888rat

General

Target

888-RAT [Lifetime Activated].zip
Size

85.0MB
Sample

240712-3hdlwsvhjp
MD5

a2a01ffb986f3e8a815b12e9f5e97417
SHA1

46f6c589e1234d11f5d2d59e4267dbb6466cf846
SHA256

919b8906dc891e3dec2883b47a3cacbdc304482e2efa1edb44c4a2d641e8e302
SHA512

31580d9631066487b7cf3d8d88cf0491ff4acff5c83efdee36cdc4390a4f2eef1209ef10438a7b10a506113563912ca53849973d7d7b47c02c2db4c22584a5bf
SSDEEP

1572864:zYCWF5RLQqPD05Fq/2t2j0TpqbHF7TS6LQz/DIRVxLtCqHm++FTHlemi:zY5RLQqqYetQtTS6LQovxLtQ71i

Score

10^/10

Malware Config

Extracted

Family

gurcu

C2

https://api.telegram.org/bot6840643388:AAFx-w02hvJE3j8QWzCipTXQ-j2gGH45m_Y/sendDocument?chat_id=2024893777&caption=%F0%9F%93%82%20-%20Browser%20data%0A%E2%94%9C%E2%94%80%E2%94%80%20%F0%9F%93%82%20-%20cookies(0%20kb

https://api.telegram.org/bot6840643388:AAFx-w02hvJE3j8QWzCipTXQ-j2gGH45m_Y/sendMessage?chat_id=2024893777

https://api.telegram.org/bot6840643388:AAFx-w02hvJE3j8QWzCipTXQ-j2gGH45m_Y/getUpdates?offset=-

https://api.telegram.org/bot6840643388:AAFx-w02hvJE3j8QWzCipTXQ-j2gGH45m_Y/sendDocument?chat_id=2024893777&caption=%F0%9F%93%B8Screenshot%20take

Targets

- Target
  
  888-RAT [Lifetime Activated]/888-RAT [Lifetime Activated].exe
- Size
  
  2.2MB
- MD5
  
  a4680e5a5f84ca01a426659d60cf83fb
- SHA1
  
  30442fa61f339bba3b60de3938d44681ec49a14c
- SHA256
  
  d9974f05d2e0b76f4d8515329473edf6d574a9b9b67361b7b9ab5eaf4bc54932
- SHA512
  
  446852177a6b1cdf9e1c16da6e11a07f34de01688917539eb054f5d43b954486fb30897cbd483d9f1c687e92d8ef14ae733dd8c35f6dabab44fb3a9682f54bca
- SSDEEP
  
  49152:PdYJMfC7koydmRzCxWO8e89khof23mnijV6WvFw3BAz2tIm0U3Nlf:Oc3vdUEWFvSfdw3rtImTf
Score

10^/10

persistence spyware stealer upx 888rat gurcu infostealer rat trojan
- 888RAT
  888RAT is an Android remote administration tool.
  trojan infostealer rat 888rat
- Android 888 RAT payload
- Gurcu, WhiteSnake
  Gurcu is a malware stealer written in C#.
  stealer gurcu
- ACProtect 1.3x - 1.4x DLL software
  Detects file using ACProtect software.
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Executes dropped EXE
- Loads dropped DLL
- Reads user/profile data of web browsers
  Infostealers often target stored browser data, which can include saved credentials etc.
  spyware stealer
- UPX packed file
  Detects executables packed with UPX/modified UPX open source packer.
  upx
- Adds Run key to start application
  persistence
- Legitimate hosting services abused for malware hosting/C2
- Looks up external IP address via web service
  Uses a legitimate IP lookup service to find the infected system's external IP.
- AutoIT Executable
  AutoIT scripts compiled to PE executables.
behavioral1 behavioral2