Windows 7 deprecation

Windows 7 will be removed from tria.ge on 2025-03-31

Overview

overview

10

Static

static

3

Rebel/Bin/...or.exe

windows11-21h2-x64

5

Rebel/Bin/Rebel.dll

windows11-21h2-x64

1

Rebel/Fast...ox.dll

windows11-21h2-x64

1

Rebel/Rebe...ed.exe

windows11-21h2-x64

10

Rebel/Syst...om.dll

windows11-21h2-x64

1

Analysis

  • max time kernel
    11s
  • platform
    windows11-21h2_x64
  • resource
    win11-20240802-en
  • resource tags

    arch:x64arch:x86image:win11-20240802-enlocale:en-usos:windows11-21h2-x64system
  • submitted
    04/09/2024, 22:23

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    Rebel/RebelCracked.exe

  • Size

    154KB

  • MD5

    76b3ef39824d31fde7ca5d27ae8700fa

  • SHA1

    c03994080a4f1038d4a624499acedcf0fea737f3

  • SHA256

    439096c4077b5a1ad2e2ad232fdaeeece05a72e6a69c16d11a624b665dc428f3

  • SHA512

    3246594017abe3c4e208ce270388feecf23ec3032de73bb380aaebd17030263ff00e8270b2ab901efa993c2e896cd28a091b2b9a49986c98cd974826641f240d

  • SSDEEP

    3072:0OovaAxpeK2dWUi60uu0JpZmTKv03lqUmPT01oSVeT5iu9d7:0OcpeK8lucpUCKlqUP/M

Score
10/10
asyncratstormkittydefaultcredential_accessdiscoveryratspywarestealer

Malware Config

Extracted

Family

asyncrat

Botnet

Default

C2

127.0.0.1:6606

127.0.0.1:7707

127.0.0.1:8808
Mutex

AsyncMutex_6SI8OkPnk

Attributes
  • delay

    3

  • install

    false

  • install_folder

    %AppData%

aes.plain

Signatures

  • AsyncRat

    AsyncRAT is designed to remotely monitor and control other computers written in C#.

    ratasyncrat
  • StormKitty

    StormKitty is an open source info stealer written in C#.

    stealerstormkitty
  • StormKitty payload 2 IoCs
  • Async RAT payload 1 IoCs
    rat
  • Credentials from Password Stores: Credentials from Web Browsers 1 TTPs

    Malicious Access or copy of Web Browser Credential store.

    credential_accessstealer
  • Executes dropped EXE 4 IoCs
  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

    spywarestealer
  • Drops desktop.ini file(s) 7 IoCs
  • Browser Information Discovery 1 TTPs

    Enumerate browser information.

