110fd83bdeee1785c51b4ae919ea9aabffe74dfd9014a42577bb5ede476ea58a

Resubmissions

01-10-2024 16:24

241001-twvynayfpr 10

27-09-2024 00:57

26-09-2024 23:29

26-09-2024 18:54

26-09-2024 18:38

26-09-2024 16:26

Analysis

max time kernel
464s
max time network
455s
platform
windows11-21h2_x64
resource
win11-20240802-en
resource tags

arch:x64arch:x86image:win11-20240802-enlocale:en-usos:windows11-21h2-x64system
submitted
26-09-2024 16:26

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

888 Rat v1.2.6/888 Rat v1.2.6.exe
Size

75.0MB
MD5

ad33064a9ca95c5b3ed45c14b7fe2739
SHA1

0bd1286fa5fd936a31a4514798daffa444ce8e12
SHA256

5a14099abd6fe4b396094db7f9911251b25cd57893e14f97a7e7c5f44337bc98
SHA512

acb056e217edef4639179b24193a454f7e5aade51c1cc972e0458fc23c0ad982323161ad37050a4d849641dbf84719707efdcf4c99ecdf413381e5a752413647
SSDEEP

1572864:5mhnD+9mK/LnkHD1LYrXatfLllR3RboTmxXlIgU/cNruKPZiv:6nD+UozkJLYrXajR4ElIgU/c5Qv

Score

7^/10

discovery upx

Malware Config

Signatures

ACProtect 1.3x - 1.4x DLL software 1 IoCs

Detects file using ACProtect software.

resource	yara_rule
behavioral2/files/0x000b00000002aa64-36.dat	acprotect

Loads dropped DLL 4 IoCs

pid	Process
2764	888 Rat v1.2.6.exe
2764	888 Rat v1.2.6.exe
2764	888 Rat v1.2.6.exe
2764	888 Rat v1.2.6.exe

AutoIT Executable 10 IoCs

AutoIT scripts compiled to PE executables.

resource	yara_rule
behavioral2/memory/2764-52-0x0000000000660000-0x000000000515D000-memory.dmp	autoit_exe
behavioral2/memory/2764-50-0x0000000000660000-0x000000000515D000-memory.dmp	autoit_exe
behavioral2/memory/2764-58-0x0000000000660000-0x000000000515D000-memory.dmp	autoit_exe
behavioral2/memory/2764-55-0x0000000000660000-0x000000000515D000-memory.dmp	autoit_exe
behavioral2/memory/2764-61-0x0000000000660000-0x000000000515D000-memory.dmp	autoit_exe
behavioral2/memory/2764-74-0x0000000000660000-0x000000000515D000-memory.dmp	autoit_exe
behavioral2/memory/2764-67-0x0000000000660000-0x000000000515D000-memory.dmp	autoit_exe
behavioral2/memory/2764-83-0x0000000000660000-0x000000000515D000-memory.dmp	autoit_exe
behavioral2/memory/2764-88-0x0000000000660000-0x000000000515D000-memory.dmp	autoit_exe
behavioral2/memory/2764-95-0x0000000000660000-0x000000000515D000-memory.dmp	autoit_exe

UPX packed file 3 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/files/0x000b00000002aa64-36.dat	upx
behavioral2/memory/2764-44-0x000000000E060000-0x000000000E11B000-memory.dmp	upx
behavioral2/memory/2764-133-0x000000000E060000-0x000000000E11B000-memory.dmp	upx

System Location Discovery: System Language Discovery 1 TTPs 1 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	888 Rat v1.2.6.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
2764	888 Rat v1.2.6.exe
2764	888 Rat v1.2.6.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
2764	888 Rat v1.2.6.exe

