Analysis
  max time kernel:  1799s
  max time network: 1802s
  platform:         windows11-21h2_x64
  resource:         win11-20240419-en
  resource tags:    arch:x64, arch:x86, image:win11-20240419-en, locale:en-us, os:windows11-21h2-x64, system
  submitted:        28-04-2024 21:10
Static task
static1
Behavioral task
behavioral1
Sample
888-RAT [Lifetime Activated]/888-RAT [Lifetime Activated].exe
Resource
win11-20240426-en
Behavioral task
behavioral2
Sample
888-RAT [Lifetime Activated]/data/command-reciever.exe
Resource
win11-20240426-en
Behavioral task
behavioral3
Sample
888-RAT [Lifetime Activated]/data/user-interface.exe
Resource
win11-20240419-en
General
  Target:  888-RAT [Lifetime Activated]/data/user-interface.exe
  Size:    5.6MB
  MD5:     b8703418e6c3d1ccd83b8d178ab9f4c9
  SHA1:    6fb0e1e0ee5bc745f52a1c29e3cf4b88a2298dd6
  SHA256:  d6e9972976881d3dad7ac2a0c66cd7dd81420908aae8b00195a02fdf756cfc5e
  SHA512:  75ff6e911691e3d0d32c25d4b6d275a2b6157dae418ce5507f3e3f1b321c3f0dee516b7db0fd6588860019a19862f43c5335c465829de7a418a71999b71cfc3f
  SSDEEP:  98304:sbl27OuKr+gvhf2U9Nzm31PMoslkqXf0FvUcwti78OqJ7TPBvc8X6Ucf:s6OuK6mn9NzgMoYkSIvUcwti7TQlvciA
Malware Config
Signatures
Executes dropped EXE (1 IoC)
  pid   Process
  3164  Update.exe

Loads dropped DLL (2 IoCs)
  pid   Process
  1804  user-interface.exe
  3164  Update.exe

Legitimate hosting services abused for malware hosting/C2 (1 TTP, 2 IoCs)
  flow  ioc
  4     raw.githubusercontent.com
  11    raw.githubusercontent.com

Looks up external IP address via web service (2 IoCs)
  Uses a legitimate IP lookup service to find the infected system's external IP.
  flow  ioc
  1     ip-api.com
  9     ip-api.com

Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s).

Delays execution with timeout.exe (1 IoC)
  pid   Process
  3320  timeout.exe

Enumerates processes with tasklist (1 TTP, 1 IoC)
  pid   Process
  4884  tasklist.exe

Suspicious behavior: EnumeratesProcesses (38 IoCs)
  pid   Process
  1804  user-interface.exe  (entry repeated in the report)
  3164  Update.exe          (entry repeated in the report)

Suspicious use of AdjustPrivilegeToken (3 IoCs)
  description              pid   Process
  Token: SeDebugPrivilege  1804  user-interface.exe
  Token: SeDebugPrivilege  4884  tasklist.exe
  Token: SeDebugPrivilege  3164  Update.exe

Suspicious use of WriteProcessMemory (10 IoCs)
  description                       pid   Process             procid_target
  PID 1804 wrote to memory of 4712  1804  user-interface.exe  82
  PID 1804 wrote to memory of 4712  1804  user-interface.exe  82
  PID 4712 wrote to memory of 4884  4712  cmd.exe             84
  PID 4712 wrote to memory of 4884  4712  cmd.exe             84
  PID 4712 wrote to memory of 4960  4712  cmd.exe             85
  PID 4712 wrote to memory of 4960  4712  cmd.exe             85
  PID 4712 wrote to memory of 3320  4712  cmd.exe             86
  PID 4712 wrote to memory of 3320  4712  cmd.exe             86
  PID 4712 wrote to memory of 3164  4712  cmd.exe             87
  PID 4712 wrote to memory of 3164  4712  cmd.exe             87
Processes
(depth 1) C:\Users\Admin\AppData\Local\Temp\888-RAT [Lifetime Activated]\data\user-interface.exe
    Command line: "C:\Users\Admin\AppData\Local\Temp\888-RAT [Lifetime Activated]\data\user-interface.exe"
    PID: 1804
    - Loads dropped DLL
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory

  (depth 2) C:\Windows\System32\cmd.exe
      Command line: "C:\Windows\System32\cmd.exe" /C C:\Users\Admin\AppData\Local\Temp\tmpD522.tmp.bat & Del C:\Users\Admin\AppData\Local\Temp\tmpD522.tmp.bat
      PID: 4712
      - Suspicious use of WriteProcessMemory

    (depth 3) C:\Windows\system32\tasklist.exe
        Command line: Tasklist /fi "PID eq 1804"
        PID: 4884
        - Enumerates processes with tasklist
        - Suspicious use of AdjustPrivilegeToken

    (depth 3) C:\Windows\system32\find.exe
        Command line: find ":"
        PID: 4960

    (depth 3) C:\Windows\system32\timeout.exe
        Command line: Timeout /T 1 /Nobreak
        PID: 3320
        - Delays execution with timeout.exe

    (depth 3) C:\Users\Admin\AppData\Roaming\GoogleChromeUpdateLogger\Update.exe
        Command line: "C:\Users\Admin\AppData\Roaming\GoogleChromeUpdateLogger\Update.exe"
        PID: 3164
        - Executes dropped EXE
        - Loads dropped DLL
        - Suspicious behavior: EnumeratesProcesses
        - Suspicious use of AdjustPrivilegeToken
Network
MITRE ATT&CK Enterprise v15
Downloads
File 1
  Filesize: 1.7MB
  MD5:      65ccd6ecb99899083d43f7c24eb8f869
  SHA1:     27037a9470cc5ed177c0b6688495f3a51996a023
  SHA256:   aba67c7e6c01856838b8bc6b0ba95e864e1fdcb3750aa7cdc1bc73511cea6fe4
  SHA512:   533900861fe36cf78b614d6a7ce741ff1172b41cbd5644b4a9542e6ca42702e6fbfb12f0fbaae8f5992320870a15e90b4f7bf180705fc9839db433413860be6d

File 2
  Filesize: 288B
  MD5:      156a97124f7051ca70d47bd592f16d8b
  SHA1:     57dfaea732b86fe7b1efe461b5bc310635856b6c
  SHA256:   e4020b5d8b65d6e9c89cda7107f3b26a6ebcf7a0d53a76ee9a1e46921dc7eb04
  SHA512:   ed9a43d5e0cee3b209a2e43b90caf5e247aa8582122a90fdb3221684f350c31d52abba437e8e43bf6992032b0ad6a0bf2e4a6fc354279077b56c590d9c706cfd

File 3
  Filesize: 5.6MB
  MD5:      b8703418e6c3d1ccd83b8d178ab9f4c9
  SHA1:     6fb0e1e0ee5bc745f52a1c29e3cf4b88a2298dd6
  SHA256:   d6e9972976881d3dad7ac2a0c66cd7dd81420908aae8b00195a02fdf756cfc5e
  SHA512:   75ff6e911691e3d0d32c25d4b6d275a2b6157dae418ce5507f3e3f1b321c3f0dee516b7db0fd6588860019a19862f43c5335c465829de7a418a71999b71cfc3f