| Field | Value |
|---|---|
| Download | CrystalCrypter2.zip |
| Full analysis | https://app.any.run/tasks/432d738b-565d-4a02-a7ec-673c9818fe01 |
| Verdict | Malicious activity |
| Threats | AsyncRAT: a remote access trojan that monitors and remotely controls infected systems. It was published on GitHub as open-source remote administration software, but attackers adopt it for its extensive malicious capabilities. |
| Analysis date | June 27, 2022, 09:56:15 |
| OS | Windows 7 Professional Service Pack 1 (build 7601, 32-bit) |
| Tags | |
| Indicators | |
| MIME | application/zip |
| File info | Zip archive data, at least v1.0 to extract |
| MD5 | C6A2E7778294128F204654BE18FC4BB1 |
| SHA1 | B4483E311FB3510964FEFF512D4E86B41B4DFDDD |
| SHA256 | 79929C389CE10E81B34FD52F257C076BEE6847756174D2110BFA9B3E05A654D2 |
| SSDEEP | 98304:6fK/fCcjKoZeupHwsL8cD+mSWr4o5iGuUPz8V3id0qpK:6fKnFVwRml4o96MpK |
| Field | Value |
|---|---|
| File type | .zip, ZIP compressed archive (100) |
| ZipFileName | CrystalCrypter2/ |
| ZipUncompressedSize | - |
| ZipCompressedSize | - |
| ZipCRC | 0x00000000 |
| ZipModifyDate | 2022:06:27 11:37:09 |
| ZipCompression | None |
| ZipBitFlag | - |
| ZipRequiredVersion | 10 |

The Zip* fields describe only the first entry in the archive, the CrystalCrypter2/ directory, which is why the sizes are empty, the CRC is zero and no compression is recorded. They say nothing about the CrystalCrypter2.exe stored inside it (hashes for that file are in the dropped-files table).
| PID | CMD | Path | Indicators | Parent process |
|---|---|---|---|---|
| 3172 | "C:\Program Files\WinRAR\WinRAR.exe" "C:\Users\admin\Desktop\CrystalCrypter2.zip" | C:\Program Files\WinRAR\WinRAR.exe | — | Explorer.EXE |
| | User: admin; Company: Alexander Roshal; Integrity Level: MEDIUM; Description: WinRAR archiver; Version: 5.91.0 | | | |
| 3556 | "C:\Windows\system32\SearchProtocolHost.exe" Global\UsGthrFltPipeMssGthrPipe2_ Global\UsGthrCtrlFltPipeMssGthrPipe2 1 -2147483646 "Software\Microsoft\Windows Search" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT; MS Search 4.0 Robot)" "C:\ProgramData\Microsoft\Search\Data\Temp\usgthrsvc" "DownLevelDaemon" | C:\Windows\system32\SearchProtocolHost.exe | — | SearchIndexer.exe |
| | User: SYSTEM; Company: Microsoft Corporation; Integrity Level: SYSTEM; Description: Microsoft Windows Search Protocol Host; Version: 7.00.7601.24542 (win7sp1_ldr_escrow.191209-2211) | | | |
| 1612 | "C:\Users\admin\Desktop\CrystalCrypter2\CrystalCrypter2.exe" | C:\Users\admin\Desktop\CrystalCrypter2\CrystalCrypter2.exe | — | Explorer.EXE |
| | User: admin; Company: CrystalCrypter; Integrity Level: MEDIUM; Description: CrystalCrypter; Exit code: 3221226540 (0xC000042C, STATUS_ELEVATION_REQUIRED); Version: 2,0,0,0 | | | |
| 3388 | "C:\Users\admin\Desktop\CrystalCrypter2\CrystalCrypter2.exe" | C:\Users\admin\Desktop\CrystalCrypter2\CrystalCrypter2.exe | — | Explorer.EXE |
| | User: admin; Company: CrystalCrypter; Integrity Level: HIGH; Description: CrystalCrypter; Exit code: 0; Version: 2,0,0,0 | | | |
| 3692 | cmd /c powershell -Command "Add-Type -AssemblyName System.Windows.Forms;[System.Windows.Forms.MessageBox]::Show('Unable to find VCCRuntime140.dll','Error','OK','Error')" | C:\Windows\system32\cmd.exe | — | CrystalCrypter2.exe |
| | User: admin; Company: Microsoft Corporation; Integrity Level: HIGH; Description: Windows Command Processor; Version: 6.1.7601.17514 (win7sp1_rtm.101119-1850) | | | |
| 3472 | cmd /c powershell -Command "Add-MpPreference -ExclusionPath @($env:UserProfile,$env:AppData,$env:Temp,$env:SystemRoot,$env:HomeDrive,$env:SystemDrive) -Force" & powershell -Command "Add-MpPreference -ExclusionExtension @('exe','dll') -Force" & exit | C:\Windows\system32\cmd.exe | — | CrystalCrypter2.exe |
| | User: admin; Company: Microsoft Corporation; Integrity Level: HIGH; Description: Windows Command Processor; Exit code: 1; Version: 6.1.7601.17514 (win7sp1_rtm.101119-1850) | | | |
| 1788 | powershell -Command "Add-Type -AssemblyName System.Windows.Forms;[System.Windows.Forms.MessageBox]::Show('Unable to find VCCRuntime140.dll','Error','OK','Error')" | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | — | cmd.exe |
| | User: admin; Company: Microsoft Corporation; Integrity Level: HIGH; Description: Windows PowerShell; Version: 10.0.14409.1005 (rs1_srvoob.161208-1155) | | | |
| 4064 | powershell -Command "Add-MpPreference -ExclusionPath @($env:UserProfile,$env:AppData,$env:Temp,$env:SystemRoot,$env:HomeDrive,$env:SystemDrive) -Force" | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | — | cmd.exe |
| | User: admin; Company: Microsoft Corporation; Integrity Level: HIGH; Description: Windows PowerShell; Exit code: 1; Version: 10.0.14409.1005 (rs1_srvoob.161208-1155) | | | |
| 992 | cmd /c start "" "C:\Users\admin\AppData\Local\Temp\Defender Smart Screen.exe" | C:\Windows\system32\cmd.exe | — | CrystalCrypter2.exe |
| | User: admin; Company: Microsoft Corporation; Integrity Level: HIGH; Description: Windows Command Processor; Exit code: 1; Version: 6.1.7601.17514 (win7sp1_rtm.101119-1850) | | | |
| 2348 | cmd /c start "" "C:\Users\admin\AppData\Local\Temp\12.exe" | C:\Windows\system32\cmd.exe | — | CrystalCrypter2.exe |
| | User: admin; Company: Microsoft Corporation; Integrity Level: HIGH; Description: Windows Command Processor; Exit code: 0; Version: 6.1.7601.17514 (win7sp1_rtm.101119-1850) | | | |

What the table shows: the first launch of CrystalCrypter2.exe (PID 1612) runs at MEDIUM integrity and exits with 3221226540, which is NTSTATUS 0xC000042C (STATUS_ELEVATION_REQUIRED); the second launch (PID 3388) runs at HIGH integrity, so the UAC prompt was accepted in the sandbox. From the elevated instance the sample does three things. It shows a PowerShell-generated MessageBox reading "Unable to find VCCRuntime140.dll" (a name that does not match the real Visual C++ runtime DLL, VCRUNTIME140.dll). It attempts to add Windows Defender exclusions for six environment roots (the user profile, AppData, Temp, the Windows directory, the home drive and the system drive) and for every .exe and .dll file; both Add-MpPreference processes exit with code 1 because the Defender PowerShell module is not available on this Windows 7 image, but on Windows 10 or later, run elevated, the same two commands would remove nearly the whole disk from Defender scanning. It then starts the dropped files "Defender Smart Screen.exe" and 12.exe from the user's Local\Temp directory via cmd /c start. The 12.exe (PID 1844) and win32dll.exe (PID 2168) processes that appear in the file and network tables below are not included in the process listing shown here.
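The process chain above is the part of this report worth turning into host-side detection: elevation of the dropper, Add-MpPreference exclusion tampering, and cmd /c start launches of dropped executables under Defender-lookalike names from %TEMP%. The following is an added example written for this page, not ANY.RUN's code and not anything from the sample. The event schema (pid, ppid, image, cmdline, integrity, exit_code) and the placeholder pid for Explorer.EXE are assumptions of the example; the command lines are copied from the table.

```python
"""Triage a Windows process-creation log for the chain in the process table:
UAC elevation of the dropper, Defender exclusions via Add-MpPreference, and
cmd /c start launches of dropped executables from user-writable directories.

Added example: not ANY.RUN's code and not the sample's. The event schema and
the placeholder pid 1 for Explorer.EXE are assumptions of this example.
"""
import re

STATUS_ELEVATION_REQUIRED = 0xC000042C  # 3221226540: a MEDIUM launch asked for elevation

# Exclusion roots that, together, cover essentially every path malware writes to.
BROAD_ROOTS = {"userprofile", "appdata", "temp", "systemroot", "homedrive", "systemdrive"}
MP_PREF = re.compile(r"\bAdd-MpPreference\b", re.I)
EXT_ARG = re.compile(r"-ExclusionExtension\s+@\(([^)]*)\)", re.I)
CMD_START = re.compile(r'\bcmd(?:\.exe)?\s+/c\s+start\s+""\s+"([^"]+)"', re.I)
USER_WRITABLE = re.compile(r"\\Users\\[^\\]+\\AppData\\(?:Local\\Temp|Roaming)\\", re.I)
LOOKALIKE = re.compile(r"defender|smart\s*screen|antimalware|msmpeng|security", re.I)


def exclusion_targets(cmdline):
    """Env roots and file extensions an Add-MpPreference command line excludes."""
    roots = {r.lower() for r in re.findall(r"\$env:(\w+)", cmdline)}
    m = EXT_ARG.search(cmdline)
    exts = {x.lower().lstrip(".") for x in re.findall(r"'([^']+)'", m.group(1))} if m else set()
    return roots, exts


def triage(events):
    """Return (pid, severity, message) tuples, one per rule hit, in event order."""
    by_pid = {e["pid"]: e for e in events}
    findings = []
    for e in events:
        cmd, image = e["cmdline"], e["image"]
        parent = by_pid.get(e["ppid"], {}).get("image", "unknown")
        # Rule 1: STATUS_ELEVATION_REQUIRED followed by the same image at HIGH
        # integrity means the UAC prompt was accepted (PIDs 1612 -> 3388 here).
        if e.get("exit_code") == STATUS_ELEVATION_REQUIRED and any(
            o is not e and o["image"].lower() == image.lower() and o["integrity"] == "HIGH"
            for o in events
        ):
            findings.append((e["pid"], "medium", f"{image} re-launched elevated after STATUS_ELEVATION_REQUIRED"))
        # Rule 2: Defender exclusion tampering. Broad roots or exe/dll extensions
        # disable on-access scanning for practically everything, so rate them high.
        if MP_PREF.search(cmd):
            roots, exts = exclusion_targets(cmd)
            broad = sorted(roots & BROAD_ROOTS)
            sev = "high" if broad or exts & {"exe", "dll"} else "medium"
            findings.append((e["pid"], sev,
                             f"Add-MpPreference via {parent} at {e['integrity']} integrity: "
                             f"roots={broad} ext={sorted(exts)}"))
        # Rule 3: cmd /c start "" "<exe>" of a file in %TEMP% or %APPDATA%; a
        # Defender-sounding file name in a user-writable directory is masquerading.
        m = CMD_START.search(cmd)
        if m and USER_WRITABLE.search(m.group(1)):
            name = m.group(1).rsplit("\\", 1)[-1]
            lookalike = bool(LOOKALIKE.search(name))
            findings.append((e["pid"], "high" if lookalike else "medium",
                             f"{parent} started dropped file '{name}' from a user-writable path"
                             + (" (Defender-lookalike name)" if lookalike else "")))
    return findings


# Constructed from the report's process table; pid 1 stands in for Explorer.EXE,
# whose real pid the report does not show.
SAMPLE_EVENTS = [
    {"pid": 1, "ppid": 0, "image": "Explorer.EXE", "integrity": "MEDIUM", "cmdline": "Explorer.EXE"},
    {"pid": 1612, "ppid": 1, "image": "CrystalCrypter2.exe", "integrity": "MEDIUM", "exit_code": 3221226540,
     "cmdline": r'"C:\Users\admin\Desktop\CrystalCrypter2\CrystalCrypter2.exe"'},
    {"pid": 3388, "ppid": 1, "image": "CrystalCrypter2.exe", "integrity": "HIGH", "exit_code": 0,
     "cmdline": r'"C:\Users\admin\Desktop\CrystalCrypter2\CrystalCrypter2.exe"'},
    {"pid": 3472, "ppid": 3388, "image": "cmd.exe", "integrity": "HIGH", "exit_code": 1,
     "cmdline": ('cmd /c powershell -Command "Add-MpPreference -ExclusionPath @($env:UserProfile,'
                 '$env:AppData,$env:Temp,$env:SystemRoot,$env:HomeDrive,$env:SystemDrive) -Force" & '
                 'powershell -Command "Add-MpPreference -ExclusionExtension @(\'exe\',\'dll\') -Force" & exit')},
    {"pid": 992, "ppid": 3388, "image": "cmd.exe", "integrity": "HIGH", "exit_code": 1,
     "cmdline": r'cmd /c start "" "C:\Users\admin\AppData\Local\Temp\Defender Smart Screen.exe"'},
    {"pid": 2348, "ppid": 3388, "image": "cmd.exe", "integrity": "HIGH", "exit_code": 0,
     "cmdline": r'cmd /c start "" "C:\Users\admin\AppData\Local\Temp\12.exe"'},
]

if __name__ == "__main__":
    for pid, sev, msg in triage(SAMPLE_EVENTS):
        print(f"{pid:>5} {sev:<6} {msg}")
```

Run against the constructed events it yields four findings: the elevation re-launch (1612), the exclusion tampering with all six roots plus exe/dll (3472, high), the Defender-lookalike launch (992, high) and the plain launch of 12.exe from Temp (2348). The rules key on command-line content and integrity level only, so the same logic applies to Sysmon event 1 or Security event 4688 data once the fields are mapped.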
| PID | Process | Filename | Type | MD5 | SHA256 |
|---|---|---|---|---|---|
| 3388 | CrystalCrypter2.exe | C:\Users\admin\AppData\Local\Temp\12.exe | executable | 758207CE12F9ED1930876EC50E551657 | 63F4D2F0AD5C565C06CCC5A11F8ED963025F5907BB45D777CA848CFFBD7BC054 |
| 3172 | WinRAR.exe | C:\Users\admin\AppData\Local\Temp\Rar$DRa3172.44475\CrystalCrypter2\CrystalCrypter2.exe | executable | 4DD849100E2E48A8A480571A2A2CF9D3 | D50DAEFD779E07741CBE903112BFA47A233BE67A45DDB398CCB379862B7ADBB2 |
| 3388 | CrystalCrypter2.exe | C:\Users\admin\AppData\Local\Temp\win64obf.exe | executable | BD77B32341914D04CD62C48370661256 | B3BDDCC083EEF5B73C8001063826B21198BDEC69B6A3ACB2479CF6E311F62E64 |
| 3388 | CrystalCrypter2.exe | C:\Users\admin\AppData\Local\Temp\Defender Smart Screen.exe | executable | E1486780EF6518B239D78B6F967F6002 | 17115FDCD55FBE2CC1D8544941F47EC42E3344825BE3DE0953CA7602E0832B0C |
| 1844 | 12.exe | C:\Users\admin\AppData\Roaming\NPFLPTyNFPPNRNLywHNR1F8BFBFF000506E3C4BA364779\791F8BFBFF000506E3C4BA3647NPFLPTyNFPPNRNLywHNR\Files\writtenkeep.jpg | image | C9E435DD053132F1B0886FDD30241C18 | 90CA8B5F357E40422EEC2010AC1DCEE39B3FE71D1D1FD44610345E5DA8810B9F |
| 1844 | 12.exe | C:\Users\admin\AppData\Roaming\NPFLPTyNFPPNRNLywHNR1F8BFBFF000506E3C4BA364779\791F8BFBFF000506E3C4BA3647NPFLPTyNFPPNRNLywHNR\Files\littleface.jpg | image | 9D8C12A8A88B57411A8942A876D659AF | 8CFA1E2ED75287785137653D93FC0D98F08C4CAABDFB52440229E5BB91A9783F |
| 1844 | 12.exe | C:\Users\admin\AppData\Roaming\NPFLPTyNFPPNRNLywHNR1F8BFBFF000506E3C4BA364779\791F8BFBFF000506E3C4BA3647NPFLPTyNFPPNRNLywHNR\Processes.txt | text | 656246D1D66A71977DDC4143DAB056F4 | 95876CAF0F5AD4F57454F12E39EE863FEB9EBAE6BA85A95F822209328C79E85E |
| 1844 | 12.exe | C:\Users\admin\AppData\Roaming\NPFLPTyNFPPNRNLywHNR1F8BFBFF000506E3C4BA364779\791F8BFBFF000506E3C4BA3647NPFLPTyNFPPNRNLywHNR\Programms.txt | text | D38F0F6C2FA09557C0C72B76F9053B32 | 6B3EC615803EC8389C37ED1778950ACE10C9C22A82E59BA057AC41FDDD050BD9 |
| 4064 | powershell.exe | C:\Users\admin\AppData\Local\Temp\vscera5y.v5q.ps1 | binary | C4CA4238A0B923820DCC509A6F75849B | 6B86B273FF34FCE19D6B804EFF5A3F5747ADA4EAA22F1D49C01E52DDB7875B4B |
| 1844 | 12.exe | C:\Users\admin\AppData\Roaming\NPFLPTyNFPPNRNLywHNR1F8BFBFF000506E3C4BA364779\791F8BFBFF000506E3C4BA3647NPFLPTyNFPPNRNLywHNR\Files\pmdev.jpg | image | E4FFA4F2C5D917A5A3830033AD677395 | 0AC261F276B08A1E7F7E49C26251831FB560523E61414386B4B5CFB76FFE0293 |

Two points for anyone reusing these hashes as indicators. The vscera5y.v5q.ps1 entry is a PowerShell temporary file, and its MD5 and SHA256 are the well-known hashes of the single character `1`, so it carries no script content and is useless as an IOC. The files 12.exe writes under the NPFLPTyNFPPNRNLywHNR1F8BFBFF000506E3C4BA364779 directory in AppData\Roaming include Processes.txt and Programms.txt, names consistent with enumeration of running processes and installed programs on the host; the three .jpg files and the elevated dropper's three executables (12.exe, win64obf.exe, "Defender Smart Screen.exe" in Local\Temp) are the hashes worth hunting for.
| PID | Process | Method | HTTP code | IP | URL | CN | Type | Size | Reputation |
|---|---|---|---|---|---|---|---|---|---|
| 1844 | 12.exe | GET | 200 | 208.95.112.1:80 | http://ip-api.com/xml | unknown | xml | 441 B | shared |
| 1844 | 12.exe | GET | 200 | 208.95.112.1:80 | http://ip-api.com/xml | unknown | xml | 441 B | shared |
PID | Process | IP | Domain | ASN | CN | Reputation |
---|---|---|---|---|---|---|
1844 | 12.exe | 3.220.57.224:443 | api.ipify.org | — | US | malicious |
1844 | 12.exe | 208.95.112.1:80 | ip-api.com | IBURST | — | malicious |
2168 | win32dll.exe | 156.96.151.132:60671 | ggho5t.duckdns.org | XNS Technology Group Inc. | US | malicious |
| Domain | IP | Reputation |
|---|---|---|
| dns.msftncsi.com | | shared |
| api.ipify.org | | shared |
| ip-api.com | | shared |
| ggho5t.duckdns.org | | malicious |
| PID | Process | Class | Message |
|---|---|---|---|
| 1844 | 12.exe | Potential Corporate Privacy Violation | ET POLICY External IP Lookup ip-api.com |
| 1844 | 12.exe | Potential Corporate Privacy Violation | AV POLICY Internal Host Retrieving External IP Address (ip-api.com) |
| 1844 | 12.exe | Potential Corporate Privacy Violation | ET POLICY External IP Lookup ip-api.com |
| 1844 | 12.exe | Potential Corporate Privacy Violation | AV POLICY Internal Host Retrieving External IP Address (ip-api.com) |
| — | — | Misc activity | ET INFO DYNAMIC_DNS Query to *.duckdns. Domain |
| 2168 | win32dll.exe | Misc Attack | ET DROP Spamhaus DROP Listed Traffic Inbound group 14 |
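The network tables give the second half of the picture: 12.exe geolocates the host through ip-api.com and api.ipify.org, and win32dll.exe beacons to a DuckDNS name on port 60671, an address that also trips a Spamhaus DROP signature. The following is an added example written for this page, not ANY.RUN's code and not a Suricata rule, showing how those three observations become connection-log triage. The record schema (pid, process, dst_ip, dst_port, domain), the provider lists and the single-entry blocklist are assumptions of the example; the blocklist entry is lifted from the alert row above, not from the live Spamhaus DROP feed.

```python
"""Network triage for the connection and alert tables in the report:
external-IP lookups, a dynamic-DNS beacon on a high port, a blocklisted
destination, and a connecting process with a system-sounding name.

Added example: not ANY.RUN's code and not a Suricata rule. Record schema,
provider lists and the blocklist are assumptions of this example.
"""
import ipaddress
import re

# Public services RATs use to geolocate the victim before beaconing.
IP_LOOKUP_HOSTS = {"ip-api.com", "api.ipify.org", "ifconfig.me", "icanhazip.com", "checkip.amazonaws.com"}
# Free dynamic-DNS providers; duckdns.org is the one in this report.
DYNDNS_SUFFIXES = ("duckdns.org", "ddns.net", "hopto.org", "no-ip.org", "no-ip.com", "zapto.org")
# Illustrative heuristic: win32*/win64*-prefixed image names, which Windows does not ship.
SYSTEM_VOCAB = re.compile(r"^win(?:32|64)\w*\.exe$", re.I)


def in_blocklist(ip, cidrs):
    """True if ip falls inside any CIDR string in cidrs."""
    addr = ipaddress.ip_address(ip)
    return any(addr in ipaddress.ip_network(c, strict=False) for c in cidrs)


def is_dyndns(domain):
    """True for a provider apex or any label beneath it, never for look-alike suffixes."""
    d = domain.lower().rstrip(".")
    return any(d == s or d.endswith("." + s) for s in DYNDNS_SUFFIXES)


def triage_connections(records, blocklist=()):
    """Return (pid, severity, rule, message) tuples in record order."""
    findings = []
    for r in records:
        pid, proc, port = r["pid"], r["process"], r["dst_port"]
        domain = (r.get("domain") or "").lower().rstrip(".")
        if domain in IP_LOOKUP_HOSTS:
            findings.append((pid, "low", "ip_lookup", f"{proc} queried external IP service {domain}"))
        if is_dyndns(domain):
            # A beacon to a dynamic-DNS name on an ephemeral port (60671 here) has no
            # legitimate workstation counterpart; the same name on 80/443 rates medium.
            sev = "high" if port not in (80, 443) else "medium"
            findings.append((pid, sev, "dyndns", f"{proc} -> dynamic-DNS host {domain}:{port}"))
        if in_blocklist(r["dst_ip"], blocklist):
            findings.append((pid, "high", "blocklist", f"{proc} -> {r['dst_ip']}:{port} is blocklisted"))
        if SYSTEM_VOCAB.match(proc):
            findings.append((pid, "low", "lookalike", f"{proc} uses a system-sounding name Windows does not ship"))
    return findings


def rat_like(findings):
    """External-IP lookup plus a dynamic-DNS beacon in one run is the AsyncRAT-style pattern."""
    rules = {f[2] for f in findings}
    return {"ip_lookup", "dyndns"} <= rules


# Constructed from the report's connection tables.
SAMPLE_RECORDS = [
    {"pid": 1844, "process": "12.exe", "dst_ip": "3.220.57.224", "dst_port": 443, "domain": "api.ipify.org"},
    {"pid": 1844, "process": "12.exe", "dst_ip": "208.95.112.1", "dst_port": 80, "domain": "ip-api.com"},
    {"pid": 2168, "process": "win32dll.exe", "dst_ip": "156.96.151.132", "dst_port": 60671,
     "domain": "ggho5t.duckdns.org"},
]
# One /32 taken from the "ET DROP Spamhaus DROP Listed" alert row; a real deployment
# loads the current Spamhaus DROP list instead of this constructed entry.
SAMPLE_BLOCKLIST = ["156.96.151.132/32"]

if __name__ == "__main__":
    found = triage_connections(SAMPLE_RECORDS, SAMPLE_BLOCKLIST)
    for pid, sev, rule, msg in found:
        print(f"{pid:>5} {sev:<6} {rule:<10} {msg}")
    print("AsyncRAT-like pattern:", rat_like(found))
```

On the three constructed records this produces two low-severity lookup findings for 12.exe and three findings for win32dll.exe (dynamic-DNS beacon and blocklisted destination at high, lookalike name at low), and rat_like() reports the lookup-then-beacon combination. Note that the two IP-lookup domains are rated "malicious" in the connections table only by association with this sample; on their own they are widely used by legitimate software, which is why the example keeps them at low severity and lets the correlation do the work.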