Malware Analysis Report

2024-10-10 10:39

Sample ID 240220-cjy14shc8z
Target S500 CRASHED DESTROYED BY BIG DICK.zip
SHA256 511a99c70f3a3aaad381b3bf626e411b3b41f7a7cf3e040068a8cdddc6224296
Tags
identifier rat agenttesla arrowrat asyncrat
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

511a99c70f3a3aaad381b3bf626e411b3b41f7a7cf3e040068a8cdddc6224296

Threat Level: Known bad

The file S500 CRASHED DESTROYED BY BIG DICK.zip was found to be: Known bad.

Malicious Activity Summary

identifier rat agenttesla arrowrat asyncrat

Agenttesla family

AsyncRat

AgentTesla payload

Asyncrat family

Async RAT payload

Arrowrat family

Contains code to disable Windows Defender

Async RAT payload

Executes dropped EXE

Drops file in Program Files directory

Unsigned PE

Suspicious use of AdjustPrivilegeToken

Suspicious behavior: EnumeratesProcesses

Modifies Internet Explorer settings

Suspicious use of FindShellTrayWindow

Suspicious use of SendNotifyMessage

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-02-20 02:08

Signatures

AgentTesla payload

Description Indicator Process Target
N/A N/A N/A N/A

Agenttesla family

agenttesla

Arrowrat family

arrowrat

Async RAT payload

rat
Description Indicator Process Target
N/A N/A N/A N/A

Asyncrat family

asyncrat

Contains code to disable Windows Defender

Description Indicator Process Target
N/A N/A N/A N/A

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-02-20 02:07

Reported

2024-02-20 02:29

Platform

win10v2004-20231222-en

Max time kernel

154s

Max time network

154s

Command Line

C:\Windows\Explorer.exe /idlist,,"C:\Users\Admin\AppData\Local\Temp\S500 CRASHED DESTROYED BY BIG DICK.zip"

Signatures

AsyncRat

rat asyncrat

Contains code to disable Windows Defender

Description Indicator Process Target
N/A N/A N/A N/A

Async RAT payload

rat
Description Indicator Process Target
N/A N/A N/A N/A

Drops file in Program Files directory

Description Indicator Process Target
File created C:\Program Files\Win64\crash_handeler.vbs C:\Users\Admin\Desktop\S500 CRASHED DESTROYED BY BIG DICK\S500RAT.exe N/A

Modifies Internet Explorer settings

adware spyware
Description Indicator Process Target
Key created \REGISTRY\USER\S-1-5-21-1168293393-3419776239-306423207-1000\Software\Microsoft\Internet Explorer\TypedURLs C:\Users\Admin\Desktop\S500 CRASHED DESTROYED BY BIG DICK\S500RAT.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\Desktop\S500 CRASHED DESTROYED BY BIG DICK\S500RAT.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeRestorePrivilege N/A C:\Program Files\7-Zip\7zFM.exe N/A
Token: 35 N/A C:\Program Files\7-Zip\7zFM.exe N/A
Token: SeSecurityPrivilege N/A C:\Program Files\7-Zip\7zFM.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\Desktop\S500 CRASHED DESTROYED BY BIG DICK\S500RAT.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\Desktop\S500 CRASHED DESTROYED BY BIG DICK\sEXYbABY.exe N/A

Suspicious use of FindShellTrayWindow

Description Indicator Process Target
N/A N/A C:\Program Files\7-Zip\7zFM.exe N/A
N/A N/A C:\Program Files\7-Zip\7zFM.exe N/A
N/A N/A C:\Users\Admin\Desktop\S500 CRASHED DESTROYED BY BIG DICK\S500RAT.exe N/A

Suspicious use of SendNotifyMessage

Description Indicator Process Target
N/A N/A C:\Users\Admin\Desktop\S500 CRASHED DESTROYED BY BIG DICK\S500RAT.exe N/A

Processes

C:\Windows\Explorer.exe

C:\Windows\Explorer.exe /idlist,,"C:\Users\Admin\AppData\Local\Temp\S500 CRASHED DESTROYED BY BIG DICK.zip"