    discovery
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

    discovery
  • Suspicious behavior: EnumeratesProcesses 4 IoCs
  • Suspicious use of AdjustPrivilegeToken 4 IoCs
  • Suspicious use of WriteProcessMemory 20 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\Rebel\RebelCracked.exe
    "C:\Users\Admin\AppData\Local\Temp\Rebel\RebelCracked.exe"
    1⤵
    • Suspicious use of WriteProcessMemory
    PID:1036
    • C:\Users\Admin\AppData\Local\Temp\Rebel\RebelCracked.exe
      "C:\Users\Admin\AppData\Local\Temp\Rebel\RebelCracked.exe"
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:1280
      • C:\Users\Admin\AppData\Local\Temp\Rebel\RebelCracked.exe
        "C:\Users\Admin\AppData\Local\Temp\Rebel\RebelCracked.exe"
        3⤵
        • Suspicious use of WriteProcessMemory
        PID:1576
        • C:\Users\Admin\AppData\Local\Temp\Rebel\RebelCracked.exe
          "C:\Users\Admin\AppData\Local\Temp\Rebel\RebelCracked.exe"
          4⤵
          • Suspicious use of WriteProcessMemory
          PID:4980
          • C:\Users\Admin\AppData\Local\Temp\Rebel\RebelCracked.exe
            "C:\Users\Admin\AppData\Local\Temp\Rebel\RebelCracked.exe"
            5⤵
              PID:2228
              • C:\Users\Admin\AppData\Local\Temp\Rebel\RebelCracked.exe
                "C:\Users\Admin\AppData\Local\Temp\Rebel\RebelCracked.exe"
                6⤵
                  PID:548
                  • C:\Users\Admin\AppData\Local\Temp\Rebel\RebelCracked.exe
                    "C:\Users\Admin\AppData\Local\Temp\Rebel\RebelCracked.exe"
                    7⤵
                      PID:4960
                      • C:\Users\Admin\AppData\Local\Temp\Rebel\RebelCracked.exe
                        "C:\Users\Admin\AppData\Local\Temp\Rebel\RebelCracked.exe"
                        8⤵
                          PID:2040
                        • C:\Users\Admin\AppData\Local\Temp\RuntimeBroker.exe
                          "C:\Users\Admin\AppData\Local\Temp\RuntimeBroker.exe"
                          8⤵
                            PID:1768
                        • C:\Users\Admin\AppData\Local\Temp\RuntimeBroker.exe
                          "C:\Users\Admin\AppData\Local\Temp\RuntimeBroker.exe"
                          7⤵
                            PID:1920
                        • C:\Users\Admin\AppData\Local\Temp\RuntimeBroker.exe
                          "C:\Users\Admin\AppData\Local\Temp\RuntimeBroker.exe"
                          6⤵
                            PID:824
                        • C:\Users\Admin\AppData\Local\Temp\RuntimeBroker.exe
                          "C:\Users\Admin\AppData\Local\Temp\RuntimeBroker.exe"
                          5⤵
                          • Executes dropped EXE
                          • System Location Discovery: System Language Discovery
                          • Suspicious use of AdjustPrivilegeToken
                          PID:364
                      • C:\Users\Admin\AppData\Local\Temp\RuntimeBroker.exe
                        "C:\Users\Admin\AppData\Local\Temp\RuntimeBroker.exe"
                        4⤵
                        • Executes dropped EXE
                        • System Location Discovery: System Language Discovery
                        • Suspicious use of AdjustPrivilegeToken
                        PID:4188
                    • C:\Users\Admin\AppData\Local\Temp\RuntimeBroker.exe
                      "C:\Users\Admin\AppData\Local\Temp\RuntimeBroker.exe"
                      3⤵
                      • Executes dropped EXE
                      • System Location Discovery: System Language Discovery
                      • Suspicious use of AdjustPrivilegeToken
                      PID:1588
                  • C:\Users\Admin\AppData\Local\Temp\RuntimeBroker.exe
                    "C:\Users\Admin\AppData\Local\Temp\RuntimeBroker.exe"
                    2⤵
                    • Executes dropped EXE
                    • Drops desktop.ini file(s)
                    • System Location Discovery: System Language Discovery
                    • Suspicious behavior: EnumeratesProcesses
                    • Suspicious use of AdjustPrivilegeToken
                    PID:400

                Network

                MITRE ATT&CK Enterprise v15

                Replay Monitor

                Loading Replay Monitor...

                Downloads

                • C:\Users\Admin\AppData\Local\0d7fe3d5ec71cd87af3831504aa17ab5\Admin@NDKRNPGL_en-US\Browsers\Firefox\Bookmarks.txt
                  Filesize

                  105B

                  MD5

                  2e9d094dda5cdc3ce6519f75943a4ff4

                  SHA1

                  5d989b4ac8b699781681fe75ed9ef98191a5096c

                  SHA256

                  c84c98bbf5e0ef9c8d0708b5d60c5bb656b7d6be5135d7f7a8d25557e08cf142

                  SHA512

                  d1f7eed00959e902bdb2125b91721460d3ff99f3bdfc1f2a343d4f58e8d4e5e5a06c0c6cdc0379211c94510f7c00d7a8b34fa7d0ca0c3d54cbbe878f1e9812b7

                  Download Submit

                • C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\RebelCracked.exe.log
                  Filesize

                  654B

                  MD5

                  2cbbb74b7da1f720b48ed31085cbd5b8

                  SHA1

                  79caa9a3ea8abe1b9c4326c3633da64a5f724964

                  SHA256

                  e31b18f21621d9983bfdf1ea3e53884a9d58b8ffd79e0e5790da6f3a81a8b9d3

                  SHA512

                  ecf02d5240e0c1c005d3ab393aa7eff62bd498c2db5905157e2bf6d29e1b663228a9583950842629d1a4caef404c8941a0c7799b1a3bd1eb890a09fdb7efcff9

