asyncrat | 511a99c70f3a3aaad381b3bf626e411b3b41f7a7cf3e040068a8cdddc6224296

Resubmissions

21-02-2024 22:28

240221-2d6lfagf69 10

20-02-2024 02:07

240220-cjy14shc8z 10

19-02-2024 17:57

240219-wjrftaaa5s 10

01-02-2024 17:44

240201-wbb16addcj 10

Analysis

max time kernel
162s
max time network
162s
platform
windows10-2004_x64
resource
win10v2004-20240221-en
resource tags

arch:x64arch:x86image:win10v2004-20240221-enlocale:en-usos:windows10-2004-x64system
submitted
21-02-2024 22:28

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

S500 CRASHED DESTROYED BY BIG DICK.zip
Size

82.3MB
MD5

5aa9ba2618a5e528af208ee5854cf2be
SHA1

3cf3eb1d8339bd5bc624ac10e797ccf556b538ca
SHA256

511a99c70f3a3aaad381b3bf626e411b3b41f7a7cf3e040068a8cdddc6224296
SHA512

f9d65db7b6ee067092ec08d4abeed3cbf40f2d7ada1a12ebe20d737aac9b1ed71895c9f9b7b1162a75733b25b14a022147cfd81970fcb9e7808eed3f9d79e087
SSDEEP

1572864:/JcbzDm3OZLuFkmVmzDmum6Whftzjat/Y34F1zBLgrNka51ML:Bcni3Gu/VmzWJ3KxYwANka51ML

Score

10^/10

asyncrat rat

Malware Config

Extracted

Family

asyncrat

127.0.0.1:3232

Mutex

nNx2ΔΙgg吉C伊弗Gp德WrDT

Attributes

delay
3
install
false
install_folder
.

aes.plain

Signatures

AsyncRat
AsyncRAT is designed to remotely monitor and control other computers written in C#.
rat asyncrat

Async RAT payload 1 IoCs

rat

Processes:

resource	yara_rule
behavioral3/files/0x00060000000231fc-470.dat	family_asyncrat

Executes dropped EXE 2 IoCs

Processes:

S500RAT.exesEXYbABY.exe

pid	Process
2808	S500RAT.exe
440	sEXYbABY.exe

Modifies Internet Explorer settings 1 TTPs 1 IoCs

adware spyware

Modify Registry

T1112

Processes:

S500RAT.exe

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-3844919115-497234255-166257750-1000\Software\Microsoft\Internet Explorer\TypedURLs	S500RAT.exe

Suspicious behavior: EnumeratesProcesses 26 IoCs

Processes:

S500RAT.exe

pid	Process
2808	S500RAT.exe
2808	S500RAT.exe
2808	S500RAT.exe
2808	S500RAT.exe
2808	S500RAT.exe
2808	S500RAT.exe
2808	S500RAT.exe
2808	S500RAT.exe
2808	S500RAT.exe
2808	S500RAT.exe
2808	S500RAT.exe
2808	S500RAT.exe
2808	S500RAT.exe
2808	S500RAT.exe
2808	S500RAT.exe
2808	S500RAT.exe
2808	S500RAT.exe
2808	S500RAT.exe
2808	S500RAT.exe
2808	S500RAT.exe
2808	S500RAT.exe
2808	S500RAT.exe
2808	S500RAT.exe
2808	S500RAT.exe
2808	S500RAT.exe
2808	S500RAT.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

Processes:

7zFM.exe

pid	Process
4772	7zFM.exe

Suspicious use of AdjustPrivilegeToken 5 IoCs

Processes:

7zFM.exeS500RAT.exesEXYbABY.exe

description	pid	Process
Token: SeRestorePrivilege	4772	7zFM.exe
Token: 35	4772	7zFM.exe
Token: SeSecurityPrivilege	4772	7zFM.exe
Token: SeDebugPrivilege	2808	S500RAT.exe
Token: SeDebugPrivilege	440	sEXYbABY.exe

Suspicious use of FindShellTrayWindow 3 IoCs

Processes:

7zFM.exeS500RAT.exe

pid	Process
4772	7zFM.exe
4772	7zFM.exe
2808	S500RAT.exe

Suspicious use of SendNotifyMessage 1 IoCs

Processes:

S500RAT.exe

pid	Process
2808	S500RAT.exe

C:\Windows\Explorer.exe
C:\Windows\Explorer.exe /idlist,,"C:\Users\Admin\AppData\Local\Temp\S500 CRASHED DESTROYED BY BIG DICK.zip"
1⤵
PID:2008

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:3276

C:\Program Files\7-Zip\7zFM.exe
"C:\Program Files\7-Zip\7zFM.exe" "C:\Users\Admin\AppData\Local\Temp\S500 CRASHED DESTROYED BY BIG DICK.zip"
1⤵
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
PID:4772

C:\Users\Admin\Desktop\S500 CRASHED DESTROYED BY BIG DICK\S500RAT.exe
"C:\Users\Admin\Desktop\S500 CRASHED DESTROYED BY BIG DICK\S500RAT.exe"
1⤵
- Executes dropped EXE
- Modifies Internet Explorer settings
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:2808