C:\Windows\System32\rundll32.exe

C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding

C:\Program Files\7-Zip\7zFM.exe

"C:\Program Files\7-Zip\7zFM.exe" "C:\Users\Admin\AppData\Local\Temp\S500 CRASHED DESTROYED BY BIG DICK.zip"

C:\Users\Admin\Desktop\S500 CRASHED DESTROYED BY BIG DICK\S500RAT.exe

"C:\Users\Admin\Desktop\S500 CRASHED DESTROYED BY BIG DICK\S500RAT.exe"

C:\Windows\system32\wbem\WmiApSrv.exe

C:\Windows\system32\wbem\WmiApSrv.exe

C:\Users\Admin\Desktop\S500 CRASHED DESTROYED BY BIG DICK\sEXYbABY.exe

"C:\Users\Admin\Desktop\S500 CRASHED DESTROYED BY BIG DICK\sEXYbABY.exe"

Network

Country Destination Domain Proto
US 8.8.8.8:53 28.118.140.52.in-addr.arpa udp
US 8.8.8.8:53 180.178.17.96.in-addr.arpa udp
US 8.8.8.8:53 71.159.190.20.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 13.86.106.20.in-addr.arpa udp
US 8.8.8.8:53 79.121.231.20.in-addr.arpa udp
US 8.8.8.8:53 71.31.126.40.in-addr.arpa udp
US 8.8.8.8:53 157.123.68.40.in-addr.arpa udp
US 8.8.8.8:53 198.187.3.20.in-addr.arpa udp
US 8.8.8.8:53 0.205.248.87.in-addr.arpa udp
US 8.8.8.8:53 filebin.net udp
DE 88.99.137.18:443 filebin.net tcp
US 8.8.8.8:53 18.137.99.88.in-addr.arpa udp
US 8.8.8.8:53 21.236.111.52.in-addr.arpa udp
N/A 127.0.0.1:3232 tcp
N/A 127.0.0.1:3232 tcp
N/A 127.0.0.1:3232 tcp
N/A 127.0.0.1:3232 tcp
N/A 127.0.0.1:3232 tcp
N/A 127.0.0.1:3232 tcp
N/A 127.0.0.1:3232 tcp
N/A 127.0.0.1:3232 tcp
US 8.8.8.8:53 85.65.42.20.in-addr.arpa udp
N/A 127.0.0.1:3232 tcp
N/A 127.0.0.1:3232 tcp

Files

C:\Users\Admin\AppData\Local\Temp\7zE0E34E5C7\S500 CRASHED DESTROYED BY BIG DICK\Anarchy.Forms.FormRegValueEditMultiString.resources

MD5 beda8bbd2a72e45431cf5dd68f7c6e61
SHA1 18e28ada040e4c62e33d946046a9ccf66f839f0d
SHA256 f9f9c2a4855d61b7c7f93e9258d0306be802ef9c8c8929186deb71ee96b06d4c
SHA512 6287bb138431c33a2dd30b7c06c979ee89f691900eb407e14465d58188d04d7697ecc68eb6d479db664ea86f35b7ce6b611834028ddbd56513003c1ca28f0899

C:\Users\Admin\AppData\Local\Temp\7zE0E34E5C7\S500 CRASHED DESTROYED BY BIG DICK\Anarchy.Forms.FormSendFileToMemory.resources

MD5 fa80841e3dc9ffb31dd5d015c1030172
SHA1 aa0d9e66db2a8528edf9931fe132f18870307216
SHA256 a5b9f5ccfe8ac46a630ac1cc112d343364fa2bc4a2bec0f3911322cff174cff9
SHA512 a38cc863d3c0c8d944340cd4116f03bbdb2f1526fb40b476cd0adbd444fd1dc10790d35eaf50ea34a1083b163baa82251a5048f075651bc14e46ac4cb82897bd

C:\Users\Admin\Desktop\S500 CRASHED DESTROYED BY BIG DICK\S500RAT.exe

MD5 d26bd9b55d519ab05e621a4beba3b620
SHA1 06a4714f4663866d97ae6c2b7afe5eff666be6f5
SHA256 b23de3cdea787b3dd5221d09b94cc7003903925c48128452937542f799d045b9
SHA512 83ffc1c33d477de4b9f065721c8623ffa83a4438ed2ab2903205cc3abef9dc4047d35c0110e985785d2724eaa9b861f79b1da1837eaa1279a345ab3e32effc06

