Analysis

  • max time kernel
    1288s
  • max time network
    1272s
  • platform
    windows11-21h2_x64
  • resource
    win11-20240214-en
  • resource tags
    arch:x64, arch:x86, image:win11-20240214-en, locale:en-us, os:windows11-21h2-x64, system
  • submitted
    20-03-2024 17:22

General

  • Target

    S500 RAT Cracked + Source .rar

  • Size

    147.7MB

  • MD5

    5a39139ce5f13297aea9c5839d1447c6

  • SHA1

    90c68a4f451c2fe75c6325198693b6f52971d573

  • SHA256

    54008e93bf228c29b7592f30f3f57cb6d8e419d6c9d2aa154c1a582160efbfff

  • SHA512

    7a98ebd2ffb9dec789ddf5adf9fe2dad5a9527cb2e2c038933722012a9ead3fac98280dbf32f0ef5aaa4b6c57afe7768cdd2018e632fbe415c56925833e536b1

  • SSDEEP

    3145728:Lp+2zwG6H0uXZ2nlHp75eJmivGPIpVQNQSsnyDZ5lc:Ls2cG1FlHp7ImqO8VIGyba

Score
10/10

Malware Config

Extracted

Family

asyncrat

Version

Venom Pwn3rzs' Edtition v6.0.1

Botnet

Default

Mutex

oevtobrbpcmpahavl

Attributes
  • delay

    1

  • install

    false

  • install_folder

    %AppData%

  • pastebin_config

    https://pastebin.com/raw/LwwcrLg4

aes.plain

Signatures

  • AsyncRat

    AsyncRAT is a remote access trojan written in C#, designed to remotely monitor and control other computers.

  • Async RAT payload 1 IoCs
  • Executes dropped EXE 1 IoCs
  • Looks up external IP address via web service 1 IoCs

    Uses a legitimate IP lookup service to find the infected system's external IP.

  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Modifies registry class 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 46 IoCs
  • Suspicious use of FindShellTrayWindow 2 IoCs
  • Suspicious use of WriteProcessMemory 2 IoCs

Processes

  • C:\Windows\system32\cmd.exe
    cmd /c "C:\Users\Admin\AppData\Local\Temp\S500 RAT Cracked + Source .rar"
    1⤵
    • Modifies registry class
    • Suspicious use of WriteProcessMemory
    PID:3556
    • C:\Program Files\7-Zip\7zFM.exe
      "C:\Program Files\7-Zip\7zFM.exe" "C:\Users\Admin\AppData\Local\Temp\S500 RAT Cracked + Source .rar"
      2⤵
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of FindShellTrayWindow
      PID:1436
  • C:\Windows\System32\rundll32.exe
    C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
    1⤵
    PID:1700
  • C:\Users\Admin\Desktop\S500 RAT Cracked\KeyGenerator.exe
    "C:\Users\Admin\Desktop\S500 RAT Cracked\KeyGenerator.exe"
    1⤵
    • Executes dropped EXE
    • Suspicious use of AdjustPrivilegeToken
    PID:3796
  • C:\Windows\system32\NOTEPAD.EXE
    "C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\Desktop\S500 RAT Cracked\Login.txt
    1⤵
    PID:4496

Network

MITRE ATT&CK Enterprise v15

Downloads

  • C:\Users\Admin\Desktop\S500 RAT Cracked\KeyGenerator.exe

    Filesize

    1.1MB

    MD5

    87ca06f69c513f4fbbf67c5b4e366210

    SHA1

    7a0383ddd6f8ec2ec8624358ed0cd2ddc1a366aa

    SHA256

    42b6ecf01da5fc49e5d12229a52ddeb9901b13d62ac00a846aa748adb083f8e5

    SHA512

    286f3e8d46fe798b1e37823caea0e28811fb2e42a8e27669622a6477c353a7fe56f8e207ac9aa199df4ceac39ec9fd7bd77bdf01deac8ef448269916457d4acb

  • C:\Users\Admin\Desktop\S500 RAT Cracked\Login.txt

    Filesize

    70B

    MD5

    d5b77dfb5f248f3aabc560d8300088c5

    SHA1

    bbf7bb5f78051a59e725920cea3d54d1e7473cea

    SHA256

    113a6f39d02edb55049baa38c50d26579247acb7427e7494805a91e415e21a55

    SHA512

    180e45da4adc3643d40ded2ff526af67361f77b6c61f05d3739e10e41327614a5f57485148f32d047f6d9169230053a77c9cc6fe5e7ced2d2dc285a7b8269552

  • memory/3796-232-0x0000000000FF0000-0x0000000001118000-memory.dmp

    Filesize

    1.2MB

  • memory/3796-234-0x00007FFC2C450000-0x00007FFC2CF12000-memory.dmp

    Filesize

    10.8MB

  • memory/3796-235-0x000000001BE00000-0x000000001BE10000-memory.dmp

    Filesize

    64KB

  • memory/3796-236-0x00007FFC2C450000-0x00007FFC2CF12000-memory.dmp

    Filesize

    10.8MB