Resubmissions

  • 24/01/2024, 11:29  240124-nl3mvshba9  10

  • 24/01/2024, 09:36  240124-lk1e1afbf3  10

  • 24/01/2024, 09:06  240124-k2saaaefbp  10

General

  • Target

    sandali_scripts_0.2.exe

  • Size

    78KB

  • Sample

    240124-nl3mvshba9

  • MD5

    53e94367562141c71308f160d64ac606

  • SHA1

    d473a5dd5a50bbef57f4dc08f30a8e7daa44a70a

  • SHA256

    705da24f116ae885cfc19592f47dfd243fc32c294b56e2a599f11391af8cf808

  • SHA512

    e948a910a95058dafe8bd8bcf7bfc531d919805de06fc529b7fad9cd7169fb06659782d78d160ce6a226642c4b4139d18d27a94a3ac3cc162a62b2d8b8a9d0cb

  • SSDEEP

    1536:52WjO8XeEXFh5P7v88wbjNrfxCXhRoKV6+V+fPIC:5Zv5PDwbjNrmAE+nIC

Malware Config

Extracted

Family

discordrat

Attributes

  • discord_token

    MTE5OTY0MDMyNzUzMTgxMDg0Ng.GJp4Tt.25gqYCe3ycDlkT_8sVvroiDlkiIc6StLiHaLV0

  • server_id

    1197802974894886943

Targets

    • Discord RAT

      A RAT written in C# using Discord as a C2.

    • Suspicious use of NtCreateUserProcessOtherParentProcess

    • Downloads MZ/PE file

    • Legitimate hosting services abused for malware hosting/C2

    • Suspicious use of SetThreadContext
