beb837e8832f27dacfd3719cf617310f1b9e74badbfca8705ecafce3ed5e6a33

Analysis

max time kernel
149s
max time network
90s
platform
windows11-21h2_x64
resource
win11-20231215-en
resource tags

arch:x64arch:x86image:win11-20231215-enlocale:en-usos:windows11-21h2-x64system
submitted
24-12-2023 19:58

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

888 RAT 1.0.9.exe
Size

22.0MB
MD5

32004e656640aad1672f0ee98434bc3c
SHA1

d665b4e03e9d75f87079d65cff791147b7ee6e4f
SHA256

beb837e8832f27dacfd3719cf617310f1b9e74badbfca8705ecafce3ed5e6a33
SHA512

1cd55008d6352469a937f168d6d72cfd202d81c24a6be4c6256a4c73c576577aefe8da912c5cb09e12f12a58e46f99381fa9834b58bc356e0c530908b236785f
SSDEEP

393216:TufwMCigvYFChWbRT5OV7lAUl+9o0okMLeDuq3+QAk5ubWWBwBvJ5wV:aXZgvYYhQDOVPl+9l2+OZuhQwR/

Score

7^/10

upx

Malware Config

Signatures

ACProtect 1.3x - 1.4x DLL software 2 IoCs

Detects file using ACProtect software.

Processes:

resource	yara_rule
C:\Users\Admin\AppData\Local\Temp\aut6297.tmp	acprotect
C:\Users\Admin\AppData\Local\Temp\skin.dll	acprotect

Loads dropped DLL 3 IoCs

Processes:

888 RAT 1.0.9.exe

pid process

1576 888 RAT 1.0.9.exe
1576 888 RAT 1.0.9.exe
1576 888 RAT 1.0.9.exe

UPX packed file 4 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

Processes:

resource	yara_rule
C:\Users\Admin\AppData\Local\Temp\aut6297.tmp	upx
C:\Users\Admin\AppData\Local\Temp\skin.dll	upx
behavioral3/memory/1576-38-0x0000000010000000-0x00000000100BB000-memory.dmp	upx
behavioral3/memory/1576-121-0x0000000010000000-0x00000000100BB000-memory.dmp	upx

AutoIT Executable 12 IoCs

AutoIT scripts compiled to PE executables.

Processes:

resource	yara_rule
behavioral3/memory/1576-43-0x00000000008E0000-0x0000000001EE7000-memory.dmp	autoit_exe
behavioral3/memory/1576-45-0x00000000008E0000-0x0000000001EE7000-memory.dmp	autoit_exe
behavioral3/memory/1576-48-0x00000000008E0000-0x0000000001EE7000-memory.dmp	autoit_exe
behavioral3/memory/1576-51-0x00000000008E0000-0x0000000001EE7000-memory.dmp	autoit_exe
behavioral3/memory/1576-54-0x00000000008E0000-0x0000000001EE7000-memory.dmp	autoit_exe
behavioral3/memory/1576-60-0x00000000008E0000-0x0000000001EE7000-memory.dmp	autoit_exe
behavioral3/memory/1576-76-0x00000000008E0000-0x0000000001EE7000-memory.dmp	autoit_exe
behavioral3/memory/1576-81-0x00000000008E0000-0x0000000001EE7000-memory.dmp	autoit_exe
behavioral3/memory/1576-105-0x00000000008E0000-0x0000000001EE7000-memory.dmp	autoit_exe
behavioral3/memory/1576-100-0x00000000008E0000-0x0000000001EE7000-memory.dmp	autoit_exe
behavioral3/memory/1576-88-0x00000000008E0000-0x0000000001EE7000-memory.dmp	autoit_exe
behavioral3/memory/1576-67-0x00000000008E0000-0x0000000001EE7000-memory.dmp	autoit_exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

Processes:

888 RAT 1.0.9.exe

pid process

1576 888 RAT 1.0.9.exe
1576 888 RAT 1.0.9.exe
Suspicious behavior: GetForegroundWindowSpam 1 IoCs

Processes:

888 RAT 1.0.9.exe

pid process

1576 888 RAT 1.0.9.exe

Suspicious use of FindShellTrayWindow 64 IoCs

Processes:

888 RAT 1.0.9.exe

pid	process
1576	888 RAT 1.0.9.exe
1576	888 RAT 1.0.9.exe
1576	888 RAT 1.0.9.exe
1576	888 RAT 1.0.9.exe
1576	888 RAT 1.0.9.exe
1576	888 RAT 1.0.9.exe
1576	888 RAT 1.0.9.exe
1576	888 RAT 1.0.9.exe
1576	888 RAT 1.0.9.exe
1576	888 RAT 1.0.9.exe
1576	888 RAT 1.0.9.exe
1576	888 RAT 1.0.9.exe
1576	888 RAT 1.0.9.exe
1576	888 RAT 1.0.9.exe
1576	888 RAT 1.0.9.exe
1576	888 RAT 1.0.9.exe
1576	888 RAT 1.0.9.exe
1576	888 RAT 1.0.9.exe
1576	888 RAT 1.0.9.exe
1576	888 RAT 1.0.9.exe
1576	888 RAT 1.0.9.exe
1576	888 RAT 1.0.9.exe
1576	888 RAT 1.0.9.exe
1576	888 RAT 1.0.9.exe
1576	888 RAT 1.0.9.exe
1576	888 RAT 1.0.9.exe
1576	888 RAT 1.0.9.exe
1576	888 RAT 1.0.9.exe
1576	888 RAT 1.0.9.exe
1576	888 RAT 1.0.9.exe
1576	888 RAT 1.0.9.exe
1576	888 RAT 1.0.9.exe
1576	888 RAT 1.0.9.exe
1576	888 RAT 1.0.9.exe
1576	888 RAT 1.0.9.exe
1576	888 RAT 1.0.9.exe
1576	888 RAT 1.0.9.exe
1576	888 RAT 1.0.9.exe
1576	888 RAT 1.0.9.exe
1576	888 RAT 1.0.9.exe
1576	888 RAT 1.0.9.exe
1576	888 RAT 1.0.9.exe
1576	888 RAT 1.0.9.exe
1576	888 RAT 1.0.9.exe
1576	888 RAT 1.0.9.exe
1576	888 RAT 1.0.9.exe
1576	888 RAT 1.0.9.exe
1576	888 RAT 1.0.9.exe
1576	888 RAT 1.0.9.exe
1576	888 RAT 1.0.9.exe
1576	888 RAT 1.0.9.exe
1576	888 RAT 1.0.9.exe
1576	888 RAT 1.0.9.exe
1576	888 RAT 1.0.9.exe
1576	888 RAT 1.0.9.exe
1576	888 RAT 1.0.9.exe
1576	888 RAT 1.0.9.exe
1576	888 RAT 1.0.9.exe
1576	888 RAT 1.0.9.exe
1576	888 RAT 1.0.9.exe
1576	888 RAT 1.0.9.exe
1576	888 RAT 1.0.9.exe
1576	888 RAT 1.0.9.exe
1576	888 RAT 1.0.9.exe

Suspicious use of SendNotifyMessage 64 IoCs

Processes:

888 RAT 1.0.9.exe

pid	process
1576	888 RAT 1.0.9.exe
1576	888 RAT 1.0.9.exe
1576	888 RAT 1.0.9.exe
1576	888 RAT 1.0.9.exe
1576	888 RAT 1.0.9.exe
1576	888 RAT 1.0.9.exe
1576	888 RAT 1.0.9.exe
1576	888 RAT 1.0.9.exe
1576	888 RAT 1.0.9.exe
1576	888 RAT 1.0.9.exe
1576	888 RAT 1.0.9.exe
1576	888 RAT 1.0.9.exe
1576	888 RAT 1.0.9.exe
1576	888 RAT 1.0.9.exe
1576	888 RAT 1.0.9.exe
1576	888 RAT 1.0.9.exe
1576	888 RAT 1.0.9.exe
1576	888 RAT 1.0.9.exe
1576	888 RAT 1.0.9.exe
1576	888 RAT 1.0.9.exe
1576	888 RAT 1.0.9.exe
1576	888 RAT 1.0.9.exe
1576	888 RAT 1.0.9.exe
1576	888 RAT 1.0.9.exe
1576	888 RAT 1.0.9.exe
1576	888 RAT 1.0.9.exe
1576	888 RAT 1.0.9.exe
1576	888 RAT 1.0.9.exe
1576	888 RAT 1.0.9.exe
1576	888 RAT 1.0.9.exe
1576	888 RAT 1.0.9.exe
1576	888 RAT 1.0.9.exe
1576	888 RAT 1.0.9.exe
1576	888 RAT 1.0.9.exe
1576	888 RAT 1.0.9.exe
1576	888 RAT 1.0.9.exe
1576	888 RAT 1.0.9.exe
1576	888 RAT 1.0.9.exe
1576	888 RAT 1.0.9.exe
1576	888 RAT 1.0.9.exe
1576	888 RAT 1.0.9.exe
1576	888 RAT 1.0.9.exe
1576	888 RAT 1.0.9.exe
1576	888 RAT 1.0.9.exe
1576	888 RAT 1.0.9.exe
1576	888 RAT 1.0.9.exe
1576	888 RAT 1.0.9.exe
1576	888 RAT 1.0.9.exe
1576	888 RAT 1.0.9.exe
1576	888 RAT 1.0.9.exe
1576	888 RAT 1.0.9.exe
1576	888 RAT 1.0.9.exe
1576	888 RAT 1.0.9.exe
1576	888 RAT 1.0.9.exe
1576	888 RAT 1.0.9.exe
1576	888 RAT 1.0.9.exe
1576	888 RAT 1.0.9.exe
1576	888 RAT 1.0.9.exe
1576	888 RAT 1.0.9.exe
1576	888 RAT 1.0.9.exe
1576	888 RAT 1.0.9.exe
1576	888 RAT 1.0.9.exe
1576	888 RAT 1.0.9.exe
1576	888 RAT 1.0.9.exe

Suspicious use of SetWindowsHookEx 1 IoCs

Processes:

888 RAT 1.0.9.exe

pid process

1576 888 RAT 1.0.9.exe

C:\Users\Admin\AppData\Local\Temp\888 RAT 1.0.9.exe
"C:\Users\Admin\AppData\Local\Temp\888 RAT 1.0.9.exe"
1⤵
- Loads dropped DLL
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of SetWindowsHookEx
PID:1576

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\aut6297.tmp
Filesize
91KB

MD5
333ae812917581948371b4694450ce7a

SHA1
540465d2d791e4747c7986245d1ee8cbfd6c9c99

SHA256
aa9836576619ee2104fdc7516e6a2bbe20d76eed05f59c250d0a320da98e031d

SHA512
89ff4d10ae37fdc02fb9bdf72e9684a07e52bf92bc95b1eb1ed2473c51a68e912e7e95247c34ef09563478a58eaf2affe142e5e44ec068bb5917851f5a71a407

Download Submit
C:\Users\Admin\AppData\Local\Temp\skin.888ww.msstyles
Filesize
50KB

MD5
9a99dbf568451d2bbb455f39cee11482

SHA1
1fe0b669e77cce0a0554d834e2e5ceff9b6a8992

SHA256
c4f10850dc769b5c27ca9d27675ce5c6a4420fb0b9ae17183be1bae54b2a085f

SHA512
41dc3b528dd88f5ce5d5bf0b4f1154ab3d777ce65dba21491ab65bb1a19515a406e15a902e51ee7eb750b908d68ebda3ee468a0c55447a393b7a845ca293f769

Download Submit
C:\Users\Admin\AppData\Local\Temp\skin.888ww.msstyles
Filesize
65KB

MD5
12bd5cd724825a8577d24f4bb2ff53c7

SHA1
88feac4489258e94c022fd9772b657fc332bce71

SHA256
70d3f7ae1c0b001c5e98645ff11f4fcb4d2acce3d82c79d4b370a1be8e02d2c5

SHA512
64dff551bc407b79e1ee352d7edef1ea3c8e5c3880754fbb2531591b269e32db5f847d9de46f3eaf0d5050a9c974df0c4b6deb584e3dc562389afc5b43671ec5

