888rat | d9626081d2bf9a172e48c533a3a090ea1bea072da069cefd9f0f8df11f68f1b4 | Triage

Submit
Reports

Overview

overview

Static

static

888 Rat v1....6.exe

windows10-2004-x64

Sharing

General

Target

888 Rat v1.2.6.zip
Size

74.8MB
Sample

240630-xfnq7asemc
MD5

ed677a2cbd23d1b2e38bab0290a01602
SHA1

375c12f74b1f5371d0d00aa4eed090b17f79ab44
SHA256

d9626081d2bf9a172e48c533a3a090ea1bea072da069cefd9f0f8df11f68f1b4
SHA512

45c84eaf9729b56749497d8097d1718938d7c4733cf9d743170260086944c0f42fdaa316bec7c35957f80c9abeecc1af786793913dee5324788357ed0b16ec22
SSDEEP

1572864:DrABerxu4LBvOFD63EdvEJTNnzht3LOPQLVTUEQH4l30o1zWNL:DWkxu+1OU3EdvEfHc2TUEQHidQNL

Score

10^/10

888rat quasar venomrat office04 evasion infostealer rat rootkit spyware stealer trojan upx

Static task

static1

5 signatures

Behavioral task

behavioral1

Sample

888 Rat v1.2.6/888 Rat v1.2.6/888 Rat v1.2.6.exe

Resource

win10v2004-20240226-en

888rat quasar venomrat office04 evasion infostealer rat rootkit spyware stealer trojan upx

windows10-2004-x64

26 signatures

150 seconds

Malware Config

Extracted

Family

quasar

Attributes

reconnect_delay
3000

Extracted

Family

quasar

Version

2.1.0.0

Botnet

Office04

C2

67.213.221.18:7812

Mutex

VNM_MUTEX_B0sqoh0d48yuflweio

Attributes

encryption_key
NEOKSRafQp0TVRXpXlww
install_name
Windows Service.exe
log_directory
Logs
reconnect_delay
3000
startup_key
fgiufbvifdhg9ihfibnfdi
subdirectory
Windows Services

Targets

- Target
  
  888 Rat v1.2.6/888 Rat v1.2.6/888 Rat v1.2.6.exe
- Size
  
  75.5MB
- MD5
  
  7b698ac4d64d1ee750e4c413467d5bc2
- SHA1
  
  04bc13c495da113feea6be33706614da8a45058c
- SHA256
  
  de45c788a3c029874036f20f97a8a7c30d1ae6028c14896eb33a45c05b7fb9bb
- SHA512
  
  db9ae78b42406eb6fc1ac0c3c7738ae22a48b2ace9931ee4ac80e5d95d3ecff6d8cd52a5d4601f3361b8c96d4a97a61ad30b2696dffc38a9e77132e3f1e35a32
- SSDEEP
  
  1572864:fmhnD+9mK/LnkHD1LYrXatfLllR3RboTmxXlIgU/cNruKPZiv:YnD+UozkJLYrXajR4ElIgU/c5Qv
Score

10^/10

888rat quasar venomrat office04 evasion infostealer rat rootkit spyware stealer trojan upx
- 888RAT
  888RAT is an Android remote administration tool.
  trojan infostealer rat 888rat
- Android 888 RAT payload
- Contains code to disable Windows Defender
  A .NET executable tasked with disabling Windows Defender capabilities such as realtime monitoring, blocking at first seen, etc.
- Modifies Windows Defender Real-time Protection settings
  evasion trojan
- Quasar RAT
  Quasar is an open source Remote Access Tool.
  trojan spyware quasar
- Quasar payload
- VenomRAT
  VenomRAT is a modified version of QuasarRAT with some added features, such as rootkit and stealer capabilites.
  rat rootkit stealer venomrat
- ACProtect 1.3x - 1.4x DLL software
  Detects file using ACProtect software.
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Executes dropped EXE
- Loads dropped DLL
- UPX packed file
  Detects executables packed with UPX/modified UPX open source packer.
  upx
- Windows security modification
  evasion trojan
- Looks up external IP address via web service
  Uses a legitimate IP lookup service to find the infected system's external IP.
- AutoIT Executable
  AutoIT scripts compiled to PE executables.
behavioral1

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Scheduled Task/Job

Scheduled Task

Persistence

Create or Modify System Process

Windows Service

Scheduled Task/Job

Scheduled Task

Privilege Escalation

Create or Modify System Process

Windows Service

Scheduled Task/Job

Scheduled Task

Defense Evasion

Modify Registry

Impair Defenses

Disable or Modify Tools

Credential Access

Discovery

Query Registry

System Information Discovery

Peripheral Device Discovery

Remote System Discovery

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Tasks

static1

behavioral1

888ratquasarvenomratoffice04evasioninfostealerratrootkitspywarestealertrojanupx

© 2018-2024

Terms | Privacy