Overview

overview

10

Static

static

10

888_RAT.exe

windows10-2004-x64

10

Sharing

Copy URL
Twitter E-mail

General

  • Target

    888_RAT.exe

  • Size

    22.0MB

  • Sample

    241221-j7ze4swpaz

  • MD5

    54c6dc01ba6c748106085665ff8ad61b

  • SHA1

    f75d970df21d277d39656aeff50752d415b47c6e

  • SHA256

    27e3e3350715b83a2a3059c008517e1e97b2531557aaefd3b4cee38f62039b1c

  • SHA512

    9b5498b40de25dc788a728979518e3b6edcc1f0a0444f96bb19c68f91036b552b248d78b5f783ee5247eb7f7bb1272b4e4edf3f2c6650674c16b72593eec7f8d

  • SSDEEP

    393216:AP1PWZEdKBGwPLApMDvm9YL8mp3YsxXUSqqEDPqwTOfxUbEe2pjEgSl7ltlx:qUAKZLEym923Ysx2qeoS1mjr4Pf

Score
10/10
888ratdiscoveryevasionexecutioninfostealerpersistenceprivilege_escalationrattrojanupx

Malware Config

Targets

    • Target

      888_RAT.exe

    • Size

      22.0MB

    • MD5

      54c6dc01ba6c748106085665ff8ad61b

    • SHA1

      f75d970df21d277d39656aeff50752d415b47c6e

    • SHA256

      27e3e3350715b83a2a3059c008517e1e97b2531557aaefd3b4cee38f62039b1c

    • SHA512

      9b5498b40de25dc788a728979518e3b6edcc1f0a0444f96bb19c68f91036b552b248d78b5f783ee5247eb7f7bb1272b4e4edf3f2c6650674c16b72593eec7f8d

    • SSDEEP

      393216:AP1PWZEdKBGwPLApMDvm9YL8mp3YsxXUSqqEDPqwTOfxUbEe2pjEgSl7ltlx:qUAKZLEym923Ysx2qeoS1mjr4Pf

    Score
    10/10
    888ratdiscoveryevasionexecutioninfostealerpersistenceprivilege_escalationrattrojanupx

    • 888RAT

      888RAT is an Android remote administration tool.

      trojaninfostealerrat888rat

    • 888Rat family

      888rat

    • Android 888 RAT payload

    • Contains code to disable Windows Defender

      A .NET executable tasked with disabling Windows Defender capabilities such as realtime monitoring, blocking at first seen, etc.

    • Modifies Windows Defender Real-time Protection settings

      evasiontrojan

    • Modifies Windows Firewall

      evasion

    • ACProtect 1.3x - 1.4x DLL software

      Detects file using ACProtect software.

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Drops startup file

    • Executes dropped EXE

    • Loads dropped DLL

    • Adds Run key to start application

      persistence

    • Command and Scripting Interpreter: PowerShell

      Using powershell.exe command.

      execution

    • Looks up external IP address via web service

      Uses a legitimate IP lookup service to find the infected system's external IP.

    • AutoIT Executable

      AutoIT scripts compiled to PE executables.

    • UPX packed file

      Detects executables packed with UPX/modified UPX open source packer.

      upx
    behavioral1

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

1
T1059

PowerShell

1
T1059.001

Persistence

Boot or Logon Autostart Execution

1
T1547

Registry Run Keys / Startup Folder

1
T1547.001

Create or Modify System Process

2
T1543

Windows Service

2
T1543.003

Event Triggered Execution

1
T1546

Netsh Helper DLL

1
T1546.007

Privilege Escalation

Boot or Logon Autostart Execution

1
T1547

Registry Run Keys / Startup Folder

1
T1547.001

Create or Modify System Process

2
T1543

Windows Service

2
T1543.003

Event Triggered Execution

1
T1546

Netsh Helper DLL

1
T1546.007

Defense Evasion

Impair Defenses

2
T1562

Disable or Modify System Firewall

1
T1562.004

Disable or Modify Tools

1
T1562.001

Modify Registry

2
T1112

Credential Access

Discovery

Query Registry

1
T1012

System Information Discovery

2
T1082

System Location Discovery

1
T1614

System Language Discovery

1
T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Tasks