General

  • Target

    S500 RAT.rar

  • Size

    9.4MB

  • Sample

    230801-t3ng6aaf2y

  • MD5

    88837b75720607f1c44ddff03510be64

  • SHA1

    d81336fd41336924b30ed56877e18ff119f2af89

  • SHA256

    1c757f9a1207133426cb3e337a7b32c28713bb764d8fd66a14995867f792ec85

  • SHA512

    d985dd203bf2846c283682be813d22cc7dc89e21fa52ff0de68adccfb202611753baa3a4303bec721d469be7759cc1f11def61d5f49a7582c14a5d4cf765db56

  • SSDEEP

    196608:Ckz5AKib1SAUmQK29VJ5z7Az8xJ7qxhMdcn4MUkhtiuOBp7KgzmECy4q7:7xg1xQK2NFkzA6MdA4MFMBp7nzme7

Malware Config

Extracted

  • Language

    ps1

  • Source

    ps1.dropper

  • URLs

    https://rentry.org/sb54d2/raw

Targets

    • Target

      BouncyCastle.Crypto.dll

    • Size

      2.5MB

    • MD5

      3551343fab213740bbb022e3a6dcf27b

    • SHA1

      de67fb4f9d58db4a860a703c8d1f54ff00ff9b1f

    • SHA256

      5530dff976bc0c889076b97ca695bdb97ef07f63449d32f893ed32398ed8bfe6

    • SHA512

      e90f51053e1d4b0ea1f7458229de92174abf0781c766290da4de5cc8dfcfb730998252bf28b36ca5070978fdcea8b97f0aea6a47b875dd34173643ac0cb46c42

    • SSDEEP

      49152:3CTzhVM0AU5d3UOhq8hmReOUJfd5T3D+VTQlgQeCKbu9kQLO0:GwU5d3vhzhmoOmfd5rqX0

    • Score

      1/10

    • Target

      Compression7zip.dll

    • Size

      40KB

    • MD5

      cbc44e5fc144b9e998b1d98452a87c06

    • SHA1

      b1dd5c67f1e37bf1b40ca5abb031899a09798b1d

    • SHA256

      1c167173ee4f36732bec73ac19fd774b3bd606c8c5d46cd35194093f642b711c

    • SHA512

      38fce2c86225115d7aa19fadb5567fbfee4a75e30a93440d0ae0ca800767ad27e3689de0a9a953f79f5bfa16aba5ad232cad4154889f510b51ef32185f6a4fdc

    • SSDEEP

      768:eGDJdsdPCIxoHXNo2/z/heU/FLlPRnHdytMnRixGpiLuqAdIkUlGAxrID/Pve7E9:tDJdT/9eU/FJZnvBhq7k1Xve72

    • Score

      1/10

    • Target

      FastColoredTextBox.dll

    • Size

      298KB

    • MD5

      020afdfc4f034027354b9f33fe0900cb

    • SHA1

      cf323c82de0ce24147033008d086a380a9f04868

    • SHA256

      8f9d26773e9a13779c4e1cd498ba484f31d2459df4cdfbb274919c316a8825b0

    • SHA512

      02c97d3361a365396b6eab5d09213330609f37a6f233d86fd7cb9859d1e7622a9d81d2a9201223703f510974d42a97596b16d0945cd34ba1ecd31d3760c68ea8

    • SSDEEP

      6144:Z/P+T2FFt0aWXsA7m25bmxbLampiI/nlsqJLDd5eNrgs:J+TuroVmRlb4IvZeNs

    • Score

      1/10

    • Target

      Gry73.dll

    • Size

      45KB

    • MD5

      b3d076f3125fa03d8f97a9fef0b42a5e

    • SHA1

      3f4ef3de41a8f3b7adcf79cc031fb4de12265304

    • SHA256

      21f68f41aadfc44c994ef9a4394d910250a4c9e43f4d8c43b3015f5390014819

    • SHA512

      27ab2e34c44a720a6f836d5892dcf1cb426bc20bced7e218799a7d6cf57b5e1e8719e3bb580a5d1be623e91a5e9333298541395d774bf6af4fdeacf855867f13

    • SSDEEP

      768:PX5Ii8RZqHCPLq6vt/3pjsK/ZvT+T84o4snonmeTz6dXJyZ:PX28CDq63pjsKtaT8nXC/TkXJi

    • Score

      1/10

    • Target

      Guna.UI2.dll

    • Size

      1.9MB

    • MD5

      0f07705bd42d86d77dab085c42775244

    • SHA1

      7e4b5c367183f4753a8d610e353c458c3def3888

    • SHA256

      cf9b66e11506fa431849350c0cb58430a71e5ec943d2db9ef1b2e2302f299443

    • SHA512

      851b1a4c470ee7fe07ce5619c16fd391428585926c5b559694a9e445633ea51ec86c74a3bbf3bce39d943c4bf714dad2fd3c4a4d0703be2333541c79a2ee97f0

    • SSDEEP

      24576:m8Yq6KN2liAVp0j4DuJPbTzcH7DlktjfEzgKxGgcKM8Q3xajfgY236RYgPNsP:drCqfE0KctKM8Qv6RYgPY

    • Score

      1/10

    • Target

      LiveCharts.Wpf.dll

    • Size

      212KB

    • MD5

      e924f79f0b5f3e79c98477d75831813d

    • SHA1

      64f71e20e1953b13c771d8a8e63549ad6d64216e

    • SHA256

      1bdbb1b5c1a50653e5c26161e9b7c03edc518721a6e10ea180a84049d967106b

    • SHA512

      063e9bdbdaf0accb46cef5fdb98b30a97b8a6ba097a80d43a9799ff73e820d1c56d41ca9f71d94497736e3def7fbd0109db4000ab1d9e46cdc96357bf3e15fd1

    • SSDEEP

      6144:d/vd0eaDQcUc0GkiTV3bkACA3AloBtefVt+aA2xgKPo1zlW1w:vaErjGkiTV3bkACA3AloBtefVt+aAGBF

    • Score

      1/10

    • Target

      LiveCharts.dll

    • Size

      148KB

    • MD5

      9642899636959b7fc89bf34a8b998a90

    • SHA1

      479a0254d1c9e5565c7d861bb77f54b7eae50c96

    • SHA256

      9fcf89837b60f69c1c501e4cfa4d2860887afd0b8f325803367e795a4e3bc9ca

    • SHA512

      435dccb57ff3e9d0663770768c866838b19fbaa5b8e79de0ca111d9c73276f016e016d1d268f72cf3435ecac122039764fada952e1a4f68f368b492bb866c9a2

    • SSDEEP

      3072:saegvMNVoz3Vlw6/R3z3MV1IdJJGVKWHC2KdxFFT9lzo:VFJlwYMVWY65z

    • Score

      1/10

    • Target

      MetroFramework.dll

    • Size

      345KB

    • MD5

      34ea7f7d66563f724318e322ff08f4db

    • SHA1

      d0aa8038a92eb43def2fffbbf4114b02636117c5

    • SHA256

      c2c12d31b4844e29de31594fc9632a372a553631de0a0a04c8af91668e37cf49

    • SHA512

      dceb1f9435b9479f6aea9b0644ba8c46338a7f458c313822a9d9b3266d79af395b9b2797ed3217c7048db8b22955ec6fe8b0b1778077fa1de587123ad9e6b148

    • SSDEEP

      6144:M4S7k5hdCpU4YqfkUGz6KpQQZQHDXjNCdOZgLdL5DXBK:M4S7k5hdCEQHP1Zgj

    • Score

      1/10

    • Target

      Obfuscation.dll

    • Size

      22KB

    • MD5

      0dac4ba4180115bcbafced522b94970a

    • SHA1

      d70457578f3e0db24ecab84323854c7c7a724f61

    • SHA256

      8cb9ede1fd8c60691503b77c3ef52b35881a2555057cb5557341cd8c89e752de

    • SHA512

      b27329c07ed0f671aa109cdd49d2c32d84031dc64a290f9447864aee0975cc0662179f0c684c5feacb6ca7f99b9eb483bbc74a79234c741f69efeff76ad0c87a

