919b8906dc891e3dec2883b47a3cacbdc304482e2efa1edb44c4a2d641e8e302

General

Target

888-RAT [Lifetime Activated]/data/user-interface.exe
Size

5.6MB
MD5

b8703418e6c3d1ccd83b8d178ab9f4c9
SHA1

6fb0e1e0ee5bc745f52a1c29e3cf4b88a2298dd6
SHA256

d6e9972976881d3dad7ac2a0c66cd7dd81420908aae8b00195a02fdf756cfc5e
SHA512

75ff6e911691e3d0d32c25d4b6d275a2b6157dae418ce5507f3e3f1b321c3f0dee516b7db0fd6588860019a19862f43c5335c465829de7a418a71999b71cfc3f
SSDEEP

98304:sbl27OuKr+gvhf2U9Nzm31PMoslkqXf0FvUcwti78OqJ7TPBvc8X6Ucf:s6OuK6mn9NzgMoYkSIvUcwti7TQlvciA

Score

7^/10

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
3164	Update.exe

Loads dropped DLL 2 IoCs

pid	Process
1804	user-interface.exe
3164	Update.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs 2 IoCs

Web Service

T1102

flow	ioc
4	raw.githubusercontent.com
11	raw.githubusercontent.com

Looks up external IP address via web service 2 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

flow	ioc
1	ip-api.com
9	ip-api.com

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Delays execution with timeout.exe 1 IoCs

evasion

pid	Process
3320	timeout.exe

Enumerates processes with tasklist 1 TTPs 1 IoCs

Process Discovery

T1057

pid	Process
4884	tasklist.exe

Suspicious behavior: EnumeratesProcesses 38 IoCs

pid	Process
1804	user-interface.exe
1804	user-interface.exe
1804	user-interface.exe
1804	user-interface.exe
1804	user-interface.exe
1804	user-interface.exe
1804	user-interface.exe
1804	user-interface.exe
1804	user-interface.exe
1804	user-interface.exe
1804	user-interface.exe
1804	user-interface.exe
1804	user-interface.exe
1804	user-interface.exe
1804	user-interface.exe
1804	user-interface.exe
1804	user-interface.exe
1804	user-interface.exe
1804	user-interface.exe
3164	Update.exe
3164	Update.exe
3164	Update.exe
3164	Update.exe
3164	Update.exe
3164	Update.exe
3164	Update.exe
3164	Update.exe
3164	Update.exe
3164	Update.exe
3164	Update.exe
3164	Update.exe
3164	Update.exe
3164	Update.exe
3164	Update.exe
3164	Update.exe
3164	Update.exe
3164	Update.exe
3164	Update.exe

Suspicious use of AdjustPrivilegeToken 3 IoCs

description	pid	Process
Token: SeDebugPrivilege	1804	user-interface.exe
Token: SeDebugPrivilege	4884	tasklist.exe
Token: SeDebugPrivilege	3164	Update.exe

Suspicious use of WriteProcessMemory 10 IoCs

description	pid	Process	procid_target
PID 1804 wrote to memory of 4712	1804	user-interface.exe	82
PID 1804 wrote to memory of 4712	1804	user-interface.exe	82
PID 4712 wrote to memory of 4884	4712	cmd.exe	84
PID 4712 wrote to memory of 4884	4712	cmd.exe	84
PID 4712 wrote to memory of 4960	4712	cmd.exe	85
PID 4712 wrote to memory of 4960	4712	cmd.exe	85
PID 4712 wrote to memory of 3320	4712	cmd.exe	86
PID 4712 wrote to memory of 3320	4712	cmd.exe	86
PID 4712 wrote to memory of 3164	4712	cmd.exe	87
PID 4712 wrote to memory of 3164	4712	cmd.exe	87

