General
-
Target
S500 RAT Cracked + Source .rar
-
Size
147.7MB
-
Sample
240330-q7frbsge84
-
MD5
5a39139ce5f13297aea9c5839d1447c6
-
SHA1
90c68a4f451c2fe75c6325198693b6f52971d573
-
SHA256
54008e93bf228c29b7592f30f3f57cb6d8e419d6c9d2aa154c1a582160efbfff
-
SHA512
7a98ebd2ffb9dec789ddf5adf9fe2dad5a9527cb2e2c038933722012a9ead3fac98280dbf32f0ef5aaa4b6c57afe7768cdd2018e632fbe415c56925833e536b1
-
SSDEEP
3145728:Lp+2zwG6H0uXZ2nlHp75eJmivGPIpVQNQSsnyDZ5lc:Ls2cG1FlHp7ImqO8VIGyba
Static task
static1
Behavioral task
behavioral1
Sample
S500 RAT Cracked + Source .rar
Resource
win7-20240221-en
Behavioral task
behavioral2
Sample
S500 RAT Cracked + Source .rar
Resource
win10-20240221-en
Behavioral task
behavioral3
Sample
S500 RAT Cracked + Source .rar
Resource
win10v2004-20240226-en
Behavioral task
behavioral4
Sample
S500 RAT Cracked + Source .rar
Resource
win11-20240221-en
Malware Config
Extracted
asyncrat
Venom Pwn3rzs' Edtition v6.0.1
Default
oevtobrbpcmpahavl
-
delay
1
-
install
false
-
install_folder
%AppData%
-
pastebin_config
https://pastebin.com/raw/LwwcrLg4
Extracted
asyncrat
Default
127.0.0.1:6606
127.0.0.1:7707
127.0.0.1:8808
https://api.telegram.org/bot7172310068:AAHciRxBKiL8yb3xQPb16MGBa7sLY1YMnC8/sendMessage?chat_id=1238600226
AsyncMutex_6SI8OkPnk
-
delay
3
-
install
false
-
install_folder
%AppData%
Extracted
arrowrat
identifier
IP:PORT
mutex
Targets
-
-
Target
S500 RAT Cracked + Source .rar
-
Size
147.7MB
-
MD5
5a39139ce5f13297aea9c5839d1447c6
-
SHA1
90c68a4f451c2fe75c6325198693b6f52971d573
-
SHA256
54008e93bf228c29b7592f30f3f57cb6d8e419d6c9d2aa154c1a582160efbfff
-
SHA512
7a98ebd2ffb9dec789ddf5adf9fe2dad5a9527cb2e2c038933722012a9ead3fac98280dbf32f0ef5aaa4b6c57afe7768cdd2018e632fbe415c56925833e536b1
-
SSDEEP
3145728:Lp+2zwG6H0uXZ2nlHp75eJmivGPIpVQNQSsnyDZ5lc:Ls2cG1FlHp7ImqO8VIGyba
-
StormKitty payload
-
Async RAT payload
-
Blocklisted process makes network request
-
Checks computer location settings
Looks up country code configured in the registry, likely geofence.
-
Executes dropped EXE
-
Loads dropped DLL
-
Obfuscated with Agile.Net obfuscator
Detects use of the Agile.Net commercial obfuscator, which is capable of entity renaming and control flow obfuscation.
-
Drops desktop.ini file(s)
-
Looks up external IP address via web service
Uses a legitimate IP lookup service to find the infected system's external IP.
-
Looks up geolocation information via web service
Uses a legitimate geolocation service to find the infected system's geolocation info.
-