Malware Analysis Report

2024-10-10 10:39

Sample ID 240221-2d6lfagf69
Target S500 CRASHED DESTROYED BY BIG DICK.zip
SHA256 511a99c70f3a3aaad381b3bf626e411b3b41f7a7cf3e040068a8cdddc6224296
Tags
asyncrat rat identifier agenttesla arrowrat
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral3

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral4

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

511a99c70f3a3aaad381b3bf626e411b3b41f7a7cf3e040068a8cdddc6224296

Threat Level: Known bad

The file S500 CRASHED DESTROYED BY BIG DICK.zip was found to be: Known bad.

Malicious Activity Summary

asyncrat rat identifier agenttesla arrowrat

Arrowrat family

AsyncRat

Contains code to disable Windows Defender

AgentTesla payload

Agenttesla family

Async RAT payload

Asyncrat family

Async RAT payload

Executes dropped EXE

Unsigned PE

Suspicious behavior: GetForegroundWindowSpam

Suspicious use of FindShellTrayWindow

Suspicious behavior: EnumeratesProcesses

Suspicious use of SendNotifyMessage

Modifies Internet Explorer settings

Suspicious use of AdjustPrivilegeToken

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-02-21 22:30

Signatures

AgentTesla payload

Description Indicator Process Target
N/A N/A N/A N/A

Agenttesla family

agenttesla

Arrowrat family

arrowrat

Async RAT payload

rat
Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A

Asyncrat family

asyncrat

Contains code to disable Windows Defender

Description Indicator Process Target
N/A N/A N/A N/A

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral2

Detonation Overview

Submitted

2024-02-21 22:28

Reported

2024-02-22 17:28

Platform

win10-20240221-en

Max time kernel

129s

Max time network

143s

Command Line

C:\Windows\Explorer.exe /idlist,,"C:\Users\Admin\AppData\Local\Temp\S500 CRASHED DESTROYED BY BIG DICK.zip"

Signatures

N/A

Processes

C:\Windows\Explorer.exe

C:\Windows\Explorer.exe /idlist,,"C:\Users\Admin\AppData\Local\Temp\S500 CRASHED DESTROYED BY BIG DICK.zip"

Network

Country Destination Domain Proto
US 8.8.8.8:53 14.227.111.52.in-addr.arpa udp
US 8.8.8.8:53 123.10.44.20.in-addr.arpa udp

Files

N/A

Analysis: behavioral3

Detonation Overview

Submitted

2024-02-21 22:28

Reported

2024-02-22 17:29

Platform

win10v2004-20240221-en

Max time kernel

162s

Max time network

162s

Command Line

C:\Windows\Explorer.exe /idlist,,"C:\Users\Admin\AppData\Local\Temp\S500 CRASHED DESTROYED BY BIG DICK.zip"

Signatures

AsyncRat

rat asyncrat

Async RAT payload

rat
Description Indicator Process Target
N/A N/A N/A N/A

Modifies Internet Explorer settings

adware spyware
Description Indicator Process Target
Key created \REGISTRY\USER\S-1-5-21-3844919115-497234255-166257750-1000\Software\Microsoft\Internet Explorer\TypedURLs C:\Users\Admin\Desktop\S500 CRASHED DESTROYED BY BIG DICK\S500RAT.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\Desktop\S500 CRASHED DESTROYED BY BIG DICK\S500RAT.exe N/A

Suspicious behavior: GetForegroundWindowSpam

Description Indicator Process Target
N/A N/A C:\Program Files\7-Zip\7zFM.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeRestorePrivilege N/A C:\Program Files\7-Zip\7zFM.exe N/A
Token: 35 N/A C:\Program Files\7-Zip\7zFM.exe N/A
Token: SeSecurityPrivilege N/A C:\Program Files\7-Zip\7zFM.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\Desktop\S500 CRASHED DESTROYED BY BIG DICK\S500RAT.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\Desktop\S500 CRASHED DESTROYED BY BIG DICK\sEXYbABY.exe N/A

