Analysis
-
max time kernel
1444s -
max time network
1232s -
platform
windows10-2004_x64 -
resource
win10v2004-20230220-en -
resource tags
arch:x64arch:x86image:win10v2004-20230220-enlocale:en-usos:windows10-2004-x64system -
submitted
14/04/2023, 01:58
Static task
static1
Behavioral task
behavioral1
Sample
ASTRAL 2.0/Astral.exe
Resource
win10v2004-20230220-en
Behavioral task
behavioral2
Sample
ASTRAL 2.0/DNGRTx64.dll
Resource
win10v2004-20230220-en
General
-
Target
ASTRAL 2.0/Astral.exe
-
Size
12.8MB
-
MD5
1ee5f98fbb806a712f1b604fc4c4c28a
-
SHA1
cdad412d23992b37dacb37286e9c149cef5fd05f
-
SHA256
566fed7c0f5027414066594ef3580224795683be610d005d414ef1bdd6ae455d
-
SHA512
01e261de6fce9309798d56cfba21dfe535bfee555c47a42fbbd9dce8dcb3c2e6144200a14bf01aa9bcc53a32116fd7b522f120cdcc708b3874e829f7cfd58b0f
-
SSDEEP
196608:8R8RPkEivhLzXkZgJPCryHhM1Y2PyIiT8S6RDYv7L1IOUTcEdfL:8R8RPkRvh/JWyHySTKU7L1p2cE
Malware Config
Signatures
-
Loads dropped DLL 1 IoCs
pid Process 2164 Astral.exe -
Obfuscated with Agile.Net obfuscator 30 IoCs
Detects use of the Agile.Net commercial obfuscator, which is capable of entity renaming and control flow obfuscation.
resource yara_rule behavioral1/memory/2164-148-0x000002293FD50000-0x000002293FF14000-memory.dmp agile_net behavioral1/memory/2164-149-0x000002293FD50000-0x000002293FF14000-memory.dmp agile_net behavioral1/memory/2164-151-0x000002293FD50000-0x000002293FF14000-memory.dmp agile_net behavioral1/memory/2164-153-0x000002293FD50000-0x000002293FF14000-memory.dmp agile_net behavioral1/memory/2164-155-0x000002293FD50000-0x000002293FF14000-memory.dmp agile_net behavioral1/memory/2164-158-0x000002293FD50000-0x000002293FF14000-memory.dmp agile_net behavioral1/memory/2164-160-0x000002293FD50000-0x000002293FF14000-memory.dmp agile_net behavioral1/memory/2164-162-0x000002293FD50000-0x000002293FF14000-memory.dmp agile_net behavioral1/memory/2164-164-0x000002293FD50000-0x000002293FF14000-memory.dmp agile_net behavioral1/memory/2164-166-0x000002293FD50000-0x000002293FF14000-memory.dmp agile_net behavioral1/memory/2164-168-0x000002293FD50000-0x000002293FF14000-memory.dmp agile_net behavioral1/memory/2164-170-0x000002293FD50000-0x000002293FF14000-memory.dmp agile_net behavioral1/memory/2164-172-0x000002293FD50000-0x000002293FF14000-memory.dmp agile_net behavioral1/memory/2164-174-0x000002293FD50000-0x000002293FF14000-memory.dmp agile_net behavioral1/memory/2164-176-0x000002293FD50000-0x000002293FF14000-memory.dmp agile_net behavioral1/memory/2164-178-0x000002293FD50000-0x000002293FF14000-memory.dmp agile_net behavioral1/memory/2164-180-0x000002293FD50000-0x000002293FF14000-memory.dmp agile_net behavioral1/memory/2164-182-0x000002293FD50000-0x000002293FF14000-memory.dmp agile_net behavioral1/memory/2164-184-0x000002293FD50000-0x000002293FF14000-memory.dmp agile_net behavioral1/memory/2164-186-0x000002293FD50000-0x000002293FF14000-memory.dmp agile_net behavioral1/memory/2164-188-0x000002293FD50000-0x000002293FF14000-memory.dmp agile_net behavioral1/memory/2164-190-0x000002293FD50000-0x000002293FF14000-memory.dmp agile_net behavioral1/memory/2164-192-0x000002293FD50000-0x000002293FF14000-memory.dmp agile_net behavioral1/memory/2164-194-0x000002293FD50000-0x000002293FF14000-memory.dmp agile_net behavioral1/memory/2164-196-0x000002293FD50000-0x000002293FF14000-memory.dmp agile_net behavioral1/memory/2164-198-0x000002293FD50000-0x000002293FF14000-memory.dmp agile_net behavioral1/memory/2164-200-0x000002293FD50000-0x000002293FF14000-memory.dmp agile_net behavioral1/memory/2164-202-0x000002293FD50000-0x000002293FF14000-memory.dmp agile_net behavioral1/memory/2164-204-0x000002293FD50000-0x000002293FF14000-memory.dmp agile_net behavioral1/memory/2164-206-0x000002293FD50000-0x000002293FF14000-memory.dmp agile_net -
Legitimate hosting services abused for malware hosting/C2 1 TTPs
-
Suspicious use of NtSetInformationThreadHideFromDebugger 3 IoCs
pid Process 2164 Astral.exe 2164 Astral.exe 2164 Astral.exe -
Suspicious behavior: EnumeratesProcesses 3 IoCs
pid Process 2164 Astral.exe 2164 Astral.exe 2164 Astral.exe -
Suspicious use of AdjustPrivilegeToken 1 IoCs
description pid Process Token: SeDebugPrivilege 2164 Astral.exe
Processes
-
C:\Users\Admin\AppData\Local\Temp\ASTRAL 2.0\Astral.exe"C:\Users\Admin\AppData\Local\Temp\ASTRAL 2.0\Astral.exe"1⤵
- Loads dropped DLL
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2164
-
C:\Windows\System32\rundll32.exeC:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding1⤵PID:3172
Network
MITRE ATT&CK Enterprise v6
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
142KB
MD59c43f77cb7cff27cb47ed67babe3eda5
SHA1b0400cf68249369d21de86bd26bb84ccffd47c43
SHA256f25b9288fe370dcfcb4823fb4e44ab88c7f5fce6e137d0dba389a3dba07d621e
SHA512cde6fb6cf8db6f9746e69e6c10214e60b3646700d70b49668a2a792e309714dd2d4c5a5241977a833a95fcde8318abcc89eb9968a5039a0b75726bbfa27125a7
-
Filesize
142KB
MD59c43f77cb7cff27cb47ed67babe3eda5
SHA1b0400cf68249369d21de86bd26bb84ccffd47c43
SHA256f25b9288fe370dcfcb4823fb4e44ab88c7f5fce6e137d0dba389a3dba07d621e
SHA512cde6fb6cf8db6f9746e69e6c10214e60b3646700d70b49668a2a792e309714dd2d4c5a5241977a833a95fcde8318abcc89eb9968a5039a0b75726bbfa27125a7