Malware Analysis Report

2025-05-05 22:25

Sample ID: 231014-xfajkagc96
Target: Chinese-Rat.rar
SHA256: 7f16bbad32fe87a9dbaf60d0958428192dc9b118df58e7d941ade00a56c8951a
Tags: agilenet
Score: 7/10

Table of Contents

Analysis Overview
MITRE ATT&CK
    Enterprise Matrix V15
Analysis: static1
    Detonation Overview
    Signatures
Analysis: behavioral1
    Detonation Overview
    Command Line
    Signatures
    Processes
    Network
    Files
Analysis: behavioral2
    Detonation Overview
    Command Line
    Signatures
    Processes
    Network
    Files

Analysis Overview

Score: 7/10

SHA256: 7f16bbad32fe87a9dbaf60d0958428192dc9b118df58e7d941ade00a56c8951a

Threat Level: Shows suspicious behavior

The file Chinese-Rat.rar was found to show suspicious behavior.

Malicious Activity Summary

agilenet

Executes dropped EXE

Obfuscated with Agile.Net obfuscator

Unsigned PE

Enumerates physical storage devices

Modifies registry class

Suspicious behavior: AddClipboardFormatListener

Suspicious behavior: GetForegroundWindowSpam

Suspicious use of SendNotifyMessage

Suspicious use of SetWindowsHookEx

Suspicious use of FindShellTrayWindow

Suspicious use of WriteProcessMemory

Suspicious use of AdjustPrivilegeToken

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported: 2023-10-14 18:48

Signatures

Obfuscated with Agile.Net obfuscator

Tag: agilenet
Description | Indicator | Process | Target
N/A | N/A | N/A | N/A

Unsigned PE

Description | Indicator | Process | Target
N/A | N/A | N/A | N/A

Analysis: behavioral1

Detonation Overview

Submitted: 2023-10-14 18:47
Reported: 2023-10-14 19:20
Platform: win7-20230831-en
Max time kernel: 1758s
Max time network: 1632s

Command Line

cmd /c C:\Users\Admin\AppData\Local\Temp\Chinese-Rat.rar

Signatures

Enumerates physical storage devices

Modifies registry class

Description | Indicator | Process | Target
Key created | \REGISTRY\USER\S-1-5-21-3849525425-30183055-657688904-1000_Classes\Local Settings | C:\Windows\system32\rundll32.exe | N/A

Suspicious behavior: AddClipboardFormatListener

Description | Indicator | Process | Target
N/A | N/A | C:\Program Files\VideoLAN\VLC\vlc.exe | N/A

Suspicious behavior: GetForegroundWindowSpam

Description | Indicator | Process | Target
N/A | N/A | C:\Program Files\VideoLAN\VLC\vlc.exe | N/A

Suspicious use of SetWindowsHookEx

Description | Indicator | Process | Target
N/A | N/A | C:\Program Files\VideoLAN\VLC\vlc.exe | N/A

Suspicious use of WriteProcessMemory

Description | Indicator | Process | Target
PID 2364 wrote to memory of 2740 | N/A | C:\Windows\system32\cmd.exe | C:\Windows\system32\rundll32.exe
PID 2740 wrote to memory of 2672 | N/A | C:\Windows\system32\rundll32.exe | C:\Program Files\VideoLAN\VLC\vlc.exe

Processes

C:\Windows\system32\cmd.exe

cmd /c C:\Users\Admin\AppData\Local\Temp\Chinese-Rat.rar

C:\Windows\system32\rundll32.exe

"C:\Windows\system32\rundll32.exe" C:\Windows\system32\shell32.dll,OpenAs_RunDLL C:\Users\Admin\AppData\Local\Temp\Chinese-Rat.rar

C:\Program Files\VideoLAN\VLC\vlc.exe

"C:\Program Files\VideoLAN\VLC\vlc.exe" --started-from-file "C:\Users\Admin\AppData\Local\Temp\Chinese-Rat.rar"

C:\Windows\explorer.exe

"C:\Windows\explorer.exe"

Network

N/A

Files


Analysis: behavioral2

Detonation Overview

Submitted: 2023-10-14 18:47
Reported: 2023-10-14 19:05
Platform: win10v2004-20230915-en
Max time kernel: 840s
Max time network: 819s