Suspicious use of FindShellTrayWindow 64 IoCs

pid	Process
2764	888 Rat v1.2.6.exe
2764	888 Rat v1.2.6.exe
2764	888 Rat v1.2.6.exe
2764	888 Rat v1.2.6.exe
2764	888 Rat v1.2.6.exe
2764	888 Rat v1.2.6.exe
2764	888 Rat v1.2.6.exe
2764	888 Rat v1.2.6.exe
2764	888 Rat v1.2.6.exe
2764	888 Rat v1.2.6.exe
2764	888 Rat v1.2.6.exe
2764	888 Rat v1.2.6.exe
2764	888 Rat v1.2.6.exe
2764	888 Rat v1.2.6.exe
2764	888 Rat v1.2.6.exe
2764	888 Rat v1.2.6.exe
2764	888 Rat v1.2.6.exe
2764	888 Rat v1.2.6.exe
2764	888 Rat v1.2.6.exe
2764	888 Rat v1.2.6.exe
2764	888 Rat v1.2.6.exe
2764	888 Rat v1.2.6.exe
2764	888 Rat v1.2.6.exe
2764	888 Rat v1.2.6.exe
2764	888 Rat v1.2.6.exe
2764	888 Rat v1.2.6.exe
2764	888 Rat v1.2.6.exe
2764	888 Rat v1.2.6.exe
2764	888 Rat v1.2.6.exe
2764	888 Rat v1.2.6.exe
2764	888 Rat v1.2.6.exe
2764	888 Rat v1.2.6.exe
2764	888 Rat v1.2.6.exe
2764	888 Rat v1.2.6.exe
2764	888 Rat v1.2.6.exe
2764	888 Rat v1.2.6.exe
2764	888 Rat v1.2.6.exe
2764	888 Rat v1.2.6.exe
2764	888 Rat v1.2.6.exe
2764	888 Rat v1.2.6.exe
2764	888 Rat v1.2.6.exe
2764	888 Rat v1.2.6.exe
2764	888 Rat v1.2.6.exe
2764	888 Rat v1.2.6.exe
2764	888 Rat v1.2.6.exe
2764	888 Rat v1.2.6.exe
2764	888 Rat v1.2.6.exe
2764	888 Rat v1.2.6.exe
2764	888 Rat v1.2.6.exe
2764	888 Rat v1.2.6.exe
2764	888 Rat v1.2.6.exe
2764	888 Rat v1.2.6.exe
2764	888 Rat v1.2.6.exe
2764	888 Rat v1.2.6.exe
2764	888 Rat v1.2.6.exe
2764	888 Rat v1.2.6.exe
2764	888 Rat v1.2.6.exe
2764	888 Rat v1.2.6.exe
2764	888 Rat v1.2.6.exe
2764	888 Rat v1.2.6.exe
2764	888 Rat v1.2.6.exe
2764	888 Rat v1.2.6.exe
2764	888 Rat v1.2.6.exe
2764	888 Rat v1.2.6.exe

