asyncrat | 511a99c70f3a3aaad381b3bf626e411b3b41f7a7cf3e040068a8cdddc6224296

Resubmissions

21-02-2024 22:28

240221-2d6lfagf69 10

20-02-2024 02:07

240220-cjy14shc8z 10

19-02-2024 17:57

240219-wjrftaaa5s 10

01-02-2024 17:44

240201-wbb16addcj 10

Analysis

max time kernel
1218s
max time network
1216s
platform
windows10-2004_x64
resource
win10v2004-20231222-en
resource tags

arch:x64arch:x86image:win10v2004-20231222-enlocale:en-usos:windows10-2004-x64system
submitted
01-02-2024 17:44

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

S500 CRASHED DESTROYED BY BIG DICK.zip
Size

82.3MB
MD5

5aa9ba2618a5e528af208ee5854cf2be
SHA1

3cf3eb1d8339bd5bc624ac10e797ccf556b538ca
SHA256

511a99c70f3a3aaad381b3bf626e411b3b41f7a7cf3e040068a8cdddc6224296
SHA512

f9d65db7b6ee067092ec08d4abeed3cbf40f2d7ada1a12ebe20d737aac9b1ed71895c9f9b7b1162a75733b25b14a022147cfd81970fcb9e7808eed3f9d79e087
SSDEEP

1572864:/JcbzDm3OZLuFkmVmzDmum6Whftzjat/Y34F1zBLgrNka51ML:Bcni3Gu/VmzWJ3KxYwANka51ML

Score

10^/10

asyncrat rat

Malware Config

Extracted

Family

asyncrat

127.0.0.1:3232

Mutex

nNx2ΔΙgg吉C伊弗Gp德WrDT

Attributes

delay
3
install
false
install_folder
.

aes.plain

Signatures

AsyncRat
AsyncRAT is designed to remotely monitor and control other computers written in C#.
rat asyncrat

Async RAT payload 1 IoCs

rat

Processes:

resource	yara_rule
behavioral3/files/0x0006000000023295-480.dat	family_asyncrat

Executes dropped EXE 2 IoCs

Processes:

S500RAT.exesEXYbABY.exe

pid	Process
1984	S500RAT.exe
2804	sEXYbABY.exe

Drops file in Program Files directory 1 IoCs

Processes:

S500RAT.exe

description	ioc	Process
File created	C:\Program Files\Win64\crash_handeler.vbs	S500RAT.exe

Modifies Internet Explorer settings 1 TTPs 1 IoCs

adware spyware

Modify Registry

T1112

Processes:

S500RAT.exe

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-3803511929-1339359695-2191195476-1000\Software\Microsoft\Internet Explorer\TypedURLs	S500RAT.exe

Suspicious behavior: EnumeratesProcesses 25 IoCs

Processes:

S500RAT.exe

pid	Process
1984	S500RAT.exe
1984	S500RAT.exe
1984	S500RAT.exe
1984	S500RAT.exe
1984	S500RAT.exe
1984	S500RAT.exe
1984	S500RAT.exe
1984	S500RAT.exe
1984	S500RAT.exe
1984	S500RAT.exe
1984	S500RAT.exe
1984	S500RAT.exe
1984	S500RAT.exe
1984	S500RAT.exe
1984	S500RAT.exe
1984	S500RAT.exe
1984	S500RAT.exe
1984	S500RAT.exe
1984	S500RAT.exe
1984	S500RAT.exe
1984	S500RAT.exe
1984	S500RAT.exe
1984	S500RAT.exe
1984	S500RAT.exe
1984	S500RAT.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

Processes:

S500RAT.exe

pid	Process
1984	S500RAT.exe

Suspicious use of AdjustPrivilegeToken 6 IoCs

Processes:

7zG.exeS500RAT.exesEXYbABY.exe

description	pid	Process
Token: SeRestorePrivilege	1016	7zG.exe
Token: 35	1016	7zG.exe
Token: SeSecurityPrivilege	1016	7zG.exe
Token: SeSecurityPrivilege	1016	7zG.exe
Token: SeDebugPrivilege	1984	S500RAT.exe
Token: SeDebugPrivilege	2804	sEXYbABY.exe

Suspicious use of FindShellTrayWindow 2 IoCs

Processes:

7zG.exeS500RAT.exe

pid	Process
1016	7zG.exe
1984	S500RAT.exe

Suspicious use of SendNotifyMessage 1 IoCs

Processes:

S500RAT.exe

pid	Process
1984	S500RAT.exe

C:\Windows\Explorer.exe
C:\Windows\Explorer.exe /idlist,,"C:\Users\Admin\AppData\Local\Temp\S500 CRASHED DESTROYED BY BIG DICK.zip"
1⤵
PID:1372

