General

  • Target: 888.zip
  • Size: 318.6MB
  • Sample: 240717-w7b12atbjm
  • MD5: 20f2ec7536dafbafe3500212ac0acec8
  • SHA1: 601cb29d855cda970bd2323194b169e544b02d3c
  • SHA256: a0870503b673085716382adb59f7cfcd71bfc1b67c5561142150bdee6751167f
  • SHA512: 78292faca10cb56bc31fa1a07c71bf823dded066793fe6f71f42d76a29deaf5a969c8bb1c3a283cb0a7e3c104c477ba95b6ff1fb807c7ce67e4c7d200a174d19
  • SSDEEP: 6291456:EXZN0ALNx2NjGjiHDmO5okwDgPeXuXAmHKu6w1jsfXZN0ALNx2NjGk:0kGAmO5CXbmHeyjsrkGk

Malware Config

Targets

    • Target: 888 RAT 1.2.5.exe
    • Size: 75.9MB
    • MD5: 4aecd4edd0a55ec3d6384c3fb5c7e991
    • SHA1: 1217bde817a917c4cce9ded4cf3a5265f83e17b3
    • SHA256: 9a84421ce7399381bddb874cce102a34568737e4421026461724aac065f1d5b7
    • SHA512: 0b16dd7e761bdca6b70998a502f5cdf74ac9481e2610470a684dbe8998cb7d455a0c12701d4a0791359c618d799f3b01ade8a5bfdbb077648442d075b849e08b
    • SSDEEP: 1572864:SNuhTJ9xMqHFBq0HDsLYrXatfLllR3Rbo30xXlkx6B3rS1OvaF5:SNuRx7lBq0wLYrXajRSulkx83yUaF5

    • 888RAT

      888RAT is an Android remote administration tool.

    • Android 888 RAT payload

    • ACProtect 1.3x - 1.4x DLL software

      Detects file using ACProtect software.

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Executes dropped EXE

    • Loads dropped DLL

    • UPX packed file

      Detects executables packed with UPX/modified UPX open source packer.

    • AutoIT Executable

      AutoIT scripts compiled to PE executables.

    • Target: 888 Rat 1.2.4 Cracked By Escanor.exe
    • Size: 82.0MB
    • MD5: 946bbc3c7d20070824c0f00d791f34e8
    • SHA1: 8fac0359b2e7f5a41c1974ff471e24d6245335aa
    • SHA256: 1cf6569c752b820b9f1cf097cd5a924713248a8f286e78c93b8fbc4b2bc44804
    • SHA512: 38ed69d9adeaa3e51826c8fb870427ecb5465d4265aa34f080fc86bc8792a6b56d8a6aea60175e59f13141336fd2b5506710788819cdfb7c31aba35daba4f4e5
    • SSDEEP: 1572864:Bg0b0IsYMPbXHDoLYrXatfLllR3RboJxXlPY/+DoUSP/j3r9PgmDrMF:Bg7IsYYMLYrXajRwlZxaj3r9/4F

    • 888RAT

      888RAT is an Android remote administration tool.

    • Android 888 RAT payload

    • Downloads MZ/PE file

    • ACProtect 1.3x - 1.4x DLL software

      Detects file using ACProtect software.

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Executes dropped EXE

    • Loads dropped DLL

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials etc.

    • UPX packed file

      Detects executables packed with UPX/modified UPX open source packer.

    • Drops desktop.ini file(s)

    • Legitimate hosting services abused for malware hosting/C2

    • Looks up external IP address via web service

      Uses a legitimate IP lookup service to find the infected system's external IP.

    • Looks up geolocation information via web service

      Uses a legitimate geolocation service to find the infected system's geolocation info.

    • AutoIT Executable

      AutoIT scripts compiled to PE executables.

    • Suspicious use of NtSetInformationThreadHideFromDebugger

    • Target: 888 Rat 1.2.4 Cracked For Lifetime (2).exe
    • Size: 82.0MB
    • MD5: 946bbc3c7d20070824c0f00d791f34e8
    • SHA1: 8fac0359b2e7f5a41c1974ff471e24d6245335aa
    • SHA256: 1cf6569c752b820b9f1cf097cd5a924713248a8f286e78c93b8fbc4b2bc44804
    • SHA512: 38ed69d9adeaa3e51826c8fb870427ecb5465d4265aa34f080fc86bc8792a6b56d8a6aea60175e59f13141336fd2b5506710788819cdfb7c31aba35daba4f4e5
    • SSDEEP: 1572864:Bg0b0IsYMPbXHDoLYrXatfLllR3RboJxXlPY/+DoUSP/j3r9PgmDrMF:Bg7IsYYMLYrXajRwlZxaj3r9/4F

    • 888RAT

      888RAT is an Android remote administration tool.

