Malware Analysis Report

2025-06-15 21:43

Sample ID 230414-cdxk4afe42
Target Astral.rar
SHA256 0e173c2a2d3d5e7b98d3e93423e6f3cb906459ff9a61d9e7c451787411995612
Tags
agilenet
score
7/10

Analysis Overview

score
7/10

SHA256

0e173c2a2d3d5e7b98d3e93423e6f3cb906459ff9a61d9e7c451787411995612

Threat Level: Shows suspicious behavior

Verdict for the file Astral.rar: shows suspicious behavior.

Malicious Activity Summary

agilenet

Loads dropped DLL

Obfuscated with Agile.Net obfuscator

Legitimate hosting services abused for malware hosting/C2

Suspicious use of NtSetInformationThreadHideFromDebugger

Program crash

Suspicious behavior: EnumeratesProcesses

Suspicious use of AdjustPrivilegeToken

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2023-04-14 01:58

Signatures

N/A

Analysis: behavioral1

Detonation Overview

Submitted

2023-04-14 01:58

Reported

2023-04-14 02:28

Platform

win10v2004-20230220-en

Max time kernel

1444s

Max time network

1232s

Command Line

"C:\Users\Admin\AppData\Local\Temp\ASTRAL 2.0\Astral.exe"

Signatures

Loads dropped DLL

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\ASTRAL 2.0\Astral.exe N/A

Obfuscated with Agile.Net obfuscator

agilenet
Description Indicator Process Target
N/A N/A N/A N/A (30 identical hits; the sandbox recorded no description, indicator, process or target for this signature)

Legitimate hosting services abused for malware hosting/C2

Suspicious use of NtSetInformationThreadHideFromDebugger

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\ASTRAL 2.0\Astral.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\ASTRAL 2.0\Astral.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\ASTRAL 2.0\Astral.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\ASTRAL 2.0\Astral.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\ASTRAL 2.0\Astral.exe

"C:\Users\Admin\AppData\Local\Temp\ASTRAL 2.0\Astral.exe"

C:\Windows\System32\rundll32.exe

C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding

Network

Country Destination Domain Proto
GB 95.101.143.105:443 assets.msn.com tcp
US 8.8.8.8:53 assets.msn.com udp
US 8.8.8.8:53 105.143.101.95.in-addr.arpa udp
US 8.8.8.8:53 103.169.127.40.in-addr.arpa udp
US 8.8.8.8:53 206.23.85.13.in-addr.arpa udp
US 8.8.8.8:53 138.238.32.23.in-addr.arpa udp
US 20.189.173.12:443 tcp
US 8.8.8.8:53 44.8.109.52.in-addr.arpa udp
US 93.184.220.29:80 tcp
NL 87.248.202.1:80 tcp
US 8.8.8.8:53 8.3.197.209.in-addr.arpa udp
US 8.8.8.8:53 pastebin.com udp
US 104.20.67.143:443 pastebin.com tcp
US 8.8.8.8:53 143.67.20.104.in-addr.arpa udp
US 8.8.8.8:53 27.73.42.20.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp

Files

memory/2164-133-0x00000229224A0000-0x0000022923170000-memory.dmp

memory/2164-134-0x00007FFA5EBD0000-0x00007FFA5EBD2000-memory.dmp

memory/2164-135-0x00007FFA5EBE0000-0x00007FFA5EBE2000-memory.dmp

memory/2164-136-0x00007FFA3DA50000-0x00007FFA3E332000-memory.dmp

memory/2164-140-0x000002293E170000-0x000002293E180000-memory.dmp

memory/2164-139-0x0000022924DA0000-0x0000022924DA1000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\cf4f3925-9c0a-450a-9184-9807a418352a\GunaDotNetRT64.dll

MD5 9c43f77cb7cff27cb47ed67babe3eda5
SHA1 b0400cf68249369d21de86bd26bb84ccffd47c43
SHA256 f25b9288fe370dcfcb4823fb4e44ab88c7f5fce6e137d0dba389a3dba07d621e
SHA512 cde6fb6cf8db6f9746e69e6c10214e60b3646700d70b49668a2a792e309714dd2d4c5a5241977a833a95fcde8318abcc89eb9968a5039a0b75726bbfa27125a7