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:1504

C:\Program Files\7-Zip\7zG.exe
"C:\Program Files\7-Zip\7zG.exe" x -o"C:\Users\Admin\AppData\Local\Temp\S500 CRASHED DESTROYED BY BIG DICK\" -spe -an -ai#7zMap2148:148:7zEvent13780
1⤵
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
PID:1016

C:\Users\Admin\AppData\Local\Temp\S500 CRASHED DESTROYED BY BIG DICK\S500RAT.exe
"C:\Users\Admin\AppData\Local\Temp\S500 CRASHED DESTROYED BY BIG DICK\S500RAT.exe"
1⤵
- Executes dropped EXE
- Drops file in Program Files directory
- Modifies Internet Explorer settings
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:1984

C:\Windows\system32\wbem\WmiApSrv.exe
C:\Windows\system32\wbem\WmiApSrv.exe
1⤵
PID:1020

C:\Users\Admin\AppData\Local\Temp\S500 CRASHED DESTROYED BY BIG DICK\sEXYbABY.exe
"C:\Users\Admin\AppData\Local\Temp\S500 CRASHED DESTROYED BY BIG DICK\sEXYbABY.exe"
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:2804

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\S500 CRASHED DESTROYED BY BIG DICK\Anarchy.Forms.FormRegValueEditMultiString.resources

Filesize
67KB

MD5
beda8bbd2a72e45431cf5dd68f7c6e61

SHA1
18e28ada040e4c62e33d946046a9ccf66f839f0d

SHA256
f9f9c2a4855d61b7c7f93e9258d0306be802ef9c8c8929186deb71ee96b06d4c

SHA512
6287bb138431c33a2dd30b7c06c979ee89f691900eb407e14465d58188d04d7697ecc68eb6d479db664ea86f35b7ce6b611834028ddbd56513003c1ca28f0899

Download Submit
C:\Users\Admin\AppData\Local\Temp\S500 CRASHED DESTROYED BY BIG DICK\Anarchy.Forms.FormSendFileToMemory.resources

Filesize
66KB

MD5
fa80841e3dc9ffb31dd5d015c1030172

SHA1
aa0d9e66db2a8528edf9931fe132f18870307216

SHA256
a5b9f5ccfe8ac46a630ac1cc112d343364fa2bc4a2bec0f3911322cff174cff9

SHA512
a38cc863d3c0c8d944340cd4116f03bbdb2f1526fb40b476cd0adbd444fd1dc10790d35eaf50ea34a1083b163baa82251a5048f075651bc14e46ac4cb82897bd

Download Submit
C:\Users\Admin\AppData\Local\Temp\S500 CRASHED DESTROYED BY BIG DICK\Guna.UI2.dll

Filesize
416KB

MD5
6feafed894a6ac8aab3747f3ef98b73e

SHA1
b236f33f7ff3e67fb750aafa615933116fa5e1b5

SHA256
9b31269edf1f7021bf1a5862f1e55664bd4637cd64284c0887dbee7bab352401

SHA512
2d2c7286862eb593ade3209d6a148e5c14d4cedff4a9804560ede1dacfe4ff04cff395b673f27c2f0f5a369110501df5876b1b83d3421a16690883256a3d0218

Download Submit
C:\Users\Admin\AppData\Local\Temp\S500 CRASHED DESTROYED BY BIG DICK\Plugins\KNTmoSnG.AnarHs.dll

Filesize
373KB

MD5
1681e0f3311751361030ff30a957a1ed

SHA1
8f3b55e130af507549817fda37474a1391e6b8f2

SHA256
234724f14dbb999853aeb872d7e6c3ed0b3de5b105009b5c66131a2af8d0dbb4

SHA512
60690b2c1e2816a640f5763f9c20de9a39cb9735ea4a3f0bf4f477d3e184f8791e556313a7523c70ed2fb9182d520842bce70057cedd5cb89b923fd6f9067dd1

Download Submit
C:\Users\Admin\AppData\Local\Temp\S500 CRASHED DESTROYED BY BIG DICK\ReaLTaiizor.dll

Filesize
972KB

MD5
89b78070628e55df41f91bbe1bda36da

SHA1
98f4377ffa2d847a6d5ba635b5bc4d34bf775071

SHA256
c95d46841a04204db282a5e9badec5eda4c405f82f36722b740e596d9275bee0

SHA512
77355e050d14b7238ffad629de24b9d305921d142939d79e73bda20298e95106f6dc2c328cc4ec0e7f536ef0bef4cba1c4c9670e20060f7fb6825c22f1554960

Download Submit
C:\Users\Admin\AppData\Local\Temp\S500 CRASHED DESTROYED BY BIG DICK\S500RAT.exe

