General

  • Target: 301588fba4248762939456459ec024c90cf789fba3f7499e7f4844cf6cbbac71
  • Size: 426KB
  • Sample: 220621-vxtbwsgdal
  • MD5: 392223746090c232b617d1b9707671e8
  • SHA1: ec4d46e7fb1202f95d9b52e3dc8623126805210d
  • SHA256: 301588fba4248762939456459ec024c90cf789fba3f7499e7f4844cf6cbbac71
  • SHA512: d244c687b8437bcaee225f0292f3cd32725dc65991bd17b4df61198425e4c8565d3679d30d6ede0adfc9f82f6805716eabf755d1aafe08b3737cc47a8e8c6bc7

Malware Config

Targets

    • Target: Proof of Payment.vbs
    • Size: 668KB
    • MD5: e0380dd0e4e3ab2c148d4b3d5c413330
    • SHA1: 2cc8a39d88547cfee0aa08fd8b2e5e850eabb06d
    • SHA256: d5e01d358207375eb1662a3827891e1aab81085b163effa7a2056eb65b7b6bf9
    • SHA512: 1e3fd11448a9c90230159ab9e86ebf5e9485b9df162a1031eba5599484255a2e1403ecd4a8687265e79433e4064b364cadbcb043779a8325c037953c2ede7e3d

    • Ratty

      Ratty is an open source Java Remote Access Tool.

    • Ratty Rat Payload

    • Blocklisted process makes network request

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Drops startup file

    • Loads dropped DLL

    • Adds Run key to start application

MITRE ATT&CK Matrix (ATT&CK v6)

    Tactic            Technique                            ID      Count
    Persistence       Registry Run Keys / Startup Folder   T1060   1
    Persistence       Hidden Files and Directories         T1158   1
    Defense Evasion   Modify Registry                      T1112   2
    Defense Evasion   Hidden Files and Directories         T1158   1
    Discovery         Query Registry                       T1012   1
    Discovery         System Information Discovery         T1082   2

Tasks