    • SSDEEP

      384:KTvtklEbiXejlVExwehhLzb5s5TbRRyLGv4Jv7ZEIbioxY:lEbiSPExZhV4BvQzZE/oxY

    • Score

      1/10

    • Target

      QuickLZLibrary.dll

    • Size

      7KB

    • MD5

      c2c2fda4de7694638f7db9251d9f5b3f

    • SHA1

      067c2716157f81eb0dee221b8284826ecc999438

    • SHA256

      84010ec684909d229dae5c004f83a3b4d103a7e6f7169c9668be42916196d39d

    • SHA512

      1fe1aef9178452e500bc4698574ca604bdc634868914f042ae78aaeb26de266dff1ddcf2a31c154a18870514025ed5ec394c185215887db1fc090ba6e4471ac4

    • SSDEEP

      96:Vo8kCURbgvm6xActMpN/zLZLaKmpaqGp+YT5Z5sBGqVoRxi1kVCUdcyQAaE:qnVbgvm6OcGJNaKqGphTnyQxzi1kzop

    • Score

      1/10

    • Target

      S500RAT.exe

    • Size

      17.8MB

    • MD5

      b285306536758d03cc4d3fa7bf598c3d

    • SHA1

      a653efb2e53150be5a0c384af74a0b9404c3b2cf

    • SHA256

      d4574bfb2b1c826290e8000e5dc3e535a723f98929f4ec0b9396ec6ab3f8fd4d

    • SHA512

      db6dfb4579551dc4e603253cea61f74ae0862f02d7a8441eda6d466951ea405cd07889763814ff25b8f726895356c36754c5144f18771aa8feaeb4da15b02d33

    • SSDEEP

      196608:YrT0y2MuVNz+K4rG0y2MuVNz+Kk0y2MuVNz+KN0y2MuVNz+KLiAB7Z0/slzLIWAq:UTdQVN4GdQVNAdQVNRdQVNfBd+2LzMu

    • DcRat

      DarkCrystal (DC) is a new .NET RAT, active since June 2019, that is capable of loading additional plugins.

    • Detect rhadamanthys stealer shellcode

    • Rhadamanthys

      Rhadamanthys is an info stealer written in C++, first seen in August 2022.

    • DCRat payload

      Detects the payload of DCRat, which is commonly dropped by NSIS installers.

    • Blocklisted process makes network request

    • Downloads MZ/PE file

    • Stops running service(s)

    • Executes dropped EXE

    • Legitimate hosting services abused for malware hosting/C2

    • Target

      Socks5.dll

    • Size

      45KB

    • MD5

      bcc07553084bda379f68d386fe4886ad

    • SHA1

      4e575358c91f0cc1abd91e6d574336e6118abb85

    • SHA256

      39b5c1092cb7cd2ca9a8704f37b5d97c5d104cbb6ca4b164e15ff27616bb47d6

    • SHA512

      a4877e98db5489f6b459ac777cdce6abfc9889105ea3c449f2231c85347f97b90e1853c8c9e0b8fde4834e75ef8990b131f2f8b862bd74d19efea79a35afb75a

    • SSDEEP

      768:Ca6RgXQvsxcn7GHvRUy3y8MUtiITnwp4TEINV:ChqO7GHvRUuVIIL847/

    • Score

      1/10

    • Target

      SunnyUI.Common.dll

    • Size

      221KB

    • MD5

      17cbdd9e4cb0ede2fad8c08c05fdaa84

    • SHA1

      74bc0ea3e8bd64c6752b6c0adac1bfe2b313416c

    • SHA256

      d975bc4711655e6fd2361ae9b056c617051f616ced5b46ce7772255a85712441

    • SHA512

      1948c20585ecb9984cd9452a74bcb75e81c35ca37f0cf0e1d3f211ad71b9e40c215f4784af7803cec9baef9984f682a32817a85806aefad21830b13b6a0a6a4a

