtuyzzclient6.exe
624	Mtuyzzclient6.exe
624	Mtuyzzclient6.exe
624	Mtuyzzclient6.exe
624	Mtuyzzclient6.exe
4120	InstallUtil.exe
4120	InstallUtil.exe
4120	InstallUtil.exe
4120	InstallUtil.exe
4120	InstallUtil.exe
4120	InstallUtil.exe
4120	InstallUtil.exe
4120	InstallUtil.exe
4120	InstallUtil.exe
4120	InstallUtil.exe
4120	InstallUtil.exe
4120	InstallUtil.exe
4120	InstallUtil.exe
4120	InstallUtil.exe
4120	InstallUtil.exe
4120	InstallUtil.exe
4120	InstallUtil.exe
4120	InstallUtil.exe
4120	InstallUtil.exe
4120	InstallUtil.exe
4120	InstallUtil.exe
4120	InstallUtil.exe
4120	InstallUtil.exe

Suspicious use of AdjustPrivilegeToken 3 IoCs

description	pid	Process
Token: SeDebugPrivilege	2788	Ehhbsuuemv.exe
Token: SeDebugPrivilege	624	Mtuyzzclient6.exe
Token: SeDebugPrivilege	4120	InstallUtil.exe

Suspicious use of WriteProcessMemory 36 IoCs

description	pid	Process	procid_target
PID 2788 wrote to memory of 624	2788	Ehhbsuuemv.exe	88
PID 2788 wrote to memory of 624	2788	Ehhbsuuemv.exe	88
PID 2788 wrote to memory of 4120	2788	Ehhbsuuemv.exe	89
PID 2788 wrote to memory of 4120	2788	Ehhbsuuemv.exe	89
PID 2788 wrote to memory of 4120	2788	Ehhbsuuemv.exe	89
PID 2788 wrote to memory of 4120	2788	Ehhbsuuemv.exe	89
PID 2788 wrote to memory of 4120	2788	Ehhbsuuemv.exe	89
PID 2788 wrote to memory of 4120	2788	Ehhbsuuemv.exe	89
PID 2788 wrote to memory of 4120	2788	Ehhbsuuemv.exe	89
PID 2788 wrote to memory of 4120	2788	Ehhbsuuemv.exe	89
PID 624 wrote to memory of 872	624	Mtuyzzclient6.exe	90
PID 624 wrote to memory of 872	624	Mtuyzzclient6.exe	90
PID 624 wrote to memory of 1388	624	Mtuyzzclient6.exe	91
PID 624 wrote to memory of 1388	624	Mtuyzzclient6.exe	91
PID 872 wrote to memory of 2996	872	cmd.exe	95
PID 872 wrote to memory of 2996	872	cmd.exe	95
PID 1388 wrote to memory of 1920	1388	cmd.exe	96
PID 1388 wrote to memory of 1920	1388	cmd.exe	96
PID 4120 wrote to memory of 2924	4120	InstallUtil.exe	97
PID 4120 wrote to memory of 2924	4120	InstallUtil.exe	97
PID 4120 wrote to memory of 2924	4120	InstallUtil.exe	97
PID 2924 wrote to memory of 4868	2924	cmd.exe	99
PID 2924 wrote to memory of 4868	2924	cmd.exe	99
PID 2924 wrote to memory of 4868	2924	cmd.exe	99
PID 4120 wrote to memory of 2808	4120	InstallUtil.exe	100
PID 4120 wrote to memory of 2808	4120	InstallUtil.exe	100
PID 4120 wrote to memory of 2808	4120	InstallUtil.exe	100
PID 2808 wrote to memory of 4928	2808	cmd.exe	102
PID 2808 wrote to memory of 4928	2808	cmd.exe	102
PID 2808 wrote to memory of 4928	2808	cmd.exe	102
PID 1388 wrote to memory of 4524	1388	cmd.exe	103
PID 1388 wrote to memory of 4524	1388	cmd.exe	103
PID 1388 wrote to memory of 4524	1388	cmd.exe	103
PID 2808 wrote to memory of 4428	2808	cmd.exe	107
PID 2808 wrote to memory of 4428	2808	cmd.exe	107
PID 2808 wrote to memory of 4428	2808	cmd.exe	107