C:\Users\Admin\Desktop\S500 CRASHED DESTROYED BY BIG DICK\S500RAT.exe

MD5 930c98b103a4ed3891f4a8729eae4e91
SHA1 81cbdb10fab4de7d26295d3e3ba14947ac9ead49
SHA256 d282b73f251e49b299b4ba3b2af9460d02f2a9420f5b9023b2eb1fa00da02ae8
SHA512 2301c9826b88c1b00b533fdbf185804c19c5d3180b9b0dcd44fa73c517e85aeb8b798805ade6376bcb492c7483252c52948e29313ff66b02358f93ae1b914501

C:\Users\Admin\Desktop\S500 CRASHED DESTROYED BY BIG DICK\S500RAT.exe.config

MD5 c7a4606f8f222fc96e1e6b08c093794b
SHA1 2700b3727ab01d93e75e1e12f308dcaeb1d37dba
SHA256 32d656a69b19be98ae050512a4d0f49ebe21b6f7bb9c50130b7e952ea4f5239b
SHA512 7516375b47536a51ede8079d25760e0142ac93077326b6cc033fd6cb1676b65aec7edb3f702922506f2b6b18992cd219be01e7adbf70c6d13404adceb410472b

memory/2952-441-0x00007FFDC1200000-0x00007FFDC1CC1000-memory.dmp

memory/2952-442-0x0000023B0EA60000-0x0000023B0FA60000-memory.dmp

C:\Users\Admin\Desktop\S500 CRASHED DESTROYED BY BIG DICK\cGeoIp.dll

MD5 6d6e172e7965d1250a4a6f8a0513aa9f
SHA1 b0fd4f64e837f48682874251c93258ee2cbcad2b
SHA256 d1ddd15e9c727a5ecf78d3918c17aee0512f5b181ad44952686beb89146e6bd0
SHA512 35daa38ad009599145aa241102bcd1f69b4caa55ebc5bb11df0a06567056c0ec5fcd02a33576c54c670755a6384e0229fd2f96622f12304dec58f79e1e834155

memory/2952-444-0x0000023B48470000-0x0000023B486C2000-memory.dmp

memory/2952-445-0x0000023B460D0000-0x0000023B460E0000-memory.dmp

C:\Users\Admin\Desktop\S500 CRASHED DESTROYED BY BIG DICK\Guna.UI2.dll

MD5 4544872c197f9ad471bb18c648b004b0
SHA1 280a1ec5ab002d1ab15279b3fb0de8dd3c4aa482
SHA256 bf4aec4b6a094c21008b4788be9ca7072fcff0800cf1c098828222769b311e7b
SHA512 aaf6a5a357976f6a83672009d3648f4dd7303bdd91eeca6b2d1ce35f59cb65563daa70505162f862bb7ce322d9645dbabd49e9a8f8a9e22d4d169f3d59ac8aca

memory/2952-447-0x0000023B487E0000-0x0000023B489D4000-memory.dmp

memory/2952-448-0x0000023B48210000-0x0000023B4832A000-memory.dmp

memory/2952-449-0x0000023B48330000-0x0000023B48396000-memory.dmp

memory/2952-450-0x0000023B483B0000-0x0000023B483D4000-memory.dmp

memory/2952-451-0x0000023B489E0000-0x0000023B4959E000-memory.dmp

memory/2952-452-0x0000023B460D0000-0x0000023B460E0000-memory.dmp

C:\Users\Admin\Desktop\S500 CRASHED DESTROYED BY BIG DICK\ReaLTaiizor.dll

MD5 dc1bd8b5f4f2b49fc7da72aca1ae33da
SHA1 0bf43f74e5a957178adb259aecf34cdeed24b8b1
SHA256 d7a5a7ff25de9ce7709282b0ca714f942b29ea1b9ca222e9b2599f97676de9cd
SHA512 d19a828bbd048f52a17f804d55faf8365fda0b2b4afdfb55cbe3e85093245325fd0affa31decd848d23fce9cfd7b92b2e0c9e2849aef2dda2b74fdaef4635b46

