Overview

overview

10

Static

static

10

SkibidiRat...oG.dll

windows11-21h2-x64

1

SkibidiRat...Pn.exe

windows11-21h2-x64

10

SkibidiRat...LC.dll

windows11-21h2-x64

1

SkibidiRat...wp.dll

windows11-21h2-x64

1

SkibidiRat...uZ.dll

windows11-21h2-x64

1

SkibidiRat...WP.dll

windows11-21h2-x64

1

SkibidiRat...Hs.dll

windows11-21h2-x64

1

SkibidiRat...TS.dll

windows11-21h2-x64

1

SkibidiRat...xj.dll

windows11-21h2-x64

1

SkibidiRat...Ya.dll

windows11-21h2-x64

1

SkibidiRat...GA.dll

windows11-21h2-x64

1

SkibidiRat...EC.dll

windows11-21h2-x64

1

SkibidiRat...zK.dll

windows11-21h2-x64

1

SkibidiRat...2P.dll

windows11-21h2-x64

1

SkibidiRat...LS.dll

windows11-21h2-x64

1

SkibidiRat...ub.exe

windows11-21h2-x64

10

SkibidiRat...at.exe

windows11-21h2-x64

10

Analysis

  • max time kernel
    1799s
  • max time network
    1797s
  • platform
    windows11-21h2_x64
  • resource
    win11-20241007-en
  • resource tags

    arch:x64arch:x86image:win11-20241007-enlocale:en-usos:windows11-21h2-x64system
  • submitted
    12-10-2024 12:55

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    SkibidiRat/skibidirat.exe

  • Size

    16.4MB

  • MD5

    266764b1328dfba596ec0fbf5feca39a

  • SHA1

    099c1d1750238b9e6ab0979c9cff8493c4f3c373

  • SHA256

    300838a1445ba35fcf31f65018293d8cb9a7bfe0c4859b26205c09be3a7b3b3d

  • SHA512

    f6f69498be690023553f4aabba26f27a0cdf3c68f405ffc76637eb6c933c1061bb92c40934276cb7751f6061de515e4f8ded12fef1c93a533dbbfb1c395ceea8

  • SSDEEP

    196608:EVCpPOu8P5G2eee0yMRs4vkmXaU7aIObk9fcdHJDLscmZk36zOAE2A1cZF7sL9YR:2kr0TaZ1LmZ+F1cby9YN/X

Score
10/10
asyncratdefaultrat

Malware Config

Extracted

Family

asyncrat

Botnet

Default

C2

natural-familiar.gl.at.ply.gg:65030

127.0.0.1:3232

aarattunnel.ddns.net:3232
Attributes
  • delay

    1

  • install

    true

  • install_file

    search.exe

  • install_folder

    %AppData%

aes.plain
aes.plain
aes.plain

Signatures

  • AsyncRat

    AsyncRAT is designed to remotely monitor and control other computers written in C#.

    ratasyncrat
  • Contains code to disable Windows Defender 1 IoCs

    A .NET executable tasked with disabling Windows Defender capabilities such as realtime monitoring, blocking at first seen, etc.

  • Async RAT payload 3 IoCs
    rat
  • Executes dropped EXE 8 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Delays execution with timeout.exe 3 IoCs
    evasion
  • Modifies registry class 64 IoCs
  • Scheduled Task/Job: Scheduled Task 1 TTPs 3 IoCs

    Schtasks is often used by malware for persistence or to perform post-infection execution.

    persistenceexecution
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious behavior: GetForegroundWindowSpam 3 IoCs
  • Suspicious use of AdjustPrivilegeToken 11 IoCs
  • Suspicious use of FindShellTrayWindow 3 IoCs
  • Suspicious use of SendNotifyMessage 3 IoCs
  • Suspicious use of SetWindowsHookEx 4 IoCs
  • Suspicious use of WriteProcessMemory 32 IoCs
  • Uses Task Scheduler COM API 1 TTPs

    The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.

    persistence

Processes

  • C:\Users\Admin\AppData\Local\Temp\SkibidiRat\skibidirat.exe
    "C:\Users\Admin\AppData\Local\Temp\SkibidiRat\skibidirat.exe"
    1⤵
    • Modifies registry class
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious behavior: GetForegroundWindowSpam
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of FindShellTrayWindow
    • Suspicious use of SendNotifyMessage
    • Suspicious use of SetWindowsHookEx
    • Suspicious use of WriteProcessMemory
    PID:4976
    • C:\Users\Admin\AppData\Local\Temp\temp.exe
      "C:\Users\Admin\AppData\Local\Temp\temp.exe"
      2⤵
      • Executes dropped EXE
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:4428
      • C:\Windows\System32\cmd.exe
        "C:\Windows\System32\cmd.exe" /c schtasks /create /f /sc onlogon /rl highest /tn "search" /tr '"C:\Users\Admin\AppData\Roaming\search.exe"' & exit
        3⤵
        • Suspicious use of WriteProcessMemory
        PID:3340
        • C:\Windows\system32\schtasks.exe
          schtasks /create /f /sc onlogon /rl highest /tn "search" /tr '"C:\Users\Admin\AppData\Roaming\search.exe"'
          4⤵
          • Scheduled Task/Job: Scheduled Task
          PID:1140
      • C:\Windows\system32\cmd.exe
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\tmp92BA.tmp.bat""
        3⤵
        • Suspicious use of WriteProcessMemory
        PID:4548
        • C:\Windows\system32\timeout.exe
          timeout 3
          4⤵
          • Delays execution with timeout.exe
          PID:440
        • C:\Users\Admin\AppData\Roaming\search.exe
          "C:\Users\Admin\AppData\Roaming\search.exe"
          4⤵
          • Executes dropped EXE
          • Suspicious use of AdjustPrivilegeToken
          PID:4980
  • C:\Windows\system32\wbem\WmiApSrv.exe
    C:\Windows\system32\wbem\WmiApSrv.exe
    1⤵
      PID:1144
    • C:\Windows\System32\rundll32.exe
      C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
      1⤵
        PID:1104
      • C:\Users\Admin\AppData\Local\Temp\SkibidiRat\Infected.exe
        "C:\Users\Admin\AppData\Local\Temp\SkibidiRat\Infected.exe"
        1⤵
        • Executes dropped EXE
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        • Suspicious use of WriteProcessMemory
        PID:2412
        • C:\Windows\System32\cmd.exe
          "C:\Windows\System32\cmd.exe" /c schtasks /create /f /sc onlogon /rl highest /tn "asdioasd" /tr '"C:\Users\Admin\AppData\Roaming\asdioasd.exe"' & exit
          2⤵
          • Suspicious use of WriteProcessMemory
          PID:1116
          • C:\Windows\system32\schtasks.exe
            schtasks /create /f /sc onlogon /rl highest /tn "asdioasd" /tr '"C:\Users\Admin\AppData\Roaming\asdioasd.exe"'
            3⤵
            • Scheduled Task/Job: Scheduled Task
            PID:1364
        • C:\Windows\system32\cmd.exe
          C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\tmp7B22.tmp.bat""
          2⤵
          • Suspicious use of WriteProcessMemory
          PID:4436
          • C:\Windows\system32\timeout.exe
            timeout 3
            3⤵
            • Delays execution with timeout.exe
            PID:3868
          • C:\Users\Admin\AppData\Roaming\asdioasd.exe
            "C:\Users\Admin\AppData\Roaming\asdioasd.exe"
            3⤵
            • Executes dropped EXE
            • Suspicious behavior: GetForegroundWindowSpam
            • Suspicious use of AdjustPrivilegeToken
            PID:2356
      • C:\Users\Admin\AppData\Local\Temp\SkibidiRat\Infected.exe
        "C:\Users\Admin\AppData\Local\Temp\SkibidiRat\Infected.exe"
        1⤵
        • Executes dropped EXE
        • Suspicious use of AdjustPrivilegeToken
        PID:1212
      • C:\Users\Admin\AppData\Local\Temp\SkibidiRat\Infected.exe
        "C:\Users\Admin\AppData\Local\Temp\SkibidiRat\Infected.exe"
        1⤵
        • Executes dropped EXE
        • Suspicious use of AdjustPrivilegeToken
        • Suspicious use of WriteProcessMemory
        PID:920
        • C:\Windows\System32\cmd.exe
          "C:\Windows\System32\cmd.exe" /c schtasks /create /f /sc onlogon /rl highest /tn "huihih" /tr '"C:\Users\Admin\AppData\Roaming\huihih.exe"' & exit
          2⤵
          • Suspicious use of WriteProcessMemory
          PID:2324
          • C:\Windows\system32\schtasks.exe
            schtasks /create /f /sc onlogon /rl highest /tn "huihih" /tr '"C:\Users\Admin\AppData\Roaming\huihih.exe"'
            3⤵
            • Scheduled Task/Job: Scheduled Task
            PID:4956
        • C:\Windows\system32\cmd.exe
          C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\tmpB4EA.tmp.bat""
          2⤵
          • Suspicious use of WriteProcessMemory
          PID:4520
          • C:\Windows\system32\timeout.exe
            timeout 3
            3⤵
            • Delays execution with timeout.exe
            PID:4796
          • C:\Users\Admin\AppData\Roaming\huihih.exe
            "C:\Users\Admin\AppData\Roaming\huihih.exe"
            3⤵
            • Executes dropped EXE
            • Suspicious behavior: GetForegroundWindowSpam
            • Suspicious use of AdjustPrivilegeToken
            PID:276
      • C:\Users\Admin\AppData\Local\Temp\SkibidiRat\Infected.exe
        "C:\Users\Admin\AppData\Local\Temp\SkibidiRat\Infected.exe"
        1⤵
        • Executes dropped EXE
        • Suspicious use of AdjustPrivilegeToken
        PID:2812

      Network

      MITRE ATT&CK Enterprise v15

      Replay Monitor

      Loading Replay Monitor...

      Downloads

      • C:\Users\Admin\AppData\Local\Anarchy\skibidirat.exe_Url_2eujpca0gj1hli3mcl0kgogdbadulxpx\4.1.0.0\user.config
        Filesize

        798B

        MD5

        9be12fb415d926db357e5a00d60d9f98

        SHA1

        7aac0ae0370a42000ad5d3988589374cfd0ab9ff

        SHA256

        3c448414183edff0e916e826faf32e31b6cfad05e65a209780d94a330985e9e5

        SHA512

        a83087a964ccb74f7c48d17ae4200b99afe836109de838625f560941961772ee4f812fccde2a6f339e71975ff0806a871801a54db233055b3c38df550037ca5b

        Download Submit

      • C:\Users\Admin\AppData\Local\Anarchy\skibidirat.exe_Url_2eujpca0gj1hli3mcl0kgogdbadulxpx\4.1.0.0\user.config
        Filesize

        939B

        MD5

        e01e6287c1462911fa4e6ec6b80b1481

        SHA1

        b93e98cb7f161c9dd2fdfad3aa10de6cdbf63e3f

        SHA256

        8bccaddc6e88b7fd7d0dabf6f51e6cf4d36f1c31655a5740b2d4e5324bcf019e

        SHA512

        6b4d2c9de9d8ea4ee5fc15a8232c9eb73abe97be7169e9b04fb17066ab167d193d0c306328d47cf6885fa173f1937ffd2379e1e2be4a29a69fab123e4e119da0

        Download Submit

      • C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\Infected.exe.log
        Filesize

        425B

        MD5

        de75c43a265d0848584ae05945570edf

        SHA1

        69f95177914f8d8b2f278a91f585a0024b8dffd3

        SHA256

        d9bdf6a2bfdd9b2b5c8593de17ade3d8d317dad331aa6ca0da7483dd06db1140

        SHA512

        365f29c693dd7aa2ade092d765a96f20bf1f7fa93bca7f3b25aeddf5700817b9fd388e8f7d9f1b781c8a876739b06ad16d61e7ed08a1c85ac4be4686a38c63bc

        Download Submit

      • C:\Users\Admin\AppData\Local\Temp\SkibidiRat\Infected.exe
        Filesize

        63KB

        MD5

        733c644847fd0363367c3a2cbd27327c

        SHA1

        8590e759b489da0be85403546a2f2415d80b0285

        SHA256

        e0486c3d325289c3f5ee0b6d66ad52369279cbc2f6fe1e196cb4a9c8e0c068b4

        SHA512

        12ddcf3059403dc9dd9059997762a69aafeafa81250b301ece1a806447bdfcc1ff2177063fda5d832e64003e5bbd6b83e56ac881c91a6c3e681d02ad766c4af8

        Download Submit

      • C:\Users\Admin\AppData\Local\Temp\SkibidiRat\Infected.exe
        Filesize

        63KB

        MD5

        cde69abf291c5ee60da502ffd39d78bf

        SHA1

        5b4263d4c9b145250e7c295eeeffb153148a8404

        SHA256

        f458978ab39f8ec4e67b7a9af1723bfe265e4aaa5e36b964dde4f4f79dae3fd4

        SHA512

        a99ef3b331a73db94c084573dcd199e202edbf4a0d5ba48d58fda901c0e7bef42f3f77bc574c6ca4979a7f71993fd3384b169cb2de2da7904e90c3f94d5133b0

        Download Submit

      • C:\Users\Admin\AppData\Local\Temp\temp.exe
        Filesize

        63KB

        MD5

        4a3d7bd2084b48024bf8f459b10aa913

        SHA1

        ed47940c8e00f846e0656bd95ca14ddd8d157ba0

        SHA256

        7c15fa68e1ae83f81c98a2c616753777ccd720a8a2a1adda490e08be9369a3c8

        SHA512

        94e00110aa23f713e099039b027d01e7ea1c5521b4f9b6563cebf537eafb226a3aa840d7f3f4ec08872ec098bd57567c3fd8c3694ea62468139ae84ee5cc5b35

