Analysis
max time kernel: 122s
max time network: 145s
platform: windows7_x64
resource: win7-20230831-en
resource tags: arch:x64, arch:x86, image:win7-20230831-en, locale:en-us, os:windows7-x64, system
submitted: 11-10-2023 11:44
Static task: static1
Behavioral task: behavioral1
  Sample: SecuriteInfo.com.BackDoor.Rat.457.11176.23459.exe
  Resource: win7-20230831-en
Behavioral task: behavioral2
  Sample: SecuriteInfo.com.BackDoor.Rat.457.11176.23459.exe
  Resource: win10v2004-20230915-en
The signature and process details below are from behavioral1 (Windows 7 x64); no behavioral2 results appear on this page.
General
Target: SecuriteInfo.com.BackDoor.Rat.457.11176.23459.exe
Size: 2.3MB
MD5: 69b85492367598683cc28f7353148a5c
SHA1: e03f54756a9628a142ee2cb2a9190dd1511b5336
SHA256: 50390617ca0f0b27057a4447414d7799996b69e615bea931a31d673394d92695
SHA512: 658e39b982d48317dd659b5a303b89079f68ccdd1dfcf3fe373cf23ddb71a998627e1966b74e08596635e2ac9056fc372ae16b2c4816ca09fbb7adc62920da32
SSDEEP: 49152:Eq3QscuJsVPCYc80pixEXY2QpvH8nzf9Gion08mkCSgo:E0nJsVPBcexz2QpvHqL9GiouSx
Malware Config
Signatures
ParallaxRat payload (18 IoCs)
Detects the payload of Parallax RAT, a small portable RAT usually digitally signed with a Sectigo certificate.
resource: behavioral1/memory/2412-N-0x0000000000300000-0x000000000032C000-memory.dmp for N in 4-20 and 22 (18 dumps)
yara_rule: parallax_rat
All 18 hits fall on the same 0x2C000-byte (176 KiB) region at 0x300000-0x32C000 in PID 2412, the sample's own process. These are matches on memory dumps, not on the 2.3MB file on disk, so a file-hash or on-disk YARA check alone would not reproduce this detection; scan process memory.
Drops startup file (1 IoC)
description: File created
ioc: C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\webDAV.exe.exe
process: DllHost.exe
The file is written by DllHost.exe (the COM surrogate, PID 868 below), not by the sample's PID 2412: the copy was performed through a COM object hosted in the surrogate, so a hunt keyed only on the sample's process name misses this persistence. Note the double extension (webDAV.exe.exe) and the per-user Startup folder, which requires no elevation to write.
Reads user/profile data of local email clients (2 TTPs)
Email clients store some user data on disk, which infostealers often target.
Reads user/profile data of web browsers (2 TTPs)
Infostealers often target stored browser data, which can include saved credentials.
Accesses Microsoft Outlook profiles (1 TTP, 2 IoCs)
description: Key opened
ioc: \REGISTRY\USER\S-1-5-21-2180306848-1874213455-4093218721-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook
process: SecuriteInfo.com.BackDoor.Rat.457.11176.23459.exe
description: Key opened
ioc: \REGISTRY\USER\S-1-5-21-2180306848-1874213455-4093218721-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook
process: SecuriteInfo.com.BackDoor.Rat.457.11176.23459.exe
The sample probes both the Office 2013 (15.0) and Office 2016 and later (16.0) profile hives under the current user's SID, the standard locations for stored Outlook account settings.
Enumerates physical storage devices (1 TTP)
Attempts to interact with connected storage/optical drive(s).
Suspicious behavior: EnumeratesProcesses (20 IoCs)
pid 2412, process SecuriteInfo.com.BackDoor.Rat.457.11176.23459.exe (all 20 occurrences)
Suspicious use of SetWindowsHookEx (1 IoC)
pid 2412, process SecuriteInfo.com.BackDoor.Rat.457.11176.23459.exe
SetWindowsHookEx is the API a process uses to install a hook procedure for keyboard or mouse input; benign GUI software also calls it, so treat this as supporting evidence alongside the memory match rather than a standalone indicator.
outlook_office_path (1 IoC)
description: Key opened
ioc: \REGISTRY\USER\S-1-5-21-2180306848-1874213455-4093218721-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook
process: SecuriteInfo.com.BackDoor.Rat.457.11176.23459.exe
Processes
1. C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.BackDoor.Rat.457.11176.23459.exe
   command line: "C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.BackDoor.Rat.457.11176.23459.exe"
   PID: 2412
   - Accesses Microsoft Outlook profiles
   - Suspicious behavior: EnumeratesProcesses
   - Suspicious use of SetWindowsHookEx
   - outlook_office_path
2. C:\Windows\SysWOW64\DllHost.exe
   command line: C:\Windows\SysWOW64\DllHost.exe /Processid:{3AD05575-8857-4850-9277-11B85BDB8E09}
   PID: 868
   - Drops startup file
Both processes sit at the top level of the tree: DllHost.exe is not recorded as a child of the sample, because COM surrogates are started by the DCOM launcher service rather than by the client that activates the object. Parent-child lineage alone therefore does not tie the Startup-folder drop to PID 2412; correlate on the COM activation (the /Processid: CLSID) and the file write itself.