| Field | Value |
|---|---|
| File name | SHabaB.exe |
| Full analysis | https://app.any.run/tasks/4eb0be78-f25e-4927-9dd1-20d57253e586 |
| Verdict | Malicious activity |
| Threats | AsyncRAT is a RAT that can monitor and remotely control infected systems. This malware was introduced on GitHub as legitimate open-source remote administration software, but hackers use it for its many powerful malicious functions. |
| Analysis date | June 24, 2024, 20:52:08 |
| OS | Windows 7 Professional Service Pack 1 (build: 7601, 32 bit) |
| Tags | |
| Indicators | |
| MIME | application/x-dosexec |
| File info | PE32 executable (GUI) Intel 80386, for MS Windows |
| MD5 | D864BC09AA8B49E1647D7ABE8753B8AF |
| SHA1 | 20A3E678288FEF7C75224338C5DB22061A531D44 |
| SHA256 | C8088F42E3D73A18E49A6FDE9C76610F55306961893434C5B9C079384CB8C112 |
| SSDEEP | 49152:0usIS6DWk7Yl5IMEtjlGSqiDXyhT2DZ7ZKlbjZXVLKjlywMcsfY5m42KylkP5JPJ:0uR+1l5IMEtRGd992dZKlbjZXV2Jbu/u |


| Extension | Detected type | Score |
|---|---|---|
| .exe | Win32 Executable MS Visual C++ (generic) | 42.2 |
| .exe | Win64 Executable (generic) | 37.3 |
| .dll | Win32 Dynamic Link Library (generic) | 8.8 |
| .exe | Win32 Executable (generic) | 6 |
| .exe | Generic Win/DOS Executable | 2.7 |


| Property | Value |
|---|---|
| MachineType | Intel 386 or later, and compatibles |
| TimeStamp | 2012:02:24 19:20:04+00:00 |
| ImageFileCharacteristics | Executable, 32-bit |
| PEType | PE32 |
| LinkerVersion | 10 |
| CodeSize | 29696 |
| InitializedDataSize | 489984 |
| UninitializedDataSize | 16896 |
| EntryPoint | 0x38af |
| OSVersion | 5 |
| ImageVersion | 6 |
| SubsystemVersion | 5 |
| Subsystem | Windows GUI |


| PID | CMD | Path | Indicators | Parent process | User | Company | Integrity level | Description | Exit code | Version |
|---|---|---|---|---|---|---|---|---|---|---|
| 540 | findstr /V "venezuelavibratorsaccusedrewards" Vbulletin | C:\Windows\System32\findstr.exe | — | cmd.exe | admin | Microsoft Corporation | MEDIUM | Find String (QGREP) Utility | 0 | 6.1.7600.16385 (win7_rtm.090713-1255) |
| 680 | findstr /I "avastui.exe avgui.exe nswscsvc.exe sophoshealth.exe" | C:\Windows\System32\findstr.exe | — | cmd.exe | admin | Microsoft Corporation | MEDIUM | Find String (QGREP) Utility | 1 | 6.1.7600.16385 (win7_rtm.090713-1255) |
| 1504 | 695365\Festival.pif 695365\s | C:\Users\admin\AppData\Local\Temp\695365\Festival.pif | | cmd.exe | admin | AutoIt Team | MEDIUM | AutoIt v3 Script | 0 | 3, 3, 14, 2 |
| 1952 | C:\Users\admin\AppData\Local\Temp\695365\RegAsm.exe | C:\Users\admin\AppData\Local\Temp\695365\RegAsm.exe | | explorer.exe | admin | Microsoft Corporation | MEDIUM | Microsoft .NET Assembly Registration Utility | | 4.8.3761.0 built by: NET48REL1 |
| 2348 | cmd /c copy /b Lie + Url + Whale 695365\s | C:\Windows\System32\cmd.exe | — | cmd.exe | admin | Microsoft Corporation | MEDIUM | Windows Command Processor | 0 | 6.1.7601.17514 (win7sp1_rtm.101119-1850) |
| 2732 | findstr /I "wrsa.exe opssvc.exe" | C:\Windows\System32\findstr.exe | — | cmd.exe | admin | Microsoft Corporation | MEDIUM | Find String (QGREP) Utility | 1 | 6.1.7600.16385 (win7_rtm.090713-1255) |
| 2944 | cmd /c md 695365 | C:\Windows\System32\cmd.exe | — | cmd.exe | admin | Microsoft Corporation | MEDIUM | Windows Command Processor | 0 | 6.1.7601.17514 (win7sp1_rtm.101119-1850) |
| 2948 | cmd /k echo [InternetShortcut] > "C:\Users\admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\EcoScan.url" & echo URL="C:\Users\admin\AppData\Local\EcoSense Analytics\EcoScan.js" >> "C:\Users\admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\EcoScan.url" & exit | C:\Windows\System32\cmd.exe | | explorer.exe | admin | Microsoft Corporation | MEDIUM | Windows Command Processor | 0 | 6.1.7601.17514 (win7sp1_rtm.101119-1850) |
| 3128 | timeout 5 | C:\Windows\System32\timeout.exe | — | cmd.exe | admin | Microsoft Corporation | MEDIUM | timeout - pauses command processing | 0 | 6.1.7600.16385 (win7_rtm.090713-1255) |
| 3192 | tasklist | C:\Windows\System32\tasklist.exe | — | cmd.exe | admin | Microsoft Corporation | MEDIUM | Lists the current running tasks | 0 | 6.1.7600.16385 (win7_rtm.090713-1255) |