        Download Submit

      • C:\Users\Admin\AppData\Local\Temp\tmp7B22.tmp.bat
        Filesize

        152B

        MD5

        84cd2b962a17ecae65ec03e991c4cc14

        SHA1

        338ed5605c96b2e3a8f777c2d17b9bd68d8cf6d6

        SHA256

        b42764608a28991d7579492bc2485abbb6e8243e41e68af92b2664f723cea52a

        SHA512

        894e67aa2d50a80e2a88fdbafb2d72d618a6967d8b10a1d9bb119959b992bf150bf30c16cf320fa9a421e0d8b3b22eca96413ff21d001bfa06507619d008d71f

        Download Submit

      • C:\Users\Admin\AppData\Local\Temp\tmp92BA.tmp.bat
        Filesize

        150B

        MD5

        e9e4c32d47148f183ad792601bf725bb

        SHA1

        c987e2fad8353184ea00a75dfa4b2b6434827629

        SHA256

        602cb6ebc803ef5540ece6e1e3220eb3ec029e6219b9c457762673204d62d745

        SHA512

        05c91639b3bbec99806f00fc0ee779848b70abc365685a8a48ff9574a4daad56101b6f8af1738849f7f6ce9dbd5bf612b6d5eea6ba4cabb2d0f3891749155e8f

        Download Submit

      • C:\Users\Admin\AppData\Local\Temp\tmpB4EA.tmp.bat
        Filesize

        150B

        MD5

        aba4e334a2498b98df333a01c2679599

        SHA1

        0447b4cf483ef156a1589dac15770ae91f58f786

        SHA256

        39a3b060c8bd27f188927f63329099917def47bd855c3b1c773f14c28f1edd2d

        SHA512

        a5d65605cd93521840e425d16d8de2b685e86407a1c73d944b32fd5f606944b76eb15ace7c33ace133114fee6b3fa1da71f7b01a91373b8f3e0d2246dee259d2

        Download Submit

      • memory/920-95-0x0000000000380000-0x0000000000396000-memory.dmp

        Filesize

        88KB

        Download

      • memory/2412-64-0x0000000000710000-0x0000000000726000-memory.dmp

        Filesize

        88KB

        Download

      • memory/4428-20-0x00007FFDFC230000-0x00007FFDFCCF2000-memory.dmp

        Filesize

        10.8MB

        Download

      • memory/4428-15-0x00007FFDFC230000-0x00007FFDFCCF2000-memory.dmp

        Filesize

        10.8MB

        Download

      • memory/4428-12-0x00007FFDFC230000-0x00007FFDFCCF2000-memory.dmp

        Filesize

        10.8MB

        Download

      • memory/4428-6-0x00000000009F0000-0x0000000000A06000-memory.dmp

        Filesize

        88KB

        Download

      • memory/4428-14-0x00007FFDFC230000-0x00007FFDFCCF2000-memory.dmp

        Filesize

        10.8MB

        Download

      • memory/4976-10-0x0000020321B70000-0x0000020321CBE000-memory.dmp

        Filesize

        1.3MB

        Download

      • memory/4976-29-0x00007FFDFC230000-0x00007FFDFCCF2000-memory.dmp

        Filesize

        10.8MB

        Download

      • memory/4976-32-0x00007FFDFC230000-0x00007FFDFCCF2000-memory.dmp

        Filesize

        10.8MB

        Download

      • memory/4976-36-0x0000020B26C00000-0x0000020B26D1E000-memory.dmp

        Filesize

        1.1MB

        Download

      • memory/4976-26-0x00007FFDFC233000-0x00007FFDFC235000-memory.dmp

        Filesize

        8KB

        Download

      • memory/4976-9-0x0000020321850000-0x0000020321A44000-memory.dmp

        Filesize

        2.0MB

        Download

      • memory/4976-8-0x00007FFDFC230000-0x00007FFDFCCF2000-memory.dmp

        Filesize

        10.8MB

        Download

      • memory/4976-25-0x00000203254C0000-0x0000020325AA8000-memory.dmp

        Filesize

        5.9MB

        Download

      • memory/4976-7-0x0000020321600000-0x0000020321852000-memory.dmp

        Filesize

        2.3MB

        Download

      • memory/4976-0-0x00007FFDFC233000-0x00007FFDFC235000-memory.dmp

        Filesize

        8KB

        Download

      • memory/4976-1-0x0000020305E70000-0x0000020306ED6000-memory.dmp

        Filesize

        16.4MB

        Download

      • memory/4976-13-0x00007FFDFC230000-0x00007FFDFCCF2000-memory.dmp

        Filesize

        10.8MB

        Download

      • memory/4976-11-0x0000020307350000-0x0000020307364000-memory.dmp

        Filesize

        80KB

        Download