Windows 7 deprecation

Windows 7 will be removed from tria.ge on 2025-03-31

Overview

overview

10

Static

static

10

rbot.exe

windows7-x64

10

rbot.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    149s
  • max time network
    150s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20241007-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
  • submitted
    23/12/2024, 06:03 UTC

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    rbot.exe

  • Size

    74KB

  • MD5

    d3e25ac19ab764cb87aef7ce67421529

  • SHA1

    57b7b67bb36dfc5fd0cc7dc2475acb89b6038a51

  • SHA256

    9ea1287b00a370153de5ee5ba19bf568a9b55b63ac4da4ac8ec755eb8c8e3ca5

  • SHA512

    394dce23cebdfaf889c643848093d4b21eb1cbcd108560a39241d796891ef4015b31e86f6f6b9525bd5f6f1856e55d3d7384ae5f07188ce5326d4e5077c56d20

  • SSDEEP

    1536:LUk0cxVGlCBiPMVye9VdQuDI6H1bf/Q52+QdQzc+LVclN:LURcxVMWiPMVye9VdQsH1bfI5sQXBY

Score
10/10
asyncratdefaultdiscoveryrat

Malware Config

Extracted

Family

asyncrat

Version

Venom RAT + HVNC + Stealer + Grabber v6.0.3

Botnet

Default

Mutex

luiijmnzfd

Attributes
  • delay

    1

  • install

    false

  • install_folder

    %AppData%

  • pastebin_config

    https://pastebin.com/raw/RdDXA3cD

aes.plain
1
yzyVmiF0BgccxOEiNchvKCMRk2SOCnog

Signatures

  • AsyncRat

    AsyncRAT is designed to remotely monitor and control other computers written in C#.

    ratasyncrat
  • Asyncrat family
    asyncrat
  • Checks installed software on the system 1 TTPs

    Looks up Uninstall key entries in the registry to enumerate software on the system.

    discovery
  • Legitimate hosting services abused for malware hosting/C2 1 TTPs 2 IoCs
  • Suspicious behavior: EnumeratesProcesses 3 IoCs
  • Suspicious use of AdjustPrivilegeToken 1 IoCs
  • Suspicious use of SetWindowsHookEx 1 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\rbot.exe
    "C:\Users\Admin\AppData\Local\Temp\rbot.exe"
    1⤵
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of SetWindowsHookEx
    PID:1716

Network

  • flag-us
    DNS
    8.8.8.8.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    8.8.8.8.in-addr.arpa
    IN PTR
    Response
    8.8.8.8.in-addr.arpa
    IN PTR
    dnsgoogle
  • flag-us
    DNS
    13.86.106.20.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    13.86.106.20.in-addr.arpa
    IN PTR
    Response
  • flag-us
    DNS
    83.210.23.2.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    83.210.23.2.in-addr.arpa
    IN PTR
    Response
    83.210.23.2.in-addr.arpa
    IN PTR
    a2-23-210-83deploystaticakamaitechnologiescom
  • flag-us
    DNS
    pastebin.com
    rbot.exe
    Remote address:
    8.8.8.8:53
    Request
    pastebin.com
    IN A
    Response
    pastebin.com
    IN A
    104.20.3.235
    pastebin.com
    IN A
    104.20.4.235
    pastebin.com
    IN A
    172.67.19.24
  • flag-us
    GET
    https://pastebin.com/raw/RdDXA3cD
    rbot.exe
    Remote address:
    104.20.3.235:443
    Request
    GET /raw/RdDXA3cD HTTP/1.1
    Host: pastebin.com
    Connection: Keep-Alive
    Response
    HTTP/1.1 200 OK
    Date: Mon, 23 Dec 2024 06:04:20 GMT
    Content-Type: text/plain; charset=utf-8
    Transfer-Encoding: chunked
    Connection: keep-alive
    x-frame-options: DENY
    x-content-type-options: nosniff
    x-xss-protection: 1;mode=block
    cache-control: max-age=1800, must-revalidate
    pragma: no-cache
    expires: Sat, 26 Jul 1997 05:00:00 GMT
    CF-Cache-Status: MISS
    Last-Modified: Mon, 23 Dec 2024 06:04:20 GMT
    Server: cloudflare
    CF-RAY: 8f6627549b76f664-LHR
  • flag-us
    DNS
    eager-paper-24642.pktriot.net
    rbot.exe
    Remote address:
    8.8.8.8:53
    Request
    eager-paper-24642.pktriot.net
    IN A
    Response
    eager-paper-24642.pktriot.net
    IN CNAME
    australia-32312.packetriot.net
    australia-32312.packetriot.net
    IN A
    139.180.171.110
  • flag-us
    DNS
    4.159.190.20.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    4.159.190.20.in-addr.arpa
    IN PTR
    Response
  • flag-us
    DNS
    95.221.229.192.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    95.221.229.192.in-addr.arpa
    IN PTR
    Response
  • flag-us
    DNS
    235.3.20.104.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    235.3.20.104.in-addr.arpa
    IN PTR
    Response
  • flag-us
    DNS
    110.171.180.139.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    110.171.180.139.in-addr.arpa
    IN PTR
    Response
    110.171.180.139.in-addr.arpa
    IN PTR
    139180171110vultrusercontentcom
  • flag-us
    DNS
    50.23.12.20.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    50.23.12.20.in-addr.arpa
    IN PTR
    Response
  • flag-us
    DNS
    15.164.165.52.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    15.164.165.52.in-addr.arpa
    IN PTR
    Response
  • flag-us
    DNS
    107.12.20.2.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    107.12.20.2.in-addr.arpa
    IN PTR
    Response
    107.12.20.2.in-addr.arpa
    IN PTR
    a2-20-12-107deploystaticakamaitechnologiescom
  • flag-us
    DNS
    88.210.23.2.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    88.210.23.2.in-addr.arpa
    IN PTR
    Response
    88.210.23.2.in-addr.arpa
    IN PTR
    a2-23-210-88deploystaticakamaitechnologiescom
  • flag-us
    DNS
    22.49.80.91.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    22.49.80.91.in-addr.arpa
    IN PTR
    Response
  • flag-us
    DNS
    14.227.111.52.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    14.227.111.52.in-addr.arpa
    IN PTR
    Response
  • 104.20.3.235:443
    https://pastebin.com/raw/RdDXA3cD
    tls, http
    rbot.exe
    772 B
     4.0kB
     9
    10