C:\Users\Admin\AppData\Local\Temp\888-RAT [Lifetime Activated]\data\user-interface.exe
"C:\Users\Admin\AppData\Local\Temp\888-RAT [Lifetime Activated]\data\user-interface.exe"
1⤵
- Loads dropped DLL
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1804
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /C C:\Users\Admin\AppData\Local\Temp\tmpD522.tmp.bat & Del C:\Users\Admin\AppData\Local\Temp\tmpD522.tmp.bat
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:4712
- - C:\Windows\system32\tasklist.exe
    Tasklist /fi "PID eq 1804"
    3⤵
    - Enumerates processes with tasklist
    - Suspicious use of AdjustPrivilegeToken
    PID:4884
- - C:\Windows\system32\find.exe
    find ":"
    3⤵
    PID:4960
- - C:\Windows\system32\timeout.exe
    Timeout /T 1 /Nobreak
    3⤵
    - Delays execution with timeout.exe
    PID:3320
- - C:\Users\Admin\AppData\Roaming\GoogleChromeUpdateLogger\Update.exe
    "C:\Users\Admin\AppData\Roaming\GoogleChromeUpdateLogger\Update.exe"
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:3164

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Process Discovery

1

T1057

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Web Service

1

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\Costura\A54E036D2DCD19384E8EA53862E0DD8F\64\sqlite.interop.dll

Filesize
1.7MB

MD5
65ccd6ecb99899083d43f7c24eb8f869

SHA1
27037a9470cc5ed177c0b6688495f3a51996a023

SHA256
aba67c7e6c01856838b8bc6b0ba95e864e1fdcb3750aa7cdc1bc73511cea6fe4

SHA512
533900861fe36cf78b614d6a7ce741ff1172b41cbd5644b4a9542e6ca42702e6fbfb12f0fbaae8f5992320870a15e90b4f7bf180705fc9839db433413860be6d

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmpD522.tmp.bat

Filesize
288B

MD5
156a97124f7051ca70d47bd592f16d8b

SHA1
57dfaea732b86fe7b1efe461b5bc310635856b6c

SHA256
e4020b5d8b65d6e9c89cda7107f3b26a6ebcf7a0d53a76ee9a1e46921dc7eb04

SHA512
ed9a43d5e0cee3b209a2e43b90caf5e247aa8582122a90fdb3221684f350c31d52abba437e8e43bf6992032b0ad6a0bf2e4a6fc354279077b56c590d9c706cfd

Download Submit
C:\Users\Admin\AppData\Roaming\GoogleChromeUpdateLogger\Update.exe

Filesize
5.6MB

MD5
b8703418e6c3d1ccd83b8d178ab9f4c9

SHA1
6fb0e1e0ee5bc745f52a1c29e3cf4b88a2298dd6

SHA256
d6e9972976881d3dad7ac2a0c66cd7dd81420908aae8b00195a02fdf756cfc5e

SHA512
75ff6e911691e3d0d32c25d4b6d275a2b6157dae418ce5507f3e3f1b321c3f0dee516b7db0fd6588860019a19862f43c5335c465829de7a418a71999b71cfc3f

Download Submit
memory/1804-0-0x0000021664240000-0x00000216647E0000-memory.dmp

Filesize
5.6MB

Download
memory/1804-1-0x00007FFC7BAD0000-0x00007FFC7C592000-memory.dmp

Filesize
10.8MB

Download
memory/1804-6-0x000002167ECD0000-0x000002167ED46000-memory.dmp

Filesize
472KB

Download
memory/1804-7-0x000002167EDB0000-0x000002167EDC0000-memory.dmp

Filesize
64KB

Download
memory/1804-8-0x00007FFC7BAD0000-0x00007FFC7C592000-memory.dmp

Filesize
10.8MB

Download
memory/1804-9-0x000002167EDB0000-0x000002167EDC0000-memory.dmp

Filesize
64KB

Download
memory/1804-13-0x00007FFC7BAD0000-0x00007FFC7C592000-memory.dmp

Filesize
10.8MB

Download

Analysis

Sharing