samorat | fac551f8ff156743a7f41bf36684691e87dfb123c027ea0541b962b3162e4c46

General

Target

fac551f8ff156743a7f41bf36684691e87dfb123c027ea0541b962b3162e4c46.exe
Size

1.3MB
MD5

2042fdc08ed48544a98307aec4610251
SHA1

50a6c64a62347c6c87abb65d04803ff23832a7e8
SHA256

fac551f8ff156743a7f41bf36684691e87dfb123c027ea0541b962b3162e4c46
SHA512

b102fc8105b0a7cca5c33711e83af818dd9c37ff377d252edec69cbb05052387013426bbce38650c0360fb8c94f4796a8232b93f4c5d438caf031a50c4cae591
SSDEEP

24576:LXFgZi7M93fxOLHvVCGvlxcXBVDCU7EIRxCiQVhR5CUQOufa/8gU:LXFuZOraCIxghRxQRr

Score

10^/10

Malware Config

Signatures

Contains code to disable Windows Defender 1 IoCs

A .NET executable tasked with disabling Windows Defender capabilities such as realtime monitoring, blocking at first seen, etc.

resource	yara_rule
behavioral1/memory/1312-22-0x0000000000290000-0x000000000029C000-memory.dmp	disable_win_def

SamoRAT
SamoRAT is a .NET malware used to receive and execute different commands on the infected system.
trojan samorat

Executes dropped EXE 2 IoCs

pid	Process
1748	ProAlts.xyz Token Generator.exe
1312	WinServices.exe

Loads dropped DLL 2 IoCs

pid	Process
2432	fac551f8ff156743a7f41bf36684691e87dfb123c027ea0541b962b3162e4c46.exe
2432	fac551f8ff156743a7f41bf36684691e87dfb123c027ea0541b962b3162e4c46.exe

Looks up external IP address via web service 1 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

flow	ioc
4	icanhazip.com

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Creates scheduled task(s) 1 TTPs 1 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence

Scheduled Task/Job

T1053

pid	Process
2404	schtasks.exe

Suspicious behavior: EnumeratesProcesses 14 IoCs

pid	Process
1312	WinServices.exe
1312	WinServices.exe
1312	WinServices.exe
1312	WinServices.exe
1312	WinServices.exe
1312	WinServices.exe
1312	WinServices.exe
1312	WinServices.exe
1312	WinServices.exe
1312	WinServices.exe
1312	WinServices.exe
1312	WinServices.exe
1312	WinServices.exe
1312	WinServices.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	1312	WinServices.exe

Suspicious use of WriteProcessMemory 16 IoCs

description	pid	Process	procid_target
PID 2432 wrote to memory of 1748	2432	fac551f8ff156743a7f41bf36684691e87dfb123c027ea0541b962b3162e4c46.exe	28
PID 2432 wrote to memory of 1748	2432	fac551f8ff156743a7f41bf36684691e87dfb123c027ea0541b962b3162e4c46.exe	28
PID 2432 wrote to memory of 1748	2432	fac551f8ff156743a7f41bf36684691e87dfb123c027ea0541b962b3162e4c46.exe	28
PID 2432 wrote to memory of 1748	2432	fac551f8ff156743a7f41bf36684691e87dfb123c027ea0541b962b3162e4c46.exe	28
PID 2432 wrote to memory of 1312	2432	fac551f8ff156743a7f41bf36684691e87dfb123c027ea0541b962b3162e4c46.exe	29
PID 2432 wrote to memory of 1312	2432	fac551f8ff156743a7f41bf36684691e87dfb123c027ea0541b962b3162e4c46.exe	29
PID 2432 wrote to memory of 1312	2432	fac551f8ff156743a7f41bf36684691e87dfb123c027ea0541b962b3162e4c46.exe	29
PID 2432 wrote to memory of 1312	2432	fac551f8ff156743a7f41bf36684691e87dfb123c027ea0541b962b3162e4c46.exe	29
PID 1312 wrote to memory of 2632	1312	WinServices.exe	32
PID 1312 wrote to memory of 2632	1312	WinServices.exe	32
PID 1312 wrote to memory of 2632	1312	WinServices.exe	32
PID 1312 wrote to memory of 2632	1312	WinServices.exe	32
PID 2632 wrote to memory of 2404	2632	cmd.exe	34
PID 2632 wrote to memory of 2404	2632	cmd.exe	34
PID 2632 wrote to memory of 2404	2632	cmd.exe	34
PID 2632 wrote to memory of 2404	2632	cmd.exe	34

