milleniumrat

General

Target

New Text Document.txt
Size

352B
Sample

240508-tgn7kaeh57
MD5

901993bbd60acc525b9811b758de0ff0
SHA1

beeb0f22183104e9862a2bd2f3ba2af2494f8af9
SHA256

91c3d71ccdc02d3fe1ad1c9ffdbff3dc2a350e97e3482f843e94348af3a63446
SHA512

7933a372f5de7c921e6d3582c0772d27935301cc325ba1b24988246c4f4e17f55bc872017d6609311a9d7804f1932a68d920df53a6cf4f339ff6ae8709eb2f7d

Score

10^/10

Malware Config

Targets

- Target
  
  New Text Document.txt
- Size
  
  352B
- MD5
  
  901993bbd60acc525b9811b758de0ff0
- SHA1
  
  beeb0f22183104e9862a2bd2f3ba2af2494f8af9
- SHA256
  
  91c3d71ccdc02d3fe1ad1c9ffdbff3dc2a350e97e3482f843e94348af3a63446
- SHA512
  
  7933a372f5de7c921e6d3582c0772d27935301cc325ba1b24988246c4f4e17f55bc872017d6609311a9d7804f1932a68d920df53a6cf4f339ff6ae8709eb2f7d
Score

10^/10

milleniumrat discovery evasion execution persistence pyinstaller rat spyware stealer
- MilleniumRat
  MilleniumRat is a remote access trojan written in C#.
  rat stealer milleniumrat
- Suspicious use of NtCreateUserProcessOtherParentProcess
- Contacts a large (14416) amount of remote hosts
  This may indicate a network scan to discover remotely running services.
  discovery
- Command and Scripting Interpreter: PowerShell
  Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.
  execution
- Downloads MZ/PE file
- Stops running service(s)
  evasion execution
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Executes dropped EXE
- Loads dropped DLL
- Reads user/profile data of web browsers
  Infostealers often target stored browser data, which can include saved credentials etc.
  spyware stealer
- Registers COM server for autorun
  persistence
- Adds Run key to start application
  persistence
- Blocklisted process makes network request
- Checks installed software on the system
  Looks up Uninstall key entries in the registry to enumerate software on the system.
  discovery
- Creates a large amount of network flows
  This may indicate a network scan to discover remotely running services.
  discovery
- Enumerates connected drives
  Attempts to read the root path of hard drives other than the default C: drive.
- Legitimate hosting services abused for malware hosting/C2
- Looks up external IP address via web service
  Uses a legitimate IP lookup service to find the infected system's external IP.
- Drops file in System32 directory
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious use of SetThreadContext
behavioral1