memory/2164-147-0x00007FFA3EFC0000-0x00007FFA3F10E000-memory.dmp

memory/2164-148-0x000002293FD50000-0x000002293FF14000-memory.dmp

memory/2164-149-0x000002293FD50000-0x000002293FF14000-memory.dmp

memory/2164-151-0x000002293FD50000-0x000002293FF14000-memory.dmp

memory/2164-153-0x000002293FD50000-0x000002293FF14000-memory.dmp

memory/2164-155-0x000002293FD50000-0x000002293FF14000-memory.dmp

memory/2164-158-0x000002293FD50000-0x000002293FF14000-memory.dmp

memory/2164-157-0x00007FFA501C0000-0x00007FFA501E7000-memory.dmp

memory/2164-160-0x000002293FD50000-0x000002293FF14000-memory.dmp

memory/2164-162-0x000002293FD50000-0x000002293FF14000-memory.dmp

memory/2164-164-0x000002293FD50000-0x000002293FF14000-memory.dmp

memory/2164-166-0x000002293FD50000-0x000002293FF14000-memory.dmp

memory/2164-168-0x000002293FD50000-0x000002293FF14000-memory.dmp

memory/2164-170-0x000002293FD50000-0x000002293FF14000-memory.dmp

memory/2164-172-0x000002293FD50000-0x000002293FF14000-memory.dmp

memory/2164-174-0x000002293FD50000-0x000002293FF14000-memory.dmp

memory/2164-176-0x000002293FD50000-0x000002293FF14000-memory.dmp

memory/2164-178-0x000002293FD50000-0x000002293FF14000-memory.dmp

memory/2164-180-0x000002293FD50000-0x000002293FF14000-memory.dmp

memory/2164-182-0x000002293FD50000-0x000002293FF14000-memory.dmp

memory/2164-184-0x000002293FD50000-0x000002293FF14000-memory.dmp

memory/2164-186-0x000002293FD50000-0x000002293FF14000-memory.dmp

memory/2164-188-0x000002293FD50000-0x000002293FF14000-memory.dmp

memory/2164-190-0x000002293FD50000-0x000002293FF14000-memory.dmp

memory/2164-192-0x000002293FD50000-0x000002293FF14000-memory.dmp

memory/2164-194-0x000002293FD50000-0x000002293FF14000-memory.dmp

memory/2164-196-0x000002293FD50000-0x000002293FF14000-memory.dmp

memory/2164-198-0x000002293FD50000-0x000002293FF14000-memory.dmp

memory/2164-200-0x000002293FD50000-0x000002293FF14000-memory.dmp

memory/2164-202-0x000002293FD50000-0x000002293FF14000-memory.dmp

memory/2164-204-0x000002293FD50000-0x000002293FF14000-memory.dmp

memory/2164-206-0x000002293FD50000-0x000002293FF14000-memory.dmp

memory/2164-408-0x000002293E170000-0x000002293E180000-memory.dmp

memory/2164-842-0x00007FFA501C0000-0x00007FFA501E7000-memory.dmp

memory/2164-10651-0x000002293E170000-0x000002293E180000-memory.dmp

memory/2164-10652-0x000002293E170000-0x000002293E180000-memory.dmp

memory/2164-10653-0x000002293E170000-0x000002293E180000-memory.dmp

memory/2164-10654-0x000002293E170000-0x000002293E180000-memory.dmp

memory/2164-10655-0x00007FFA501C0000-0x00007FFA501E7000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted

2023-04-14 01:58

Reported

2023-04-14 02:28

Platform

win10v2004-20230220-en

Max time kernel

1533s

Max time network

1575s

Command Line

rundll32.exe "C:\Users\Admin\AppData\Local\Temp\ASTRAL 2.0\DNGRTx64.dll",#1

Signatures

Suspicious use of NtSetInformationThreadHideFromDebugger

Description Indicator Process Target
N/A N/A C:\Windows\system32\rundll32.exe N/A
N/A N/A C:\Windows\system32\rundll32.exe N/A
N/A N/A C:\Windows\system32\rundll32.exe N/A

Program crash

Description Indicator Process Target
N/A N/A C:\Windows\system32\WerFault.exe C:\Windows\system32\rundll32.exe

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Windows\system32\rundll32.exe N/A
N/A N/A C:\Windows\system32\rundll32.exe N/A
N/A N/A C:\Windows\system32\rundll32.exe N/A
N/A N/A C:\Windows\system32\rundll32.exe N/A

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe "C:\Users\Admin\AppData\Local\Temp\ASTRAL 2.0\DNGRTx64.dll",#1

C:\Windows\system32\WerFault.exe

C:\Windows\system32\WerFault.exe -pss -s 184 -p 2688 -ip 2688

C:\Windows\system32\WerFault.exe

C:\Windows\system32\WerFault.exe -u -p 2688 -s 340

Network

Country Destination Domain Proto
US 8.8.8.8:53 154.239.44.20.in-addr.arpa udp
US 8.8.8.8:53 71.159.190.20.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 228.249.119.40.in-addr.arpa udp
US 8.8.8.8:53 123.108.74.40.in-addr.arpa udp
US 52.152.108.96:443 tcp
US 209.197.3.8:80 tcp
NL 8.238.177.126:80 tcp
US 8.8.8.8:53 2.77.109.52.in-addr.arpa udp
US 8.8.8.8:53 56.126.166.20.in-addr.arpa udp
US 8.8.8.8:53 2.36.159.162.in-addr.arpa udp
US 8.8.8.8:53 56.126.166.20.in-addr.arpa udp
US 8.8.8.8:53 157.123.68.40.in-addr.arpa udp
NL 173.223.113.164:443 tcp
NL 173.223.113.131:80 tcp
US 204.79.197.203:80 tcp
US 8.8.8.8:53 12.173.189.20.in-addr.arpa udp
US 8.8.8.8:53 210.81.184.52.in-addr.arpa udp
US 8.8.8.8:53 234.238.32.23.in-addr.arpa udp
US 8.8.8.8:53 58.104.205.20.in-addr.arpa udp
US 8.8.8.8:53 177.238.32.23.in-addr.arpa udp

Files

memory/2688-133-0x00007FFE03510000-0x00007FFE03512000-memory.dmp

memory/2688-134-0x00007FFE03520000-0x00007FFE03522000-memory.dmp

memory/2688-135-0x00007FFDE4800000-0x00007FFDE50E2000-memory.dmp

memory/2688-138-0x000002123A6C0000-0x000002123A6C1000-memory.dmp