Filesize
1.2MB

MD5
b88305eb1a18c2d943345bf04b5cd100

SHA1
8106ff0e1652ad9327800835dc26b1ed553f3613

SHA256
73be62257ce73c671896efa851c4dfa6f799268fd02a634daa3bd7abd74ebfd6

SHA512
88fdffc73989660c4d3b00290062dc721cddc7f968e228e8c260ea9e68b0abead4267e977c4c2e77dcbccd735bbf20083e5624ca63bee5faed0d6618a2466d9e

Download Submit
C:\Users\Admin\AppData\Local\Temp\S500 CRASHED DESTROYED BY BIG DICK\S500RAT.exe

Filesize
1.1MB

MD5
60d1d5e9dce15e4961c1ccda1dea9490

SHA1
7b5e1000ab793da792198b8e6ea8f0cb89a7f09f

SHA256
ee7a67fd2f1802a2da32cc0cf4d514fdf57f98e656d6005bf57e107a8dbbb68d

SHA512
45820fefa18f36ff8fe8666fede3e6274c2a0916be6e9a9c9f24dbec26c30df383d3b3fcce372b568c1a9311c7adfd9e3f87112f903f4401d71635f5dc82f1f4

Download Submit
C:\Users\Admin\AppData\Local\Temp\S500 CRASHED DESTROYED BY BIG DICK\S500RAT.exe.config

Filesize
530B

MD5
c7a4606f8f222fc96e1e6b08c093794b

SHA1
2700b3727ab01d93e75e1e12f308dcaeb1d37dba

SHA256
32d656a69b19be98ae050512a4d0f49ebe21b6f7bb9c50130b7e952ea4f5239b

SHA512
7516375b47536a51ede8079d25760e0142ac93077326b6cc033fd6cb1676b65aec7edb3f702922506f2b6b18992cd219be01e7adbf70c6d13404adceb410472b

Download Submit
C:\Users\Admin\AppData\Local\Temp\S500 CRASHED DESTROYED BY BIG DICK\S500RAT.pdb

Filesize
264KB

MD5
5a98d0d238e07f8e1ea530329fb08898

SHA1
b7b16861671027ecd27aa4282e0356058453aa59

SHA256
7908ad8f9e05645b6e7568df656c2aa4f67e8350a08aa8a1993ab67c325bb0db

SHA512
c2c3761709acf86272e2f46ac604f274c2a6feb2f9e680b1783c521347441c9ba6e50c5086bea4aad9e2550edee962dd57b6907bc29c0ec427869d28d83a60f0

Download Submit
C:\Users\Admin\AppData\Local\Temp\S500 CRASHED DESTROYED BY BIG DICK\Siticone.UI.dll

Filesize
479KB

MD5
8e5e6da3e45765ee907bd6b518b1807e

SHA1
a853d23fb98adf78e810f24fb8740cb7551c142f

SHA256
79399cda397342a21ea63aa3fc867d899ae76b7e73219e9c6f89659c096b2395

SHA512
7a230c8c7f6da74da396b9a13c76648ce8a0d1a74add159ad6b944577f3b50a3d625dfc446c889b28b7181f2d8e34be5d3a3f7e2650c9a8d3367b3fc0eea86fc

Download Submit
C:\Users\Admin\AppData\Local\Temp\S500 CRASHED DESTROYED BY BIG DICK\Usrs.p12

Filesize
1KB

MD5
e14c7402da26e4a1a1c226d546ec3aba

SHA1
3234c40fa2aec2d483d2b7ede9b901d3899d5336

SHA256
dd00f7ce28d7ef1e14f50b046ca1736f15ab08e6458d2c2cc72d078e4354ddb7

SHA512
cba4cd515319b11be1a94ffb22c4b14b933868217a1b7f6ce126568b82723769baf170f9d1f262135b8867162b8e932a9c2143603c4c9d668edc3f4622cfb5b2

Download Submit
C:\Users\Admin\AppData\Local\Temp\S500 CRASHED DESTROYED BY BIG DICK\cGeoIp.dll

Filesize
893KB

MD5
52841e4e8a48b2ae2a789018a20296c9

SHA1
6856fbbd100d0647cb0bc9273224f6ce5dd26331

SHA256
db56bb39ede3564bd45df9ed06caed7462b33916a4ae22db55e285c04eb23e4d

SHA512
edb48aa18feea4ebebfaa08658b7576bb53d34b111cb625ef53bd5f33c9b36bcee37bd2905506b61e7764119c137a68f667b0da8aee60c6eea1fbc49492c4858

Download Submit
C:\Users\Admin\AppData\Local\Temp\S500 CRASHED DESTROYED BY BIG DICK\sEXYbABY.exe

Filesize
63KB

MD5
9cabbaa5f95805449b6b39dfb5363ef7

SHA1
bfc9f92dcb82de22f2cfafbc2004375a3de0e112

SHA256
6ee41c8e942eadb4053b0b0e4535366e7a3921c740aa7d607bf3f3c9f8b20df9

SHA512
9fcc2be5099620108668dd06e42c43565c7bc1e8b22e092b1dbd20fbb5145e70a24513010c089a13c1e4ed6575778c4a7ca18669b8a977109f63545a7b430471

