Analysis
- max time kernel: 159s
- max time network: 178s
- platform: windows7_x64
- resource: win7-20221111-en
- resource tags: arch:x64, arch:x86, image:win7-20221111-en, locale:en-us, os:windows7-x64, system
- submitted: 15-02-2023 17:24
Behavioral tasks (task: sample, resource)
- behavioral1: AnkaBotPC_4.0.5/AnkaBotPC/AnkaBot.exe, win7-20220812-en
- behavioral2: AnkaBotPC_4.0.5/AnkaBotPC/AnkaBot.exe, win10v2004-20220812-en
- behavioral3: AnkaBotPC_4.0.5/AnkaBotPC/AnkaBotCrashHandler.exe, win7-20220812-en
- behavioral4: AnkaBotPC_4.0.5/AnkaBotPC/AnkaBotCrashHandler.exe, win10v2004-20220812-en
- behavioral5: AnkaBotPC_4.0.5/AnkaBotPC/AnkaBotProxy.exe, win7-20220901-en
- behavioral6: AnkaBotPC_4.0.5/AnkaBotPC/AnkaBotProxy.exe, win10v2004-20220812-en
- behavioral7: AnkaBotPC_4.0.5/AnkaBotPC/AnkaBotUpdater.exe, win7-20221111-en
- behavioral8: AnkaBotPC_4.0.5/AnkaBotPC/AnkaBotUpdater.exe, win10v2004-20220812-en
- behavioral9: AnkaBotPC_4.0.5/AnkaBotPC/Application/Application.exe, win7-20220812-en
- behavioral10: AnkaBotPC_4.0.5/AnkaBotPC/Application/Application.exe, win10v2004-20221111-en
- behavioral11: AnkaBotPC_4.0.5/AnkaBotPC/Application/LICENSES.chromium.html, win7-20221111-en
- behavioral12: AnkaBotPC_4.0.5/AnkaBotPC/Application/LICENSES.chromium.html, win10v2004-20220901-en
- behavioral13: AnkaBotPC_4.0.5/AnkaBotPC/Application/d3dcompiler_47.dll, win7-20220812-en
- behavioral14: AnkaBotPC_4.0.5/AnkaBotPC/Application/d3dcompiler_47.dll, win10v2004-20220812-en
- behavioral15: AnkaBotPC_4.0.5/AnkaBotPC/Application/ffmpeg.dll, win7-20221111-en
- behavioral16: AnkaBotPC_4.0.5/AnkaBotPC/Application/ffmpeg.dll, win10v2004-20221111-en
- behavioral17: AnkaBotPC_4.0.5/AnkaBotPC/Application/libEGL.dll, win7-20221111-en
- behavioral18: AnkaBotPC_4.0.5/AnkaBotPC/Application/libEGL.dll, win10v2004-20220812-en
- behavioral19: AnkaBotPC_4.0.5/AnkaBotPC/Application/libGLESv2.dll, win7-20220901-en
- behavioral20: AnkaBotPC_4.0.5/AnkaBotPC/Application/libGLESv2.dll, win10v2004-20220812-en
- behavioral21: AnkaBotPC_4.0.5/AnkaBotPC/Application/swiftshader/libEGL.dll, win7-20220812-en
- behavioral22: AnkaBotPC_4.0.5/AnkaBotPC/Application/swiftshader/libEGL.dll, win10v2004-20221111-en
- behavioral23: AnkaBotPC_4.0.5/AnkaBotPC/Application/swiftshader/libGLESv2.dll, win7-20221111-en
- behavioral24: AnkaBotPC_4.0.5/AnkaBotPC/Application/swiftshader/libGLESv2.dll, win10v2004-20221111-en
- behavioral25: AnkaBotPC_4.0.5/AnkaBotPC/Application/vk_swiftshader.dll, win7-20220901-en
- behavioral26: AnkaBotPC_4.0.5/AnkaBotPC/Application/vk_swiftshader.dll, win10v2004-20220812-en
- behavioral27: AnkaBotPC_4.0.5/AnkaBotPC/Application/vulkan-1.dll, win7-20220812-en
- behavioral28: AnkaBotPC_4.0.5/AnkaBotPC/Application/vulkan-1.dll, win10v2004-20220812-en
- behavioral29: AnkaBotPC_4.0.5/AnkaBotPC/Bypass.exe, win7-20221111-en
- behavioral30: AnkaBotPC_4.0.5/AnkaBotPC/Bypass.exe, win10v2004-20221111-en
- behavioral31: AnkaBotPC_4.0.5/AnkaBotPC/MoonSharp.Interpreter.dll, win7-20221111-en
- behavioral32: AnkaBotPC_4.0.5/AnkaBotPC/MoonSharp.Interpreter.dll, win10v2004-20220901-en
General
- Target: AnkaBotPC_4.0.5/AnkaBotPC/Bypass.exe
- Size: 66KB
- MD5: ed8ed2bfb05f2f2a5496c4d32095c34b
- SHA1: 57002f5bf97a9ddf1aafd909dcc676e60343d322
- SHA256: 8cabd58822919c0a30ddc7a507e4a55a5d314ec466224791d7814711cf373f6c
- SHA512: e55c939802586f0b1525dc6e6c8964c37edec8c35b0bfcbd08998807d2c6a4a0d05db6100fc6312be983c585b2270e39d113e7a72a13a8403588a64710be39d1
- SSDEEP: 1536:ToUWMO7oo0sS7UAkj9O8QQHFdCxlTk/sbbXApJZLTD9VclN:TJof9O8QQHFPsbbXI7PY
Malware Config
Extracted (family: asyncrat)
- Version: Venom RAT + HVNC + Stealer + Grabber v6.0.0
- Botnet: Default
- C2: 141.98.11.72:4449
- Mutex: sdtgyxyhor
- delay: 1
- install: true
- install_file: Ankabotkey.exe
- install_folder: %AppData%
Signatures
- Async RAT payload (4 IoCs)
  resource: yara_rule
  - behavioral29/memory/828-54-0x0000000001200000-0x0000000001216000-memory.dmp: asyncrat
  - C:\Users\Admin\AppData\Roaming\Ankabotkey.exe: asyncrat
  - C:\Users\Admin\AppData\Roaming\Ankabotkey.exe: asyncrat
  - behavioral29/memory/284-63-0x0000000000350000-0x0000000000366000-memory.dmp: asyncrat
- Executes dropped EXE (1 IoC)
  pid / process: 284 Ankabotkey.exe
- Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
- Creates scheduled task(s) (1 TTP, 1 IoC)
  Schtasks is often used by malware for persistence or to perform post-infection execution.
