5a14099abd6fe4b396094db7f9911251b25cd57893e14f97a7e7c5f44337bc98

Resubmissions

25-09-2024 14:12

240925-rh2g6szbqj 7

01-08-2024 21:46

240801-1mnasasakg 10

Analysis

max time kernel
150s
max time network
124s
platform
windows7_x64
resource
win7-20240708-en
resource tags

arch:x64arch:x86image:win7-20240708-enlocale:en-usos:windows7-x64system
submitted
01-08-2024 21:46

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

888 Rat v1.2.6.exe
Size

75.0MB
MD5

ad33064a9ca95c5b3ed45c14b7fe2739
SHA1

0bd1286fa5fd936a31a4514798daffa444ce8e12
SHA256

5a14099abd6fe4b396094db7f9911251b25cd57893e14f97a7e7c5f44337bc98
SHA512

acb056e217edef4639179b24193a454f7e5aade51c1cc972e0458fc23c0ad982323161ad37050a4d849641dbf84719707efdcf4c99ecdf413381e5a752413647
SSDEEP

1572864:5mhnD+9mK/LnkHD1LYrXatfLllR3RboTmxXlIgU/cNruKPZiv:6nD+UozkJLYrXajR4ElIgU/c5Qv

Score

7^/10

discovery upx

Malware Config

Signatures

ACProtect 1.3x - 1.4x DLL software 1 IoCs

Detects file using ACProtect software.

Processes:

resource	yara_rule
C:\Users\Admin\AppData\Local\Temp\skin.dll	acprotect

Loads dropped DLL 2 IoCs

Processes:

888 Rat v1.2.6.exe

pid process

2356 888 Rat v1.2.6.exe
2356 888 Rat v1.2.6.exe

UPX packed file 3 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

Processes:

resource	yara_rule
C:\Users\Admin\AppData\Local\Temp\skin.dll	upx
behavioral1/memory/2356-42-0x0000000007480000-0x000000000753B000-memory.dmp	upx
behavioral1/memory/2356-221-0x0000000007480000-0x000000000753B000-memory.dmp	upx

AutoIT Executable 2 IoCs

AutoIT scripts compiled to PE executables.

Processes:

resource	yara_rule
behavioral1/memory/2356-45-0x0000000000E80000-0x000000000597D000-memory.dmp	autoit_exe
behavioral1/memory/2356-56-0x0000000000E80000-0x000000000597D000-memory.dmp	autoit_exe

System Location Discovery: System Language Discovery 1 TTPs 1 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
discovery

System Language Discovery
T1614.001

Processes:

888 Rat v1.2.6.exe

description ioc process

Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 888 Rat v1.2.6.exe
Suspicious behavior: EnumeratesProcesses 1 IoCs

Processes:

888 Rat v1.2.6.exe

pid process

2356 888 Rat v1.2.6.exe
Suspicious behavior: GetForegroundWindowSpam 1 IoCs

Processes:

888 Rat v1.2.6.exe

pid process

2356 888 Rat v1.2.6.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	888 Rat v1.2.6.exe

Suspicious use of FindShellTrayWindow 64 IoCs

Processes:

888 Rat v1.2.6.exe

pid	process
2356	888 Rat v1.2.6.exe
2356	888 Rat v1.2.6.exe
2356	888 Rat v1.2.6.exe
2356	888 Rat v1.2.6.exe
2356	888 Rat v1.2.6.exe
2356	888 Rat v1.2.6.exe
2356	888 Rat v1.2.6.exe
2356	888 Rat v1.2.6.exe
2356	888 Rat v1.2.6.exe
2356	888 Rat v1.2.6.exe
2356	888 Rat v1.2.6.exe
2356	888 Rat v1.2.6.exe
2356	888 Rat v1.2.6.exe
2356	888 Rat v1.2.6.exe
2356	888 Rat v1.2.6.exe
2356	888 Rat v1.2.6.exe
2356	888 Rat v1.2.6.exe
2356	888 Rat v1.2.6.exe
2356	888 Rat v1.2.6.exe
2356	888 Rat v1.2.6.exe
2356	888 Rat v1.2.6.exe
2356	888 Rat v1.2.6.exe
2356	888 Rat v1.2.6.exe
2356	888 Rat v1.2.6.exe
2356	888 Rat v1.2.6.exe
2356	888 Rat v1.2.6.exe
2356	888 Rat v1.2.6.exe
2356	888 Rat v1.2.6.exe
2356	888 Rat v1.2.6.exe
2356	888 Rat v1.2.6.exe
2356	888 Rat v1.2.6.exe
2356	888 Rat v1.2.6.exe
2356	888 Rat v1.2.6.exe
2356	888 Rat v1.2.6.exe
2356	888 Rat v1.2.6.exe
2356	888 Rat v1.2.6.exe
2356	888 Rat v1.2.6.exe
2356	888 Rat v1.2.6.exe
2356	888 Rat v1.2.6.exe
2356	888 Rat v1.2.6.exe
2356	888 Rat v1.2.6.exe
2356	888 Rat v1.2.6.exe
2356	888 Rat v1.2.6.exe
2356	888 Rat v1.2.6.exe
2356	888 Rat v1.2.6.exe
2356	888 Rat v1.2.6.exe
2356	888 Rat v1.2.6.exe
2356	888 Rat v1.2.6.exe
2356	888 Rat v1.2.6.exe
2356	888 Rat v1.2.6.exe
2356	888 Rat v1.2.6.exe
2356	888 Rat v1.2.6.exe
2356	888 Rat v1.2.6.exe
2356	888 Rat v1.2.6.exe
2356	888 Rat v1.2.6.exe
2356	888 Rat v1.2.6.exe
2356	888 Rat v1.2.6.exe
2356	888 Rat v1.2.6.exe
2356	888 Rat v1.2.6.exe
2356	888 Rat v1.2.6.exe
2356	888 Rat v1.2.6.exe
2356	888 Rat v1.2.6.exe
2356	888 Rat v1.2.6.exe
2356	888 Rat v1.2.6.exe

