888rat

Sharing

Copy URL

Twitter E-mail

General

Target

888.zip
Size

318.6MB
Sample

240717-w7b12atbjm
MD5

20f2ec7536dafbafe3500212ac0acec8
SHA1

601cb29d855cda970bd2323194b169e544b02d3c
SHA256

a0870503b673085716382adb59f7cfcd71bfc1b67c5561142150bdee6751167f
SHA512

78292faca10cb56bc31fa1a07c71bf823dded066793fe6f71f42d76a29deaf5a969c8bb1c3a283cb0a7e3c104c477ba95b6ff1fb807c7ce67e4c7d200a174d19
SSDEEP

6291456:EXZN0ALNx2NjGjiHDmO5okwDgPeXuXAmHKu6w1jsfXZN0ALNx2NjGk:0kGAmO5CXbmHeyjsrkGk

Score

10^/10

Malware Config

Targets

- Target
  
  888 RAT 1.2.5.exe
- Size
  
  75.9MB
- MD5
  
  4aecd4edd0a55ec3d6384c3fb5c7e991
- SHA1
  
  1217bde817a917c4cce9ded4cf3a5265f83e17b3
- SHA256
  
  9a84421ce7399381bddb874cce102a34568737e4421026461724aac065f1d5b7
- SHA512
  
  0b16dd7e761bdca6b70998a502f5cdf74ac9481e2610470a684dbe8998cb7d455a0c12701d4a0791359c618d799f3b01ade8a5bfdbb077648442d075b849e08b
- SSDEEP
  
  1572864:SNuhTJ9xMqHFBq0HDsLYrXatfLllR3Rbo30xXlkx6B3rS1OvaF5:SNuRx7lBq0wLYrXajRSulkx83yUaF5
Score

10^/10

888rat infostealer rat trojan upx
- 888RAT
  888RAT is an Android remote administration tool.
  trojan infostealer rat 888rat
- Android 888 RAT payload
- ACProtect 1.3x - 1.4x DLL software
  Detects file using ACProtect software.
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Executes dropped EXE
- Loads dropped DLL
- UPX packed file
  Detects executables packed with UPX/modified UPX open source packer.
  upx
- AutoIT Executable
  AutoIT scripts compiled to PE executables.
behavioral1 behavioral2 behavioral3 behavioral4
- Target
  
  888 Rat 1.2.4 Cracked By Escanor.exe
- Size
  
  82.0MB
- MD5
  
  946bbc3c7d20070824c0f00d791f34e8
- SHA1
  
  8fac0359b2e7f5a41c1974ff471e24d6245335aa
- SHA256
  
  1cf6569c752b820b9f1cf097cd5a924713248a8f286e78c93b8fbc4b2bc44804
- SHA512
  
  38ed69d9adeaa3e51826c8fb870427ecb5465d4265aa34f080fc86bc8792a6b56d8a6aea60175e59f13141336fd2b5506710788819cdfb7c31aba35daba4f4e5
- SSDEEP
  
  1572864:Bg0b0IsYMPbXHDoLYrXatfLllR3RboJxXlPY/+DoUSP/j3r9PgmDrMF:Bg7IsYYMLYrXajRwlZxaj3r9/4F
Score

10^/10

888rat infostealer persistence privilege_escalation rat spyware stealer trojan upx
- 888RAT
  888RAT is an Android remote administration tool.
  trojan infostealer rat 888rat
- Android 888 RAT payload
- Downloads MZ/PE file
- ACProtect 1.3x - 1.4x DLL software
  Detects file using ACProtect software.
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Executes dropped EXE
- Loads dropped DLL
- Reads user/profile data of web browsers
  Infostealers often target stored browser data, which can include saved credentials etc.
  spyware stealer
- UPX packed file
  Detects executables packed with UPX/modified UPX open source packer.
  upx
- Drops desktop.ini file(s)
- Legitimate hosting services abused for malware hosting/C2
- Looks up external IP address via web service
  Uses a legitimate IP lookup service to find the infected system's external IP.
- Looks up geolocation information via web service
  Uses a legitimate geolocation service to find the infected system's geolocation info.
- AutoIT Executable
  AutoIT scripts compiled to PE executables.
- Suspicious use of NtSetInformationThreadHideFromDebugger
behavioral5 behavioral6 behavioral7 behavioral8
- Target
  
  888 Rat 1.2.4 Cracked For Lifetime (2).exe
- Size
  
  82.0MB
- MD5
  
  946bbc3c7d20070824c0f00d791f34e8
- SHA1
  
  8fac0359b2e7f5a41c1974ff471e24d6245335aa
- SHA256
  
  1cf6569c752b820b9f1cf097cd5a924713248a8f286e78c93b8fbc4b2bc44804
- SHA512
  
  38ed69d9adeaa3e51826c8fb870427ecb5465d4265aa34f080fc86bc8792a6b56d8a6aea60175e59f13141336fd2b5506710788819cdfb7c31aba35daba4f4e5
- SSDEEP
  
  1572864:Bg0b0IsYMPbXHDoLYrXatfLllR3RboJxXlPY/+DoUSP/j3r9PgmDrMF:Bg7IsYYMLYrXajRwlZxaj3r9/4F
Score

10^/10

persistence privilege_escalation spyware stealer upx 888rat infostealer rat trojan
- 888RAT
  888RAT is an Android remote administration tool.
  trojan infostealer rat 888rat
- Android 888 RAT payload
- Downloads MZ/PE file
- ACProtect 1.3x - 1.4x DLL software
  Detects file using ACProtect software.
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Executes dropped EXE
- Loads dropped DLL
- Reads user/profile data of web browsers
  Infostealers often target stored browser data, which can include saved credentials etc.
  spyware stealer
- UPX packed file
  Detects executables packed with UPX/modified UPX open source packer.
  upx
- Drops desktop.ini file(s)
- Legitimate hosting services abused for malware hosting/C2
- Looks up external IP address via web service
  Uses a legitimate IP lookup service to find the infected system's external IP.
- Looks up geolocation information via web service
  Uses a legitimate geolocation service to find the infected system's geolocation info.
- AutoIT Executable
  AutoIT scripts compiled to PE executables.
- Suspicious use of NtSetInformationThreadHideFromDebugger
behavioral10 behavioral11 behavioral12 behavioral9
- Target
  
  888 rat 1.2.1.exe
- Size
  
  79.2MB
- MD5
  
  e9aa901042053b06723f6e14f95fe3c6
- SHA1
  
  f7653cb6fc7c6dd17900abdc7a4307570aca50d6
- SHA256
  
  f4023630eddd4ee944149279d641604764e442592d98b9720874c69e02d84fb5
- SHA512
  
  272410435e51a59856cd9dcf7bfba852a9d7055a71fff00491ad45eab9025799a97bebfcdcaab787b17c35263edb9e0b36df63cbcf190969092c2f355406a313
- SSDEEP
  
  1572864:9+geRT13w3TbMlFaT9re/8v1qrqxXlUcFY3rT4FDfhPMETIuCNBrO:9+r13wmgJr0YlUcFYglfhPYS
Score

10^/10

888rat infostealer rat trojan upx
- 888RAT
  888RAT is an Android remote administration tool.
  trojan infostealer rat 888rat
- Android 888 RAT payload
- ACProtect 1.3x - 1.4x DLL software
  Detects file using ACProtect software.
- Executes dropped EXE
- Loads dropped DLL
- UPX packed file
  Detects executables packed with UPX/modified UPX open source packer.
  upx
- AutoIT Executable
  AutoIT scripts compiled to PE executables.
behavioral13 behavioral14 behavioral15 behavioral16

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Persistence

Event Triggered Execution

T1546

Netsh Helper DLL

T1546.007

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Privilege Escalation

Event Triggered Execution

T1546

Netsh Helper DLL

T1546.007

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Defense Evasion

Modify Registry

T1112

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Query Registry

T1012

Remote System Discovery

T1018

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Web Service

T1102

Exfiltration

Impact

Tasks

Sharing

General

Malware Config

Targets

Android 888 RAT payload

ACProtect 1.3x - 1.4x DLL software

Checks computer location settings

Executes dropped EXE

Loads dropped DLL

UPX packed file

AutoIT Executable

888RAT

Android 888 RAT payload

Downloads MZ/PE file

ACProtect 1.3x - 1.4x DLL software

Checks computer location settings

Executes dropped EXE

Loads dropped DLL

Reads user/profile data of web browsers

UPX packed file

Drops desktop.ini file(s)

Legitimate hosting services abused for malware hosting/C2

Looks up external IP address via web service

Looks up geolocation information via web service

AutoIT Executable

Suspicious use of NtSetInformationThreadHideFromDebugger

888RAT

Android 888 RAT payload

Downloads MZ/PE file

ACProtect 1.3x - 1.4x DLL software

Checks computer location settings

Executes dropped EXE

Loads dropped DLL

Reads user/profile data of web browsers

UPX packed file

Drops desktop.ini file(s)

Legitimate hosting services abused for malware hosting/C2

Looks up external IP address via web service

Looks up geolocation information via web service

AutoIT Executable

Suspicious use of NtSetInformationThreadHideFromDebugger

888RAT

Android 888 RAT payload

ACProtect 1.3x - 1.4x DLL software

Executes dropped EXE

Loads dropped DLL

UPX packed file

AutoIT Executable

MITRE ATT&CK Enterprise v15

Tasks

static1

behavioral1

behavioral2

behavioral3

behavioral4

behavioral5

behavioral6

behavioral7

behavioral8

behavioral9

behavioral10

behavioral11

behavioral12

behavioral13

behavioral14

behavioral15

behavioral16