samorat | fac551f8ff156743a7f41bf36684691e87dfb123c027ea0541b962b3162e4c46

General

Target

fac551f8ff156743a7f41bf36684691e87dfb123c027ea0541b962b3162e4c46.exe
Size

1.3MB
MD5

2042fdc08ed48544a98307aec4610251
SHA1

50a6c64a62347c6c87abb65d04803ff23832a7e8
SHA256

fac551f8ff156743a7f41bf36684691e87dfb123c027ea0541b962b3162e4c46
SHA512

b102fc8105b0a7cca5c33711e83af818dd9c37ff377d252edec69cbb05052387013426bbce38650c0360fb8c94f4796a8232b93f4c5d438caf031a50c4cae591

Score

10^/10

Malware Config

Signatures

Contains code to disable Windows Defender 16 IoCs

A .NET executable tasked with disabling Windows Defender capabilities such as realtime monitoring, blocking at first seen, etc.

resource	yara_rule
behavioral1/memory/108-18-0x0000000000000000-mapping.dmp	disable_win_def
behavioral1/memory/108-19-0x0000000000000000-mapping.dmp	disable_win_def
behavioral1/memory/108-20-0x0000000000000000-mapping.dmp	disable_win_def
behavioral1/memory/108-21-0x0000000000000000-mapping.dmp	disable_win_def
behavioral1/memory/108-22-0x0000000000000000-mapping.dmp	disable_win_def
behavioral1/memory/108-23-0x0000000000000000-mapping.dmp	disable_win_def
behavioral1/memory/108-25-0x0000000000000000-mapping.dmp	disable_win_def
behavioral1/memory/108-24-0x0000000000000000-mapping.dmp	disable_win_def
behavioral1/memory/108-27-0x0000000000000000-mapping.dmp	disable_win_def
behavioral1/memory/108-26-0x0000000000000000-mapping.dmp	disable_win_def
behavioral1/memory/108-28-0x0000000000000000-mapping.dmp	disable_win_def
behavioral1/memory/108-29-0x0000000000000000-mapping.dmp	disable_win_def
behavioral1/memory/108-30-0x0000000000000000-mapping.dmp	disable_win_def
behavioral1/memory/108-31-0x0000000000000000-mapping.dmp	disable_win_def
behavioral1/memory/108-32-0x0000000000000000-mapping.dmp	disable_win_def
behavioral1/memory/108-33-0x0000000000000000-mapping.dmp	disable_win_def

SamoRAT
SamoRAT is a .NET malware used to receive and execute different commands on the infected system.
trojan samorat

ServiceHost packer 16 IoCs

Detects ServiceHost packer used for .NET malware

resource	yara_rule
behavioral1/memory/108-18-0x0000000000000000-mapping.dmp	servicehost
behavioral1/memory/108-19-0x0000000000000000-mapping.dmp	servicehost
behavioral1/memory/108-20-0x0000000000000000-mapping.dmp	servicehost
behavioral1/memory/108-21-0x0000000000000000-mapping.dmp	servicehost
behavioral1/memory/108-22-0x0000000000000000-mapping.dmp	servicehost
behavioral1/memory/108-23-0x0000000000000000-mapping.dmp	servicehost
behavioral1/memory/108-25-0x0000000000000000-mapping.dmp	servicehost
behavioral1/memory/108-24-0x0000000000000000-mapping.dmp	servicehost
behavioral1/memory/108-27-0x0000000000000000-mapping.dmp	servicehost
behavioral1/memory/108-26-0x0000000000000000-mapping.dmp	servicehost
behavioral1/memory/108-28-0x0000000000000000-mapping.dmp	servicehost
behavioral1/memory/108-29-0x0000000000000000-mapping.dmp	servicehost
behavioral1/memory/108-30-0x0000000000000000-mapping.dmp	servicehost
behavioral1/memory/108-31-0x0000000000000000-mapping.dmp	servicehost
behavioral1/memory/108-32-0x0000000000000000-mapping.dmp	servicehost
behavioral1/memory/108-33-0x0000000000000000-mapping.dmp	servicehost

Executes dropped EXE 2 IoCs

pid	Process
1428	ProAlts.xyz Token Generator.exe
108	WinServices.exe

Loads dropped DLL 7 IoCs

pid	Process
1296	fac551f8ff156743a7f41bf36684691e87dfb123c027ea0541b962b3162e4c46.exe
1296	fac551f8ff156743a7f41bf36684691e87dfb123c027ea0541b962b3162e4c46.exe
1744	WerFault.exe
1744	WerFault.exe
1744	WerFault.exe
1744	WerFault.exe
1744	WerFault.exe