Suspicious use of SendNotifyMessage 64 IoCs

Processes:

888 Rat v1.2.6.exe

pid	process
2356	888 Rat v1.2.6.exe
2356	888 Rat v1.2.6.exe
2356	888 Rat v1.2.6.exe
2356	888 Rat v1.2.6.exe
2356	888 Rat v1.2.6.exe
2356	888 Rat v1.2.6.exe
2356	888 Rat v1.2.6.exe
2356	888 Rat v1.2.6.exe
2356	888 Rat v1.2.6.exe
2356	888 Rat v1.2.6.exe
2356	888 Rat v1.2.6.exe
2356	888 Rat v1.2.6.exe
2356	888 Rat v1.2.6.exe
2356	888 Rat v1.2.6.exe
2356	888 Rat v1.2.6.exe
2356	888 Rat v1.2.6.exe
2356	888 Rat v1.2.6.exe
2356	888 Rat v1.2.6.exe
2356	888 Rat v1.2.6.exe
2356	888 Rat v1.2.6.exe
2356	888 Rat v1.2.6.exe
2356	888 Rat v1.2.6.exe
2356	888 Rat v1.2.6.exe
2356	888 Rat v1.2.6.exe
2356	888 Rat v1.2.6.exe
2356	888 Rat v1.2.6.exe
2356	888 Rat v1.2.6.exe
2356	888 Rat v1.2.6.exe
2356	888 Rat v1.2.6.exe
2356	888 Rat v1.2.6.exe
2356	888 Rat v1.2.6.exe
2356	888 Rat v1.2.6.exe
2356	888 Rat v1.2.6.exe
2356	888 Rat v1.2.6.exe
2356	888 Rat v1.2.6.exe
2356	888 Rat v1.2.6.exe
2356	888 Rat v1.2.6.exe
2356	888 Rat v1.2.6.exe
2356	888 Rat v1.2.6.exe
2356	888 Rat v1.2.6.exe
2356	888 Rat v1.2.6.exe
2356	888 Rat v1.2.6.exe
2356	888 Rat v1.2.6.exe
2356	888 Rat v1.2.6.exe
2356	888 Rat v1.2.6.exe
2356	888 Rat v1.2.6.exe
2356	888 Rat v1.2.6.exe
2356	888 Rat v1.2.6.exe
2356	888 Rat v1.2.6.exe
2356	888 Rat v1.2.6.exe
2356	888 Rat v1.2.6.exe
2356	888 Rat v1.2.6.exe
2356	888 Rat v1.2.6.exe
2356	888 Rat v1.2.6.exe
2356	888 Rat v1.2.6.exe
2356	888 Rat v1.2.6.exe
2356	888 Rat v1.2.6.exe
2356	888 Rat v1.2.6.exe
2356	888 Rat v1.2.6.exe
2356	888 Rat v1.2.6.exe
2356	888 Rat v1.2.6.exe
2356	888 Rat v1.2.6.exe
2356	888 Rat v1.2.6.exe
2356	888 Rat v1.2.6.exe

Suspicious use of SetWindowsHookEx 1 IoCs

Processes:

888 Rat v1.2.6.exe

pid process

2356 888 Rat v1.2.6.exe

C:\Users\Admin\AppData\Local\Temp\888 Rat v1.2.6.exe
"C:\Users\Admin\AppData\Local\Temp\888 Rat v1.2.6.exe"
1⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of SetWindowsHookEx
PID:2356