    • Android 888 RAT payload

    • Downloads MZ/PE file

    • ACProtect 1.3x - 1.4x DLL software

      Detects file using ACProtect software.

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Executes dropped EXE

    • Loads dropped DLL

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials etc.

    • UPX packed file

      Detects executables packed with UPX/modified UPX open source packer.

    • Drops desktop.ini file(s)

    • Legitimate hosting services abused for malware hosting/C2

    • Looks up external IP address via web service

      Uses a legitimate IP lookup service to find the infected system's external IP.

    • Looks up geolocation information via web service

      Uses a legitimate geolocation service to find the infected system's geolocation info.

    • AutoIT Executable

      AutoIT scripts compiled to PE executables.

    • Suspicious use of NtSetInformationThreadHideFromDebugger

    • Target: 888 rat 1.2.1.exe
    • Size: 79.2MB
    • MD5: e9aa901042053b06723f6e14f95fe3c6
    • SHA1: f7653cb6fc7c6dd17900abdc7a4307570aca50d6
    • SHA256: f4023630eddd4ee944149279d641604764e442592d98b9720874c69e02d84fb5
    • SHA512: 272410435e51a59856cd9dcf7bfba852a9d7055a71fff00491ad45eab9025799a97bebfcdcaab787b17c35263edb9e0b36df63cbcf190969092c2f355406a313
    • SSDEEP: 1572864:9+geRT13w3TbMlFaT9re/8v1qrqxXlUcFY3rT4FDfhPMETIuCNBrO:9+r13wmgJr0YlUcFYglfhPYS

    • 888RAT

      888RAT is an Android remote administration tool.

    • Android 888 RAT payload

    • ACProtect 1.3x - 1.4x DLL software

      Detects file using ACProtect software.

    • Executes dropped EXE

    • Loads dropped DLL

    • UPX packed file

      Detects executables packed with UPX/modified UPX open source packer.

    • AutoIT Executable

      AutoIT scripts compiled to PE executables.

MITRE ATT&CK Matrix (ATT&CK v13)

Execution
    • Scheduled Task/Job (T1053): 2
        • Scheduled Task (T1053.005): 2

Persistence
    • Event Triggered Execution (T1546): 2
        • Netsh Helper DLL (T1546.007): 2
    • Scheduled Task/Job (T1053): 2
        • Scheduled Task (T1053.005): 2

Privilege Escalation
    • Event Triggered Execution (T1546): 2
        • Netsh Helper DLL (T1546.007): 2
    • Scheduled Task/Job (T1053): 2
        • Scheduled Task (T1053.005): 2

Defense Evasion
    • Modify Registry (T1112): 3

Credential Access
    • Unsecured Credentials (T1552): 2
        • Credentials In Files (T1552.001): 2

Discovery
    • Query Registry (T1012): 8
    • System Information Discovery (T1082): 12
    • Remote System Discovery (T1018): 1

Collection
    • Data from Local System (T1005): 2

Command and Control
    • Web Service (T1102): 2

Tasks

    • static1 (score 7/10): upx
    • behavioral1 (score 10/10): 888rat, infostealer, rat, trojan, upx
    • behavioral2 (score 7/10): upx
    • behavioral3 (score 10/10): 888rat, infostealer, rat, trojan, upx
    • behavioral4 (score 10/10): 888rat, infostealer, rat, trojan, upx
    • behavioral5 (score 10/10): 888rat, infostealer, persistence, privilege_escalation, rat, spyware, stealer, trojan, upx
    • behavioral6 (score 8/10): persistence, privilege_escalation, spyware, stealer, upx
    • behavioral7 (score 10/10): 888rat, infostealer, persistence, privilege_escalation, rat, spyware, stealer, trojan, upx
    • behavioral8 (score 10/10): 888rat, infostealer, persistence, privilege_escalation, rat, spyware, stealer, trojan, upx
    • behavioral9 (score 10/10): 888rat, infostealer, persistence, privilege_escalation, rat, spyware, stealer, trojan, upx
    • behavioral10 (score 8/10): persistence, privilege_escalation, spyware, stealer, upx
    • behavioral11 (score 10/10): 888rat, infostealer, persistence, privilege_escalation, rat, spyware, stealer, trojan, upx
    • behavioral12 (score 10/10): 888rat, infostealer, persistence, privilege_escalation, rat, spyware, stealer, trojan, upx
    • behavioral13 (score 10/10): 888rat, infostealer, rat, trojan, upx
    • behavioral14 (score 7/10): upx
    • behavioral15 (score 7/10): upx
    • behavioral16 (score 7/10): upx