Suspicious use of SendNotifyMessage 64 IoCs

pid	Process
2764	888 Rat v1.2.6.exe
2764	888 Rat v1.2.6.exe
2764	888 Rat v1.2.6.exe
2764	888 Rat v1.2.6.exe
2764	888 Rat v1.2.6.exe
2764	888 Rat v1.2.6.exe
2764	888 Rat v1.2.6.exe
2764	888 Rat v1.2.6.exe
2764	888 Rat v1.2.6.exe
2764	888 Rat v1.2.6.exe
2764	888 Rat v1.2.6.exe
2764	888 Rat v1.2.6.exe
2764	888 Rat v1.2.6.exe
2764	888 Rat v1.2.6.exe
2764	888 Rat v1.2.6.exe
2764	888 Rat v1.2.6.exe
2764	888 Rat v1.2.6.exe
2764	888 Rat v1.2.6.exe
2764	888 Rat v1.2.6.exe
2764	888 Rat v1.2.6.exe
2764	888 Rat v1.2.6.exe
2764	888 Rat v1.2.6.exe
2764	888 Rat v1.2.6.exe
2764	888 Rat v1.2.6.exe
2764	888 Rat v1.2.6.exe
2764	888 Rat v1.2.6.exe
2764	888 Rat v1.2.6.exe
2764	888 Rat v1.2.6.exe
2764	888 Rat v1.2.6.exe
2764	888 Rat v1.2.6.exe
2764	888 Rat v1.2.6.exe
2764	888 Rat v1.2.6.exe
2764	888 Rat v1.2.6.exe
2764	888 Rat v1.2.6.exe
2764	888 Rat v1.2.6.exe
2764	888 Rat v1.2.6.exe
2764	888 Rat v1.2.6.exe
2764	888 Rat v1.2.6.exe
2764	888 Rat v1.2.6.exe
2764	888 Rat v1.2.6.exe
2764	888 Rat v1.2.6.exe
2764	888 Rat v1.2.6.exe
2764	888 Rat v1.2.6.exe
2764	888 Rat v1.2.6.exe
2764	888 Rat v1.2.6.exe
2764	888 Rat v1.2.6.exe
2764	888 Rat v1.2.6.exe
2764	888 Rat v1.2.6.exe
2764	888 Rat v1.2.6.exe
2764	888 Rat v1.2.6.exe
2764	888 Rat v1.2.6.exe
2764	888 Rat v1.2.6.exe
2764	888 Rat v1.2.6.exe
2764	888 Rat v1.2.6.exe
2764	888 Rat v1.2.6.exe
2764	888 Rat v1.2.6.exe
2764	888 Rat v1.2.6.exe
2764	888 Rat v1.2.6.exe
2764	888 Rat v1.2.6.exe
2764	888 Rat v1.2.6.exe
2764	888 Rat v1.2.6.exe
2764	888 Rat v1.2.6.exe
2764	888 Rat v1.2.6.exe
2764	888 Rat v1.2.6.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
2764	888 Rat v1.2.6.exe

C:\Users\Admin\AppData\Local\Temp\888 Rat v1.2.6\888 Rat v1.2.6.exe
"C:\Users\Admin\AppData\Local\Temp\888 Rat v1.2.6\888 Rat v1.2.6.exe"
1⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of SetWindowsHookEx
PID:2764

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\Splash8.jpg

Filesize
32KB

MD5
a3083356947cdfb053c7c63cec79e85f

SHA1
81d71adf137d5a8dff56843250578bb68333ba9a

SHA256
3e290e256bf19f56b233c42f19397807a83bde6cc792d6ea2f6c615cfc92ec1d

SHA512
820ac1ca3472f2356c7ad3c7443a431eea3f710679e6467f47ee8918e7c206767ff99401ced14dd3d012d930b1aad3225b9f9e1a7a9ee4303a8b204f05fdf766

Download Submit
C:\Users\Admin\AppData\Local\Temp\autB879.tmp

Filesize
239KB

MD5
29e1d5770184bf45139084bced50d306

SHA1
76c953cd86b013c3113f8495b656bd721be55e76

SHA256
794987c4069286f797631f936c73b925c663c42d552aeca821106dfc7c7ba307

SHA512
7cb3d0788978b6dc5a78f65349366dac3e91b1557efa4f385984bef4940b3ea859f75cfe42c71f6fe445555138f44305531de6a89c5beff4bf9d42001b4348e8

Download Submit
C:\Users\Admin\AppData\Local\Temp\skin.888ww.msstyles

Filesize
3.3MB

MD5
ea5d5266b8a7bcc8788c83ebb7c8c7d5

SHA1
3e9ac1ab7d5d54db9b3d141e82916513e572b415

SHA256
91ac4d215b8d90aef9a000900c9088d4c33d58c5f35a720a385a3f2d2299e5d1

SHA512
404b35fca478a1f489ec1af7be1df897190d7deb0cd8139c2c89d68c24fa377d904cf0c5e30c09ab448d74d87a47aaa3a872bf66a9bc9c124f52798320d34e60

Download Submit
memory/2764-44-0x000000000E060000-0x000000000E11B000-memory.dmp

Filesize
748KB

Download
memory/2764-51-0x0000000076330000-0x00000000763AC000-memory.dmp

Filesize
496KB

Download
memory/2764-54-0x0000000076330000-0x00000000763AC000-memory.dmp

Filesize
496KB

Download
memory/2764-53-0x0000000076330000-0x00000000763AC000-memory.dmp

Filesize
496KB

Download
memory/2764-57-0x0000000077B40000-0x0000000077B65000-memory.dmp

Filesize
148KB

Download
memory/2764-56-0x0000000076330000-0x00000000763AC000-memory.dmp

Filesize
496KB

Download
memory/2764-52-0x0000000000660000-0x000000000515D000-memory.dmp

Filesize
75.0MB

Download
memory/2764-60-0x0000000077B40000-0x0000000077B65000-memory.dmp

Filesize
148KB

Download
memory/2764-59-0x0000000076330000-0x00000000763AC000-memory.dmp

Filesize
496KB

Download
memory/2764-50-0x0000000000660000-0x000000000515D000-memory.dmp

Filesize
75.0MB

Download
memory/2764-62-0x0000000077B40000-0x0000000077B65000-memory.dmp

Filesize
148KB

Download
memory/2764-64-0x0000000077870000-0x000000007792F000-memory.dmp

Filesize
764KB

Download
memory/2764-63-0x0000000075680000-0x00000000758A3000-memory.dmp

Filesize
2.1MB

Download
memory/2764-58-0x0000000000660000-0x000000000515D000-memory.dmp

Filesize
75.0MB

Download
memory/2764-66-0x0000000076A90000-0x0000000076BDD000-memory.dmp

Filesize
1.3MB

Download
memory/2764-65-0x00000000770A0000-0x00000000776A2000-memory.dmp

Filesize
6.0MB

Download
memory/2764-55-0x0000000000660000-0x000000000515D000-memory.dmp

Filesize
75.0MB

Download
memory/2764-68-0x00000000776B0000-0x000000007778F000-memory.dmp

Filesize
892KB

Download
memory/2764-73-0x0000000076A90000-0x0000000076BDD000-memory.dmp

Filesize
1.3MB

Download
memory/2764-72-0x00000000770A0000-0x00000000776A2000-memory.dmp

Filesize
6.0MB

Download
memory/2764-71-0x00000000750F0000-0x0000000075172000-memory.dmp

Filesize
520KB

Download
memory/2764-70-0x0000000077870000-0x000000007792F000-memory.dmp

Filesize
764KB

Download
memory/2764-69-0x0000000075680000-0x00000000758A3000-memory.dmp

Filesize
2.1MB

Download
memory/2764-61-0x0000000000660000-0x000000000515D000-memory.dmp

Filesize
75.0MB

Download
memory/2764-82-0x00000000770A0000-0x00000000776A2000-memory.dmp

Filesize
6.0MB

Download
memory/2764-81-0x00000000750F0000-0x0000000075172000-memory.dmp

Filesize
520KB

Download
memory/2764-79-0x0000000075680000-0x00000000758A3000-memory.dmp

Filesize
2.1MB

Download
memory/2764-78-0x00000000770A0000-0x00000000776A2000-memory.dmp

Filesize
6.0MB

Download
memory/2764-84-0x0000000075680000-0x00000000758A3000-memory.dmp

Filesize
2.1MB

Download
memory/2764-87-0x00000000770A0000-0x00000000776A2000-memory.dmp

Filesize
6.0MB

Download
memory/2764-86-0x00000000750F0000-0x0000000075172000-memory.dmp

Filesize
520KB

Download
memory/2764-74-0x0000000000660000-0x000000000515D000-memory.dmp

Filesize
75.0MB

Download
memory/2764-85-0x0000000077870000-0x000000007792F000-memory.dmp

Filesize
764KB

Download
memory/2764-77-0x00000000750F0000-0x0000000075172000-memory.dmp

Filesize
520KB

Download
memory/2764-76-0x0000000077870000-0x000000007792F000-memory.dmp

Filesize
764KB

Download
memory/2764-75-0x0000000075680000-0x00000000758A3000-memory.dmp

Filesize
2.1MB

Download
memory/2764-80-0x0000000077870000-0x000000007792F000-memory.dmp

Filesize
764KB

Download
memory/2764-67-0x0000000000660000-0x000000000515D000-memory.dmp

Filesize
75.0MB

Download
memory/2764-92-0x00000000750F0000-0x0000000075172000-memory.dmp

Filesize
520KB

Download
memory/2764-91-0x0000000077870000-0x000000007792F000-memory.dmp

Filesize
764KB

Download
memory/2764-90-0x0000000075680000-0x00000000758A3000-memory.dmp

Filesize
2.1MB

Download
memory/2764-89-0x00000000776B0000-0x000000007778F000-memory.dmp

Filesize
892KB

Download
memory/2764-83-0x0000000000660000-0x000000000515D000-memory.dmp

Filesize
75.0MB

Download
memory/2764-94-0x0000000076A90000-0x0000000076BDD000-memory.dmp

Filesize
1.3MB

Download
memory/2764-93-0x00000000770A0000-0x00000000776A2000-memory.dmp

Filesize
6.0MB

Download
memory/2764-98-0x0000000075680000-0x00000000758A3000-memory.dmp

Filesize
2.1MB

Download
memory/2764-88-0x0000000000660000-0x000000000515D000-memory.dmp

Filesize
75.0MB

Download
memory/2764-105-0x00000000750F0000-0x0000000075172000-memory.dmp

Filesize
520KB

Download
memory/2764-106-0x00000000770A0000-0x00000000776A2000-memory.dmp

Filesize
6.0MB

Download
memory/2764-104-0x0000000075680000-0x00000000758A3000-memory.dmp

Filesize
2.1MB

Download
memory/2764-95-0x0000000000660000-0x000000000515D000-memory.dmp

Filesize
75.0MB

Download
memory/2764-103-0x00000000770A0000-0x00000000776A2000-memory.dmp

Filesize
6.0MB

Download
memory/2764-102-0x0000000075680000-0x00000000758A3000-memory.dmp

Filesize
2.1MB

Download
memory/2764-99-0x00000000770A0000-0x00000000776A2000-memory.dmp

Filesize
6.0MB

Download
memory/2764-101-0x00000000770A0000-0x00000000776A2000-memory.dmp

Filesize
6.0MB

Download
memory/2764-100-0x0000000075680000-0x00000000758A3000-memory.dmp

Filesize
2.1MB

Download
memory/2764-97-0x00000000770A0000-0x00000000776A2000-memory.dmp

Filesize
6.0MB

Download
memory/2764-96-0x0000000075680000-0x00000000758A3000-memory.dmp

Filesize
2.1MB

Download
memory/2764-111-0x00000000770A0000-0x00000000776A2000-memory.dmp

Filesize
6.0MB

Download
memory/2764-110-0x00000000770A0000-0x00000000776A2000-memory.dmp

Filesize
6.0MB

Download
memory/2764-109-0x00000000750F0000-0x0000000075172000-memory.dmp

Filesize
520KB

Download
memory/2764-114-0x0000000077870000-0x000000007792F000-memory.dmp

Filesize
764KB

Download
memory/2764-115-0x00000000750F0000-0x0000000075172000-memory.dmp

Filesize
520KB

Download
memory/2764-113-0x0000000075680000-0x00000000758A3000-memory.dmp

Filesize
2.1MB

Download
memory/2764-108-0x0000000075680000-0x00000000758A3000-memory.dmp

Filesize
2.1MB

Download
memory/2764-133-0x000000000E060000-0x000000000E11B000-memory.dmp

Filesize
748KB

Download