milleniumrat

General

Target

Prometheus Tron Brute Force (1).zip
Size

41.0MB
Sample

240514-rdz4jsad74
MD5

d23be870ef3722e9706a72e40ef4023b
SHA1

9656d45f92a1a317406fe3c60f16ba3b5a2f8ee1
SHA256

bdca6cd2c8542a4867b67978ef11bbe800789aca861cda4ee5f70e83bed69d41
SHA512

297a941a1a7ec6366f92836be0761ced9616d07ed3c21773e053d9a5c2945317d65d75fbf2f18876707e90a0d1c65c370548a73d2b5396d57eec71a2468ef921
SSDEEP

786432:Q8esY3XliX8OsYwDk0ECvv5z29TQdfm35W11icyZlziEO4:Q8et34X8OtwDkFCvbfb1Icfn4

Score

10^/10

Malware Config

Targets

- Target
  
  _internal/checker.exe
- Size
  
  24.0MB
- MD5
  
  b9f3e6e06f33ee7078f514d41be5faad
- SHA1
  
  e2d35bc333ec6ff0f6ae60e55daca44a433fc279
- SHA256
  
  a7c3208cf3067d1da12542cab16516c9085620959deb60dd000e190f15c74758
- SHA512
  
  212a6540082a20de6798d53e2c6f7f5705e5e4164620aa7f08a366e747f240c59c4c70ce0b8dd00625a0a960d1615073b4e48b2707abe767b422f732c5927bed
- SSDEEP
  
  393216:IDfDoc6/4m7/VBPt2XP8b/B+6M+8TIZ/iy1K4yoJq1HmnlOUyv5fkpHwsX:Ib7QvBt2XP8DB+DlSJ1K4y5PhSQ
Score

10^/10

milleniumrat evasion execution persistence pyinstaller rat spyware stealer
- MilleniumRat
  MilleniumRat is a remote access trojan written in C#.
  rat stealer milleniumrat
- Suspicious use of NtCreateUserProcessOtherParentProcess
- Command and Scripting Interpreter: PowerShell
  Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.
  execution
- Stops running service(s)
  evasion execution
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Executes dropped EXE
- Loads dropped DLL
- Reads user/profile data of web browsers
  Infostealers often target stored browser data, which can include saved credentials etc.
  spyware stealer
- Adds Run key to start application
  persistence
- Legitimate hosting services abused for malware hosting/C2
- Looks up external IP address via web service
  Uses a legitimate IP lookup service to find the infected system's external IP.
- Drops file in System32 directory
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious use of SetThreadContext
behavioral1 behavioral2
- Target
  
  tronbrut.exe
- Size
  
  6.3MB
- MD5
  
  a4ce476a4e63d109116aa3cf97f721c1
- SHA1
  
  189b455995960b4655e2dbc41e59cfb43ec50f6d
- SHA256
  
  717f02d558e3a6bb0c9e1515d262590cae65b235c2deb01584e7b7e1bb5861ae
- SHA512
  
  b66a1231c53fbc316b4ab8f1ad5018a4a0f0be70af30d5a7640dd3a15c0f9e8f595d42c16e6588ad2fda9dba6ad6a28a7131e0bd2fc08200d465893410477d30
- SSDEEP
  
  98304:lnY8b3CIfjoazMD/x/0feyGghhpQ940BDlgwdnpka9R/k9t+2+SpXqLGt+t0kVE0:lnYxSqDfyGgtwBdnpkYRMoSENTSfQBd
Score

10^/10

evasion execution persistence pyinstaller
- Suspicious use of NtCreateUserProcessOtherParentProcess
- Command and Scripting Interpreter: PowerShell
  Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.
  execution
- Stops running service(s)
  evasion execution
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Executes dropped EXE
- Loads dropped DLL
- Adds Run key to start application
  persistence
- Legitimate hosting services abused for malware hosting/C2
- Looks up external IP address via web service
  Uses a legitimate IP lookup service to find the infected system's external IP.
- Drops file in System32 directory
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious use of SetThreadContext
behavioral3 behavioral4