Download Submit
C:\Users\Admin\AppData\Local\Temp\skin.dll
Filesize
69KB

MD5
64ebd68a26010f3171917eedcf45ec8d

SHA1
dcabdf1c1945793cb9a23ec21771c8b223ba4a28

SHA256
ed246ac2782948b73966d5374c1abea98ecb39062012588513e0e2a9048aff1e

SHA512
7e04b2c5b601d3ff0800dc9201fe7772f4389b9acd317cf014d43a5d0d821354be87ffcd5b9aae36eef9919e1c5fc5ea0ad55af9c69e52fa318a931d05211beb

Download Submit
memory/1576-38-0x0000000010000000-0x00000000100BB000-memory.dmp

Filesize
748KB

Download
memory/1576-43-0x00000000008E0000-0x0000000001EE7000-memory.dmp

Filesize
22.0MB

Download
memory/1576-44-0x00000000759A0000-0x0000000075A1C000-memory.dmp

Filesize
496KB

Download
memory/1576-47-0x00000000759A0000-0x0000000075A1C000-memory.dmp

Filesize
496KB

Download
memory/1576-46-0x00000000759A0000-0x0000000075A1C000-memory.dmp

Filesize
496KB

Download
memory/1576-45-0x00000000008E0000-0x0000000001EE7000-memory.dmp

Filesize
22.0MB

Download
memory/1576-50-0x0000000075A80000-0x0000000075AA5000-memory.dmp

Filesize
148KB

Download
memory/1576-48-0x00000000008E0000-0x0000000001EE7000-memory.dmp

Filesize
22.0MB

Download
memory/1576-49-0x00000000759A0000-0x0000000075A1C000-memory.dmp

Filesize
496KB

Download
memory/1576-51-0x00000000008E0000-0x0000000001EE7000-memory.dmp

Filesize
22.0MB

Download
memory/1576-53-0x0000000075A80000-0x0000000075AA5000-memory.dmp

Filesize
148KB

Download
memory/1576-52-0x00000000759A0000-0x0000000075A1C000-memory.dmp

Filesize
496KB

Download
memory/1576-54-0x00000000008E0000-0x0000000001EE7000-memory.dmp

Filesize
22.0MB

Download
memory/1576-57-0x0000000074F50000-0x0000000075173000-memory.dmp

Filesize
2.1MB

Download
memory/1576-58-0x00000000761A0000-0x00000000767A2000-memory.dmp

Filesize
6.0MB

Download
memory/1576-56-0x0000000075B00000-0x0000000075BBF000-memory.dmp

Filesize
764KB

Download
memory/1576-59-0x0000000075850000-0x000000007599D000-memory.dmp

Filesize
1.3MB

Download
memory/1576-55-0x0000000075A80000-0x0000000075AA5000-memory.dmp

Filesize
148KB

Download
memory/1576-60-0x00000000008E0000-0x0000000001EE7000-memory.dmp

Filesize
22.0MB

Download
memory/1576-64-0x00000000761A0000-0x00000000767A2000-memory.dmp

Filesize
6.0MB

Download
memory/1576-66-0x0000000075850000-0x000000007599D000-memory.dmp

Filesize
1.3MB

Download
memory/1576-65-0x00000000749E0000-0x0000000074A62000-memory.dmp

Filesize
520KB

Download
memory/1576-69-0x0000000074F50000-0x0000000075173000-memory.dmp

Filesize
2.1MB

Download
memory/1576-70-0x00000000761A0000-0x00000000767A2000-memory.dmp

Filesize
6.0MB

Download
memory/1576-73-0x0000000074F50000-0x0000000075173000-memory.dmp

Filesize
2.1MB

Download
memory/1576-75-0x00000000749E0000-0x0000000074A62000-memory.dmp

Filesize
520KB

Download
memory/1576-74-0x00000000761A0000-0x00000000767A2000-memory.dmp

Filesize
6.0MB

Download
memory/1576-78-0x0000000074F50000-0x0000000075173000-memory.dmp

Filesize
2.1MB

Download
memory/1576-80-0x00000000749E0000-0x0000000074A62000-memory.dmp

Filesize
520KB

Download
memory/1576-79-0x00000000761A0000-0x00000000767A2000-memory.dmp

Filesize
6.0MB

Download
memory/1576-77-0x0000000075B00000-0x0000000075BBF000-memory.dmp

Filesize
764KB

Download