Looks up external IP address via web service 1 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

flow	ioc
3	icanhazip.com

Program crash 1 IoCs

pid	pid_target	Process	procid_target
1744	108	WerFault.exe	25

Creates scheduled task(s) 1 TTPs 1 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence

Scheduled Task

T1053

pid	Process
1788	schtasks.exe

Suspicious behavior: EnumeratesProcesses 9 IoCs

pid	Process
108	WinServices.exe
108	WinServices.exe
108	WinServices.exe
108	WinServices.exe
1744	WerFault.exe
1744	WerFault.exe
1744	WerFault.exe
1744	WerFault.exe
1744	WerFault.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	108	WinServices.exe
Token: SeDebugPrivilege	1744	WerFault.exe

Suspicious use of WriteProcessMemory 20 IoCs

description	pid	Process	procid_target
PID 1296 wrote to memory of 1428	1296	fac551f8ff156743a7f41bf36684691e87dfb123c027ea0541b962b3162e4c46.exe	24
PID 1296 wrote to memory of 1428	1296	fac551f8ff156743a7f41bf36684691e87dfb123c027ea0541b962b3162e4c46.exe	24
PID 1296 wrote to memory of 1428	1296	fac551f8ff156743a7f41bf36684691e87dfb123c027ea0541b962b3162e4c46.exe	24
PID 1296 wrote to memory of 1428	1296	fac551f8ff156743a7f41bf36684691e87dfb123c027ea0541b962b3162e4c46.exe	24
PID 1296 wrote to memory of 108	1296	fac551f8ff156743a7f41bf36684691e87dfb123c027ea0541b962b3162e4c46.exe	25
PID 1296 wrote to memory of 108	1296	fac551f8ff156743a7f41bf36684691e87dfb123c027ea0541b962b3162e4c46.exe	25
PID 1296 wrote to memory of 108	1296	fac551f8ff156743a7f41bf36684691e87dfb123c027ea0541b962b3162e4c46.exe	25
PID 1296 wrote to memory of 108	1296	fac551f8ff156743a7f41bf36684691e87dfb123c027ea0541b962b3162e4c46.exe	25
PID 108 wrote to memory of 1856	108	WinServices.exe	28
PID 108 wrote to memory of 1856	108	WinServices.exe	28
PID 108 wrote to memory of 1856	108	WinServices.exe	28
PID 108 wrote to memory of 1856	108	WinServices.exe	28
PID 1856 wrote to memory of 1788	1856	cmd.exe	30
PID 1856 wrote to memory of 1788	1856	cmd.exe	30
PID 1856 wrote to memory of 1788	1856	cmd.exe	30
PID 1856 wrote to memory of 1788	1856	cmd.exe	30
PID 108 wrote to memory of 1744	108	WinServices.exe	31
PID 108 wrote to memory of 1744	108	WinServices.exe	31
PID 108 wrote to memory of 1744	108	WinServices.exe	31
PID 108 wrote to memory of 1744	108	WinServices.exe	31

C:\Users\Admin\AppData\Local\Temp\fac551f8ff156743a7f41bf36684691e87dfb123c027ea0541b962b3162e4c46.exe
"C:\Users\Admin\AppData\Local\Temp\fac551f8ff156743a7f41bf36684691e87dfb123c027ea0541b962b3162e4c46.exe"
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1296
- C:\ProgramData\ProAlts.xyz Token Generator.exe
  "C:\ProgramData\ProAlts.xyz Token Generator.exe"
  2⤵
  - Executes dropped EXE
  PID:1428
- C:\ProgramData\WinServices.exe
  "C:\ProgramData\WinServices.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:108
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\System32\cmd.exe" /c schtasks /create /f /sc onlogon /rl highest /tn WinServices /tr '"C:\Users\Admin\AppData\Local\Microsoft\Networking\WinServices.exe"' & exit
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:1856
  - - C:\Windows\SysWOW64\schtasks.exe
      schtasks /create /f /sc onlogon /rl highest /tn WinServices /tr '"C:\Users\Admin\AppData\Local\Microsoft\Networking\WinServices.exe"'
      4⤵
      Creates scheduled task(s)
      PID:1788
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 108 -s 1612
    3⤵
    - Loads dropped DLL
    - Program crash
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:1744

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Scheduled Task

1

T1053

Persistence

Scheduled Task

1

T1053

Privilege Escalation

Scheduled Task

1

T1053

Defense Evasion

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/1744-13-0x0000000000B80000-0x0000000000B91000-memory.dmp

Filesize
68KB

Download
memory/1744-34-0x00000000027E0000-0x00000000027F1000-memory.dmp

Filesize
68KB

Download

Resubmissions

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads