Overview

overview

10

Static

static

10

Plugins/0g...oG.dll

windows11-21h2-x64

1

Plugins/59...uJ.dll

windows11-21h2-x64

1

Plugins/9O...Pn.exe

windows11-21h2-x64

10

Plugins/EV...LC.dll

windows11-21h2-x64

1

Plugins/FBSyChwp.dll

windows11-21h2-x64

1

Plugins/G3...uZ.dll

windows11-21h2-x64

1

Plugins/K8...WP.dll

windows11-21h2-x64

1

Plugins/KN...Hs.dll

windows11-21h2-x64

1

Plugins/PK...TS.dll

windows11-21h2-x64

1

Plugins/Recovery.dll

windows11-21h2-x64

1

Plugins/Rs...xj.dll

windows11-21h2-x64

1

Plugins/Wk...pi.dll

windows11-21h2-x64

1

Plugins/fzAgyDYa.dll

windows11-21h2-x64

1

Plugins/mM...GA.dll

windows11-21h2-x64

1

Plugins/ma...EC.dll

windows11-21h2-x64

1

Plugins/oYsKwDG.dll

windows11-21h2-x64

1

Plugins/sJ...zK.dll

windows11-21h2-x64

1

Plugins/yL...2P.dll

windows11-21h2-x64

1

Plugins/zV...LS.dll

windows11-21h2-x64

1

Stub/Stub.exe

windows11-21h2-x64

10

skibidirat.exe

windows11-21h2-x64

10

Resubmissions

16-11-2024 13:28

241116-qq11yaxejd 10

16-11-2024 13:22

241116-ql9ghs1mcj 10

Analysis

  • max time kernel
    150s
  • max time network
    158s
  • platform
    windows11-21h2_x64
  • resource
    win11-20241007-en
  • resource tags

    arch:x64arch:x86image:win11-20241007-enlocale:en-usos:windows11-21h2-x64system
  • submitted
    16-11-2024 13:22

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    skibidirat.exe

  • Size

    16.4MB

  • MD5

    266764b1328dfba596ec0fbf5feca39a

  • SHA1

    099c1d1750238b9e6ab0979c9cff8493c4f3c373

  • SHA256

    300838a1445ba35fcf31f65018293d8cb9a7bfe0c4859b26205c09be3a7b3b3d

  • SHA512

    f6f69498be690023553f4aabba26f27a0cdf3c68f405ffc76637eb6c933c1061bb92c40934276cb7751f6061de515e4f8ded12fef1c93a533dbbfb1c395ceea8

  • SSDEEP

    196608:EVCpPOu8P5G2eee0yMRs4vkmXaU7aIObk9fcdHJDLscmZk36zOAE2A1cZF7sL9YR:2kr0TaZ1LmZ+F1cby9YN/X

Score
10/10
asyncratdefaultrat

Malware Config

Extracted

Family

asyncrat

Botnet

Default

C2

natural-familiar.gl.at.ply.gg:65030

127.0.0.1:3232
Attributes
  • delay

    1

  • install

    true

  • install_file

    search.exe

  • install_folder

    %AppData%

aes.plain
aes.plain

Signatures

  • AsyncRat

    AsyncRAT is designed to remotely monitor and control other computers written in C#.

    ratasyncrat
  • Asyncrat family
    asyncrat
  • Contains code to disable Windows Defender 1 IoCs

    A .NET executable tasked with disabling Windows Defender capabilities such as realtime monitoring, blocking at first seen, etc.

  • Async RAT payload 2 IoCs
    rat
  • Executes dropped EXE 3 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Delays execution with timeout.exe 1 IoCs
    evasion
  • Modifies Internet Explorer settings 1 TTPs 1 IoCs
    adwarespyware
  • Modifies registry class 64 IoCs
  • Scheduled Task/Job: Scheduled Task 1 TTPs 1 IoCs

    Schtasks is often used by malware for persistence or to perform post-infection execution.

    persistenceexecution
  • Suspicious behavior: EnumeratesProcesses 47 IoCs
  • Suspicious behavior: GetForegroundWindowSpam 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 6 IoCs
  • Suspicious use of FindShellTrayWindow 1 IoCs
  • Suspicious use of SendNotifyMessage 1 IoCs
  • Suspicious use of SetWindowsHookEx 2 IoCs
  • Suspicious use of WriteProcessMemory 12 IoCs
  • Uses Task Scheduler COM API 1 TTPs

    The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.

    persistence

Processes

  • C:\Users\Admin\AppData\Local\Temp\skibidirat.exe
    "C:\Users\Admin\AppData\Local\Temp\skibidirat.exe"
    1⤵
    • Modifies Internet Explorer settings
    • Modifies registry class
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious behavior: GetForegroundWindowSpam
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of FindShellTrayWindow
    • Suspicious use of SendNotifyMessage
    • Suspicious use of SetWindowsHookEx
    • Suspicious use of WriteProcessMemory
    PID:4516
    • C:\Users\Admin\AppData\Local\Temp\temp.exe
      "C:\Users\Admin\AppData\Local\Temp\temp.exe"
      2⤵
      • Executes dropped EXE
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:4872
      • C:\Windows\System32\cmd.exe
        "C:\Windows\System32\cmd.exe" /c schtasks /create /f /sc onlogon /rl highest /tn "search" /tr '"C:\Users\Admin\AppData\Roaming\search.exe"' & exit
        3⤵
        • Suspicious use of WriteProcessMemory
        PID:1808
        • C:\Windows\system32\schtasks.exe
          schtasks /create /f /sc onlogon /rl highest /tn "search" /tr '"C:\Users\Admin\AppData\Roaming\search.exe"'
          4⤵
          • Scheduled Task/Job: Scheduled Task
          PID:2240
      • C:\Windows\system32\cmd.exe
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\tmpB815.tmp.bat""
        3⤵
        • Suspicious use of WriteProcessMemory
        PID:4996
        • C:\Windows\system32\timeout.exe
          timeout 3
          4⤵
          • Delays execution with timeout.exe
          PID:5036
        • C:\Users\Admin\AppData\Roaming\search.exe
          "C:\Users\Admin\AppData\Roaming\search.exe"
          4⤵
          • Executes dropped EXE
          • Suspicious use of AdjustPrivilegeToken
          PID:4584
  • C:\Windows\system32\wbem\WmiApSrv.exe
    C:\Windows\system32\wbem\WmiApSrv.exe
    1⤵
      PID:2256
    • C:\Windows\system32\BackgroundTransferHost.exe
      "BackgroundTransferHost.exe" -ServerName:BackgroundTransferHost.13
      1⤵
      • Modifies registry class
      PID:3648
    • C:\Users\Admin\Desktop\Infected.exe
      "C:\Users\Admin\Desktop\Infected.exe"
      1⤵
      • Executes dropped EXE
      • Suspicious use of AdjustPrivilegeToken
      PID:2176

    Network

    MITRE ATT&CK Enterprise v15

    Replay Monitor

    Loading Replay Monitor...

    Downloads

    • C:\Users\Admin\AppData\Local\Anarchy\skibidirat.exe_Url_xswob2gwsyzgejwy1kb5bvc404ua5ntv\4.1.0.0\user.config
      Filesize

      798B

      MD5

      9be12fb415d926db357e5a00d60d9f98

      SHA1

      7aac0ae0370a42000ad5d3988589374cfd0ab9ff

      SHA256

      3c448414183edff0e916e826faf32e31b6cfad05e65a209780d94a330985e9e5

      SHA512

      a83087a964ccb74f7c48d17ae4200b99afe836109de838625f560941961772ee4f812fccde2a6f339e71975ff0806a871801a54db233055b3c38df550037ca5b