                  Download Submit

                • C:\Users\Admin\AppData\Local\Temp\RuntimeBroker.exe
                  Filesize

                  175KB

                  MD5

                  59d9f02a7c904f21a175944dbeed3b13

                  SHA1

                  aa718c47c9cf57d16b7d3f4d8743a739fc05123b

                  SHA256

                  b8d40aee28967859278556d66452e861691ce10f41a4ace97fe87265294f6524

                  SHA512

                  1ecb75b6e334d3d0695ac50561eaa1ef9e87e8aeb370e053ded4d17dfff825e4b3d33b17a3728b5bda9008a7b85b33aa48a79821d286c99ae2c767a76908b36e

                  Download Submit

                • C:\Users\Admin\AppData\Local\Temp\places.raw
                  Filesize

                  5.0MB

                  MD5

                  a3aee2c31a5d54a2923872a9889cdab0

                  SHA1

                  13b0fed6bd9907b3c7475b5b4f22d55167223f38

                  SHA256

                  cd13db3ff5c3bfc897a2031c3f2a913097364242bce6fb5b68b6190659a2acf5

                  SHA512

                  794bcd4ef5a3568b9abd1aa406cf430d500f14f9d55b0e0592a33cb677135e8ff31ad821d806af99f7d8d39912a7cc5eb55328c34841a66bf67a01028c892566

                  Download Submit

                • C:\Users\Admin\AppData\Local\Temp\tmpDAA1.tmp.dat
                  Filesize

                  114KB

                  MD5

                  b90a70d7e385373c8edebf0c3ff549f0

                  SHA1

                  cdf4fb34071fc79c144fbd3a4d4a58c703701841

                  SHA256

                  51e234c09098ea32dd1422ce8304a043ace2962e24528988df220cc4f5358191

                  SHA512

                  b7c2f2a46d624148629e306b7298b4ed6eb5742c79458f84c5d70dd8e9159fd72996556988156bf6649d00e90b98cd9311ae037733a14abd7adb3eed8327ac3e

                  Download Submit

                • C:\Users\Admin\AppData\Local\Temp\tmpDAA3.tmp.dat
                  Filesize

                  160KB

                  MD5

                  f310cf1ff562ae14449e0167a3e1fe46

                  SHA1

                  85c58afa9049467031c6c2b17f5c12ca73bb2788

                  SHA256

                  e187946249cd390a3c1cf5d4e3b0d8f554f9acdc416bf4e7111fff217bb08855

                  SHA512

                  1196371de08c964268c44103ccaed530bda6a145df98e0f480d8ee5ad58cb6fb33ca4c9195a52181fe864726dcf52e6a7a466d693af0cda43400a3a7ef125fad

                  Download Submit

                • C:\Users\Admin\AppData\Local\Temp\tmpDAB5.tmp.dat
                  Filesize

                  112KB

                  MD5

                  87210e9e528a4ddb09c6b671937c79c6

                  SHA1

                  3c75314714619f5b55e25769e0985d497f0062f2

                  SHA256

                  eeb23424586eb7bc62b51b19f1719c6571b71b167f4d63f25984b7f5c5436db1

                  SHA512

                  f8cb8098dc8d478854cddddeac3396bc7b602c4d0449491ecacea7b9106672f36b55b377c724dc6881bee407c6b6c5c3352495ed4b852dd578aa3643a43e37c0

                  Download Submit

                • C:\Users\Admin\AppData\Local\Temp\tmpE36C.tmp.dat
                  Filesize

                  40KB

                  MD5

                  a182561a527f929489bf4b8f74f65cd7

                  SHA1

                  8cd6866594759711ea1836e86a5b7ca64ee8911f

                  SHA256

                  42aad7886965428a941508b776a666a4450eb658cb90e80fae1e7457fc71f914

                  SHA512

                  9bc3bf5a82f6f057e873adebd5b7a4c64adef966537ab9c565fe7c4bb3582e2e485ff993d5ab8a6002363231958fabd0933b48811371b8c155eaa74592b66558

                  Download Submit

                • C:\Users\Admin\AppData\Local\Temp\tmpE372.tmp.dat
                  Filesize

                  46KB

                  MD5

                  14ccc9293153deacbb9a20ee8f6ff1b7

                  SHA1

                  46b4d7b004ff4f1f40ad9f107fe7c7e3abc9a9f3

                  SHA256

                  3195ce0f7aa2eae2b21c447f264e2bd4e1dc5208353ac72d964a750de9a83511

                  SHA512

                  916f2178be05dc329461d2739271972238b22052b5935883da31e6c98d2697bd2435c9f6a2d1fcafb4811a1d867c761055532669aac2ea1a3a78c346cdeba765