- Delays execution with timeout.exe (1 IoC)
  pid / process: 1092 timeout.exe
- Suspicious behavior: EnumeratesProcesses (27 IoCs)
  pid / process: 828 Bypass.exe; 284 Ankabotkey.exe (26 entries)
- Suspicious use of AdjustPrivilegeToken (2 IoCs)
  description / pid / process:
  - Token: SeDebugPrivilege, 828 Bypass.exe
  - Token: SeDebugPrivilege, 284 Ankabotkey.exe
- Suspicious use of WriteProcessMemory (15 IoCs)
  description / pid / process / target process (each entry is listed three times in the report):
  - PID 828 wrote to memory of 1048: 828 Bypass.exe -> cmd.exe
  - PID 828 wrote to memory of 1156: 828 Bypass.exe -> cmd.exe
  - PID 1048 wrote to memory of 1700: 1048 cmd.exe -> schtasks.exe
  - PID 1156 wrote to memory of 1092: 1156 cmd.exe -> timeout.exe
  - PID 1156 wrote to memory of 284: 1156 cmd.exe -> Ankabotkey.exe
Processes (process tree; depth shown by indentation)
- [1] C:\Users\Admin\AppData\Local\Temp\AnkaBotPC_4.0.5\AnkaBotPC\Bypass.exe
  command line: "C:\Users\Admin\AppData\Local\Temp\AnkaBotPC_4.0.5\AnkaBotPC\Bypass.exe"
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  - [2] C:\Windows\System32\cmd.exe
    command line: "C:\Windows\System32\cmd.exe" /c schtasks /create /f /sc onlogon /rl highest /tn "Ankabotkey" /tr '"C:\Users\Admin\AppData\Roaming\Ankabotkey.exe"' & exit
    - Suspicious use of WriteProcessMemory
    - [3] C:\Windows\system32\schtasks.exe
      command line: schtasks /create /f /sc onlogon /rl highest /tn "Ankabotkey" /tr '"C:\Users\Admin\AppData\Roaming\Ankabotkey.exe"'
      - Creates scheduled task(s)
  - [2] C:\Windows\system32\cmd.exe
    command line: cmd /c ""C:\Users\Admin\AppData\Local\Temp\tmp8122.tmp.bat""
    - Suspicious use of WriteProcessMemory
    - [3] C:\Windows\system32\timeout.exe
      command line: timeout 3
      - Delays execution with timeout.exe
    - [3] C:\Users\Admin\AppData\Roaming\Ankabotkey.exe
      command line: "C:\Users\Admin\AppData\Roaming\Ankabotkey.exe"
      - Executes dropped EXE
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of AdjustPrivilegeToken
Network
MITRE ATT&CK Matrix (ATT&CK v6)
Downloads
- C:\Users\Admin\AppData\Local\Temp\tmp8122.tmp.bat
  Filesize: 154B
  MD5: 5cddc4444d51c6417139844b96300d0b
  SHA1: ea5100b6afe19224d75e458ca16e44f6a30a8d55
  SHA256: 9dd569f9ea5db43dbc216e0e8a279bb28bebd41d11585d17525e32ee71c9b655
  SHA512: 9ad7f2cbf8d804a0dca968f6401c9f57d2fa5876a1613475d3d6ba2bc299c0a2aead99a7bd0bedbf1288ddb61d09ba50e8e62afbc44a9e801efde82225cb8e3b
- C:\Users\Admin\AppData\Roaming\Ankabotkey.exe (listed twice in the report; same hashes as the target Bypass.exe)
  Filesize: 66KB
  MD5: ed8ed2bfb05f2f2a5496c4d32095c34b
  SHA1: 57002f5bf97a9ddf1aafd909dcc676e60343d322
  SHA256: 8cabd58822919c0a30ddc7a507e4a55a5d314ec466224791d7814711cf373f6c
  SHA512: e55c939802586f0b1525dc6e6c8964c37edec8c35b0bfcbd08998807d2c6a4a0d05db6100fc6312be983c585b2270e39d113e7a72a13a8403588a64710be39d1

Memory dumps
- memory/284-60-0x0000000000000000-mapping.dmp
- memory/284-63-0x0000000000350000-0x0000000000366000-memory.dmp (Filesize: 88KB)
- memory/828-54-0x0000000001200000-0x0000000001216000-memory.dmp (Filesize: 88KB)
- memory/1048-55-0x0000000000000000-mapping.dmp
- memory/1092-59-0x0000000000000000-mapping.dmp
- memory/1156-56-0x0000000000000000-mapping.dmp
- memory/1700-57-0x0000000000000000-mapping.dmp