rafelrat | 94be86d50af2ded5b2754cc2f0eeb8d26c44878b6835cb6292abf35df92bd4fa | Triage

Resubmissions

28-09-2024 21:15

240928-z4awcazbpf 10

24-03-2024 05:08

240324-fshx2acf2v 7

24-03-2024 02:46

240324-c9m2jabd5s 7

Sharing

General

Target

BlackMart.apk
Size

8.5MB
Sample

240928-z4awcazbpf
MD5

1f51442ac69949a896f13e42c4d7254a
SHA1

dac18bf7ac2dae640c064fe2563e4e32011144b4
SHA256

94be86d50af2ded5b2754cc2f0eeb8d26c44878b6835cb6292abf35df92bd4fa
SHA512

aaaaecb86f62c6602876a728101dc1604b57b887d788cf3dde66573a101be96301b80be3cbea21eaec9bf3021b335c0bb8964c73e7e5fc95d06cc4d382bec089
SSDEEP

196608:nxgE8qnpvtBIH7qu3G7roKx2NIXfT2+dMwW+dMwI+dMwE+dMww+dMws:nxOeHIH7R3G7rp4k2qMwWqMwIqMwEqMj

Score

10^/10

rafelrat android collection credential_access discovery evasion impact infostealer persistence rat trojan

Malware Config

Extracted

Family

rafelrat

C2

https://kami1234.000webhostapp.com/public/commands.php

Targets

- Target
  
  BlackMart.apk
- Size
  
  8.5MB
- MD5
  
  1f51442ac69949a896f13e42c4d7254a
- SHA1
  
  dac18bf7ac2dae640c064fe2563e4e32011144b4
- SHA256
  
  94be86d50af2ded5b2754cc2f0eeb8d26c44878b6835cb6292abf35df92bd4fa
- SHA512
  
  aaaaecb86f62c6602876a728101dc1604b57b887d788cf3dde66573a101be96301b80be3cbea21eaec9bf3021b335c0bb8964c73e7e5fc95d06cc4d382bec089
- SSDEEP
  
  196608:nxgE8qnpvtBIH7qu3G7roKx2NIXfT2+dMwW+dMwI+dMwE+dMww+dMws:nxOeHIH7R3G7rp4k2qMwWqMwIqMwEqMj
Score

10^/10

rafelrat collection credential_access discovery evasion infostealer persistence rat trojan impact
- rafelrat
  RafelRAT is an open source Android RAT.
  trojan infostealer rat rafelrat
- Checks if the Android device is rooted.
  evasion
- Obtains sensitive information copied to the device clipboard
  Application may abuse the framework's APIs to obtain sensitive information copied to the device clipboard.
  collection credential_access impact
- Legitimate hosting services abused for malware hosting/C2
- Makes use of the framework's foreground persistence service
  Application may abuse the framework's foreground service to continue running in the foreground.
  evasion persistence
- Queries the mobile country code (MCC)
  discovery
- Reads information about phone network operator.
  discovery
- Requests accessing notifications (often used to intercept notifications before users become aware).
  collection credential_access
behavioral1 behavioral2 behavioral3

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Web Service

Exfiltration

Impact

MITRE ATT&CK Mobile v15

Initial Access

Execution

Persistence

Event Triggered Execution

Broadcast Receivers

Foreground Persistence

Privilege Escalation

Defense Evasion

Foreground Persistence

Virtualization/Sandbox Evasion

System Checks

Credential Access

Access Notifications

Clipboard Data

Discovery

System Information Discovery

System Network Configuration Discovery

Lateral Movement

Collection

Access Notifications

Clipboard Data

Command and Control

Exfiltration

Impact

Data Manipulation

Transmitted Data Manipulation

Tasks

static1

behavioral1

rafelratcollectioncredential_accessdiscoveryevasioninfostealerpersistencerattrojan

behavioral2

rafelratcollectioncredential_accessdiscoveryevasionimpactinfostealerpersistencerattrojan

behavioral3

rafelratcollectioncredential_accessdiscoveryevasionimpactinfostealerpersistencerattrojan