888rat | 13478994921[.]zip

Resubmissions

30-04-2024 21:32

240430-1dsh5sgb5w 10

26-12-2023 17:34

231226-v5wrzsabgn 10

13-12-2023 16:11

231213-tmycesfacp 10

Sharing

Copy URL

Twitter E-mail

General

Target

13478994921.zip
Size

44.4MB
MD5

44d3f87708aba8171f36a82a9093de63
SHA1

e6649e277bd431283237a69358e2d8224f08901f
SHA256

f3312ae135274af9cb757246376d2309f6feedf27476099d7b987b78bd61bca7
SHA512

929e839104a46651958fd0c9c88a6de6545200c27cdc4ed61276e8b2ae561fb8d28d830916cae03c8285b1e09c4245fe94c36c70dbfdefd946a57ddc1f353bf1
SSDEEP

786432:dqQIaM8wVO5gcEk9GzTTps9KLP0HIzyB1tsxkYYSM0HoqegVFKKaxTIC:dBIEfT9GTpMKL8HFBYYSMsSx

Malware Config

Extracted

Family

icedid

Extracted

Family

metasploit

Version

windows/reverse_nonx_tcp

10.10.1.21:4444

Signatures

888rat family
888rat

Android 888 RAT payload 1 IoCs

Processes:

resource	yara_rule
static1/unpack001/be240429f6a9f67df22429d9fac5c22c887a65dae26f0af0b705ada8b61060c0	family_888rat

Ardamax family
ardamax

Ardamax main executable 1 IoCs

Processes:

resource	yara_rule
static1/unpack001/be240429f6a9f67df22429d9fac5c22c887a65dae26f0af0b705ada8b61060c0	family_ardamax

Contains code to disable Windows Defender 1 IoCs

A .NET executable tasked with disabling Windows Defender capabilities such as realtime monitoring, blocking at first seen, etc.

Processes:

resource	yara_rule
static1/unpack001/be240429f6a9f67df22429d9fac5c22c887a65dae26f0af0b705ada8b61060c0	disable_win_def

Detected LegionLocker ransomware 1 IoCs

Sample contains strings associated with the LegionLocker family.

ransomware

Processes:

resource	yara_rule
static1/unpack001/be240429f6a9f67df22429d9fac5c22c887a65dae26f0af0b705ada8b61060c0	family_legionlocker

Detected TEARDROP fileless dropper 1 IoCs

TEARDROP is a memory-only dropper which can read files/registry keys, decode an embedded payload, and load it directly into memory.

dropper backdoor

Processes:

resource	yara_rule
static1/unpack001/be240429f6a9f67df22429d9fac5c22c887a65dae26f0af0b705ada8b61060c0	family_teardrop

EvilNum C# Component 1 IoCs

Processes:

resource	yara_rule
static1/unpack001/be240429f6a9f67df22429d9fac5c22c887a65dae26f0af0b705ada8b61060c0	evilnum_csharp

Evilnum family
evilnum
Growtopia family
growtopia
Guloader family
guloader

Guloader payload 1 IoCs

guloader

Processes:

resource	yara_rule
static1/unpack001/be240429f6a9f67df22429d9fac5c22c887a65dae26f0af0b705ada8b61060c0	family_guloader

IcedID First Stage Loader 1 IoCs

loader

Processes:

resource	yara_rule
static1/unpack001/be240429f6a9f67df22429d9fac5c22c887a65dae26f0af0b705ada8b61060c0	IcedidFirstLoader

Icedid family
icedid
Legionlocker family
legionlocker

LoaderBot executable 1 IoCs

Processes:

resource	yara_rule
static1/unpack001/be240429f6a9f67df22429d9fac5c22c887a65dae26f0af0b705ada8b61060c0	loaderbot

Loaderbot family
loaderbot

M00nD3v Logger payload 1 IoCs

Detects M00nD3v Logger payload in memory.

infostealer

Processes:

resource	yara_rule
static1/unpack001/be240429f6a9f67df22429d9fac5c22c887a65dae26f0af0b705ada8b61060c0	m00nd3v_logger

M00nd3v_logger family
m00nd3v_logger

MassLogger log file 1 IoCs

Detects a log file produced by MassLogger.

Processes:

resource	yara_rule
static1/unpack001/be240429f6a9f67df22429d9fac5c22c887a65dae26f0af0b705ada8b61060c0	masslogger_log_file

Masslogger family
masslogger

Matiex Main payload 1 IoCs

Processes:

resource	yara_rule
static1/unpack001/be240429f6a9f67df22429d9fac5c22c887a65dae26f0af0b705ada8b61060c0	family_matiex

Matiex family
matiex
Metasploit family
metasploit
Nanocore family
nanocore

NetWire RAT payload 1 IoCs

rat

Processes:

resource	yara_rule
static1/unpack001/be240429f6a9f67df22429d9fac5c22c887a65dae26f0af0b705ada8b61060c0	netwire

Netwire family
netwire

Snake Keylogger payload 1 IoCs

Processes:

resource	yara_rule
static1/unpack001/be240429f6a9f67df22429d9fac5c22c887a65dae26f0af0b705ada8b61060c0	family_snakekeylogger

Snakekeylogger family
snakekeylogger
Teardrop family
teardrop

XMRig Miner payload 1 IoCs

miner

Processes:

resource	yara_rule
static1/unpack001/be240429f6a9f67df22429d9fac5c22c887a65dae26f0af0b705ada8b61060c0	xmrig

Xmrig family
xmrig

ReZer0 packer 1 IoCs

Detects ReZer0, a packer with multiple versions used in various campaigns.

rezer0

Processes:

resource	yara_rule
static1/unpack001/be240429f6a9f67df22429d9fac5c22c887a65dae26f0af0b705ada8b61060c0	rezer0

Obfuscated with Agile.Net obfuscator 1 IoCs

Detects use of the Agile.Net commercial obfuscator, which is capable of entity renaming and control flow obfuscation.

agilenet

Processes:

resource	yara_rule
static1/unpack001/be240429f6a9f67df22429d9fac5c22c887a65dae26f0af0b705ada8b61060c0	agile_net

HTTP links in PDF interactive object 1 IoCs

Detects HTTP links in interactive objects within PDF files.

pdf link

Processes:

resource	yara_rule
static1/unpack001/be240429f6a9f67df22429d9fac5c22c887a65dae26f0af0b705ada8b61060c0	pdf_with_link_action

Unsigned PE 1 IoCs

Checks for missing Authenticode signature.

Processes:

resource
unpack001/be240429f6a9f67df22429d9fac5c22c887a65dae26f0af0b705ada8b61060c0

Office document contains embedded OLE objects 1 IoCs

Detected embedded OLE objects in Office documents.

Processes:

resource	yara_rule
static1/unpack001/be240429f6a9f67df22429d9fac5c22c887a65dae26f0af0b705ada8b61060c0	office_ole_embedded

Files

13478994921.zip
.zip

Password: infected
be240429f6a9f67df22429d9fac5c22c887a65dae26f0af0b705ada8b61060c0
.dll windows:5 windows x64 arch:x64

Password: infected

Headers

DLL Characteristics

IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE
IMAGE_DLLCHARACTERISTICS_NX_COMPAT

File Characteristics

IMAGE_FILE_EXECUTABLE_IMAGE
IMAGE_FILE_LARGE_ADDRESS_AWARE
IMAGE_FILE_DLL

Sections

.text
Size: 104.8MB - Virtual size: 104.8MB

IMAGE_SCN_CNT_CODE
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ

.rdata
Size: 47.9MB - Virtual size: 47.9MB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.data
Size: 686KB - Virtual size: 11.7MB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

.pdata
Size: 632KB - Virtual size: 631KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.CRT
Size: 512B - Virtual size: 24B

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.reloc
Size: 748KB - Virtual size: 748KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_DISCARDABLE
IMAGE_SCN_MEM_READ

Resubmissions

Sharing

General

Malware Config

Extracted

Extracted

Signatures

Files

Password: infected

Password: infected

Headers

DLL Characteristics

File Characteristics

Sections

.text Size: 104.8MB - Virtual size: 104.8MB

.rdata Size: 47.9MB - Virtual size: 47.9MB

.data Size: 686KB - Virtual size: 11.7MB

.pdata Size: 632KB - Virtual size: 631KB

.CRT Size: 512B - Virtual size: 24B

.reloc Size: 748KB - Virtual size: 748KB

.text
Size: 104.8MB - Virtual size: 104.8MB

.rdata
Size: 47.9MB - Virtual size: 47.9MB

.data
Size: 686KB - Virtual size: 11.7MB

.pdata
Size: 632KB - Virtual size: 631KB

.CRT
Size: 512B - Virtual size: 24B

.reloc
Size: 748KB - Virtual size: 748KB