Analysis

max time kernel: 150s
max time network: 124s
platform: windows7_x64
resource: win7-20240708-en
resource tags: arch:x64, arch:x86, image:win7-20240708-en, locale:en-us, os:windows7-x64, system
submitted: 01-08-2024 21:46

Static task: static1
Behavioral task: behavioral1
Sample: 888 Rat v1.2.6.exe
Resource: win7-20240708-en

General

Target: 888 Rat v1.2.6.exe
Size: 75.0MB
MD5: ad33064a9ca95c5b3ed45c14b7fe2739
SHA1: 0bd1286fa5fd936a31a4514798daffa444ce8e12
SHA256: 5a14099abd6fe4b396094db7f9911251b25cd57893e14f97a7e7c5f44337bc98
SHA512: acb056e217edef4639179b24193a454f7e5aade51c1cc972e0458fc23c0ad982323161ad37050a4d849641dbf84719707efdcf4c99ecdf413381e5a752413647
SSDEEP: 1572864:5mhnD+9mK/LnkHD1LYrXatfLllR3RboTmxXlIgU/cNruKPZiv:6nD+UozkJLYrXajR4ElIgU/c5Qv
Malware Config
Signatures

ACProtect 1.3x - 1.4x DLL software (1 IoC)
Detects file using ACProtect software.
  yara_rule acprotect: C:\Users\Admin\AppData\Local\Temp\skin.dll

Loads dropped DLL (2 IoCs)
  PID 2356 888 Rat v1.2.6.exe (2 occurrences)

UPX (yara_rule upx)
  yara_rule upx: C:\Users\Admin\AppData\Local\Temp\skin.dll
  yara_rule upx: behavioral1/memory/2356-42-0x0000000007480000-0x000000000753B000-memory.dmp
  yara_rule upx: behavioral1/memory/2356-221-0x0000000007480000-0x000000000753B000-memory.dmp

AutoIT Executable (2 IoCs)
AutoIT scripts compiled to PE executables.
  yara_rule autoit_exe: behavioral1/memory/2356-45-0x0000000000E80000-0x000000000597D000-memory.dmp
  yara_rule autoit_exe: behavioral1/memory/2356-56-0x0000000000E80000-0x000000000597D000-memory.dmp

System Location Discovery: System Language Discovery (1 TTP, 1 IoC)
Attempts to gather information about the system language of the victim in order to infer the geographical location of that host.
  888 Rat v1.2.6.exe: Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language

Suspicious behavior: EnumeratesProcesses (1 IoC)
  PID 2356 888 Rat v1.2.6.exe

Suspicious behavior: GetForegroundWindowSpam (1 IoC)
  PID 2356 888 Rat v1.2.6.exe

Suspicious use of FindShellTrayWindow (64 IoCs)
  PID 2356 888 Rat v1.2.6.exe (all 64 occurrences are the same process)

Suspicious use of SendNotifyMessage (64 IoCs)
  PID 2356 888 Rat v1.2.6.exe (all 64 occurrences are the same process)

Suspicious use of SetWindowsHookEx (1 IoC)
  PID 2356 888 Rat v1.2.6.exe
Processes

C:\Users\Admin\AppData\Local\Temp\888 Rat v1.2.6.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\888 Rat v1.2.6.exe"
  PID: 2356
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious behavior: GetForegroundWindowSpam
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  - Suspicious use of SetWindowsHookEx
Network
MITRE ATT&CK Enterprise v15
Downloads

Filesize: 32KB
MD5: a3083356947cdfb053c7c63cec79e85f
SHA1: 81d71adf137d5a8dff56843250578bb68333ba9a
SHA256: 3e290e256bf19f56b233c42f19397807a83bde6cc792d6ea2f6c615cfc92ec1d
SHA512: 820ac1ca3472f2356c7ad3c7443a431eea3f710679e6467f47ee8918e7c206767ff99401ced14dd3d012d930b1aad3225b9f9e1a7a9ee4303a8b204f05fdf766

Filesize: 239KB
MD5: 29e1d5770184bf45139084bced50d306
SHA1: 76c953cd86b013c3113f8495b656bd721be55e76
SHA256: 794987c4069286f797631f936c73b925c663c42d552aeca821106dfc7c7ba307
SHA512: 7cb3d0788978b6dc5a78f65349366dac3e91b1557efa4f385984bef4940b3ea859f75cfe42c71f6fe445555138f44305531de6a89c5beff4bf9d42001b4348e8

Filesize: 3.3MB
MD5: ea5d5266b8a7bcc8788c83ebb7c8c7d5
SHA1: 3e9ac1ab7d5d54db9b3d141e82916513e572b415
SHA256: 91ac4d215b8d90aef9a000900c9088d4c33d58c5f35a720a385a3f2d2299e5d1
SHA512: 404b35fca478a1f489ec1af7be1df897190d7deb0cd8139c2c89d68c24fa377d904cf0c5e30c09ab448d74d87a47aaa3a872bf66a9bc9c124f52798320d34e60
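The report's static signatures (the upx and autoit_exe YARA hits in the Signatures section) and the digests listed for the sample and its dropped files (General and Downloads sections) can be re-checked offline on a suspect file without the sandbox. The script below is an added example, not the report's or the sandbox's own code: it walks the PE section table and flags UPX-named sections, looks for the AU3!EA06 marker that AutoIt3 places in front of a compiled script (an assumption from public AutoIt tooling, not stated on this page), and compares a file's MD5/SHA-1/SHA-256/SHA-512 against the hashes copied from the report. The synthetic PE header and the sample bytes are constructed here purely to exercise the code; they are not the analysed sample.

```python
"""Static triage helper for the IoCs in the report above.

Added example (not the sandbox report's own code). REPORT_IOCS holds hashes copied
from the report; build_synthetic_pe() fabricates a header-only PE for demonstration.
"""
import hashlib
import struct

# Hashes copied from the report: the submitted sample plus the three dropped files.
REPORT_IOCS = {
    "ad33064a9ca95c5b3ed45c14b7fe2739": "888 Rat v1.2.6.exe (md5)",
    "0bd1286fa5fd936a31a4514798daffa444ce8e12": "888 Rat v1.2.6.exe (sha1)",
    "5a14099abd6fe4b396094db7f9911251b25cd57893e14f97a7e7c5f44337bc98": "888 Rat v1.2.6.exe (sha256)",
    "a3083356947cdfb053c7c63cec79e85f": "dropped file, 32KB (md5)",
    "3e290e256bf19f56b233c42f19397807a83bde6cc792d6ea2f6c615cfc92ec1d": "dropped file, 32KB (sha256)",
    "29e1d5770184bf45139084bced50d306": "dropped file, 239KB (md5)",
    "794987c4069286f797631f936c73b925c663c42d552aeca821106dfc7c7ba307": "dropped file, 239KB (sha256)",
    "ea5d5266b8a7bcc8788c83ebb7c8c7d5": "dropped file, 3.3MB (md5)",
    "91ac4d215b8d90aef9a000900c9088d4c33d58c5f35a720a385a3f2d2299e5d1": "dropped file, 3.3MB (sha256)",
}

# Marker AutoIt3 writes in front of the compiled script (assumption: public AutoIt tooling).
AUTOIT_MAGIC = b"AU3!EA06"


def digests(data: bytes) -> dict:
    """Hex MD5/SHA-1/SHA-256/SHA-512 of a byte string, the same set the report lists."""
    return {name: hashlib.new(name, data).hexdigest()
            for name in ("md5", "sha1", "sha256", "sha512")}


def match_iocs(data: bytes, ioc_table: dict = REPORT_IOCS) -> list:
    """Labels of every IoC whose hash equals one of this file's digests."""
    own = set(digests(data).values())
    return sorted(label for h, label in ioc_table.items() if h.lower() in own)


def pe_section_names(data: bytes) -> list:
    """Section names from the PE section table; [] when the input is not a PE file."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        return []
    pe_off = struct.unpack_from("<I", data, 0x3C)[0]          # e_lfanew
    if data[pe_off:pe_off + 4] != b"PE\0\0" or len(data) < pe_off + 24:
        return []
    num_sections = struct.unpack_from("<H", data, pe_off + 6)[0]
    opt_size = struct.unpack_from("<H", data, pe_off + 20)[0]
    table = pe_off + 24 + opt_size       # signature + 20-byte COFF header + optional header
    names = []
    for i in range(num_sections):
        off = table + 40 * i             # IMAGE_SECTION_HEADER is 40 bytes; Name is the first 8
        if off + 8 > len(data):
            break                        # truncated table: stop rather than raise
        names.append(data[off:off + 8].rstrip(b"\0").decode("latin-1"))
    return names


def triage_bytes(data: bytes) -> dict:
    """Re-run the report's two static checks and the hash match on one file's bytes."""
    sections = pe_section_names(data)
    return {
        "sections": sections,
        "upx": any(s.startswith("UPX") for s in sections),  # the report's 'upx' rule
        "autoit": AUTOIT_MAGIC in data,                      # the report's 'autoit_exe' rule
        "ioc_matches": match_iocs(data),
    }


def build_synthetic_pe(section_names) -> bytes:
    """Constructed, non-runnable PE header used only to exercise the parser."""
    dos = b"MZ" + b"\0" * 58 + struct.pack("<I", 64)          # e_lfanew = 64
    coff = b"PE\0\0" + struct.pack("<HHIIIHH", 0x14C, len(section_names), 0, 0, 0, 0, 0)
    table = b"".join(n.encode().ljust(8, b"\0") + b"\0" * 32 for n in section_names)
    return dos + coff + table


if __name__ == "__main__":
    sample = build_synthetic_pe(["UPX0", "UPX1", ".rsrc"]) + AUTOIT_MAGIC
    print(triage_bytes(sample))
```

To check a real file, pass `open(path, "rb").read()` to `triage_bytes`; an `ioc_matches` hit against REPORT_IOCS means the file is byte-identical to the sample or one of its dropped files, while the `upx` and `autoit` flags only reproduce the report's static YARA-style heuristics and say nothing about the runtime behaviour recorded above.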