    • SSDEEP

      3072:hhZAZ8ZfGPuMDFy6EDinwGGcupdEmyiQ959xNoxcG9tS1lPHx:vayAuMDtdnwldgffqcH

    • Score

      1/10

    • Target

      SunnyUI.dll

    • Size

      2.2MB

    • MD5

      af527b22b92a23c38a492c5961cf2643

    • SHA1

      15106adfa13415287b3e9d8deba21df53cb92eda

    • SHA256

      4208c9293c5684d2fc3c8f5a269a1120adee32fbd2766bbb73410aab2d491b7a

    • SHA512

      543cce9b5e4c9558bf0bd0da9d6af8c1ad2f7d62e2d65a9aa4e3af9e4840ce6fb6bbe8952bd20f6f1e3a6d3b5e5e5b3417a60b6d955bfa4e23a653262677b49c

    • SSDEEP

      24576:oZzlUptCXkpfdvNCPKJf8sleX7wIU8CdSjvXUg8w5n2WB+kM64p9zgQvRu9Pv1wc:oZzlUpt0k7xF4XsI5CSj8g7/+kI5

    • Score

      1/10

    • Target

      Svg.dll

    • Size

      584KB

    • MD5

      11a5dc656950ab0017d3e323a6ec34ee

    • SHA1

      d644575902b40542101d228a53c9cd1d376d6dad

    • SHA256

      f1386d1d6623687bd96861980f648a0cb5fd5beef703bd03ae02e212caa650ed

    • SHA512

      5cc372cb773ced22935b37d5465a79f634b119281e3627c1d1b9134871bf7c0d33a47a05e5bff379d4d890ce8b8928da6b74be45a5ab63bc4277b382b8ee930e

    • SSDEEP

      12288:SiyGYk4VMy6CmUigYSxx9V1jnQxZdlCG3pFb6KtXX2nrfSNT6v2q6w:SiDYkgigYSb9V1jnQxZdlCG3pFb6KtXS

    • Score

      1/10

    • Target

      Tulpep.NotificationWindow.dll

    • Size

      28KB

    • MD5

      5e900a99ea361e4d0baeadb104ac7c8f

    • SHA1

      efc3655f383cce6fd25ba51f6ddf1ded3d705788

    • SHA256

      a21009898bda6a9fd598f34e5177adc602cf0d777bc4899e6c10b2e940667149

    • SHA512

      1abd166e3a3ae6fe0fdebffb73c480899597131b24674b672c93dda90de299577d081f3f692293d1fd53d090d2983240774f50f671a48ea8768b9ca053ca3a00

    • SSDEEP

      384:CBGt+WXpKeuokwNwArkyZVUUMB2zLg2JDtSC2sRBxaySYRjsUdPwzPwLPwpPwJP3:8ApzV7+Hy5dBxv1Rf5q4DH

    • Score

      1/10

    • Target

      Vestris.ResourceLib.dll

    • Size

      76KB

    • MD5

      944ce5123c94c66a50376e7b37e3a6a6

    • SHA1

      a1936ac79c987a5ba47ca3d023f740401f73529b

    • SHA256

      7da3f0e77c4dddc82df7c16c8c781fade599b7c91e3d32eefbce215b8f06b12a

    • SHA512

      4c034ff51cc01567f3cb0796575528ca44623b864eb606266bcf955a9259ed26b20bec0086d79038158d3a5af2ada0a90f59d7c6aae9e545294fe77825dbe08b

    • SSDEEP

      1536:CSSYikTF0Z+sFGu11tIcyI1MtI9eDG3fL7:CJYD0Z9FGu11teI1r9ea3

    • Score

      1/10

    • Target

      WinMic.dll

    • Size

      19KB

    • MD5

      001817cb1db39e38efb32123cc4deeaa

    • SHA1

      527297a8744ab230b04025203b637fb819039d16

    • SHA256

      fa8d7a078c13ee06d781dd2978f60dacb6df8414d678aa52254e100b2b076ffe

    • SHA512

      fa4c16cc892b8c6c55ee8d95e1dd8909e9f31a70d87944f09f23b4fb8f94e2581086b91958b67bb72dfa8c9b9eda9dbfa2c2e6a2c9677a70abbe3fb626f75479

    • SSDEEP

      384:UX6YI9/TWGAXcacj6i/i2auXiYbGhraS/7v3qBmdpP:T/TWYi2pvGhrf/7q0P

    • Score

      1/10

    • Target

      WinSound.dll

    • Size

      45KB

    • MD5

      c645289085617399cd51b0f6983440e9

    • SHA1

      49ef2ac5d9faf28a4ba092d7e6c2e5420bb4c6e7

    • SHA256

      84ddf212c192026d19ec817a7fdb0e821b2288b6f50f022332c4368abd1745b0

    • SHA512

      1b46de53bb7508d09ea28452cbdd3b417479e55c8d5d999c301bcd3edfa070bfbf0d629a3f48603d950ea0eac3455bd04ab2988c72dc526aacb87446f3b99f22

    • SSDEEP

      768:TsQ6PMTqP55RJToYHVi1lNBqje0dTEJ5fnmbIP7mPOEuRolZ1i27v9SsneTbfMeq:ndGEJVn8+tRolZpSsevE

    • Score

      1/10

    • Target

      cGeoIp.dll

    • Size

      2.3MB

    • MD5

      6d6e172e7965d1250a4a6f8a0513aa9f

    • SHA1

      b0fd4f64e837f48682874251c93258ee2cbcad2b

    • SHA256

      d1ddd15e9c727a5ecf78d3918c17aee0512f5b181ad44952686beb89146e6bd0

    • SHA512

      35daa38ad009599145aa241102bcd1f69b4caa55ebc5bb11df0a06567056c0ec5fcd02a33576c54c670755a6384e0229fd2f96622f12304dec58f79e1e834155

    • SSDEEP

      24576:TRgJE8pkCLLe/K43EnnnclQwIqJY0OjklWXQMFBRpmkL/59ah0USm3uwl00odi9p:TRgfX/59a6USdi9Ues6bV6boLO6r

    • Score

      1/10

    • Target

      crack.exe

    • Size

      74KB

    • MD5

      b755c4a6af6e4616b7174e9184d4bd01

    • SHA1

      e856e899dcd618263c28ed7f635b2a95746564a2

    • SHA256

      7bfc325de2e448380fe3ae921dddd5b4ab94432d60487d662d7b10ef2b248969

    • SHA512

      def7a5405fda0692f8bf7dbc7cfb67e2e38c6a3391b52209cf73b43b2773216e7bc399e8449d752db6fa6910387f22d7a2cd2a543f30983d13603f75a52345f0

    • SSDEEP

      1536:4N9JEPUl27ApdzzBFDzjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjj:09S0rzVZzjjjjjjjjjjjjjjjjjjjjjjj

    • DcRat

      DarkCrystal (DC) is a new .NET RAT, active since June 2019, that is capable of loading additional plugins.

    • Detect rhadamanthys stealer shellcode

    • Rhadamanthys

      Rhadamanthys is an info stealer written in C++, first seen in August 2022.

    • DCRat payload

      Detects the payload of DCRat, which is commonly dropped by NSIS installers.

