Dynamic Analysis - An Unknown RAT
- Hacking By Doing
- Dec 6, 2022
- 1 min read
In this post, I am going to analyze a RAT downloaded from the HuskyHacks GitHub page.

This is the information I have on the file before analyzing it.

I have a txt file saying that the IR team suspects this malware might have some command execution capabilities and that I should proceed with basic dynamic analysis.
There's also a txt file of the hashes they pulled from the malware, which I check against the file I was given before doing anything else.
But before I detonate it, I will extract the strings using FLOSS:

After going through the strings, it looks like I've found some useful ones:
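As an added example (not code from the original post or from the HuskyHacks course material), the script below does the two pre-detonation steps above in Python: it checks the file against the digests in the IR team's hash file, then dumps ASCII and UTF-16LE strings and flags the ones worth a second look. The `SAMPLE` bytes are a constructed stand-in with a few planted artefacts, not the real sample, and the `INTERESTING` keyword list is my own choice; it does not reproduce FLOSS's stack-string and decoded-string recovery.

```python
"""Pre-detonation triage of a suspicious binary: verify it against the
digests the IR team supplied, then pull ASCII and UTF-16LE strings the way
`strings`/FLOSS would (FLOSS additionally recovers stack and decoded strings,
which this script does not attempt)."""
import hashlib
import re
from typing import Dict, List, Tuple

# Constructed stand-in for the sample's bytes: NOT the real RAT, just a few
# planted artefacts (an HTTP request line, a wide "Startup" string, a cmd.exe
# fragment) surrounded by non-printable filler.
SAMPLE = (
    b"MZ\x90\x00\x03"
    + b"GET /msdcorelib.exe HTTP/1.1" + b"\x00\x00"
    + "Startup".encode("utf-16le") + b"\x00\x00"
    + b"cmd.exe /c " + b"\x00"
    + b"\x01\x02ab\x03"
)

# Keywords worth a second look in a string dump (assumed list; extend as needed).
INTERESTING = re.compile(r"(?i)(https?://|GET |\.exe|cmd\.exe|startup|listen|socket|base64)")


def hashes(data: bytes) -> Dict[str, str]:
    """MD5/SHA-1/SHA-256 of the sample, as lowercase hex."""
    return {name: hashlib.new(name, data).hexdigest() for name in ("md5", "sha1", "sha256")}


def verify_hashes(data: bytes, expected: Dict[str, str]) -> Dict[str, bool]:
    """Compare each digest from the IR team's hash file with the file on disk.
    Case and surrounding whitespace in the expected value are ignored; unknown
    algorithm names are skipped."""
    actual = hashes(data)
    return {
        name: actual[name] == digest.strip().lower()
        for name, digest in expected.items()
        if name in actual
    }


def extract_strings(data: bytes, min_len: int = 4) -> List[Tuple[str, str]]:
    """Return (encoding, text) pairs for ASCII and UTF-16LE runs of at least
    min_len printable characters, in file order."""
    ascii_re = re.compile(rb"[\x20-\x7e]{%d,}" % min_len)
    wide_re = re.compile(rb"(?:[\x20-\x7e]\x00){%d,}" % min_len)
    found = [(m.start(), "ascii", m.group().decode("ascii")) for m in ascii_re.finditer(data)]
    found += [(m.start(), "utf-16le", m.group().decode("utf-16le")) for m in wide_re.finditer(data)]
    found.sort()
    return [(enc, text) for _, enc, text in found]


def interesting_strings(data: bytes, min_len: int = 4) -> List[str]:
    """Subset of the extracted strings that match the INTERESTING keywords."""
    return [text for _, text in extract_strings(data, min_len) if INTERESTING.search(text)]


if __name__ == "__main__":
    for name, digest in hashes(SAMPLE).items():
        print(f"{name}: {digest}")
    for enc, text in extract_strings(SAMPLE):
        print(f"[{enc}] {text!r}")
    print("worth a look:", interesting_strings(SAMPLE))
```

To use it on the real file, pass `open(path, "rb").read()` in place of `SAMPLE`. If `verify_hashes` reports `False` for any digest, stop and find out why before detonating: the file you have is not the one the IR team looked at.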

Now to run the malware and start the analysis.

Initial Detonation:

Wireshark packet analysis:

Potential file download: msdcorelib.exe

Host Based Indicators

Persistence Binary

TCP socket in listening state:

Base64 encoded data from socket on TCP 5555:
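Added example, not part of the original post: once you have the bytes of the TCP 5555 conversation (for instance Wireshark's "Follow TCP Stream" saved as raw), this Python script pulls out the base64-looking runs, decodes the valid ones and keeps those that decode to text, so operator commands and replies are not confused with ordinary words or binary that happen to be valid base64. `SAMPLE_STREAM` is constructed to mimic a command/response exchange and is not a capture of this RAT; the line-oriented framing is an assumption.

```python
"""Triage helper for the TCP 5555 traffic: pull base64-looking runs out of a
captured socket stream, decode the ones that are valid, and keep only those
that decode to text. Runs that are valid base64 but decode to binary are
reported with text=None so they are not mistaken for operator commands."""
import base64
import binascii
import re
from typing import List, Optional, TypedDict

# Alphabet runs of at least 8 characters, optionally followed by '=' padding.
B64_RUN = re.compile(rb"[A-Za-z0-9+/]{8,}={0,2}")

# Constructed sample stream: NOT a real capture of the RAT. It mimics a
# command/response exchange plus two distractors.
SAMPLE_STREAM = (
    b"d2hvYW1p\r\n"                                         # base64("whoami")
    + b"AAAAAAAA\r\n"                                       # valid base64, decodes to NUL bytes
    + base64.b64encode(b"desktop-7f3\\analyst") + b"\r\n"  # a plausible reply
    + b"junk!!\r\n"                                         # too short / outside the alphabet
)


class Blob(TypedDict):
    offset: int
    encoded: bytes
    decoded: bytes
    text: Optional[str]


def _as_text(raw: bytes) -> Optional[str]:
    """Decode as UTF-8 and accept only printable text (CR/LF/TAB allowed)."""
    try:
        text = raw.decode("utf-8")
    except UnicodeDecodeError:
        return None
    if text and all(c.isprintable() or c in "\r\n\t" for c in text):
        return text
    return None


def find_base64_blobs(stream: bytes) -> List[Blob]:
    """Every base64 run in the stream that decodes cleanly, in stream order."""
    blobs: List[Blob] = []
    for m in B64_RUN.finditer(stream):
        run = m.group()
        # Only add padding when the sender omitted it; a run of 4n+1 characters
        # can never be valid and is rejected by b64decode below.
        pad = b"" if run.endswith(b"=") else b"=" * (-len(run) % 4)
        try:
            decoded = base64.b64decode(run + pad, validate=True)
        except binascii.Error:
            continue
        blobs.append(Blob(offset=m.start(), encoded=run, decoded=decoded, text=_as_text(decoded)))
    return blobs


def decode_commands(stream: bytes) -> List[str]:
    """Just the runs that decode to text: what the operator sent and what
    the implant answered."""
    return [b["text"] for b in find_base64_blobs(stream) if b["text"] is not None]


if __name__ == "__main__":
    for b in find_base64_blobs(SAMPLE_STREAM):
        print(f"@{b['offset']:4d} {b['encoded'].decode():32} -> {b['text']!r}")
```

Feed it the raw stream bytes rather than Wireshark's hex-dump view, and keep the `text=None` entries in mind: a RAT can just as well ship binary (a downloaded file, for example) over the same channel.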


Command execution capability:


Conclusion:
It looks like the file is indeed a Remote Access Trojan.
If the trojan is executed without internet access, it outputs an error, as we saw in the initial detonation, and then deletes itself from disk, so keep a copy of the sample (or a VM snapshot) before detonating.
However, if you simulate the network with INetSim, you can see the RAT send an HTTP GET request to a certain address and download a second-stage payload called "msdcorelib.exe", which it places in the Startup folder so that it is executed when the machine is powered on.
I hope you found this post useful, thank you for reading.