General

  • Target

    ShadowRat.exe

  • Size

    14.2MB

  • Sample

    240511-l14scsef55

  • MD5

    8c4d216d222b661b28b1b95785aab659

  • SHA1

    9d7c47a31996a08b5404c63991186306b4f5b83b

  • SHA256

    13c071da22f6c14143bc1762ef115fd4fabb8449621308c676191ba10a4c9929

  • SHA512

    935360b49894312fd5be98111021857872492dfb85372b7210ae98d9f8478c963d9eef217f14b59490de3e0605a6dfcabb619208228ae6c3a8307d95bae03606

  • SSDEEP

    393216:Jm4MjFG821+TtIiFqY9Z8D8Ccl78NcMgBYh6x9KC:J4jFG821QtIZa8DZcJ8NXTOK

Malware Config

Targets

    • Target

      ShadowRat.exe

    • Downloads MZ/PE file

    • Checks computer location settings

      Looks up the country code configured in the registry, likely a geofence check.

    • Executes dropped EXE

    • Loads dropped DLL

    • Reads local data of messenger clients

      Infostealers often target stored data of messaging applications, which can include saved credentials and account information.

    • Adds Run key to start application

    • Legitimate hosting services abused for malware hosting/C2

MITRE ATT&CK Enterprise v15

Tasks