Command Line

cmd /c C:\Users\Admin\AppData\Local\Temp\Chinese-Rat.rar

Signatures

Enumerates physical storage devices

Modifies registry class

Description | Indicator | Process | Target
Key created | \REGISTRY\USER\S-1-5-21-1926387074-3400613176-3566796709-1000_Classes\Local Settings | C:\Windows\system32\cmd.exe | N/A
Key created | \REGISTRY\USER\S-1-5-21-1926387074-3400613176-3566796709-1000_Classes\Local Settings | C:\Windows\system32\OpenWith.exe | N/A

Suspicious behavior: GetForegroundWindowSpam

Description | Indicator | Process | Target
N/A | N/A | C:\Windows\system32\OpenWith.exe | N/A

Suspicious use of AdjustPrivilegeToken

Description | Indicator | Process | Target
Token: SeRestorePrivilege | N/A | C:\Program Files\7-Zip\7zG.exe | N/A
Token: 35 | N/A | C:\Program Files\7-Zip\7zG.exe | N/A
Token: SeSecurityPrivilege | N/A | C:\Program Files\7-Zip\7zG.exe | N/A

Suspicious use of FindShellTrayWindow

Description | Indicator | Process | Target
N/A | N/A | C:\Program Files\7-Zip\7zG.exe | N/A

Processes

C:\Windows\system32\cmd.exe

cmd /c C:\Users\Admin\AppData\Local\Temp\Chinese-Rat.rar

C:\Windows\system32\OpenWith.exe

C:\Windows\system32\OpenWith.exe -Embedding

C:\Windows\System32\rundll32.exe

C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding

C:\Program Files\7-Zip\7zG.exe

"C:\Program Files\7-Zip\7zG.exe" x -o"C:\Users\Admin\AppData\Local\Temp\Chinese-Rat\" -spe -an -ai#7zMap32025:102:7zEvent19306

C:\Users\Admin\AppData\Local\Temp\Chinese-Rat\Keygen.exe

"C:\Users\Admin\AppData\Local\Temp\Chinese-Rat\Keygen.exe"

C:\Users\Admin\AppData\Local\Temp\Chinese-Rat\Chinese-Rat\銘羊天下.exe

"C:\Users\Admin\AppData\Local\Temp\Chinese-Rat\Chinese-Rat\銘羊天下.exe"

Network


Files

C:\Users\Admin\AppData\Local\Temp\Chinese-Rat\Keygen.exe

MD5 ce7aff41b893a07cb610151d4f732002
SHA1 d5655dcc3b292b12980fabe71bf9653b68ce17c4
SHA256 0b182848cc93a7b90e26a0d1846a1d4639f0116ea13bbe90c5c7b239895fb18f
SHA512 c07009e1f9bae9cbc8a4309ca49eb171b0f2633459c1eb59734927cbeadd4af49fae639051cdf5f55c9813bd12c139c55a2c6e890f2b1fd97173914d3b320943

C:\Users\Admin\AppData\Local\Temp\Chinese-Rat\Chinese-Rat\銘羊天下.exe

MD5 d2be20f8eeb82b07a494e9441828d571
SHA1 ef55c6a21edaf3148e45586fb728296ddee7185f
SHA256 5ab666279fcb89b95fa27f7a1bf108998656515312f38e674b9ae720a428af52
SHA512 3059a02702856958280f13b5c61ad3c70b436303a05268f53507cadcd4f5601e73ea2239e016f846f9fa00b1e1842af748ea55d6e54beace1c315da80402a40b

C:\Users\Admin\AppData\Local\Temp\Chinese-Rat\Chinese-Rat\Windows.UI.Immersive.dll

MD5 e8174cee7f6fbd3996ce8904d39d5337
SHA1 6fbc5c1fdd135861109e1961109ea0070479b5f9
SHA256 ce12c2e789e9e576af4a7fc267b015e4adc3f6377c37ac3842307b4d62ae78f5
SHA512 e6ef23ab687381ea25f4291823d06faf32a6c9929c20b3a59ab668e1db9b01afd872c99ba9124d6d161c811eecb7ddbbf056d180df898b5ed32a74f2e7fa0551
