Analysis Overview
SHA256
2199752fcd7d8761556b8da40c3509c9fdaa4627e031f0fa32f3d6c103789a3e
Threat Level: Shows suspicious behavior
The file S_-_500_RAT_G3_2022_Anonymous.rar was found to show suspicious behavior.
Malicious Activity Summary
Executes dropped EXE
Obfuscated with Agile.Net obfuscator
Loads dropped DLL
Drops file in Windows directory
Enumerates physical storage devices
Suspicious behavior: GetForegroundWindowSpam
Suspicious use of SendNotifyMessage
Suspicious use of FindShellTrayWindow
Suspicious use of AdjustPrivilegeToken
Suspicious behavior: EnumeratesProcesses
Modifies registry class
Checks SCSI registry key(s)
Suspicious use of SetWindowsHookEx
MITRE ATT&CK
Enterprise Matrix V6
Analysis: static1
Detonation Overview
Reported
2023-04-09 12:06
Signatures
Obfuscated with Agile.Net obfuscator
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Analysis: behavioral1
Detonation Overview
Submitted
2023-04-09 12:06
Reported
2023-04-09 12:13
Platform
win10-20230220-en
Max time kernel
358s
Max time network
317s
Command Line
Signatures
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\S_-_500_RAT_G3_2022_Anonymous\S - 500 RAT G3 2022_Anonymous\S500RAT.exe | N/A |
Loads dropped DLL
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\S_-_500_RAT_G3_2022_Anonymous\S - 500 RAT G3 2022_Anonymous\S500RAT.exe | N/A |
Obfuscated with Agile.Net obfuscator
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Drops file in Windows directory
| Description | Indicator | Process | Target |
| File created | C:\Windows\rescache\_merged\4183903823\810424605.pri | C:\Windows\system32\taskmgr.exe | N/A |
| File created | C:\Windows\rescache\_merged\1601268389\3877292338.pri | C:\Windows\system32\taskmgr.exe | N/A |
Enumerates physical storage devices
Checks SCSI registry key(s)
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000 | C:\Windows\system32\taskmgr.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A | C:\Windows\system32\taskmgr.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName | C:\Windows\system32\taskmgr.exe | N/A |
Modifies registry class
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\USER\S-1-5-21-640001698-3754512395-3275565439-1000_Classes\Local Settings | C:\Windows\system32\cmd.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-640001698-3754512395-3275565439-1000_Classes\Local Settings | C:\Windows\system32\OpenWith.exe | N/A |
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: GetForegroundWindowSpam
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\system32\OpenWith.exe | N/A |
| N/A | N/A | C:\Program Files\7-Zip\7zFM.exe | N/A |
| N/A | N/A | C:\Windows\system32\taskmgr.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeRestorePrivilege | N/A | C:\Program Files\7-Zip\7zFM.exe | N/A |
| Token: 35 | N/A | C:\Program Files\7-Zip\7zFM.exe | N/A |
| Token: SeSecurityPrivilege | N/A | C:\Program Files\7-Zip\7zFM.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\system32\taskmgr.exe | N/A |
| Token: SeSystemProfilePrivilege | N/A | C:\Windows\system32\taskmgr.exe | N/A |
| Token: SeCreateGlobalPrivilege | N/A | C:\Windows\system32\taskmgr.exe | N/A |
| Token: SeRestorePrivilege | N/A | C:\Program Files\7-Zip\7zG.exe | N/A |
| Token: 35 | N/A | C:\Program Files\7-Zip\7zG.exe | N/A |
| Token: SeSecurityPrivilege | N/A | C:\Program Files\7-Zip\7zG.exe | N/A |
| Token: SeSecurityPrivilege | N/A | C:\Program Files\7-Zip\7zG.exe | N/A |
Suspicious use of FindShellTrayWindow
Suspicious use of SendNotifyMessage
Suspicious use of SetWindowsHookEx
Processes
C:\Windows\system32\cmd.exe
cmd /c C:\Users\Admin\AppData\Local\Temp\S_-_500_RAT_G3_2022_Anonymous.rar
C:\Windows\system32\OpenWith.exe
C:\Windows\system32\OpenWith.exe -Embedding
C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
C:\Program Files\7-Zip\7zFM.exe
"C:\Program Files\7-Zip\7zFM.exe" "C:\Users\Admin\AppData\Local\Temp\S_-_500_RAT_G3_2022_Anonymous.rar"
C:\Windows\system32\taskmgr.exe
"C:\Windows\system32\taskmgr.exe" /4
C:\Program Files\7-Zip\7zG.exe
