samorat | fac551f8ff156743a7f41bf36684691e87dfb123c027ea0541b962b3162e4c46 | Triage

Submit
Reports

Overview

overview

Static

static

fac551f8ff...46.exe

windows7_x64

fac551f8ff...46.exe

windows10_x64

Resubmissions

13-01-2024 10:35

240113-mmndwshch9 10

09-07-2020 11:15

200709-954vxj2xke 10

Sharing

General

Target

fac551f8ff156743a7f41bf36684691e87dfb123c027ea0541b962b3162e4c46
Size

1.3MB
Sample

200709-954vxj2xke
MD5

2042fdc08ed48544a98307aec4610251
SHA1

50a6c64a62347c6c87abb65d04803ff23832a7e8
SHA256

fac551f8ff156743a7f41bf36684691e87dfb123c027ea0541b962b3162e4c46
SHA512

b102fc8105b0a7cca5c33711e83af818dd9c37ff377d252edec69cbb05052387013426bbce38650c0360fb8c94f4796a8232b93f4c5d438caf031a50c4cae591

Score

10^/10

samorat persistence trojan

Static task

static1

Behavioral task

behavioral1

Sample

fac551f8ff156743a7f41bf36684691e87dfb123c027ea0541b962b3162e4c46.exe

Resource

win7

windows7_x64

0 signatures

0 seconds

Behavioral task

behavioral2

Sample

fac551f8ff156743a7f41bf36684691e87dfb123c027ea0541b962b3162e4c46.exe

Resource

win10v200430

trojan samorat persistence

windows10_x64

0 signatures

0 seconds

Malware Config

Targets

- Target
  
  fac551f8ff156743a7f41bf36684691e87dfb123c027ea0541b962b3162e4c46
- Size
  
  1.3MB
- MD5
  
  2042fdc08ed48544a98307aec4610251
- SHA1
  
  50a6c64a62347c6c87abb65d04803ff23832a7e8
- SHA256
  
  fac551f8ff156743a7f41bf36684691e87dfb123c027ea0541b962b3162e4c46
- SHA512
  
  b102fc8105b0a7cca5c33711e83af818dd9c37ff377d252edec69cbb05052387013426bbce38650c0360fb8c94f4796a8232b93f4c5d438caf031a50c4cae591
Score

10^/10

trojan samorat persistence
- Contains code to disable Windows Defender
  A .NET executable tasked with disabling Windows Defender capabilities such as realtime monitoring, blocking at first seen, etc.
- SamoRAT
  SamoRAT is a .NET malware used to receive and execute different commands on the infected system.
  trojan samorat
- ServiceHost packer
  Detects ServiceHost packer used for .NET malware
- Executes dropped EXE
- Loads dropped DLL
- Looks up external IP address via web service
  Uses a legitimate IP lookup service to find the infected system's external IP.
- Modifies service
  persistence
behavioral1 behavioral2

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Scheduled Task

Persistence

Modify Existing Service

Scheduled Task

Privilege Escalation

Scheduled Task

Defense Evasion

Modify Registry

Credential Access

Discovery

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Tasks

static1

behavioral1

behavioral2

trojansamoratpersistence

© 2018-2024

Terms | Privacy