magicrat | f6827dc5af661fbb4bf64bc625c78283ef836c6985bb2bfb836bd0c8d5397332

General

Target

Magicratbggdhgejff1_browsingExe.exe
Size

18.5MB
MD5

b4c9b903dfd18bd67a3824b0109f955b
SHA1

a3555a77826df6c8b2886cc0f40e7d7a2bd99610
SHA256

f6827dc5af661fbb4bf64bc625c78283ef836c6985bb2bfb836bd0c8d5397332
SHA512

73ec5620b9c607c96e883d95ac6ea4033444cb74def871d16875bb90cdf6560e592c1dcb9d6e9b406cd7d238464f46f61ca5f95bf07b0367ee826971ff151aed
SSDEEP

196608:99rTfn5Mp6Z9j2ujTh4e9q77AJsv6tWKFdu9CqK:9F+p6Z3Ph4e9qoJsv6tWKFdu9C

Score

10^/10

Malware Config

Signatures

Detected MagicRAT payload 6 IoCs

resource	yara_rule
behavioral2/memory/3584-138-0x0000000000400000-0x000000000167E000-memory.dmp	family_magicrat
behavioral2/memory/3584-139-0x0000000000400000-0x000000000167E000-memory.dmp	family_magicrat
behavioral2/memory/3584-145-0x0000000000400000-0x000000000167E000-memory.dmp	family_magicrat
behavioral2/memory/3584-146-0x0000000000400000-0x000000000167E000-memory.dmp	family_magicrat
behavioral2/memory/3584-147-0x0000000000400000-0x000000000167E000-memory.dmp	family_magicrat
behavioral2/memory/3584-148-0x0000000000400000-0x000000000167E000-memory.dmp	family_magicrat

magicrat
MagicRAT is a remote access trojan developed and operated by the Lazarus APT group.
trojan rat magicrat

Creates scheduled task(s) 1 TTPs 2 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence

Scheduled Task/Job

T1053

pid	Process
2440	schtasks.exe
4140	schtasks.exe

Suspicious use of SetWindowsHookEx 5 IoCs

pid	Process
3584	Magicratbggdhgejff1_browsingExe.exe
3584	Magicratbggdhgejff1_browsingExe.exe
3584	Magicratbggdhgejff1_browsingExe.exe
3584	Magicratbggdhgejff1_browsingExe.exe
3584	Magicratbggdhgejff1_browsingExe.exe

Suspicious use of WriteProcessMemory 20 IoCs

description	pid	Process	procid_target
PID 3584 wrote to memory of 1548	3584	Magicratbggdhgejff1_browsingExe.exe	92
PID 3584 wrote to memory of 1548	3584	Magicratbggdhgejff1_browsingExe.exe	92
PID 1548 wrote to memory of 4352	1548	cmd.exe	94
PID 1548 wrote to memory of 4352	1548	cmd.exe	94
PID 3584 wrote to memory of 3932	3584	Magicratbggdhgejff1_browsingExe.exe	96
PID 3584 wrote to memory of 3932	3584	Magicratbggdhgejff1_browsingExe.exe	96
PID 3932 wrote to memory of 2440	3932	cmd.exe	98
PID 3932 wrote to memory of 2440	3932	cmd.exe	98
PID 3584 wrote to memory of 1932	3584	Magicratbggdhgejff1_browsingExe.exe	99
PID 3584 wrote to memory of 1932	3584	Magicratbggdhgejff1_browsingExe.exe	99
PID 1932 wrote to memory of 2216	1932	cmd.exe	101
PID 1932 wrote to memory of 2216	1932	cmd.exe	101
PID 3584 wrote to memory of 4688	3584	Magicratbggdhgejff1_browsingExe.exe	102
PID 3584 wrote to memory of 4688	3584	Magicratbggdhgejff1_browsingExe.exe	102
PID 4688 wrote to memory of 3816	4688	cmd.exe	104
PID 4688 wrote to memory of 3816	4688	cmd.exe	104
PID 3584 wrote to memory of 3856	3584	Magicratbggdhgejff1_browsingExe.exe	105
PID 3584 wrote to memory of 3856	3584	Magicratbggdhgejff1_browsingExe.exe	105
PID 3856 wrote to memory of 4140	3856	cmd.exe	107
PID 3856 wrote to memory of 4140	3856	cmd.exe	107

C:\Users\Admin\AppData\Local\Temp\Magicratbggdhgejff1_browsingExe.exe
"C:\Users\Admin\AppData\Local\Temp\Magicratbggdhgejff1_browsingExe.exe"
1⤵
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:3584
- C:\Windows\SYSTEM32\cmd.exe
  cmd.exe /c bcdedit
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:1548
- - C:\Windows\system32\bcdedit.exe
    bcdedit
    3⤵
    PID:4352
- C:\Windows\SYSTEM32\cmd.exe
  cmd.exe /c schtasks /create /tn "OneDrive AutoRemove" /tr "C:\Windows\System32\cmd.exe /c del /f /q C:/Users/Admin/AppData/Local/Temp/Magicratbggdhgejff1_browsingExe.exe" /sc daily /st 10:30:30 /ru SYSTEM
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:3932
- - C:\Windows\system32\schtasks.exe
    schtasks /create /tn "OneDrive AutoRemove" /tr "C:\Windows\System32\cmd.exe /c del /f /q C:/Users/Admin/AppData/Local/Temp/Magicratbggdhgejff1_browsingExe.exe" /sc daily /st 10:30:30 /ru SYSTEM
    3⤵
    - Creates scheduled task(s)
    PID:2440
- C:\Windows\SYSTEM32\cmd.exe
  cmd.exe /c schtasks /delete /f /tn "Microsoft\Windows\light Service Manager"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:1932
- - C:\Windows\system32\schtasks.exe
    schtasks /delete /f /tn "Microsoft\Windows\light Service Manager"
    3⤵
    PID:2216
- C:\Windows\SYSTEM32\cmd.exe
  cmd.exe /c bcdedit
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:4688
- - C:\Windows\system32\bcdedit.exe
    bcdedit
    3⤵
    PID:3816
- C:\Windows\SYSTEM32\cmd.exe
  cmd.exe /c schtasks /create /tn "Microsoft\Windows\light Service Manager" /tr C:/Users/Admin/AppData/Local/Temp/Magicratbggdhgejff1_browsingExe.exe /sc onstart /ru SYSTEM
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:3856
- - C:\Windows\system32\schtasks.exe
    schtasks /create /tn "Microsoft\Windows\light Service Manager" /tr C:/Users/Admin/AppData/Local/Temp/Magicratbggdhgejff1_browsingExe.exe /sc onstart /ru SYSTEM
    3⤵
    - Creates scheduled task(s)
    PID:4140

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

1

T1053

Persistence

Scheduled Task/Job

1

T1053

Privilege Escalation

Scheduled Task/Job

1

T1053

Defense Evasion

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/3584-138-0x0000000000400000-0x000000000167E000-memory.dmp

Filesize
18.5MB

Download
memory/3584-139-0x0000000000400000-0x000000000167E000-memory.dmp

Filesize
18.5MB

Download
memory/3584-145-0x0000000000400000-0x000000000167E000-memory.dmp

Filesize
18.5MB

Download
memory/3584-146-0x0000000000400000-0x000000000167E000-memory.dmp

Filesize
18.5MB

Download
memory/3584-147-0x0000000000400000-0x000000000167E000-memory.dmp

Filesize
18.5MB

Download
memory/3584-148-0x0000000000400000-0x000000000167E000-memory.dmp

Filesize
18.5MB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads