Attribute | Value |
---|---|
ID | X0044 |
Aliases | None |
Platforms | Windows, Linux, macOS |
Year | 2020 |
Associated ATT&CK Software | None |
ElectroRAT is used to steal cryptocurrency from wallets.
ATT&CK Techniques

Name | Use |
---|---|
Execution::User Execution (T1204) | ElectroRAT relies on the user executing the malware. [1] |
Command and Control::Web Service (T1102) | ElectroRAT uses HTTP for C&C and exfiltration. [1] |
Execution::Command and Scripting Interpreter (T1059) | ElectroRAT uses Python to embed additional binaries. [1] |
Discovery::System Information Discovery (T1082) | ElectroRAT detects the OS to determine which plugins to download. [1] |
Persistence::Boot or Logon Autostart Execution (T1547) | ElectroRAT configures itself to start automatically at boot. [1] |
Enhanced ATT&CK Techniques

Name | Use |
---|---|
Collection::Input Capture (E1056) | ElectroRAT monitors keyboard and mouse activity to determine whether the machine is in use. [1] |
Discovery::File and Directory Discovery (E1083) | ElectroRAT searches the file system for cryptocurrency wallets to steal from. [1] |
MBC Behaviors

Name | Use |
---|---|
Execution::Install Additional Program (B0023) | Upon execution, ElectroRAT downloads additional executables. [1] |
Collection::Cryptocurrency (B0028) | ElectroRAT examines the disk for cryptocurrency addresses and keys in order to steal funds from wallets. It targets multiple currencies, including Monero, Dogecoin, Ethereum, Litecoin, and Bitcoin. [1] |
Command and Control::C2 Communication (B0030) | ElectroRAT communicates with Pastebin pages over HTTP. [1] |
Command-and-Control Servers
- 193.38.55.131
- 193.38.55.4
- 213.226.100.140
- kintum.io
- daopoker.com
- jamm.to
- pastebin.com/raw/r12wBrC7
- pastebin.com/raw/DF8Gikrk
- pastebin.com/raw/bfQiiqyv
- pastebin.com/raw/UbTZx6kd
- pastebin.com/raw/U45SvK4K
- pastebin.com/raw/zrZA4L3e
SHA256 Hashes
- 170cb5ea1a6b4af3c27358ba267a1309ed5118481619fc874f717262cb91fb77
- 881be95a9632fa44deeeca23e4e19390d600ad817b2f66671d3f21453a16c7b7
- e9b83d5cdefd4486b32a927d7505cdeebb43e6977759ba069d9373e46ca7d0f2
- e547872761d81c3afc9c2a42cac3931e2a1defc2c56a0a3c57b28ea91e7686cd
- 17b0b1a9271683f30e5bfd92eec9c0a917755f54060ef40d9bd0f12e927f540f
- 5c884be3635eb55ce02e141d6fb07f760b6dbcace54f2217c69f287292ce59f6
[1] https://www.intezer.com/blog/research/operation-electrorat-attacker-creates-fake-companies-to-drain-your-crypto-wallets/