C:\Windows\system32\wbem\WmiApSrv.exe
C:\Windows\system32\wbem\WmiApSrv.exe
1⤵
PID:4444

C:\Users\Admin\Desktop\S500 CRASHED DESTROYED BY BIG DICK\sEXYbABY.exe
"C:\Users\Admin\Desktop\S500 CRASHED DESTROYED BY BIG DICK\sEXYbABY.exe"
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:440

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\7zE4A236368\S500 CRASHED DESTROYED BY BIG DICK\Anarchy.Forms.FormRegValueEditMultiString.resources

Filesize
67KB

MD5
beda8bbd2a72e45431cf5dd68f7c6e61

SHA1
18e28ada040e4c62e33d946046a9ccf66f839f0d

SHA256
f9f9c2a4855d61b7c7f93e9258d0306be802ef9c8c8929186deb71ee96b06d4c

SHA512
6287bb138431c33a2dd30b7c06c979ee89f691900eb407e14465d58188d04d7697ecc68eb6d479db664ea86f35b7ce6b611834028ddbd56513003c1ca28f0899

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zE4A236368\S500 CRASHED DESTROYED BY BIG DICK\Anarchy.Forms.FormSendFileToMemory.resources

Filesize
66KB

MD5
fa80841e3dc9ffb31dd5d015c1030172

SHA1
aa0d9e66db2a8528edf9931fe132f18870307216

SHA256
a5b9f5ccfe8ac46a630ac1cc112d343364fa2bc4a2bec0f3911322cff174cff9

SHA512
a38cc863d3c0c8d944340cd4116f03bbdb2f1526fb40b476cd0adbd444fd1dc10790d35eaf50ea34a1083b163baa82251a5048f075651bc14e46ac4cb82897bd

Download Submit
C:\Users\Admin\Desktop\S500 CRASHED DESTROYED BY BIG DICK\Guna.UI2.dll

Filesize
1.1MB

MD5
1ccd3249a32f6019e828df3ed85ef8ea

SHA1
05622520b62b33579f7ec7b4282e8fceead2e1cf

SHA256
7784861a5c142680cf1517182608a5e42d5b2ad298048b92dd3a92f27b272e79

SHA512
d66fbc3b8d36bab264a51bfa948778cfc3d9ad63d472ad72a49cd7102f0c49c1197b49012652281854cc8d7b26db4200b9f43dd51dcfdf31a50e47383733f4e8

Download Submit
C:\Users\Admin\Desktop\S500 CRASHED DESTROYED BY BIG DICK\ReaLTaiizor.dll

Filesize
3.2MB

MD5
8ad964aec42e06380f54764b4b9a46c1

SHA1
04e0e8386bf9af46690ad63cc21bb825411550ff

SHA256
2648e5669ff4161b7f4670384eaec58270fa326c0292dce97ece3be7ddcdd191

SHA512
63e8213e553d26e61f3520eddf3829532fa3c09c5ca92ba4d3c445dfeac8caa496416170a4a3715b60ecb3e08f4d0588550d5a2dd71ef291c9f4ad92001a1cde

Download Submit
C:\Users\Admin\Desktop\S500 CRASHED DESTROYED BY BIG DICK\S500RAT.exe

Filesize
4.0MB

MD5
1e2c9d00fcfb200b42110da79ff9d735

SHA1
8addde7986ea7b4c68aabdc5b8afd62dffee9bf3

SHA256
97fbc16237ecf4a1b02f6557e574178f950d35d6f5e6f37e14608a18f9e52817

SHA512
4d2af3353bf3b6d2bd75ef8947bd82c4d102d2848dec658112946f69add9c6cfa5d6a911e35c26884020fd3da682b741b4d58c1eb09a6eff77e465f765f3d555

Download Submit
C:\Users\Admin\Desktop\S500 CRASHED DESTROYED BY BIG DICK\S500RAT.exe

Filesize
3.5MB

MD5
7e9bb5491037c8c8717dd83a748cae68

SHA1
e84b434fb88032f68d079257fdddfe5e08c26c87

SHA256
ba488e2f67a3234b185878d7cc1f2cf450f3b91f084ede5f5ccad3fda8ac4e59

SHA512
3578728fc2f2929a95b320f81019ffacdc96aa061d07f340a45a32773e92f67fed380a7336b66c2e38f69dd72a06658f5f793269ac7f8634926694d4a77401b2

Download Submit
C:\Users\Admin\Desktop\S500 CRASHED DESTROYED BY BIG DICK\S500RAT.exe.config

Filesize
530B

MD5
c7a4606f8f222fc96e1e6b08c093794b

SHA1
2700b3727ab01d93e75e1e12f308dcaeb1d37dba

SHA256
32d656a69b19be98ae050512a4d0f49ebe21b6f7bb9c50130b7e952ea4f5239b

SHA512
7516375b47536a51ede8079d25760e0142ac93077326b6cc033fd6cb1676b65aec7edb3f702922506f2b6b18992cd219be01e7adbf70c6d13404adceb410472b