                  Download Submit

                • C:\Users\Admin\AppData\Local\Temp\tmpE373.tmp.dat
                  Filesize

                  20KB

                  MD5

                  22be08f683bcc01d7a9799bbd2c10041

                  SHA1

                  2efb6041cf3d6e67970135e592569c76fc4c41de

                  SHA256

                  451c2c0cf3b7cb412a05347c6e75ed8680f0d2e5f2ab0f64cc2436db9309a457

                  SHA512

                  0eef192b3d5abe5d2435acf54b42c729c3979e4ad0b73d36666521458043ee7df1e10386bef266d7df9c31db94fb2833152bb2798936cb2082715318ef05d936

                  Download Submit

                • C:\Users\Admin\AppData\Local\Temp\tmpE374.tmp.dat
                  Filesize

                  116KB

                  MD5

                  4e2922249bf476fb3067795f2fa5e794

                  SHA1

                  d2db6b2759d9e650ae031eb62247d457ccaa57d2

                  SHA256

                  c2c17166e7468877d1e80822f8a5f35a7700ac0b68f3b369a1f4154ae4f811e1

                  SHA512

                  8e5e12daf11f9f6e73fb30f563c8f2a64bbc7bb9deffe4969e23081ec1c4073cdf6c74e8dbcc65a271142083ad8312ec7d59505c90e718a5228d369f4240e1da

                  Download Submit

                • C:\Users\Admin\AppData\Local\Temp\tmpE384.tmp.dat
                  Filesize

                  96KB

                  MD5

                  40f3eb83cc9d4cdb0ad82bd5ff2fb824

                  SHA1

                  d6582ba879235049134fa9a351ca8f0f785d8835

                  SHA256

                  cdd772b00ae53d4050150552b67028b7344bb1d345bceb495151cc969c27a0a0

                  SHA512

                  cdd4dbf0b1ba73464cd7c5008dc05458862e5f608e336b53638a14965becd4781cdea595fd6bd18d0bf402dccffd719da292a6ce67d359527b4691dc6d6d4cc2

                  Download Submit

                • memory/400-185-0x000000007490E000-0x000000007490F000-memory.dmp

                  Filesize

                  4KB

                  Download

                • memory/400-26-0x0000000004F10000-0x0000000004F76000-memory.dmp

                  Filesize

                  408KB

                  Download

                • memory/400-19-0x0000000000080000-0x00000000000B2000-memory.dmp

                  Filesize

                  200KB

                  Download

                • memory/400-17-0x000000007490E000-0x000000007490F000-memory.dmp

                  Filesize

                  4KB

                  Download

                • memory/548-205-0x000000001B3A0000-0x000000001B553000-memory.dmp

                  Filesize

                  1.7MB

                  Download

                • memory/1036-18-0x00007FFB86040000-0x00007FFB86B02000-memory.dmp

                  Filesize

                  10.8MB

                  Download

                • memory/1036-0-0x00007FFB86043000-0x00007FFB86045000-memory.dmp

                  Filesize

                  8KB

                  Download

                • memory/1036-15-0x000000001B620000-0x000000001B7D3000-memory.dmp

                  Filesize

                  1.7MB

                  Download

                • memory/1036-2-0x00007FFB86040000-0x00007FFB86B02000-memory.dmp

                  Filesize

                  10.8MB

                  Download

                • memory/1036-1-0x0000000000A00000-0x0000000000A2C000-memory.dmp

                  Filesize

                  176KB

                  Download

                • memory/1280-23-0x00007FFB86040000-0x00007FFB86B02000-memory.dmp

                  Filesize

                  10.8MB

                  Download

                • memory/1280-22-0x000000001B6D0000-0x000000001B883000-memory.dmp

                  Filesize

                  1.7MB

                  Download

                • memory/1280-16-0x00007FFB86040000-0x00007FFB86B02000-memory.dmp

                  Filesize

                  10.8MB

                  Download

                • memory/1576-25-0x000000001B5A0000-0x000000001B753000-memory.dmp

                  Filesize

                  1.7MB

                  Download

                • memory/2228-98-0x000000001B4F0000-0x000000001B6A3000-memory.dmp

                  Filesize

                  1.7MB

                  Download

                • memory/4960-335-0x000000001B1B0000-0x000000001B363000-memory.dmp

                  Filesize

                  1.7MB

                  Download

                • memory/4980-28-0x000000001BA00000-0x000000001BBB3000-memory.dmp

                  Filesize

                  1.7MB

                  Download