Analysis of Kasperky Trial Reset V2
I’ve picked this sample from any.run. It appears to be a trojan tricking people who can’t afford Kasperky with a RAT, with the kasperky logo to match.
| Property | Value |
|---|---|
| File Type | Portable Executable 32 |
| File Size | 862.00 KB |
| FileTitle | Kasperky Trial Reset |
| FileDescription | Protected with AzeFuscator Extended |
| FileVersion | 1,0,0,0 |
| ProductName | Protectd with AzeFuscator Extended |
| MD5 | d56e6af4d2f9170cf312f110f3fa8511 |
| SHA1 | 1e5be78908b38b9c6e7d6593888e355ee270a6c2 |
| SHA256 | aef7cef69eb5e31673d034239aff208061fa61e8b5c8355b933e14f5818e4433 |
Loader analysis
The loader is very simple, just some misc methods along with a call to CreateProcessA, and the imports fopen, fwrite and fclose, which are used for writing the unpacked executable to the disk.
To unpack, use x32dbg and set a breakpoint at fclose to figure out what the file written is. Looking at the stack, the file is C:\\Users\\IEUser\\Rat.exe. Nice naming.
Rat.exe
| Property | Value |
|---|---|
| File Type | Portable Executable 32 .NET Assembly |
| File Info | Microsoft Visual Studio .NET |
| File Size | 45.00 KB |
| InternalName | Stub.exe |
| OriginalFilename | Stub.exe |
| FileVersion | 1.0.0.0 |
| ProductVersion | 1.0.0.0 |
| MD5 | 92AE00718AABC2B102C2917365C99B23 |
| SHA1 | 510E02707867F1B3FB2C3A422E6B38E41D30437E |
| SHA256 | 3BE8B9FB6DF8453B6E00EB7A801A6D407C28AF3E20FABEEA794A5D455C29338F |
There’s no obfuscation, so analysing this is going to be easy.
Main
The main program flow is as follows:
- Initalize settings
- Create a mutex
- Check for analysis tools
- Install self
- Set process as critical
- Connect to Command & Control server
Initialize settings
There is a tiny bit of protection for the settings, in that it decodes the AES256 key from a base64 string, and then uses that to decrypt all the rest of the settings which are encoded with base64. Hwid is generated dynamically.
| Setting | Value |
|---|---|
| Key | BLUcOMq3ucrufspIr5POSfDA96qjRUPR |
| Ports | 6606,7707,8808 |
| Hosts | 127.0.0.1 |
| Version | 0.5.7B |
| Install | false |
| MTX | AsyncMutex_6SI8OkPnk |
| Pastebin | null |
| Anti | false |
| BDOS | false |
| Group | Default |
| Hwid | DC10896CF40D0635B440 |
| Serversignature | VTrzri8Fl6zfx/omWVmRhIu+LLjs6OKqDxi6j/0QAv0/YX2SVSaMjb2u5rICDgkZTicxYTZ0eNmaoDtHLTa2uCWHUckxtZ3PsxBiyZHwLFo2tsYp2wuibpoyuLDgHJ+tK8oaC09AJhyXls4UninTwn3w4z7+AuWpZl0lgZ87khGbPDJ1sOIz7ZFRiSUP21p3866S+2eJjCVuEYjQ0PNpddeFpEGSLolfdTuAOum/Yc7dusCTwuUfJPC0sgcIosWAIOttcilVe7c51beXh8uSiZUHeNH+sN+ZjZqATV3FnlPRCSHWIobXIk5PSDfj/s6sVtBWkX3NR+ACYrBjmPTIVEjodi7X8JlPwZvNMPsRTH9JuSgaa9XsqbtRpvE5U1llA7xPimqYXIjK0L8uEtFQbwOy9wQXuB21u8ffhcPnXQo6UJDz/gWAFlrYKml9NowRS/EqZnYs4X5KsLfBbiWTyit7X6NQVsiig2qRkzizDBmTkUu44ZMxVnvZirzPTX4nKvk40m7hIfoyNDwhRDvSD3JS+wwkjIcP06bw4vJVujT//S2JlKMb/nrJNmg4m/U+U2HrXoxbyANrHgzRP8a/D557pnpqsCYpqNk0+4E/1Y+Rik9P1wKAUvnmlHL5DvChMWpnQyazyeuk2GEV2MUhPPlfGkQBBLAv35LBHBCogAY= |
| ServerCertificate | [Subject] CN=AsyncRAT Server [Issuer] CN=AsyncRAT Server [Serial Number] 008A0F28638731BC6F8AB2EC30DF3E57 [Not Before] 11/09/2021 17:14:37 [Not After] 31/12/9999 23:59:59 [Thumbprint] 919ED7E49AB16C2CE27573AAC646842333163461 |
Google-Fu
Googling is very important, try to check out what an interesting might be. The server certificate is of AsyncRAT Server, and the version is 0.5.7B. A bit of googling shows that this is simply an open source project, where the malware author forgot to configure the server address from 127.0.0.1 or was testing it.
You can view the specific version of the open source version on github.