General
-
Target
888-RAT [Lifetime Activated].zip
-
Size
85.0MB
-
Sample
240526-h7s3nabb6y
-
MD5
a2a01ffb986f3e8a815b12e9f5e97417
-
SHA1
46f6c589e1234d11f5d2d59e4267dbb6466cf846
-
SHA256
919b8906dc891e3dec2883b47a3cacbdc304482e2efa1edb44c4a2d641e8e302
-
SHA512
31580d9631066487b7cf3d8d88cf0491ff4acff5c83efdee36cdc4390a4f2eef1209ef10438a7b10a506113563912ca53849973d7d7b47c02c2db4c22584a5bf
-
SSDEEP
1572864:zYCWF5RLQqPD05Fq/2t2j0TpqbHF7TS6LQz/DIRVxLtCqHm++FTHlemi:zY5RLQqqYetQtTS6LQovxLtQ71i
Malware Config
Targets
-
-
Target
888-RAT [Lifetime Activated]/888-RAT [Lifetime Activated].exe
-
Size
2.2MB
-
MD5
a4680e5a5f84ca01a426659d60cf83fb
-
SHA1
30442fa61f339bba3b60de3938d44681ec49a14c
-
SHA256
d9974f05d2e0b76f4d8515329473edf6d574a9b9b67361b7b9ab5eaf4bc54932
-
SHA512
446852177a6b1cdf9e1c16da6e11a07f34de01688917539eb054f5d43b954486fb30897cbd483d9f1c687e92d8ef14ae733dd8c35f6dabab44fb3a9682f54bca
-
SSDEEP
49152:PdYJMfC7koydmRzCxWO8e89khof23mnijV6WvFw3BAz2tIm0U3Nlf:Oc3vdUEWFvSfdw3rtImTf
Score10/10-
888RAT
888RAT is an Android remote administration tool.
-
Android 888 RAT payload
-
ACProtect 1.3x - 1.4x DLL software
Detects file using ACProtect software.
-
Checks computer location settings
Looks up country code configured in the registry, likely geofence.
-
Executes dropped EXE
-
Loads dropped DLL
-
Reads user/profile data of web browsers
Infostealers often target stored browser data, which can include saved credentials etc.
-
UPX packed file
Detects executables packed with UPX/modified UPX open source packer.
-
Adds Run key to start application
-
Legitimate hosting services abused for malware hosting/C2
-
Looks up external IP address via web service
Uses a legitimate IP lookup service to find the infected system's external IP.
-
AutoIT Executable
AutoIT scripts compiled to PE executables.
-
-
-
Target
888-RAT [Lifetime Activated]/data/command-reciever.dat
-
Size
79.2MB
-
MD5
e9aa901042053b06723f6e14f95fe3c6
-
SHA1
f7653cb6fc7c6dd17900abdc7a4307570aca50d6
-
SHA256
f4023630eddd4ee944149279d641604764e442592d98b9720874c69e02d84fb5
-
SHA512
272410435e51a59856cd9dcf7bfba852a9d7055a71fff00491ad45eab9025799a97bebfcdcaab787b17c35263edb9e0b36df63cbcf190969092c2f355406a313
-
SSDEEP
1572864:9+geRT13w3TbMlFaT9re/8v1qrqxXlUcFY3rT4FDfhPMETIuCNBrO:9+r13wmgJr0YlUcFYglfhPYS
Score10/10-
888RAT
888RAT is an Android remote administration tool.
-
Android 888 RAT payload
-
ACProtect 1.3x - 1.4x DLL software
Detects file using ACProtect software.
-
Checks computer location settings
Looks up country code configured in the registry, likely geofence.
-
Executes dropped EXE
-
Loads dropped DLL
-
UPX packed file
Detects executables packed with UPX/modified UPX open source packer.
-
AutoIT Executable
AutoIT scripts compiled to PE executables.
-
-
-
Target
888-RAT [Lifetime Activated]/data/user-interface.dat
-
Size
5.6MB
-
MD5
b8703418e6c3d1ccd83b8d178ab9f4c9
-
SHA1
6fb0e1e0ee5bc745f52a1c29e3cf4b88a2298dd6
-
SHA256
d6e9972976881d3dad7ac2a0c66cd7dd81420908aae8b00195a02fdf756cfc5e
-
SHA512
75ff6e911691e3d0d32c25d4b6d275a2b6157dae418ce5507f3e3f1b321c3f0dee516b7db0fd6588860019a19862f43c5335c465829de7a418a71999b71cfc3f
-
SSDEEP
98304:sbl27OuKr+gvhf2U9Nzm31PMoslkqXf0FvUcwti78OqJ7TPBvc8X6Ucf:s6OuK6mn9NzgMoYkSIvUcwti7TQlvciA
Score7/10-
Checks computer location settings
Looks up country code configured in the registry, likely geofence.
-
Executes dropped EXE
-
Loads dropped DLL
-
Reads user/profile data of web browsers
Infostealers often target stored browser data, which can include saved credentials etc.
-
Adds Run key to start application
-
Legitimate hosting services abused for malware hosting/C2
-
Looks up external IP address via web service
Uses a legitimate IP lookup service to find the infected system's external IP.
-