C:\Users\Admin\AppData\Local\Temp\fac551f8ff156743a7f41bf36684691e87dfb123c027ea0541b962b3162e4c46.exe
"C:\Users\Admin\AppData\Local\Temp\fac551f8ff156743a7f41bf36684691e87dfb123c027ea0541b962b3162e4c46.exe"
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2432
- C:\ProgramData\ProAlts.xyz Token Generator.exe
  "C:\ProgramData\ProAlts.xyz Token Generator.exe"
  2⤵
  - Executes dropped EXE
  PID:1748
- C:\ProgramData\WinServices.exe
  "C:\ProgramData\WinServices.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:1312
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\System32\cmd.exe" /c schtasks /create /f /sc onlogon /rl highest /tn WinServices /tr '"C:\Users\Admin\AppData\Local\Microsoft\Networking\WinServices.exe"' & exit
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:2632
  - - C:\Windows\SysWOW64\schtasks.exe
      schtasks /create /f /sc onlogon /rl highest /tn WinServices /tr '"C:\Users\Admin\AppData\Local\Microsoft\Networking\WinServices.exe"'
      4⤵
      Creates scheduled task(s)
      PID:2404

C:\Windows\system32\wbem\WmiApSrv.exe
C:\Windows\system32\wbem\WmiApSrv.exe
1⤵
PID:1448

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

1

T1053

Persistence

Scheduled Task/Job

1

T1053

Privilege Escalation

Scheduled Task/Job

1

T1053

Defense Evasion

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

\ProgramData\ProAlts.xyz Token Generator.exe

Filesize
672KB

MD5
2086fb707a48f239399ec752feaabd7e

SHA1
bb7d8008b21a6ae038074479f6e423a257fb5260

SHA256
a2cf0de9e63aeaf15700f4df455273183cf8334e732e888b0d3c1090ff84ba34

SHA512
cd14867bca10f5167fd28614bb6692576b5b6807c458bef6c8ee19169daa8e713383fbfaa3cc90e4f96f3b1cbbb7dcd8ab15d105a9d435cee9fdd52046b2d5d0

Download Submit
\ProgramData\WinServices.exe

Filesize
188KB

MD5
4bb3e58d375714e27744d106143cf61b

SHA1
802803b91e9439c5bc0a59f73629d2a191e9f4dc

SHA256
f434312e8ce38172180f281f6b3951879e82f42a07362f89179d91ded810feea

SHA512
64cf58bbc58f05d6d08bdf59ce5b7496bf4a4ae97135d8a96c4ed6af7ae319a2b146d79059ff718d481f26198b1f80874fb7111c8bd79fda039e21db3f9424f7

Download Submit
memory/1312-21-0x00000000711A0000-0x000000007188E000-memory.dmp

Filesize
6.9MB

Download
memory/1312-31-0x00000000711A0000-0x000000007188E000-memory.dmp

Filesize
6.9MB

Download
memory/1312-25-0x00000000059E0000-0x0000000005A20000-memory.dmp

Filesize
256KB

Download
memory/1312-22-0x0000000000290000-0x000000000029C000-memory.dmp

Filesize
48KB

Download
memory/1312-19-0x0000000001100000-0x0000000001134000-memory.dmp

Filesize
208KB

Download
memory/1748-20-0x00000000711A0000-0x000000007188E000-memory.dmp

Filesize
6.9MB

Download
memory/1748-18-0x0000000000970000-0x0000000000A1C000-memory.dmp

Filesize
688KB

Download
memory/1748-23-0x0000000004DA0000-0x0000000004DE0000-memory.dmp

Filesize
256KB

Download
memory/1748-24-0x0000000004DA0000-0x0000000004DE0000-memory.dmp

Filesize
256KB

Download
memory/1748-30-0x00000000711A0000-0x000000007188E000-memory.dmp

Filesize
6.9MB

Download
memory/1748-32-0x0000000004DA0000-0x0000000004DE0000-memory.dmp

Filesize
256KB

Download
memory/1748-34-0x0000000004DA0000-0x0000000004DE0000-memory.dmp

Filesize
256KB

Download
memory/2432-0-0x00000000743A0000-0x000000007494B000-memory.dmp

Filesize
5.7MB

Download
memory/2432-17-0x00000000743A0000-0x000000007494B000-memory.dmp

Filesize
5.7MB

Download
memory/2432-2-0x00000000004C0000-0x0000000000500000-memory.dmp

Filesize
256KB

Download
memory/2432-1-0x00000000743A0000-0x000000007494B000-memory.dmp

Filesize
5.7MB

Download

Resubmissions

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads