0e173c2a2d3d5e7b98d3e93423e6f3cb906459ff9a61d9e7c451787411995612

General

Target

ASTRAL 2.0/Astral.exe
Size

12.8MB
MD5

1ee5f98fbb806a712f1b604fc4c4c28a
SHA1

cdad412d23992b37dacb37286e9c149cef5fd05f
SHA256

566fed7c0f5027414066594ef3580224795683be610d005d414ef1bdd6ae455d
SHA512

01e261de6fce9309798d56cfba21dfe535bfee555c47a42fbbd9dce8dcb3c2e6144200a14bf01aa9bcc53a32116fd7b522f120cdcc708b3874e829f7cfd58b0f
SSDEEP

196608:8R8RPkEivhLzXkZgJPCryHhM1Y2PyIiT8S6RDYv7L1IOUTcEdfL:8R8RPkRvh/JWyHySTKU7L1p2cE

Score

7^/10

agilenet

Malware Config

Signatures

Loads dropped DLL 1 IoCs

Processes:

Astral.exe

pid process

2164 Astral.exe

pid	process
2164	Astral.exe

Obfuscated with Agile.Net obfuscator 30 IoCs

Detects use of the Agile.Net commercial obfuscator, which is capable of entity renaming and control flow obfuscation.

agilenet

Processes:

resource	yara_rule
behavioral1/memory/2164-148-0x000002293FD50000-0x000002293FF14000-memory.dmp	agile_net
behavioral1/memory/2164-149-0x000002293FD50000-0x000002293FF14000-memory.dmp	agile_net
behavioral1/memory/2164-151-0x000002293FD50000-0x000002293FF14000-memory.dmp	agile_net
behavioral1/memory/2164-153-0x000002293FD50000-0x000002293FF14000-memory.dmp	agile_net
behavioral1/memory/2164-155-0x000002293FD50000-0x000002293FF14000-memory.dmp	agile_net
behavioral1/memory/2164-158-0x000002293FD50000-0x000002293FF14000-memory.dmp	agile_net
behavioral1/memory/2164-160-0x000002293FD50000-0x000002293FF14000-memory.dmp	agile_net
behavioral1/memory/2164-162-0x000002293FD50000-0x000002293FF14000-memory.dmp	agile_net
behavioral1/memory/2164-164-0x000002293FD50000-0x000002293FF14000-memory.dmp	agile_net
behavioral1/memory/2164-166-0x000002293FD50000-0x000002293FF14000-memory.dmp	agile_net
behavioral1/memory/2164-168-0x000002293FD50000-0x000002293FF14000-memory.dmp	agile_net
behavioral1/memory/2164-170-0x000002293FD50000-0x000002293FF14000-memory.dmp	agile_net
behavioral1/memory/2164-172-0x000002293FD50000-0x000002293FF14000-memory.dmp	agile_net
behavioral1/memory/2164-174-0x000002293FD50000-0x000002293FF14000-memory.dmp	agile_net
behavioral1/memory/2164-176-0x000002293FD50000-0x000002293FF14000-memory.dmp	agile_net
behavioral1/memory/2164-178-0x000002293FD50000-0x000002293FF14000-memory.dmp	agile_net
behavioral1/memory/2164-180-0x000002293FD50000-0x000002293FF14000-memory.dmp	agile_net
behavioral1/memory/2164-182-0x000002293FD50000-0x000002293FF14000-memory.dmp	agile_net
behavioral1/memory/2164-184-0x000002293FD50000-0x000002293FF14000-memory.dmp	agile_net
behavioral1/memory/2164-186-0x000002293FD50000-0x000002293FF14000-memory.dmp	agile_net
behavioral1/memory/2164-188-0x000002293FD50000-0x000002293FF14000-memory.dmp	agile_net
behavioral1/memory/2164-190-0x000002293FD50000-0x000002293FF14000-memory.dmp	agile_net
behavioral1/memory/2164-192-0x000002293FD50000-0x000002293FF14000-memory.dmp	agile_net
behavioral1/memory/2164-194-0x000002293FD50000-0x000002293FF14000-memory.dmp	agile_net
behavioral1/memory/2164-196-0x000002293FD50000-0x000002293FF14000-memory.dmp	agile_net
behavioral1/memory/2164-198-0x000002293FD50000-0x000002293FF14000-memory.dmp	agile_net
behavioral1/memory/2164-200-0x000002293FD50000-0x000002293FF14000-memory.dmp	agile_net
behavioral1/memory/2164-202-0x000002293FD50000-0x000002293FF14000-memory.dmp	agile_net
behavioral1/memory/2164-204-0x000002293FD50000-0x000002293FF14000-memory.dmp	agile_net
behavioral1/memory/2164-206-0x000002293FD50000-0x000002293FF14000-memory.dmp	agile_net

Legitimate hosting services abused for malware hosting/C2 1 TTPs

Web Service
T1102
Suspicious use of NtSetInformationThreadHideFromDebugger 3 IoCs

Processes:

Astral.exe

pid process

2164 Astral.exe
2164 Astral.exe
2164 Astral.exe
Suspicious behavior: EnumeratesProcesses 3 IoCs

Processes:

Astral.exe

pid process

2164 Astral.exe
2164 Astral.exe
2164 Astral.exe
Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes:

Astral.exe

description pid process

Token: SeDebugPrivilege 2164 Astral.exe

pid	process
2164	Astral.exe
2164	Astral.exe
2164	Astral.exe

pid	process
2164	Astral.exe
2164	Astral.exe
2164	Astral.exe

description	pid	process
Token: SeDebugPrivilege	2164	Astral.exe

C:\Users\Admin\AppData\Local\Temp\ASTRAL 2.0\Astral.exe
"C:\Users\Admin\AppData\Local\Temp\ASTRAL 2.0\Astral.exe"
1⤵
- Loads dropped DLL
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2164

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:3172

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Lateral Movement

Collection

Exfiltration

Command and Control

Web Service

1

T1102

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\cf4f3925-9c0a-450a-9184-9807a418352a\GunaDotNetRT64.dll
Filesize
142KB

MD5
9c43f77cb7cff27cb47ed67babe3eda5

SHA1
b0400cf68249369d21de86bd26bb84ccffd47c43

SHA256
f25b9288fe370dcfcb4823fb4e44ab88c7f5fce6e137d0dba389a3dba07d621e

SHA512
cde6fb6cf8db6f9746e69e6c10214e60b3646700d70b49668a2a792e309714dd2d4c5a5241977a833a95fcde8318abcc89eb9968a5039a0b75726bbfa27125a7

Download Submit
C:\Users\Admin\AppData\Local\Temp\cf4f3925-9c0a-450a-9184-9807a418352a\GunaDotNetRT64.dll
Filesize
142KB

MD5
9c43f77cb7cff27cb47ed67babe3eda5

SHA1
b0400cf68249369d21de86bd26bb84ccffd47c43

SHA256
f25b9288fe370dcfcb4823fb4e44ab88c7f5fce6e137d0dba389a3dba07d621e

SHA512
cde6fb6cf8db6f9746e69e6c10214e60b3646700d70b49668a2a792e309714dd2d4c5a5241977a833a95fcde8318abcc89eb9968a5039a0b75726bbfa27125a7

Download Submit
memory/2164-172-0x000002293FD50000-0x000002293FF14000-memory.dmp

Filesize
1.8MB

Download
memory/2164-10654-0x000002293E170000-0x000002293E180000-memory.dmp

Filesize
64KB

Download
memory/2164-140-0x000002293E170000-0x000002293E180000-memory.dmp

Filesize
64KB

Download
memory/2164-176-0x000002293FD50000-0x000002293FF14000-memory.dmp

Filesize
1.8MB

Download
memory/2164-135-0x00007FFA5EBE0000-0x00007FFA5EBE2000-memory.dmp

Filesize
8KB

Download
memory/2164-134-0x00007FFA5EBD0000-0x00007FFA5EBD2000-memory.dmp

Filesize
8KB

Download
memory/2164-147-0x00007FFA3EFC0000-0x00007FFA3F10E000-memory.dmp

Filesize
1.3MB

Download
memory/2164-148-0x000002293FD50000-0x000002293FF14000-memory.dmp

Filesize
1.8MB

Download
memory/2164-149-0x000002293FD50000-0x000002293FF14000-memory.dmp

Filesize
1.8MB

Download
memory/2164-151-0x000002293FD50000-0x000002293FF14000-memory.dmp

Filesize
1.8MB

Download
memory/2164-153-0x000002293FD50000-0x000002293FF14000-memory.dmp

Filesize
1.8MB

Download
memory/2164-155-0x000002293FD50000-0x000002293FF14000-memory.dmp

Filesize
1.8MB

Download
memory/2164-158-0x000002293FD50000-0x000002293FF14000-memory.dmp

Filesize
1.8MB

Download
memory/2164-157-0x00007FFA501C0000-0x00007FFA501E7000-memory.dmp

Filesize
156KB

Download
memory/2164-160-0x000002293FD50000-0x000002293FF14000-memory.dmp

Filesize
1.8MB

Download
memory/2164-162-0x000002293FD50000-0x000002293FF14000-memory.dmp

Filesize
1.8MB

Download
memory/2164-164-0x000002293FD50000-0x000002293FF14000-memory.dmp

Filesize
1.8MB

Download
memory/2164-180-0x000002293FD50000-0x000002293FF14000-memory.dmp

Filesize
1.8MB

Download
memory/2164-168-0x000002293FD50000-0x000002293FF14000-memory.dmp

Filesize
1.8MB

Download
memory/2164-170-0x000002293FD50000-0x000002293FF14000-memory.dmp

Filesize
1.8MB

Download
memory/2164-133-0x00000229224A0000-0x0000022923170000-memory.dmp

Filesize
12.8MB

Download
memory/2164-174-0x000002293FD50000-0x000002293FF14000-memory.dmp

Filesize
1.8MB

Download
memory/2164-139-0x0000022924DA0000-0x0000022924DA1000-memory.dmp

Filesize
4KB

Download
memory/2164-136-0x00007FFA3DA50000-0x00007FFA3E332000-memory.dmp

Filesize
8.9MB

Download
memory/2164-166-0x000002293FD50000-0x000002293FF14000-memory.dmp

Filesize
1.8MB

Download
memory/2164-182-0x000002293FD50000-0x000002293FF14000-memory.dmp

Filesize
1.8MB

Download
memory/2164-184-0x000002293FD50000-0x000002293FF14000-memory.dmp

Filesize
1.8MB

Download
memory/2164-186-0x000002293FD50000-0x000002293FF14000-memory.dmp

Filesize
1.8MB

Download
memory/2164-188-0x000002293FD50000-0x000002293FF14000-memory.dmp

Filesize
1.8MB

Download
memory/2164-190-0x000002293FD50000-0x000002293FF14000-memory.dmp

Filesize
1.8MB

Download
memory/2164-192-0x000002293FD50000-0x000002293FF14000-memory.dmp

Filesize
1.8MB

Download
memory/2164-194-0x000002293FD50000-0x000002293FF14000-memory.dmp

Filesize
1.8MB

Download
memory/2164-196-0x000002293FD50000-0x000002293FF14000-memory.dmp

Filesize
1.8MB

Download
memory/2164-198-0x000002293FD50000-0x000002293FF14000-memory.dmp

Filesize
1.8MB

Download
memory/2164-200-0x000002293FD50000-0x000002293FF14000-memory.dmp

Filesize
1.8MB

Download
memory/2164-202-0x000002293FD50000-0x000002293FF14000-memory.dmp

Filesize
1.8MB

Download
memory/2164-204-0x000002293FD50000-0x000002293FF14000-memory.dmp

Filesize
1.8MB

Download
memory/2164-206-0x000002293FD50000-0x000002293FF14000-memory.dmp

Filesize
1.8MB

Download
memory/2164-408-0x000002293E170000-0x000002293E180000-memory.dmp

Filesize
64KB

Download
memory/2164-842-0x00007FFA501C0000-0x00007FFA501E7000-memory.dmp

Filesize
156KB

Download
memory/2164-10651-0x000002293E170000-0x000002293E180000-memory.dmp

Filesize
64KB

Download
memory/2164-10652-0x000002293E170000-0x000002293E180000-memory.dmp

Filesize
64KB

Download
memory/2164-10653-0x000002293E170000-0x000002293E180000-memory.dmp

Filesize
64KB

Download
memory/2164-178-0x000002293FD50000-0x000002293FF14000-memory.dmp

Filesize
1.8MB

Download
memory/2164-10655-0x00007FFA501C0000-0x00007FFA501E7000-memory.dmp

Filesize
156KB

Download

Analysis

Sharing