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\Splash8.jpg

Filesize
32KB

MD5
a3083356947cdfb053c7c63cec79e85f

SHA1
81d71adf137d5a8dff56843250578bb68333ba9a

SHA256
3e290e256bf19f56b233c42f19397807a83bde6cc792d6ea2f6c615cfc92ec1d

SHA512
820ac1ca3472f2356c7ad3c7443a431eea3f710679e6467f47ee8918e7c206767ff99401ced14dd3d012d930b1aad3225b9f9e1a7a9ee4303a8b204f05fdf766

Download Submit
C:\Users\Admin\AppData\Local\Temp\skin.dll

Filesize
239KB

MD5
29e1d5770184bf45139084bced50d306

SHA1
76c953cd86b013c3113f8495b656bd721be55e76

SHA256
794987c4069286f797631f936c73b925c663c42d552aeca821106dfc7c7ba307

SHA512
7cb3d0788978b6dc5a78f65349366dac3e91b1557efa4f385984bef4940b3ea859f75cfe42c71f6fe445555138f44305531de6a89c5beff4bf9d42001b4348e8

Download Submit
\Users\Admin\AppData\Local\Temp\skin.888ww.msstyles

Filesize
3.3MB

MD5
ea5d5266b8a7bcc8788c83ebb7c8c7d5

SHA1
3e9ac1ab7d5d54db9b3d141e82916513e572b415

SHA256
91ac4d215b8d90aef9a000900c9088d4c33d58c5f35a720a385a3f2d2299e5d1

SHA512
404b35fca478a1f489ec1af7be1df897190d7deb0cd8139c2c89d68c24fa377d904cf0c5e30c09ab448d74d87a47aaa3a872bf66a9bc9c124f52798320d34e60