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\Ehhbsuuemv.exe
"C:\Users\Admin\AppData\Local\Temp\Ehhbsuuemv.exe"
1⤵
- Checks computer location settings
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2788
- C:\Users\Admin\AppData\Local\Temp\Mtuyzzclient6.exe
  "C:\Users\Admin\AppData\Local\Temp\Mtuyzzclient6.exe"
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:624
- - C:\Windows\System32\cmd.exe
    "C:\Windows\System32\cmd.exe" /c schtasks /create /f /sc onlogon /rl highest /tn "Google Update" /tr '"C:\Users\Admin\AppData\Roaming\Google Update.exe"' & exit
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:872
  - - C:\Windows\system32\schtasks.exe
      schtasks /create /f /sc onlogon /rl highest /tn "Google Update" /tr '"C:\Users\Admin\AppData\Roaming\Google Update.exe"'
      4⤵
      Scheduled Task/Job: Scheduled Task
      PID:2996
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\tmpECA2.tmp.bat""
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:1388
  - - C:\Windows\system32\timeout.exe
      timeout 3
      4⤵
      Delays execution with timeout.exe
      PID:1920
  - - C:\Users\Admin\AppData\Roaming\Google Update.exe
      "C:\Users\Admin\AppData\Roaming\Google Update.exe"
      4⤵
      Executes dropped EXE
      System Location Discovery: System Language Discovery
      PID:4524
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:4120
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\System32\cmd.exe" /c schtasks /create /f /sc onlogon /rl highest /tn "Google Update" /tr '"C:\Users\Admin\AppData\Roaming\Google Update.exe"' & exit
    3⤵
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:2924
  - - C:\Windows\SysWOW64\schtasks.exe
      schtasks /create /f /sc onlogon /rl highest /tn "Google Update" /tr '"C:\Users\Admin\AppData\Roaming\Google Update.exe"'
      4⤵
      System Location Discovery: System Language Discovery
      Scheduled Task/Job: Scheduled Task
      PID:4868
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\tmpF2AD.tmp.bat""
    3⤵
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:2808
  - - C:\Windows\SysWOW64\timeout.exe
      timeout 3
      4⤵
      System Location Discovery: System Language Discovery
      Delays execution with timeout.exe
      PID:4928
  - - C:\Users\Admin\AppData\Roaming\Google Update.exe
      "C:\Users\Admin\AppData\Roaming\Google Update.exe"
      4⤵
      Executes dropped EXE
      System Location Discovery: System Language Discovery
      PID:4428

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Persistence

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Privilege Escalation

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\Google Update.exe.log

Filesize
950B

MD5
f7a49804289daba7de5b3b77408276f7

SHA1
43dc40ddb1d6e081d52671a56ecefbcb4545e32c

SHA256
6b79cf98a0976e2e43f4e9fae56b57910360503435ff027b87e481d5c3b68892

SHA512
4e0dd3d97bb9cab135c649fac821c9664cad91f4e22fa883b426e20620affce41878981c7f20a3d859027a890304886c186e463ea0df17a184562ee6a1e48d64

Download Submit
C:\Users\Admin\AppData\Local\Temp\Mtuyzzclient6.exe

Filesize
74KB

MD5
1f304261de14934db9384720c638744a

SHA1
b98f60e6feea77a31363d5a686e7be40f6cfc049

SHA256
ab23ec09d1ea7a359bd834f2fef7aa5272e8f643e9c27cb2bfe8869a6e447e87

SHA512
01f29cf8553d72070c56b953c23771fef9e4aba31b733b001f7b8a1e49e2cf02d120b21baf76ccfa9040548ed603c0308c95a4fedce7b4749fc01baf3c4fc826

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmpECA2.tmp.bat

Filesize
157B

MD5
dfca17a60eff55e49d6e7e5e37900403

SHA1
a32dfb6f885dbd428643eb37ac560b46e47bd4b8

SHA256
2d952f987504f8b6d52fdfef3d370d2fefbcb60899372091818b98b98090abdc

SHA512
d596d5ffe689a76053061b656034aa5b9e56c9194c22459ced66209952d29b52b5e5292f324536977b8e94da8c163fa25fbe9b7ad40eb71e8880536b98777d6d