Suspicious use of FindShellTrayWindow

Description Indicator Process Target
N/A N/A C:\Program Files\7-Zip\7zFM.exe N/A
N/A N/A C:\Program Files\7-Zip\7zFM.exe N/A
N/A N/A C:\Users\Admin\Desktop\S500 CRASHED DESTROYED BY BIG DICK\S500RAT.exe N/A

Suspicious use of SendNotifyMessage

Description Indicator Process Target
N/A N/A C:\Users\Admin\Desktop\S500 CRASHED DESTROYED BY BIG DICK\S500RAT.exe N/A

Processes

C:\Windows\Explorer.exe

C:\Windows\Explorer.exe /idlist,,"C:\Users\Admin\AppData\Local\Temp\S500 CRASHED DESTROYED BY BIG DICK.zip"

C:\Windows\System32\rundll32.exe

C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding

C:\Program Files\7-Zip\7zFM.exe

"C:\Program Files\7-Zip\7zFM.exe" "C:\Users\Admin\AppData\Local\Temp\S500 CRASHED DESTROYED BY BIG DICK.zip"

C:\Users\Admin\Desktop\S500 CRASHED DESTROYED BY BIG DICK\S500RAT.exe

"C:\Users\Admin\Desktop\S500 CRASHED DESTROYED BY BIG DICK\S500RAT.exe"

C:\Windows\system32\wbem\WmiApSrv.exe

C:\Windows\system32\wbem\WmiApSrv.exe

C:\Users\Admin\Desktop\S500 CRASHED DESTROYED BY BIG DICK\sEXYbABY.exe

"C:\Users\Admin\Desktop\S500 CRASHED DESTROYED BY BIG DICK\sEXYbABY.exe"

Network

Country Destination Domain Proto
US 8.8.8.8:53 149.177.190.20.in-addr.arpa udp
US 8.8.8.8:53 208.178.17.96.in-addr.arpa udp
US 8.8.8.8:53 26.35.223.20.in-addr.arpa udp
US 8.8.8.8:53 183.59.114.20.in-addr.arpa udp
US 8.8.8.8:53 198.187.3.20.in-addr.arpa udp
US 8.8.8.8:53 134.71.91.104.in-addr.arpa udp
US 8.8.8.8:53 196.178.17.96.in-addr.arpa udp
US 8.8.8.8:53 14.227.111.52.in-addr.arpa udp
US 8.8.8.8:53 206.178.17.96.in-addr.arpa udp
US 8.8.8.8:53 84.65.42.20.in-addr.arpa udp
N/A 127.0.0.1:3232 tcp

Files

C:\Users\Admin\AppData\Local\Temp\7zE4A236368\S500 CRASHED DESTROYED BY BIG DICK\Anarchy.Forms.FormRegValueEditMultiString.resources

MD5 beda8bbd2a72e45431cf5dd68f7c6e61
SHA1 18e28ada040e4c62e33d946046a9ccf66f839f0d
SHA256 f9f9c2a4855d61b7c7f93e9258d0306be802ef9c8c8929186deb71ee96b06d4c
SHA512 6287bb138431c33a2dd30b7c06c979ee89f691900eb407e14465d58188d04d7697ecc68eb6d479db664ea86f35b7ce6b611834028ddbd56513003c1ca28f0899

C:\Users\Admin\AppData\Local\Temp\7zE4A236368\S500 CRASHED DESTROYED BY BIG DICK\Anarchy.Forms.FormSendFileToMemory.resources

MD5 fa80841e3dc9ffb31dd5d015c1030172
SHA1 aa0d9e66db2a8528edf9931fe132f18870307216
SHA256 a5b9f5ccfe8ac46a630ac1cc112d343364fa2bc4a2bec0f3911322cff174cff9
SHA512 a38cc863d3c0c8d944340cd4116f03bbdb2f1526fb40b476cd0adbd444fd1dc10790d35eaf50ea34a1083b163baa82251a5048f075651bc14e46ac4cb82897bd