AsyncRAT configuration extracted from process 1952 (RegAsm.exe):

| Field | Value |
|---|---|
| C2 | 109.199.104.52 |
| Ports | 777, 8888 |
| Version | AWS \| 3Losh |
| AutoRun | false |
| Mutex | AsyncMutex_MFJ74RNM |
| InstallFolder | %AppData% |
| AES key | 80bd86f44021823ec33688de45e75c14371ac729ec877297f2714ffa8da20882 |
| Salt | bfeb1e56fbcd973bb219022430a57843003d5644d21e62b9d4f180e7e6c33941 |


| PID | Process | Key | Operation | Name | Value |
|---|---|---|---|---|---|
| 3332 | SHabaB.exe | HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap | write | ProxyBypass | 1 |
| 3332 | SHabaB.exe | HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap | write | IntranetName | 1 |
| 3332 | SHabaB.exe | HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap | write | UNCAsIntranet | 1 |
| 3332 | SHabaB.exe | HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap | write | AutoDetect | 0 |
| 1952 | RegAsm.exe | HKEY_CLASSES_ROOT\Local Settings\MuiCache\182\52C64B7E | write | LanguageList | en-US |


| PID | Process | Filename | Type | MD5 | SHA256 |
|---|---|---|---|---|---|
| 3332 | SHabaB.exe | C:\Users\admin\AppData\Local\Temp\Documentary | binary | ED8D3D1F720B88FE0F083DDCF37BB497 | 17782B3DDF37222D50B29A9AA64602D2F28ADEBDFCA9AA22D8D5C5A69F00A57D |
| 3332 | SHabaB.exe | C:\Users\admin\AppData\Local\Temp\Istanbul | binary | B4B7D8D8980CA1C7CB187C6411848E88 | B79E9CA4A92D5DBC04FBD7383274D4ED702AAE209246AE822C34AF067875DE24 |
| 3332 | SHabaB.exe | C:\Users\admin\AppData\Local\Temp\Supposed | binary | 9A6C223548E07FA03CD236949F6B0337 | 946FC170CAD2284798EC9C5D99A4438EAF44C090FCC1542FC2ED9D1D34ACE642 |
| 3332 | SHabaB.exe | C:\Users\admin\AppData\Local\Temp\Persistent | binary | 55EC796040A9CE2A393B526866AA4D1D | 6B6F30E9655A26CF5BB16778EB346BABD9A33E5AD4D2E7DF99E8E2FF4157FD07 |
| 3332 | SHabaB.exe | C:\Users\admin\AppData\Local\Temp\Secondary | binary | 460F620A6FAC7C30E6CCD8D96D6B4B2F | 061D4D1D30F49679BCDC0FB7368F87EC12778F809DE827D634938F6A46CADE06 |
| 3332 | SHabaB.exe | C:\Users\admin\AppData\Local\Temp\Mine | binary | B0BFEA96922C42C345EA2F1842ED481A | 5CA4E7E972E185845DC55415DC5A9254BC4CE9EB42A499964B3C492A9BEB84C0 |
| 3332 | SHabaB.exe | C:\Users\admin\AppData\Local\Temp\Physics | binary | 7B1F714B85B6A89496BC5C15AA5D9166 | A4F6C101D10B584FA4D7AFA469A07094BD757BD6212D902C1782CB0636711B32 |
| 3332 | SHabaB.exe | C:\Users\admin\AppData\Local\Temp\Burning | binary | A88A22D9685F066C449BF89070C49915 | 1F060E21D0A682750ABFFD298C33F59C7EEF20049ED1744F7511442AB4852A81 |
| 3332 | SHabaB.exe | C:\Users\admin\AppData\Local\Temp\Workers | binary | FEC48F9F7D64D5409F2B411E0D1997AB | DD8AE4F8744C0358DCFB3591102B42E0EA8FF90DB9CD3A0F1C9017E2F29F901E |
| 3332 | SHabaB.exe | C:\Users\admin\AppData\Local\Temp\Excuse | mp3 | 549CC2DB9E8D020CE8F4791179F5948D | F51410E235ADC05E1E2E7CDABA8081E9EB95C02FBDBEC376C0DFBD8385EFD511 |


| PID | Process | IP | Domain | ASN | CN | Reputation |
|---|---|---|---|---|---|---|
| 4 | System | 192.168.100.255:137 | — | — | — | whitelisted |
| 1372 | svchost.exe | 4.231.128.59:443 | settings-win.data.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | IE | whitelisted |
| 4 | System | 192.168.100.255:138 | — | — | — | whitelisted |
| 1060 | svchost.exe | 224.0.0.252:5355 | — | — | — | unknown |
| 1952 | RegAsm.exe | 109.199.104.52:777 | — | — | US | malicious |


| Domain | IP | Reputation |
|---|---|---|
| mbeDAxHgzHlAtLrRQLvSAGSpO.mbeDAxHgzHlAtLrRQLvSAGSpO | | unknown |
| settings-win.data.microsoft.com | | whitelisted |


| PID | Process | Class | Message |
|---|---|---|---|
| 1952 | RegAsm.exe | Domain Observed Used for C2 Detected | REMOTE [ANY.RUN] AsyncRAT SSL certificate |
| 1952 | RegAsm.exe | Domain Observed Used for C2 Detected | ET MALWARE Generic AsyncRAT Style SSL Cert |
| 1952 | RegAsm.exe | Domain Observed Used for C2 Detected | ET MALWARE Observed Malicious SSL Cert (AsyncRAT Server) |