      Download Submit

    • C:\Users\Admin\AppData\Local\Anarchy\skibidirat.exe_Url_xswob2gwsyzgejwy1kb5bvc404ua5ntv\4.1.0.0\user.config
      Filesize

      918B

      MD5

      3b67bc965e46806e8ef14932330c8ab6

      SHA1

      e7cda232b7a7a348cc57f6c011c22015a707138e

      SHA256

      086a73859bc061c1a7e1d0d73b71a7654092563a5657f153c839dab87c9f76c4

      SHA512

      0fd4fcd8aa284e108ae3e588333424de76a40b5760a5e8d4b3c2e5e33b4fd29ebcc602c5fe0117999f3ddc034169332312156659d92a1c67653987dd085abf10

      Download Submit

    • C:\Users\Admin\AppData\Local\Microsoft\Windows\Explorer\iconcache_idx.db
      Filesize

      14KB

      MD5

      e33503f9119952cabcb2dae4e949f96c

      SHA1

      7b258ebba71e5d3bb6c7460486de6c0bde0b09a7

      SHA256

      aac1e6c7e5aa88604226d8429415130d753164afa55916dce03ad94fbd6ed411

      SHA512

      6c91e3d642576c26a737550c95757a69e6914bdf499477497e8cd52cb06f8110a85fc94003d2e7bdfaea7095c309d5e36cff135f36cce4f9952b115144b6c898

      Download Submit

    • C:\Users\Admin\AppData\Local\Packages\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\AC\BackgroundTransferApi\538b7b71-8657-4492-8b64-8f7eddd5a3a0.down_data
      Filesize

      555KB

      MD5

      5683c0028832cae4ef93ca39c8ac5029

      SHA1

      248755e4e1db552e0b6f8651b04ca6d1b31a86fb

      SHA256

      855abd360d8a8d6974eba92b70cbd09ce519bc8773439993f9ab37cb6847309e

      SHA512

      aba434bd29be191c823b02ea9b639beb10647bbe7759bbffdaa790dfb1ec2c58d74c525ef11aacda209e4effe322d1d3a07b115446c8914b07a3bce4d8a0e2c3

      Download Submit

    • C:\Users\Admin\AppData\Local\Temp\Usrs.p12
      Filesize

      1KB

      MD5

      0a8e9d75df4dc9a5900eb20e6f5d2fe9

      SHA1

      f849df3416314682f4ce5f573269f57a29c30307

      SHA256

      f9f9e74c46ee66d49ab03e550b8f8aa014282d05e4cf9d20600736b29879db9d

      SHA512

      bf1832fc0079cedd2d1c99697272b6e68827efd6d99dc9c775c0e8ad36039ed43f37dd3b56950b9d133c4daf05a8b124a83347f1bfcc021218445726ab936dcc

      Download Submit

    • C:\Users\Admin\AppData\Local\Temp\temp.exe
      Filesize

      63KB

      MD5

      4a3d7bd2084b48024bf8f459b10aa913

      SHA1

      ed47940c8e00f846e0656bd95ca14ddd8d157ba0

      SHA256

      7c15fa68e1ae83f81c98a2c616753777ccd720a8a2a1adda490e08be9369a3c8

      SHA512

      94e00110aa23f713e099039b027d01e7ea1c5521b4f9b6563cebf537eafb226a3aa840d7f3f4ec08872ec098bd57567c3fd8c3694ea62468139ae84ee5cc5b35

      Download Submit

    • C:\Users\Admin\AppData\Local\Temp\tmpB815.tmp.bat
      Filesize

      150B

      MD5

      9dbb2f8b866ad418d96b9ae62d8103a3

      SHA1

      8ae258e23c5c7c24d2f9a54f0dbf06f455a19773

      SHA256

      d56b1fd640c06206f1697ffe09a1ad9e5e8b9d62235f830c97553140d0def975

      SHA512

      af15c80a2d2d0219dd8c9c14c8492777723e362ec0b2f492658d30beda12833d94c3cf0859f8f34c6f051edf007d1e58b2641285c259d542fa5c41c9e8159851