"C:\Program Files\7-Zip\7zG.exe" x -o"C:\Users\Admin\AppData\Local\Temp\S_-_500_RAT_G3_2022_Anonymous\" -spe -an -ai#7zMap24880:138:7zEvent3191
C:\Users\Admin\AppData\Local\Temp\S_-_500_RAT_G3_2022_Anonymous\S - 500 RAT G3 2022_Anonymous\S500RAT.exe
"C:\Users\Admin\AppData\Local\Temp\S_-_500_RAT_G3_2022_Anonymous\S - 500 RAT G3 2022_Anonymous\S500RAT.exe"
C:\Windows\system32\wbem\WmiApSrv.exe
C:\Windows\system32\wbem\WmiApSrv.exe
Network
| Country | Destination | Domain | Proto |
| US | 20.189.173.2:443 | | tcp |
| US | 93.184.221.240:80 | | tcp |
| US | 8.8.8.8:53 | 86.8.109.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 26.178.89.13.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 108.211.229.192.in-addr.arpa | udp |
Files
C:\Users\Admin\AppData\Local\Temp\S_-_500_RAT_G3_2022_Anonymous\S - 500 RAT G3 2022_Anonymous\S500RAT.exe
| MD5 | 22e3b5c6b876c3a3195301daa78a74c9 |
| SHA1 | 120e4286764977253acf63d7db8bb33880c3f8d2 |
| SHA256 | 02c370db69059ca56ef2346846ec0a23f4e56185a9c13f50a13dd0db894e2d0c |
| SHA512 | ce3e51c28a87cdff9c6531b8f4ac321c91a8fb2b31eb0fd03b19da8aaea4d040c755585c488c3446a5cfb843b60a8c28998f3babfc3e2bce47d4e8d6af46401d |
memory/4836-577-0x000001E7A6100000-0x000001E7A7240000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\S_-_500_RAT_G3_2022_Anonymous\S - 500 RAT G3 2022_Anonymous\Guna.UI2.dll
| MD5 | 0f07705bd42d86d77dab085c42775244 |
| SHA1 | 7e4b5c367183f4753a8d610e353c458c3def3888 |
| SHA256 | cf9b66e11506fa431849350c0cb58430a71e5ec943d2db9ef1b2e2302f299443 |
| SHA512 | 851b1a4c470ee7fe07ce5619c16fd391428585926c5b559694a9e445633ea51ec86c74a3bbf3bce39d943c4bf714dad2fd3c4a4d0703be2333541c79a2ee97f0 |
memory/4836-579-0x000001E7C1AB0000-0x000001E7C1CA2000-memory.dmp
memory/4836-580-0x000001E7C16A0000-0x000001E7C16B0000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\c6ef4c2b-9a55-40b4-957b-c3cb74191397\GunaDotNetRT64.dll
| MD5 | 9c43f77cb7cff27cb47ed67babe3eda5 |
| SHA1 | b0400cf68249369d21de86bd26bb84ccffd47c43 |
| SHA256 | f25b9288fe370dcfcb4823fb4e44ab88c7f5fce6e137d0dba389a3dba07d621e |
| SHA512 | cde6fb6cf8db6f9746e69e6c10214e60b3646700d70b49668a2a792e309714dd2d4c5a5241977a833a95fcde8318abcc89eb9968a5039a0b75726bbfa27125a7 |
memory/4836-587-0x00007FF8C7E20000-0x00007FF8C7F4C000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\S_-_500_RAT_G3_2022_Anonymous\S - 500 RAT G3 2022_Anonymous\SunnyUI.dll
| MD5 | af527b22b92a23c38a492c5961cf2643 |
| SHA1 | 15106adfa13415287b3e9d8deba21df53cb92eda |
| SHA256 | 4208c9293c5684d2fc3c8f5a269a1120adee32fbd2766bbb73410aab2d491b7a |
| SHA512 | 543cce9b5e4c9558bf0bd0da9d6af8c1ad2f7d62e2d65a9aa4e3af9e4840ce6fb6bbe8952bd20f6f1e3a6d3b5e5e5b3417a60b6d955bfa4e23a653262677b49c |
C:\Users\Admin\AppData\Local\Temp\S_-_500_RAT_G3_2022_Anonymous\S - 500 RAT G3 2022_Anonymous\initialization.dll
| MD5 | 3aaae3cec15b86693ae9fb8e1507c872 |
| SHA1 | ed8d0a139c609eb886482718ec2ecf96cbbe8c84 |
| SHA256 | a027b6b344e5a637bc8377fe58166273d2b76e92ff8c66bd505d46c21fe3b21b |
| SHA512 | 407558e01ade1832bb021b5af0209e7a6bef98ab35b9f4723a1add48362bd13f566697a8fb41af48c0bb15ca13585f9c09ac8d5da0feb322798c778b09cf4463 |
memory/4836-600-0x000001E7C8670000-0x000001E7C8682000-memory.dmp
memory/4836-601-0x000001E7C6390000-0x000001E7C639A000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\S_-_500_RAT_G3_2022_Anonymous\S - 500 RAT G3 2022_Anonymous\Certificate\ServerCertificate.p12
| MD5 | c60e527a85f285ddc66c2fcf160b1be7 |
| SHA1 | abcf2b6bffea9f0f30190783f6eae2434ef7a9a8 |
| SHA256 | 35c46a9e9dc60a74a25572e743794a31fecd08672813d349a39f2d13b01e789f |
| SHA512 | 77a661544c2d7f2d8b870cdd503b806aea6de3a2b5aee19327c05aeef137a1df3661d249219fe73e7a300189c732efeb5d2004226c6e429fa024f1d3b1dec84e |
C:\Users\Admin\AppData\Local\Temp\S_-_500_RAT_G3_2022_Anonymous\S - 500 RAT G3 2022_Anonymous\SunnyUI.Common.dll
| MD5 | 17cbdd9e4cb0ede2fad8c08c05fdaa84 |
| SHA1 | 74bc0ea3e8bd64c6752b6c0adac1bfe2b313416c |
| SHA256 | d975bc4711655e6fd2361ae9b056c617051f616ced5b46ce7772255a85712441 |
| SHA512 | 1948c20585ecb9984cd9452a74bcb75e81c35ca37f0cf0e1d3f211ad71b9e40c215f4784af7803cec9baef9984f682a32817a85806aefad21830b13b6a0a6a4a |