Download Submit
C:\Users\Admin\Desktop\S500 CRASHED DESTROYED BY BIG DICK\Usrs.p12

Filesize
1KB

MD5
e14c7402da26e4a1a1c226d546ec3aba

SHA1
3234c40fa2aec2d483d2b7ede9b901d3899d5336

SHA256
dd00f7ce28d7ef1e14f50b046ca1736f15ab08e6458d2c2cc72d078e4354ddb7

SHA512
cba4cd515319b11be1a94ffb22c4b14b933868217a1b7f6ce126568b82723769baf170f9d1f262135b8867162b8e932a9c2143603c4c9d668edc3f4622cfb5b2

Download Submit
C:\Users\Admin\Desktop\S500 CRASHED DESTROYED BY BIG DICK\cGeoIp.dll

Filesize
102KB

MD5
ae0da7323d7b1fdff5eeab7f54511a7c

SHA1
d102b6e612c04e4a33c60fd906cd408ae7840c1d

SHA256
6da4fdcf3a75f6ed1525d106b217adfed6910be458e78775d0269ac7160d011d

SHA512
b8bc5d94595308b410b26bb28d87de436ad978fcd467061a15601e4e12f193a343b067783f745aa0d632794905dead0d67413b8e4123cce8d43ffbd5155e2df5

Download Submit
C:\Users\Admin\Desktop\S500 CRASHED DESTROYED BY BIG DICK\sEXYbABY.exe

Filesize
63KB

MD5
9cabbaa5f95805449b6b39dfb5363ef7

SHA1
bfc9f92dcb82de22f2cfafbc2004375a3de0e112

SHA256
6ee41c8e942eadb4053b0b0e4535366e7a3921c740aa7d607bf3f3c9f8b20df9

SHA512
9fcc2be5099620108668dd06e42c43565c7bc1e8b22e092b1dbd20fbb5145e70a24513010c089a13c1e4ed6575778c4a7ca18669b8a977109f63545a7b430471

Download Submit
memory/440-472-0x0000000000030000-0x0000000000046000-memory.dmp

Filesize
88KB

Download
memory/440-473-0x00007FFDEEE10000-0x00007FFDEF8D1000-memory.dmp

Filesize
10.8MB

Download
memory/440-474-0x000000001AD50000-0x000000001AD60000-memory.dmp

Filesize
64KB

Download
memory/2808-452-0x00000272F01C0000-0x00000272F0D7E000-memory.dmp

Filesize
11.7MB

Download
memory/2808-460-0x00000272D3670000-0x00000272D3680000-memory.dmp

Filesize
64KB

Download
memory/2808-450-0x00000272EFB10000-0x00000272EFB76000-memory.dmp

Filesize
408KB

Download
memory/2808-449-0x00000272D3670000-0x00000272D3680000-memory.dmp

Filesize
64KB

Download
memory/2808-453-0x00000272D3670000-0x00000272D3680000-memory.dmp

Filesize
64KB

Download
memory/2808-454-0x00000272D3670000-0x00000272D3680000-memory.dmp

Filesize
64KB

Download
memory/2808-455-0x00007FFDEEE10000-0x00007FFDEF8D1000-memory.dmp

Filesize
10.8MB

Download
memory/2808-448-0x00000272EF9F0000-0x00000272EFB0A000-memory.dmp

Filesize
1.1MB

Download
memory/2808-457-0x00000272FD750000-0x00000272FDD38000-memory.dmp

Filesize
5.9MB

Download
memory/2808-458-0x00000272D3670000-0x00000272D3680000-memory.dmp

Filesize
64KB

Download
memory/2808-459-0x00000272D3670000-0x00000272D3680000-memory.dmp

Filesize
64KB

Download
memory/2808-451-0x00000272EFB70000-0x00000272EFB94000-memory.dmp

Filesize
144KB

Download
memory/2808-461-0x00000272D3670000-0x00000272D3680000-memory.dmp

Filesize
64KB

Download
memory/2808-447-0x00000272EFFC0000-0x00000272F01B4000-memory.dmp

Filesize
2.0MB

Download
memory/2808-466-0x00000272D3670000-0x00000272D3680000-memory.dmp

Filesize
64KB

Download
memory/2808-465-0x00000272D3670000-0x00000272D3680000-memory.dmp

Filesize
64KB

Download
memory/2808-467-0x00000272D3670000-0x00000272D3680000-memory.dmp

Filesize
64KB

Download
memory/2808-469-0x00000272D3670000-0x00000272D3680000-memory.dmp

Filesize
64KB

Download
memory/2808-445-0x00000272D3670000-0x00000272D3680000-memory.dmp

Filesize
64KB

Download
memory/2808-444-0x00000272EFC50000-0x00000272EFEA2000-memory.dmp

Filesize
2.3MB

Download
memory/2808-442-0x00000272B6220000-0x00000272B7220000-memory.dmp

Filesize
16.0MB

Download
memory/2808-441-0x00007FFDEEE10000-0x00007FFDEF8D1000-memory.dmp

Filesize
10.8MB

Download