    • Blocklisted process makes network request

    • Downloads MZ/PE file

    • Stops running service(s)

    • Executes dropped EXE

    • Legitimate hosting services abused for malware hosting/C2

    • Target

      dnlib.dll

    • Size

      1.1MB

    • MD5

      aac45c09e589c34f38a169e917d21b11

    • SHA1

      c5b28a69458b22808521c58591ebe8cbe5c0a341

    • SHA256

      3d3d849446b99e7e4b10cfb76f35351ea6cfd0c6af1bbfa0b30af51416abca0d

    • SHA512

      93835eeff562984eed07c720b20ff87f891eff3cf9fc9bd7fae4c120e7879afbff3b15f1576d7c81a967a74e225706b7e4ab5b70815976e5849dfe276ce359d0

    • SSDEEP

      24576:iy6PGgxRbNwkr0DLqf1U90rDmtv7fnXet:MW60GflS

    • Score

      1/10

    • Target

      initialization.dll

    • Size

      19KB

    • MD5

      39326f6ec7a9c067d05565f7b8d18ef5

    • SHA1

      3542ca68222f95027d0895091ffca04882e46a83

    • SHA256

      c6ef349244df9c312229f85b337d94edebde4979a62809c01181de1e92ab1859

    • SHA512

      3f2f6791282c069fae5d3fe383de1bb8685aa5c05148e07e73856d7225f2a774b68b11787e7c7becfe670bae39da59cb09c32858b034786cf1d2fe96148a0726

    • SSDEEP

      384:5TR8TTIHb6/DL3uvJaQTZiqYaVcZSBa2i3OFv53mTGBQ8aY:5TROTkO2wqLV2S0skGBQ8p

    • Score

      1/10

    • Target

      lz4.AnyCPU.loader.dll

    • Size

      985KB

    • MD5

      c42e778fcd5838b83704a6ddabb60c39

    • SHA1

      d47ee0ebbdc412badfb373207aec889798790a93

    • SHA256

      6f327812dd62cebbd8ab20b58b0fd3150800199e45b87c0fc8aa569ca7c27e69

    • SHA512

      12bc07cfdb826475e66e5a1a3ff6b265baa50e840191cb027146de8d17a0001163b9678e3f7723cdfabaa7b3f93dcca81be86d9c90eb9f266ddd3819a2357101

    • SSDEEP

      24576:wc2OYBjTIRL0Q+jDWi8IO6Lls0Uh/z5TyF0Nqxa7+s4EeL4pT:wjjTIRL0Q+jDWi8IO6Lls0Uh/z5TyF0R

    • Score

      1/10

    • Target

      protobuf-net.dll

    • Size

      278KB

    • MD5

      9fbb8cec55b2115c00c0ba386c37ce62

    • SHA1

      e2378a1c22c35e40fd1c3e19066de4e33b50f24a

    • SHA256

      9f01d9f2ed07e630ec078efa5d760762c3c8ad3b06e9e8a9062a37d63d57b026

    • SHA512

      da0211d1c9ba0a59616bc15de80a1fed62b0405cad3b11ae4220ef1488c7837634aad67cbc8b484621a2a6288ef5e424cd816a2523bdb6167abcab76f3ac1a04

    • SSDEEP

      6144:1kWu4n53u8Q5w+8yxIxM2NUpwMTRHslVz:G4n5e8kXOMkUp9GlV

    • Score

      1/10

    • Target

      zxing.dll

    • Size

      420KB

    • MD5

      ce9aaa0fbc6a2bbf063b044537db1dfc

    • SHA1

      0d2f94a52de141eeeb456c350ede8e70619fa300

    • SHA256

      6314d5da3a64d191d0cbe0e73cc53fb87c4c118306549237c13eb097e930dc03

    • SHA512

      679bc2a87557990608930547384d33c625217e5b1cbcb32794305a0245ee0198fba5ac1cbb7bd1d66a6dfacd8a8bb34ae581e4d17fcc06f1d2978ced3edf3eb8

    • SSDEEP

      6144:Sg3IbR8j0pDfMYlaYcQCDbcx97ONPCP1+aApF7RaXUU5iYMVBaBF:ShFrEs4Q2bcx97ONPCP1+aAptRaXSBa

    • Score

      1/10