memory/2952-454-0x0000023B55F80000-0x0000023B56568000-memory.dmp

memory/2952-455-0x0000023B460D0000-0x0000023B460E0000-memory.dmp

memory/2952-456-0x00007FFDC1200000-0x00007FFDC1CC1000-memory.dmp

C:\Users\Admin\Desktop\S500 CRASHED DESTROYED BY BIG DICK\Siticone.UI.dll

MD5 750c58af2e56b6addecffcf152520ab8
SHA1 14995e7f1d12498606d9d209d78d55fe6fd87802
SHA256 27c56a28cbde094157206da1bfcd7a395111ab97b8a5ff600b11c2175dcefb26
SHA512 2179790e23f61b3dfea828457f8609279c70b1e071cddc73b1dbda02caa664e0aae2553fc24a4956f9e89c477d66b1a704bde26fa23bc6db26c19e18db00abb5

memory/2952-458-0x0000023B55AE0000-0x0000023B55C2E000-memory.dmp

memory/2952-459-0x0000023B4C510000-0x0000023B4C524000-memory.dmp

memory/2952-460-0x0000023B460D0000-0x0000023B460E0000-memory.dmp

memory/2952-462-0x0000023B460D0000-0x0000023B460E0000-memory.dmp

memory/2952-461-0x0000023B460D0000-0x0000023B460E0000-memory.dmp

memory/2952-463-0x0000023B460D0000-0x0000023B460E0000-memory.dmp

C:\Users\Admin\Desktop\S500 CRASHED DESTROYED BY BIG DICK\S500RAT.pdb

MD5 5a98d0d238e07f8e1ea530329fb08898
SHA1 b7b16861671027ecd27aa4282e0356058453aa59
SHA256 7908ad8f9e05645b6e7568df656c2aa4f67e8350a08aa8a1993ab67c325bb0db
SHA512 c2c3761709acf86272e2f46ac604f274c2a6feb2f9e680b1783c521347441c9ba6e50c5086bea4aad9e2550edee962dd57b6907bc29c0ec427869d28d83a60f0

memory/2952-465-0x0000023B460D0000-0x0000023B460E0000-memory.dmp

memory/2952-466-0x0000023B460D0000-0x0000023B460E0000-memory.dmp

C:\Users\Admin\Desktop\S500 CRASHED DESTROYED BY BIG DICK\sEXYbABY.exe

MD5 9cabbaa5f95805449b6b39dfb5363ef7
SHA1 bfc9f92dcb82de22f2cfafbc2004375a3de0e112
SHA256 6ee41c8e942eadb4053b0b0e4535366e7a3921c740aa7d607bf3f3c9f8b20df9
SHA512 9fcc2be5099620108668dd06e42c43565c7bc1e8b22e092b1dbd20fbb5145e70a24513010c089a13c1e4ed6575778c4a7ca18669b8a977109f63545a7b430471

memory/4780-469-0x0000000000410000-0x0000000000426000-memory.dmp

memory/4780-470-0x00007FFDC1200000-0x00007FFDC1CC1000-memory.dmp

memory/4780-472-0x0000000000AF0000-0x0000000000B00000-memory.dmp

memory/2952-471-0x0000023B460D0000-0x0000023B460E0000-memory.dmp

C:\Users\Admin\Desktop\S500 CRASHED DESTROYED BY BIG DICK\Usrs.p12

MD5 e14c7402da26e4a1a1c226d546ec3aba
SHA1 3234c40fa2aec2d483d2b7ede9b901d3899d5336
SHA256 dd00f7ce28d7ef1e14f50b046ca1736f15ab08e6458d2c2cc72d078e4354ddb7
SHA512 cba4cd515319b11be1a94ffb22c4b14b933868217a1b7f6ce126568b82723769baf170f9d1f262135b8867162b8e932a9c2143603c4c9d668edc3f4622cfb5b2

memory/2952-476-0x0000023B460D0000-0x0000023B460E0000-memory.dmp

memory/4780-477-0x00007FFDC1200000-0x00007FFDC1CC1000-memory.dmp

memory/2952-489-0x0000023B56670000-0x0000023B56770000-memory.dmp

memory/2952-490-0x0000023B56670000-0x0000023B56770000-memory.dmp