Analysis
max time kernel: 29s
max time network: 33s
platform: windows10-2004_x64
resource: win10v2004-20220414-en
submitted: 24-04-2022 16:56
Static task: static1
Behavioral task: behavioral1
  Sample: Discord token grabber/TokenPuller V.3.1 (setup) - by hokyz.exe
  Resource: win10-20220414-en
  Platform: windows10_x64
  0 signatures, 0 seconds
Behavioral task: behavioral2
  Sample: Discord token grabber/TokenPuller V.3.1 (setup) - by hokyz.exe
  Resource: win10v2004-20220414-en
  Platform: windows10-2004_x64
  0 signatures, 0 seconds
General
Target: Discord token grabber/TokenPuller V.3.1 (setup) - by hokyz.exe
Size: 30.1MB
MD5: ba32786e2bcde7e3d648e3fb7eb9e29c
SHA1: 298561178fea0eda9cdbf59f93928b74b475dea9
SHA256: 0d8833793a712d4af7c832fbbb70dd171d15de09e5f472fa351294eba746baa1
SHA512: e8ec4f2ce32cc583ec2365702ffd0998e57d5212263196e96bb2e3f5b13353f483fc347671dc7c13fa8d9b3f195beec1956ed0fc1b45b87acd7efa103956f54f
Score: 6/10
Malware Config
Signatures
- Legitimate hosting services abused for malware hosting/C2 (1 TTPs)
- Enumerates processes with tasklist (1 TTPs, 1 IoCs)
- Suspicious use of AdjustPrivilegeToken (1 IoCs)
  Processes:
  description                pid   process
  Token: SeDebugPrivilege    3192  tasklist.exe
- Suspicious use of WriteProcessMemory (4 IoCs)
  Processes:
  description                        pid   process                                     target process
  PID 968 wrote to memory of 1344    968   TokenPuller V.3.1 (setup) - by hokyz.exe    cmd.exe
  PID 968 wrote to memory of 1344    968   TokenPuller V.3.1 (setup) - by hokyz.exe    cmd.exe
  PID 1344 wrote to memory of 3192   1344  cmd.exe                                     tasklist.exe
  PID 1344 wrote to memory of 3192   1344  cmd.exe                                     tasklist.exe
Processes
- C:\Users\Admin\AppData\Local\Temp\Discord token grabber\TokenPuller V.3.1 (setup) - by hokyz.exe
  command line: "C:\Users\Admin\AppData\Local\Temp\Discord token grabber\TokenPuller V.3.1 (setup) - by hokyz.exe"
  - Suspicious use of WriteProcessMemory
  - C:\Windows\system32\cmd.exe
    command line: C:\Windows\system32\cmd.exe /d /s /c "tasklist"
    - Suspicious use of WriteProcessMemory
    - C:\Windows\system32\tasklist.exe
      command line: tasklist
      - Enumerates processes with tasklist
      - Suspicious use of AdjustPrivilegeToken