      Download Submit

    • C:\Users\Admin\Desktop\Infected.exe
      Filesize

      63KB

      MD5

      9e464193d70c3e9076f9a5490098cedf

      SHA1

      9286e891e51ae030fde25c7ffc8ebcba9acc82be

      SHA256

      abedd30b8eb1c37549648bc696a87293e1448ac9bb5e1e8372c98c01a33f6623

      SHA512

      26167115d133a317d754320951a99a24a1e8d0c490e6e9fb4762787e89ab4942b8d705c168a72d86ad010b5b48798f39b124d4b8a612f3c8fbc7934932365e70

      Download Submit

    • memory/2176-122-0x0000000000220000-0x0000000000236000-memory.dmp

      Filesize

      88KB

      Download

    • memory/4516-10-0x000001CB40320000-0x000001CB4046E000-memory.dmp

      Filesize

      1.3MB

      Download

    • memory/4516-31-0x000001CB42BA0000-0x000001CB42BB2000-memory.dmp

      Filesize

      72KB

      Download

    • memory/4516-14-0x00007FFD92770000-0x00007FFD93232000-memory.dmp

      Filesize

      10.8MB

      Download

    • memory/4516-1-0x000001CB245A0000-0x000001CB25606000-memory.dmp

      Filesize

      16.4MB

      Download

    • memory/4516-7-0x000001CB3FDB0000-0x000001CB40002000-memory.dmp

      Filesize

      2.3MB

      Download

    • memory/4516-8-0x00007FFD92770000-0x00007FFD93232000-memory.dmp

      Filesize

      10.8MB

      Download

    • memory/4516-25-0x00007FFD92773000-0x00007FFD92775000-memory.dmp

      Filesize

      8KB

      Download

    • memory/4516-26-0x00007FFD92770000-0x00007FFD93232000-memory.dmp

      Filesize

      10.8MB

      Download

    • memory/4516-27-0x000001CB43990000-0x000001CB43F78000-memory.dmp

      Filesize

      5.9MB

      Download

    • memory/4516-28-0x000001CB410E0000-0x000001CB410EA000-memory.dmp

      Filesize

      40KB

      Download

    • memory/4516-29-0x00007FFD92770000-0x00007FFD93232000-memory.dmp

      Filesize

      10.8MB

      Download

    • memory/4516-9-0x000001CB40000000-0x000001CB401F4000-memory.dmp

      Filesize

      2.0MB

      Download

    • memory/4516-32-0x000001CB44A10000-0x000001CB44C90000-memory.dmp

      Filesize

      2.5MB

      Download

    • memory/4516-42-0x000001CB43460000-0x000001CB4357E000-memory.dmp

      Filesize

      1.1MB

      Download

    • memory/4516-11-0x000001CB25A80000-0x000001CB25A94000-memory.dmp

      Filesize

      80KB

      Download

    • memory/4516-0-0x00007FFD92773000-0x00007FFD92775000-memory.dmp

      Filesize

      8KB

      Download

    • memory/4872-13-0x00007FFD92770000-0x00007FFD93232000-memory.dmp

      Filesize

      10.8MB

      Download

    • memory/4872-12-0x00007FFD92770000-0x00007FFD93232000-memory.dmp

      Filesize

      10.8MB

      Download

    • memory/4872-20-0x00007FFD92770000-0x00007FFD93232000-memory.dmp

      Filesize

      10.8MB

      Download

    • memory/4872-6-0x0000000000E60000-0x0000000000E76000-memory.dmp

      Filesize

      88KB

      Download

    • memory/4872-15-0x00007FFD92770000-0x00007FFD93232000-memory.dmp

      Filesize

      10.8MB

      Download