498df8057ccd98b0cc7b47fb53276fb2cf040d5f745c6138d4b574df620e7ce2

Analysis

max time kernel
123s
max time network
144s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
07/09/2024, 13:20

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

Thanks For Purchase/S-400 [EXTRACT]/S-400 RAT v3.0.exe
Size

10.7MB
MD5

a39a575da05f3dddeda3508b992f41ee
SHA1

1cfb7c32b81d22d6bded1bcfe07e6b86769df7f0
SHA256

69d72335bc69e00572e589826b8b8bcce4596df75c6f8ceae6f1c6745af3ef95
SHA512

2bae0dcbeb9f28c2f20ad5e5103eaf4d6824d4a7f33f59e57f9ac151c898089f919c6e5ef980a56d4025ee32812ce985be0b3d7799ca72f1851caffae749683a
SSDEEP

98304:/WZ2Pm4Jyohom4JyP0H0ouruYXn6bX2gso4TQqW0KRXdLbnm4Jy:/Wkv/hivDpbXxCQqWlPX

Score

10^/10

agilenet discovery

Malware Config

Signatures

Contains code to disable Windows Defender 1 IoCs

A .NET executable tasked with disabling Windows Defender capabilities such as realtime monitoring, blocking at first seen, etc.

resource	yara_rule
behavioral2/memory/1280-1-0x0000000000880000-0x0000000001340000-memory.dmp	disable_win_def

Loads dropped DLL 1 IoCs

pid	Process
1280	S-400 RAT v3.0.exe

Obfuscated with Agile.Net obfuscator 1 IoCs

Detects use of the Agile.Net commercial obfuscator, which is capable of entity renaming and control flow obfuscation.

agilenet

resource	yara_rule
behavioral2/memory/1280-8-0x0000000006940000-0x0000000006B32000-memory.dmp	agile_net

System Location Discovery: System Language Discovery 1 TTPs 1 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	S-400 RAT v3.0.exe

Suspicious use of SetWindowsHookEx 2 IoCs

pid	Process
1280	S-400 RAT v3.0.exe
1280	S-400 RAT v3.0.exe

C:\Users\Admin\AppData\Local\Temp\Thanks For Purchase\S-400 [EXTRACT]\S-400 RAT v3.0.exe
"C:\Users\Admin\AppData\Local\Temp\Thanks For Purchase\S-400 [EXTRACT]\S-400 RAT v3.0.exe"
1⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx
PID:1280

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --field-trial-handle=4252,i,11251706013556949551,5157034131170452377,262144 --variations-seed-version --mojo-platform-channel-handle=4352 /prefetch:8
1⤵
PID:2016

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\dcfb00f9-5ae7-4197-ba59-e48107e40d35\GunaDotNetRT.dll

Filesize
136KB

MD5
9af5eb006bb0bab7f226272d82c896c7

SHA1
c2a5bb42a5f08f4dc821be374b700652262308f0

SHA256
77dc05a6bda90757f66552ee3f469b09f1e00732b4edca0f542872fb591ed9db

SHA512
7badd41be4c1039302fda9bba19d374ec9446ce24b7db33b66bee4ef38180d1abcd666d2aea468e7e452aa1e1565eedfefed582bf1c2fe477a4171d99d48772a

Download Submit
memory/1280-8-0x0000000006940000-0x0000000006B32000-memory.dmp

Filesize
1.9MB

Download
memory/1280-16-0x0000000073CE0000-0x0000000073D69000-memory.dmp

Filesize
548KB

Download
memory/1280-3-0x0000000006390000-0x0000000006934000-memory.dmp

Filesize
5.6MB

Download
memory/1280-4-0x0000000005E80000-0x0000000005F12000-memory.dmp

Filesize
584KB

Download
memory/1280-5-0x0000000005DF0000-0x0000000005DFA000-memory.dmp

Filesize
40KB

Download
memory/1280-6-0x0000000005F20000-0x0000000005F76000-memory.dmp

Filesize
344KB

Download
memory/1280-7-0x0000000075330000-0x0000000075AE0000-memory.dmp

Filesize
7.7MB

Download
memory/1280-0-0x000000007533E000-0x000000007533F000-memory.dmp

Filesize
4KB

Download
memory/1280-2-0x0000000005CE0000-0x0000000005D7C000-memory.dmp

Filesize
624KB

Download
memory/1280-17-0x0000000071A50000-0x0000000071A87000-memory.dmp

Filesize
220KB

Download
memory/1280-1-0x0000000000880000-0x0000000001340000-memory.dmp

Filesize
10.8MB

Download
memory/1280-18-0x0000000075330000-0x0000000075AE0000-memory.dmp

Filesize
7.7MB

Download
memory/1280-19-0x0000000075330000-0x0000000075AE0000-memory.dmp

Filesize
7.7MB

Download
memory/1280-20-0x0000000075330000-0x0000000075AE0000-memory.dmp

Filesize
7.7MB

Download
memory/1280-21-0x000000007533E000-0x000000007533F000-memory.dmp

Filesize
4KB

Download
memory/1280-22-0x0000000075330000-0x0000000075AE0000-memory.dmp

Filesize
7.7MB

Download
memory/1280-23-0x0000000071A50000-0x0000000071A87000-memory.dmp

Filesize
220KB

Download