C:\Users\Admin\Desktop\S500 CRASHED DESTROYED BY BIG DICK\S500RAT.exe

MD5 1e2c9d00fcfb200b42110da79ff9d735
SHA1 8addde7986ea7b4c68aabdc5b8afd62dffee9bf3
SHA256 97fbc16237ecf4a1b02f6557e574178f950d35d6f5e6f37e14608a18f9e52817
SHA512 4d2af3353bf3b6d2bd75ef8947bd82c4d102d2848dec658112946f69add9c6cfa5d6a911e35c26884020fd3da682b741b4d58c1eb09a6eff77e465f765f3d555

C:\Users\Admin\Desktop\S500 CRASHED DESTROYED BY BIG DICK\S500RAT.exe

MD5 7e9bb5491037c8c8717dd83a748cae68
SHA1 e84b434fb88032f68d079257fdddfe5e08c26c87
SHA256 ba488e2f67a3234b185878d7cc1f2cf450f3b91f084ede5f5ccad3fda8ac4e59
SHA512 3578728fc2f2929a95b320f81019ffacdc96aa061d07f340a45a32773e92f67fed380a7336b66c2e38f69dd72a06658f5f793269ac7f8634926694d4a77401b2

C:\Users\Admin\Desktop\S500 CRASHED DESTROYED BY BIG DICK\S500RAT.exe.config

MD5 c7a4606f8f222fc96e1e6b08c093794b
SHA1 2700b3727ab01d93e75e1e12f308dcaeb1d37dba
SHA256 32d656a69b19be98ae050512a4d0f49ebe21b6f7bb9c50130b7e952ea4f5239b
SHA512 7516375b47536a51ede8079d25760e0142ac93077326b6cc033fd6cb1676b65aec7edb3f702922506f2b6b18992cd219be01e7adbf70c6d13404adceb410472b

memory/2808-441-0x00007FFDEEE10000-0x00007FFDEF8D1000-memory.dmp

memory/2808-442-0x00000272B6220000-0x00000272B7220000-memory.dmp

C:\Users\Admin\Desktop\S500 CRASHED DESTROYED BY BIG DICK\cGeoIp.dll

MD5 ae0da7323d7b1fdff5eeab7f54511a7c
SHA1 d102b6e612c04e4a33c60fd906cd408ae7840c1d
SHA256 6da4fdcf3a75f6ed1525d106b217adfed6910be458e78775d0269ac7160d011d
SHA512 b8bc5d94595308b410b26bb28d87de436ad978fcd467061a15601e4e12f193a343b067783f745aa0d632794905dead0d67413b8e4123cce8d43ffbd5155e2df5

memory/2808-444-0x00000272EFC50000-0x00000272EFEA2000-memory.dmp

memory/2808-445-0x00000272D3670000-0x00000272D3680000-memory.dmp

memory/2808-447-0x00000272EFFC0000-0x00000272F01B4000-memory.dmp

C:\Users\Admin\Desktop\S500 CRASHED DESTROYED BY BIG DICK\Guna.UI2.dll

MD5 1ccd3249a32f6019e828df3ed85ef8ea
SHA1 05622520b62b33579f7ec7b4282e8fceead2e1cf
SHA256 7784861a5c142680cf1517182608a5e42d5b2ad298048b92dd3a92f27b272e79
SHA512 d66fbc3b8d36bab264a51bfa948778cfc3d9ad63d472ad72a49cd7102f0c49c1197b49012652281854cc8d7b26db4200b9f43dd51dcfdf31a50e47383733f4e8

memory/2808-448-0x00000272EF9F0000-0x00000272EFB0A000-memory.dmp

memory/2808-449-0x00000272D3670000-0x00000272D3680000-memory.dmp

memory/2808-451-0x00000272EFB70000-0x00000272EFB94000-memory.dmp

memory/2808-450-0x00000272EFB10000-0x00000272EFB76000-memory.dmp

memory/2808-452-0x00000272F01C0000-0x00000272F0D7E000-memory.dmp

memory/2808-453-0x00000272D3670000-0x00000272D3680000-memory.dmp

memory/2808-454-0x00000272D3670000-0x00000272D3680000-memory.dmp

memory/2808-455-0x00007FFDEEE10000-0x00007FFDEF8D1000-memory.dmp

C:\Users\Admin\Desktop\S500 CRASHED DESTROYED BY BIG DICK\ReaLTaiizor.dll

MD5 8ad964aec42e06380f54764b4b9a46c1
SHA1 04e0e8386bf9af46690ad63cc21bb825411550ff
SHA256 2648e5669ff4161b7f4670384eaec58270fa326c0292dce97ece3be7ddcdd191
SHA512 63e8213e553d26e61f3520eddf3829532fa3c09c5ca92ba4d3c445dfeac8caa496416170a4a3715b60ecb3e08f4d0588550d5a2dd71ef291c9f4ad92001a1cde