    HTTP Request

    GET https://pastebin.com/raw/RdDXA3cD

    HTTP Response

    200
  • 139.180.171.110:22104
    eager-paper-24642.pktriot.net
    tls
    rbot.exe
    8.7kB
     6.3kB
     67
    78
  • 8.8.8.8:53
    8.8.8.8.in-addr.arpa
    dns
    66 B
     90 B
     1
    1

    DNS Request

    8.8.8.8.in-addr.arpa

  • 8.8.8.8:53
    13.86.106.20.in-addr.arpa
    dns
    71 B
     157 B
     1
    1

    DNS Request

    13.86.106.20.in-addr.arpa

  • 8.8.8.8:53
    83.210.23.2.in-addr.arpa
    dns
    70 B
     133 B
     1
    1

    DNS Request

    83.210.23.2.in-addr.arpa

  • 8.8.8.8:53
    pastebin.com
    dns
    rbot.exe
    58 B
     106 B
     1
    1

    DNS Request

    pastebin.com

    DNS Response

    104.20.3.235
    104.20.4.235
    172.67.19.24

  • 8.8.8.8:53
    eager-paper-24642.pktriot.net
    dns
    rbot.exe
    75 B
     132 B
     1
    1

    DNS Request

    eager-paper-24642.pktriot.net

    DNS Response

    139.180.171.110

  • 8.8.8.8:53
    4.159.190.20.in-addr.arpa
    dns
    71 B
     157 B
     1
    1

    DNS Request

    4.159.190.20.in-addr.arpa

  • 8.8.8.8:53
    95.221.229.192.in-addr.arpa
    dns
    73 B
     144 B
     1
    1

    DNS Request

    95.221.229.192.in-addr.arpa

  • 8.8.8.8:53
    235.3.20.104.in-addr.arpa
    dns
    71 B
     133 B
     1
    1

    DNS Request

    235.3.20.104.in-addr.arpa

  • 8.8.8.8:53
    110.171.180.139.in-addr.arpa
    dns
    74 B
     124 B
     1
    1

    DNS Request

    110.171.180.139.in-addr.arpa

  • 8.8.8.8:53
    50.23.12.20.in-addr.arpa
    dns
    70 B
     156 B
     1
    1

    DNS Request

    50.23.12.20.in-addr.arpa

  • 8.8.8.8:53
    15.164.165.52.in-addr.arpa
    dns
    72 B
     146 B
     1
    1

    DNS Request

    15.164.165.52.in-addr.arpa

  • 8.8.8.8:53
    107.12.20.2.in-addr.arpa
    dns
    70 B
     133 B
     1
    1

    DNS Request

    107.12.20.2.in-addr.arpa

  • 8.8.8.8:53
    88.210.23.2.in-addr.arpa
    dns
    70 B
     133 B
     1
    1

    DNS Request

    88.210.23.2.in-addr.arpa

  • 8.8.8.8:53
    22.49.80.91.in-addr.arpa
    dns
    70 B
     145 B
     1
    1

    DNS Request

    22.49.80.91.in-addr.arpa

  • 8.8.8.8:53
    14.227.111.52.in-addr.arpa
    dns
    72 B
     158 B
     1
    1

    DNS Request

    14.227.111.52.in-addr.arpa

  • 8.8.8.8:53

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

  • memory/1716-0-0x00007FFFFEA73000-0x00007FFFFEA75000-memory.dmp

    Filesize

    8KB

    Download

  • memory/1716-1-0x00000000005F0000-0x0000000000608000-memory.dmp

    Filesize

    96KB

    Download

  • memory/1716-3-0x00007FFFFEA70000-0x00007FFFFF531000-memory.dmp

    Filesize

    10.8MB

    Download

  • memory/1716-4-0x00007FFFFEA70000-0x00007FFFFF531000-memory.dmp

    Filesize

    10.8MB

    Download

  • memory/1716-7-0x00007FFFFEA70000-0x00007FFFFF531000-memory.dmp

    Filesize

    10.8MB

    Download

  • memory/1716-8-0x00007FFFFEA70000-0x00007FFFFF531000-memory.dmp

    Filesize

    10.8MB

    Download

  • memory/1716-10-0x00007FFFFEA73000-0x00007FFFFEA75000-memory.dmp

    Filesize

    8KB

    Download

  • memory/1716-11-0x00007FFFFEA70000-0x00007FFFFF531000-memory.dmp

    Filesize

    10.8MB

    Download

  • memory/1716-12-0x00007FFFFEA70000-0x00007FFFFF531000-memory.dmp

    Filesize

    10.8MB

    Download

  • memory/1716-13-0x00007FFFFEA70000-0x00007FFFFF531000-memory.dmp

    Filesize

    10.8MB

    Download

  • memory/1716-14-0x00007FFFFEA70000-0x00007FFFFF531000-memory.dmp

    Filesize

    10.8MB

    Download

We care about your privacy.

This website stores cookies on your computer. These cookies are used to improve your website experience and provide more personalized services to you, both on this website and through other media. To find out more about the cookies we use, see our Privacy Policy.