Download Submit
memory/1984-461-0x000002499D990000-0x000002499D9A4000-memory.dmp

Filesize
80KB

Download
memory/1984-468-0x00000249FF140000-0x00000249FF150000-memory.dmp

Filesize
64KB

Download
memory/1984-451-0x0000024999A60000-0x000002499A61E000-memory.dmp

Filesize
11.7MB

Download
memory/1984-452-0x00000249FF140000-0x00000249FF150000-memory.dmp

Filesize
64KB

Download
memory/1984-453-0x00000249FF140000-0x00000249FF150000-memory.dmp

Filesize
64KB

Download
memory/1984-455-0x0000024A005F0000-0x0000024A00BD8000-memory.dmp

Filesize
5.9MB

Download
memory/1984-449-0x00000249FF400000-0x00000249FF466000-memory.dmp

Filesize
408KB

Download
memory/1984-456-0x00000249FF140000-0x00000249FF150000-memory.dmp

Filesize
64KB

Download
memory/1984-457-0x00000249FF140000-0x00000249FF150000-memory.dmp

Filesize
64KB

Download
memory/1984-458-0x00007FFE98130000-0x00007FFE98BF1000-memory.dmp

Filesize
10.8MB

Download
memory/1984-448-0x00000249FF2E0000-0x00000249FF3FA000-memory.dmp

Filesize
1.1MB

Download
memory/1984-460-0x0000024A00000000-0x0000024A0014E000-memory.dmp

Filesize
1.3MB

Download
memory/1984-447-0x00000249FFBD0000-0x00000249FFDC4000-memory.dmp

Filesize
2.0MB

Download
memory/1984-462-0x00000249FF140000-0x00000249FF150000-memory.dmp

Filesize
64KB

Download
memory/1984-464-0x00000249FF140000-0x00000249FF150000-memory.dmp

Filesize
64KB

Download
memory/1984-463-0x00000249FF140000-0x00000249FF150000-memory.dmp

Filesize
64KB

Download
memory/1984-465-0x00000249FF140000-0x00000249FF150000-memory.dmp

Filesize
64KB

Download
memory/1984-466-0x00000249FF140000-0x00000249FF150000-memory.dmp

Filesize
64KB

Download
memory/1984-467-0x00000249FF140000-0x00000249FF150000-memory.dmp

Filesize
64KB

Download
memory/1984-450-0x00000249FF1A0000-0x00000249FF1C4000-memory.dmp

Filesize
144KB

Download
memory/1984-445-0x00000249FF140000-0x00000249FF150000-memory.dmp

Filesize
64KB

Download
memory/1984-472-0x00000249FF140000-0x00000249FF150000-memory.dmp

Filesize
64KB

Download
memory/1984-473-0x00000249FF140000-0x00000249FF150000-memory.dmp

Filesize
64KB

Download
memory/1984-475-0x00000249A7270000-0x00000249A7370000-memory.dmp

Filesize
1024KB

Download
memory/1984-476-0x00000249A7270000-0x00000249A7370000-memory.dmp

Filesize
1024KB

Download
memory/1984-444-0x00000249FF860000-0x00000249FFAB2000-memory.dmp

Filesize
2.3MB

Download
memory/1984-478-0x00000249A7270000-0x00000249A7370000-memory.dmp

Filesize
1024KB

Download
memory/1984-479-0x00000249A7270000-0x00000249A7370000-memory.dmp

Filesize
1024KB

Download
memory/1984-442-0x00000249DFBC0000-0x00000249E0BC0000-memory.dmp

Filesize
16.0MB

Download
memory/1984-489-0x00000249A7270000-0x00000249A7370000-memory.dmp

Filesize
1024KB

Download
memory/1984-441-0x00007FFE98130000-0x00007FFE98BF1000-memory.dmp

Filesize
10.8MB

Download
memory/1984-487-0x00000249A7270000-0x00000249A7370000-memory.dmp

Filesize
1024KB

Download
memory/2804-485-0x00007FFE98130000-0x00007FFE98BF1000-memory.dmp

Filesize
10.8MB

Download
memory/2804-486-0x00000000024B0000-0x00000000024C0000-memory.dmp

Filesize
64KB

Download
memory/2804-484-0x00000000024B0000-0x00000000024C0000-memory.dmp

Filesize
64KB

Download
memory/2804-483-0x00007FFE98130000-0x00007FFE98BF1000-memory.dmp

Filesize
10.8MB

Download
memory/2804-482-0x0000000000120000-0x0000000000136000-memory.dmp

Filesize
88KB

Download