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmpF2AD.tmp.bat

Filesize
157B

MD5
0ec9451077262e70a46e00a1a5e83014

SHA1
8e0c7fb4eeadb36c102b3a16dcab4479b6b5554d

SHA256
360fa6020b4182aa58a961492beeac41d51e80158aab0b66ba2c7d9529e3065a

SHA512
c5367719240f64eaf531ed887a677ba6eccda3866c910520c2a9c93f1a12578f8ff56a38622dca1b53a515b3a1c87039db809945ce865ede9edcfb9ff27a7cb1

Download Submit
C:\Users\Admin\AppData\Roaming\Google Update.exe

Filesize
41KB

MD5
5d4073b2eb6d217c19f2b22f21bf8d57

SHA1
f0209900fbf08d004b886a0b3ba33ea2b0bf9da8

SHA256
ac1a3f21fcc88f9cee7bf51581eafba24cc76c924f0821deb2afdf1080ddf3d3

SHA512
9ac94880684933ba3407cdc135abc3047543436567af14cd9269c4adc5a6535db7b867d6de0d6238a21b94e69f9890dbb5739155871a624520623a7e56872159

Download Submit
C:\Users\Admin\AppData\Roaming\MyData\DataLogs.conf

Filesize
8B

MD5
cf759e4c5f14fe3eec41b87ed756cea8

SHA1
c27c796bb3c2fac929359563676f4ba1ffada1f5

SHA256
c9f9f193409217f73cc976ad078c6f8bf65d3aabcf5fad3e5a47536d47aa6761

SHA512
c7f832aee13a5eb36d145f35d4464374a9e12fa2017f3c2257442d67483b35a55eccae7f7729243350125b37033e075efbc2303839fd86b81b9b4dca3626953b

Download Submit
memory/624-36-0x00007FFBFC660000-0x00007FFBFD121000-memory.dmp

Filesize
10.8MB

Download
memory/624-29-0x00007FFBFC660000-0x00007FFBFD121000-memory.dmp

Filesize
10.8MB

Download
memory/624-22-0x00007FFBFC663000-0x00007FFBFC665000-memory.dmp

Filesize
8KB

Download
memory/624-23-0x00000000006E0000-0x00000000006F8000-memory.dmp

Filesize
96KB

Download
memory/2788-6-0x000000000A8E0000-0x000000000A9EA000-memory.dmp

Filesize
1.0MB

Download
memory/2788-2-0x00000000096C0000-0x0000000009C64000-memory.dmp

Filesize
5.6MB

Download
memory/2788-9-0x000000000AD40000-0x000000000AD62000-memory.dmp

Filesize
136KB

Download
memory/2788-8-0x000000000AC80000-0x000000000AD12000-memory.dmp

Filesize
584KB

Download
memory/2788-1-0x00000000003F0000-0x0000000004854000-memory.dmp

Filesize
68.4MB

Download
memory/2788-27-0x0000000074840000-0x0000000074FF0000-memory.dmp

Filesize
7.7MB

Download
memory/2788-7-0x000000000AAF0000-0x000000000AB18000-memory.dmp

Filesize
160KB

Download
memory/2788-0-0x000000007484E000-0x000000007484F000-memory.dmp

Filesize
4KB

Download
memory/2788-10-0x000000000AD70000-0x000000000B0C4000-memory.dmp

Filesize
3.3MB

Download
memory/2788-3-0x0000000009110000-0x00000000091A2000-memory.dmp

Filesize
584KB

Download
memory/2788-5-0x00000000092A0000-0x00000000092AA000-memory.dmp

Filesize
40KB

Download
memory/2788-4-0x0000000074840000-0x0000000074FF0000-memory.dmp

Filesize
7.7MB

Download
memory/4120-31-0x000000007484E000-0x000000007484F000-memory.dmp

Filesize
4KB

Download
memory/4120-30-0x0000000005730000-0x0000000005740000-memory.dmp

Filesize
64KB

Download
memory/4120-25-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/4524-48-0x00000000049F0000-0x0000000004A0A000-memory.dmp

Filesize
104KB

Download
memory/4524-47-0x0000000000260000-0x000000000026C000-memory.dmp

Filesize
48KB

Download