electrorat | 568326883f9157fe8f1a7c681e2df341973a75205cf81d627040d101ce24f1bb

Analysis

max time kernel
149s
max time network
151s
platform
windows7_x64
resource
win7v20201028
submitted
05-01-2021 22:23

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

568326883f9157fe8f1a7c681e2df341973a75205cf81d627040d101ce24f1bb.bin.exe
Size

13.1MB
MD5

a7f3e4b00b03cb8d28db7961626c757c
SHA1

02873790ac509f38bb502c7f4902d1dbe7acc915
SHA256

568326883f9157fe8f1a7c681e2df341973a75205cf81d627040d101ce24f1bb
SHA512

edb361482c1439827a8610dec0601fc34f504606a3781fba45c0861b8e3fe552b543b56b6443b8473cc76aeec544c1ca4fb9e92fc3a5a1a7f6b064276838de48

Score

10^/10

electrorat rat stealer

Malware Config

Signatures

Detect ElectroRat cryptocurrency stealer 3 IoCs

Processes:

resource	yara_rule
behavioral1/memory/1076-3-0x0000000000400000-0x000000000109A000-memory.dmp	family_electrorat
behavioral1/memory/1076-2-0x0000000000400000-0x000000000109A000-memory.dmp	family_electrorat
behavioral1/memory/1076-4-0x0000000000400000-0x000000000109A000-memory.dmp	family_electrorat

ElectroRat
A stealer family often targeting cryptocurrency users and distributed via fake cryptocurrency applications.
rat stealer electrorat

Drops startup file 1 IoCs

Processes:

568326883f9157fe8f1a7c681e2df341973a75205cf81d627040d101ce24f1bb.bin.exe

description	ioc	process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\systemcl.lnk	568326883f9157fe8f1a7c681e2df341973a75205cf81d627040d101ce24f1bb.bin.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs

Web Service
T1102
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Suspicious use of WriteProcessMemory 3 IoCs

Processes:

568326883f9157fe8f1a7c681e2df341973a75205cf81d627040d101ce24f1bb.bin.exe

description	pid	process	target process
PID 1076 wrote to memory of 1172	1076	568326883f9157fe8f1a7c681e2df341973a75205cf81d627040d101ce24f1bb.bin.exe	cmd.exe
PID 1076 wrote to memory of 1172	1076	568326883f9157fe8f1a7c681e2df341973a75205cf81d627040d101ce24f1bb.bin.exe	cmd.exe
PID 1076 wrote to memory of 1172	1076	568326883f9157fe8f1a7c681e2df341973a75205cf81d627040d101ce24f1bb.bin.exe	cmd.exe

C:\Users\Admin\AppData\Local\Temp\568326883f9157fe8f1a7c681e2df341973a75205cf81d627040d101ce24f1bb.bin.exe
"C:\Users\Admin\AppData\Local\Temp\568326883f9157fe8f1a7c681e2df341973a75205cf81d627040d101ce24f1bb.bin.exe"
1⤵
- Drops startup file
- Suspicious use of WriteProcessMemory
PID:1076
- C:\Windows\system32\cmd.exe
  cmd ver
  2⤵
  PID:1172

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Web Service

T1102

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/1076-3-0x0000000000400000-0x000000000109A000-memory.dmp

Filesize
12.6MB

Download
memory/1076-2-0x0000000000400000-0x000000000109A000-memory.dmp

Filesize
12.6MB

Download
memory/1076-4-0x0000000000400000-0x000000000109A000-memory.dmp

Filesize
12.6MB

Download
memory/1172-5-0x0000000000000000-mapping.dmp

Download