memory/2808-457-0x00000272FD750000-0x00000272FDD38000-memory.dmp

memory/2808-458-0x00000272D3670000-0x00000272D3680000-memory.dmp

memory/2808-459-0x00000272D3670000-0x00000272D3680000-memory.dmp

memory/2808-460-0x00000272D3670000-0x00000272D3680000-memory.dmp

memory/2808-461-0x00000272D3670000-0x00000272D3680000-memory.dmp

C:\Users\Admin\Desktop\S500 CRASHED DESTROYED BY BIG DICK\Usrs.p12

MD5 e14c7402da26e4a1a1c226d546ec3aba
SHA1 3234c40fa2aec2d483d2b7ede9b901d3899d5336
SHA256 dd00f7ce28d7ef1e14f50b046ca1736f15ab08e6458d2c2cc72d078e4354ddb7
SHA512 cba4cd515319b11be1a94ffb22c4b14b933868217a1b7f6ce126568b82723769baf170f9d1f262135b8867162b8e932a9c2143603c4c9d668edc3f4622cfb5b2

memory/2808-466-0x00000272D3670000-0x00000272D3680000-memory.dmp

memory/2808-465-0x00000272D3670000-0x00000272D3680000-memory.dmp

memory/2808-467-0x00000272D3670000-0x00000272D3680000-memory.dmp

memory/2808-469-0x00000272D3670000-0x00000272D3680000-memory.dmp

C:\Users\Admin\Desktop\S500 CRASHED DESTROYED BY BIG DICK\sEXYbABY.exe

MD5 9cabbaa5f95805449b6b39dfb5363ef7
SHA1 bfc9f92dcb82de22f2cfafbc2004375a3de0e112
SHA256 6ee41c8e942eadb4053b0b0e4535366e7a3921c740aa7d607bf3f3c9f8b20df9
SHA512 9fcc2be5099620108668dd06e42c43565c7bc1e8b22e092b1dbd20fbb5145e70a24513010c089a13c1e4ed6575778c4a7ca18669b8a977109f63545a7b430471

memory/440-472-0x0000000000030000-0x0000000000046000-memory.dmp

memory/440-473-0x00007FFDEEE10000-0x00007FFDEF8D1000-memory.dmp

memory/440-474-0x000000001AD50000-0x000000001AD60000-memory.dmp

Analysis: behavioral4

Detonation Overview

Submitted

2024-02-21 22:28

Reported

2024-02-22 17:28

Platform

win11-20240221-en

Max time kernel

145s

Max time network

151s

Command Line

C:\Windows\Explorer.exe /idlist,,"C:\Users\Admin\AppData\Local\Temp\S500 CRASHED DESTROYED BY BIG DICK.zip"

Signatures

N/A

Processes

C:\Windows\Explorer.exe

C:\Windows\Explorer.exe /idlist,,"C:\Users\Admin\AppData\Local\Temp\S500 CRASHED DESTROYED BY BIG DICK.zip"

Network

Files

N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-02-21 22:28

Reported

2024-02-22 17:28

Platform

win7-20240221-en

Max time kernel

121s

Max time network

123s

Command Line

C:\Windows\Explorer.exe /idlist,,"C:\Users\Admin\AppData\Local\Temp\S500 CRASHED DESTROYED BY BIG DICK.zip"

Signatures

N/A

Processes

C:\Windows\Explorer.exe

C:\Windows\Explorer.exe /idlist,,"C:\Users\Admin\AppData\Local\Temp\S500 CRASHED DESTROYED BY BIG DICK.zip"

Network

N/A

Files

N/A