Download Submit
memory/2356-42-0x0000000007480000-0x000000000753B000-memory.dmp

Filesize
748KB

Download
memory/2356-46-0x0000000074EE0000-0x0000000074F12000-memory.dmp

Filesize
200KB

Download
memory/2356-47-0x0000000076E40000-0x0000000076EDD000-memory.dmp

Filesize
628KB

Download
memory/2356-48-0x00000000753C0000-0x0000000075460000-memory.dmp

Filesize
640KB

Download
memory/2356-49-0x0000000075C30000-0x0000000075C87000-memory.dmp

Filesize
348KB

Download
memory/2356-50-0x0000000075D20000-0x0000000075F35000-memory.dmp

Filesize
2.1MB

Download
memory/2356-45-0x0000000000E80000-0x000000000597D000-memory.dmp

Filesize
75.0MB

Download
memory/2356-52-0x0000000075640000-0x000000007579C000-memory.dmp

Filesize
1.4MB

Download
memory/2356-53-0x0000000075210000-0x000000007529F000-memory.dmp

Filesize
572KB

Download
memory/2356-54-0x0000000075C90000-0x0000000075CBA000-memory.dmp

Filesize
168KB

Download
memory/2356-55-0x0000000074A80000-0x0000000074AD1000-memory.dmp

Filesize
324KB

Download
memory/2356-51-0x00000000761A0000-0x0000000076DEA000-memory.dmp

Filesize
12.3MB

Download
memory/2356-57-0x0000000074F20000-0x0000000074F29000-memory.dmp

Filesize
36KB

Download
memory/2356-58-0x0000000074EE0000-0x0000000074F12000-memory.dmp

Filesize
200KB

Download
memory/2356-59-0x00000000753C0000-0x0000000075460000-memory.dmp

Filesize
640KB

Download
memory/2356-60-0x0000000074C10000-0x0000000074DAE000-memory.dmp

Filesize
1.6MB

Download
memory/2356-61-0x0000000075C30000-0x0000000075C87000-memory.dmp

Filesize
348KB

Download
memory/2356-62-0x0000000075D20000-0x0000000075F35000-memory.dmp

Filesize
2.1MB

Download
memory/2356-64-0x0000000076110000-0x000000007618B000-memory.dmp

Filesize
492KB

Download
memory/2356-66-0x0000000075640000-0x000000007579C000-memory.dmp

Filesize
1.4MB

Download
memory/2356-67-0x0000000075210000-0x000000007529F000-memory.dmp

Filesize
572KB

Download
memory/2356-65-0x00000000761A0000-0x0000000076DEA000-memory.dmp

Filesize
12.3MB

Download
memory/2356-56-0x0000000000E80000-0x000000000597D000-memory.dmp

Filesize
75.0MB

Download
memory/2356-76-0x0000000074BF0000-0x0000000074C02000-memory.dmp

Filesize
72KB

Download
memory/2356-75-0x0000000075C30000-0x0000000075C87000-memory.dmp

Filesize
348KB

Download
memory/2356-74-0x0000000074C10000-0x0000000074DAE000-memory.dmp

Filesize
1.6MB

Download
memory/2356-72-0x0000000076E40000-0x0000000076EDD000-memory.dmp

Filesize
628KB

Download
memory/2356-79-0x0000000076110000-0x000000007618B000-memory.dmp

Filesize
492KB

Download
memory/2356-80-0x0000000075210000-0x000000007529F000-memory.dmp

Filesize
572KB

Download
memory/2356-71-0x0000000074EE0000-0x0000000074F12000-memory.dmp

Filesize
200KB

Download
memory/2356-81-0x00000000752F0000-0x00000000753BC000-memory.dmp

Filesize
816KB

Download
memory/2356-77-0x0000000075D20000-0x0000000075F35000-memory.dmp

Filesize
2.1MB

Download
memory/2356-70-0x0000000074A80000-0x0000000074AD1000-memory.dmp

Filesize
324KB

Download
memory/2356-69-0x00000000752F0000-0x00000000753BC000-memory.dmp

Filesize
816KB

Download
memory/2356-73-0x00000000753C0000-0x0000000075460000-memory.dmp

Filesize
640KB

Download
memory/2356-83-0x0000000074A80000-0x0000000074AD1000-memory.dmp

Filesize
324KB

Download
memory/2356-82-0x0000000074AF0000-0x0000000074B03000-memory.dmp

Filesize
76KB

Download
memory/2356-94-0x0000000074A80000-0x0000000074AD1000-memory.dmp

Filesize
324KB

Download
memory/2356-93-0x00000000752F0000-0x00000000753BC000-memory.dmp

Filesize
816KB

Download
memory/2356-91-0x0000000075D20000-0x0000000075F35000-memory.dmp

Filesize
2.1MB

Download
memory/2356-90-0x0000000074BF0000-0x0000000074C02000-memory.dmp

Filesize
72KB

Download
memory/2356-89-0x0000000075C30000-0x0000000075C87000-memory.dmp

Filesize
348KB

Download
memory/2356-88-0x0000000074C10000-0x0000000074DAE000-memory.dmp

Filesize
1.6MB

Download
memory/2356-87-0x00000000753C0000-0x0000000075460000-memory.dmp

Filesize
640KB

Download
memory/2356-86-0x0000000074EE0000-0x0000000074F12000-memory.dmp

Filesize
200KB

Download
memory/2356-85-0x0000000074F20000-0x0000000074F29000-memory.dmp

Filesize
36KB

Download
memory/2356-96-0x0000000074F20000-0x0000000074F29000-memory.dmp

Filesize
36KB

Download
memory/2356-97-0x0000000074EE0000-0x0000000074F12000-memory.dmp

Filesize
200KB

Download
memory/2356-100-0x0000000074C10000-0x0000000074DAE000-memory.dmp

Filesize
1.6MB

Download
memory/2356-99-0x00000000753C0000-0x0000000075460000-memory.dmp

Filesize
640KB

Download
memory/2356-98-0x0000000076E40000-0x0000000076EDD000-memory.dmp

Filesize
628KB

Download
memory/2356-101-0x0000000075C30000-0x0000000075C87000-memory.dmp

Filesize
348KB

Download
memory/2356-102-0x0000000074BF0000-0x0000000074C02000-memory.dmp

Filesize
72KB

Download
memory/2356-111-0x0000000075C30000-0x0000000075C87000-memory.dmp

Filesize
348KB

Download
memory/2356-110-0x0000000074A80000-0x0000000074AD1000-memory.dmp

Filesize
324KB

Download
memory/2356-109-0x0000000074AF0000-0x0000000074B03000-memory.dmp

Filesize
76KB

Download
memory/2356-108-0x00000000752F0000-0x00000000753BC000-memory.dmp

Filesize
816KB

Download
memory/2356-106-0x0000000075210000-0x000000007529F000-memory.dmp

Filesize
572KB

Download
memory/2356-105-0x0000000076110000-0x000000007618B000-memory.dmp

Filesize
492KB

Download
memory/2356-103-0x0000000075D20000-0x0000000075F35000-memory.dmp

Filesize
2.1MB

Download
memory/2356-113-0x0000000074EE0000-0x0000000074F12000-memory.dmp

Filesize
200KB

Download
memory/2356-116-0x0000000074BF0000-0x0000000074C02000-memory.dmp

Filesize
72KB

Download
memory/2356-115-0x0000000075C30000-0x0000000075C87000-memory.dmp

Filesize
348KB

Download
memory/2356-114-0x0000000074C10000-0x0000000074DAE000-memory.dmp

Filesize
1.6MB

Download
memory/2356-117-0x0000000075D20000-0x0000000075F35000-memory.dmp

Filesize
2.1MB

Download
memory/2356-221-0x0000000007480000-0x000000000753B000-memory.dmp

Filesize
748KB

Download