memory/1576-76-0x00000000008E0000-0x0000000001EE7000-memory.dmp

Filesize
22.0MB

Download
memory/1576-81-0x00000000008E0000-0x0000000001EE7000-memory.dmp

Filesize
22.0MB

Download
memory/1576-83-0x0000000075B00000-0x0000000075BBF000-memory.dmp

Filesize
764KB

Download
memory/1576-82-0x0000000075F80000-0x000000007605F000-memory.dmp

Filesize
892KB

Download
memory/1576-86-0x00000000749E0000-0x0000000074A62000-memory.dmp

Filesize
520KB

Download
memory/1576-87-0x0000000075850000-0x000000007599D000-memory.dmp

Filesize
1.3MB

Download
memory/1576-85-0x00000000761A0000-0x00000000767A2000-memory.dmp

Filesize
6.0MB

Download
memory/1576-89-0x0000000074F50000-0x0000000075173000-memory.dmp

Filesize
2.1MB

Download
memory/1576-92-0x00000000761A0000-0x00000000767A2000-memory.dmp

Filesize
6.0MB

Download
memory/1576-93-0x0000000074F50000-0x0000000075173000-memory.dmp

Filesize
2.1MB

Download
memory/1576-95-0x0000000074F50000-0x0000000075173000-memory.dmp

Filesize
2.1MB

Download
memory/1576-98-0x00000000761A0000-0x00000000767A2000-memory.dmp

Filesize
6.0MB

Download
memory/1576-99-0x00000000749E0000-0x0000000074A62000-memory.dmp

Filesize
520KB

Download
memory/1576-97-0x0000000074F50000-0x0000000075173000-memory.dmp

Filesize
2.1MB

Download
memory/1576-104-0x00000000761A0000-0x00000000767A2000-memory.dmp

Filesize
6.0MB

Download
memory/1576-103-0x00000000749E0000-0x0000000074A62000-memory.dmp

Filesize
520KB

Download
memory/1576-106-0x0000000075B00000-0x0000000075BBF000-memory.dmp

Filesize
764KB

Download
memory/1576-105-0x00000000008E0000-0x0000000001EE7000-memory.dmp

Filesize
22.0MB

Download
memory/1576-102-0x00000000761A0000-0x00000000767A2000-memory.dmp

Filesize
6.0MB

Download
memory/1576-101-0x0000000074F50000-0x0000000075173000-memory.dmp

Filesize
2.1MB

Download
memory/1576-100-0x00000000008E0000-0x0000000001EE7000-memory.dmp

Filesize
22.0MB

Download
memory/1576-96-0x00000000761A0000-0x00000000767A2000-memory.dmp

Filesize
6.0MB

Download
memory/1576-94-0x00000000761A0000-0x00000000767A2000-memory.dmp

Filesize
6.0MB

Download
memory/1576-91-0x0000000074F50000-0x0000000075173000-memory.dmp

Filesize
2.1MB

Download
memory/1576-90-0x00000000761A0000-0x00000000767A2000-memory.dmp

Filesize
6.0MB

Download
memory/1576-88-0x00000000008E0000-0x0000000001EE7000-memory.dmp

Filesize
22.0MB

Download
memory/1576-84-0x0000000074F50000-0x0000000075173000-memory.dmp

Filesize
2.1MB

Download
memory/1576-72-0x0000000075B00000-0x0000000075BBF000-memory.dmp

Filesize
764KB

Download
memory/1576-71-0x00000000749E0000-0x0000000074A62000-memory.dmp

Filesize
520KB

Download
memory/1576-68-0x0000000075B00000-0x0000000075BBF000-memory.dmp

Filesize
764KB

Download
memory/1576-67-0x00000000008E0000-0x0000000001EE7000-memory.dmp

Filesize
22.0MB

Download
memory/1576-63-0x0000000074F50000-0x0000000075173000-memory.dmp

Filesize
2.1MB

Download
memory/1576-62-0x0000000075B00000-0x0000000075BBF000-memory.dmp

Filesize
764KB

Download
memory/1576-61-0x0000000075F80000-0x000000007605F000-memory.dmp

Filesize
892KB

Download
memory/1576-121-0x0000000010000000-0x00000000100BB000-memory.dmp

Filesize
748KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads