Resubmissions

24/02/2024, 20:02 UTC

240224-yscecsdc27 10

24/02/2024, 20:01 UTC

240224-yr2ymaea5s 10

24/02/2024, 19:56 UTC

240224-yntsvadb23 10

Analysis

  • max time kernel
    83s
  • max time network
    79s
  • platform
    windows10-1703_x64
  • resource
    win10-20240221-en
  • resource tags

    arch:x64, arch:x86, image:win10-20240221-en, locale:en-us, os:windows10-1703-x64, system
  • submitted
    24/02/2024, 19:56 UTC

General

  • Target

    PSC-PaySafeCard Generator.exe

  • Size

    217KB

  • MD5

    e3cf82e6ef4d500a5b4bb3d0c9ba2e6e

  • SHA1

    968952165941e4ae6242b77c52ff4529a7763468

  • SHA256

    60728dff05c95a07e870ff5db3e7c509e2a83c7606d9cedd465e3556eb801a00

  • SHA512

    190da0cc9499d87ef615e6b36f614df240a3e86d3bfb6ea2952ee407e0a45a2878bd35d2ce09223372bd3644fddd2929378a034db3eb6d5163e43d8e3806b6fe

  • SSDEEP

    3072:QZv5PDwbjNrmAE+0IIpZ4RDlzKNpjAMt+lgJIft3AXsV+gE6+ui+NH9QlR:kv5PDwbBrwIIpNpjP+QZ6+uLN9

Malware Config

Extracted

Family

discordrat

Attributes
  • discord_token

    MTE4ODgxNjUwNzA0MDQ0MDM2Mg.Gssdgm.Y-c4vKU30hG0gZbFd7kORZFoNCjnRRZbRdGrJ8

  • server_id

    1188815612844191764

Signatures

  • Discord RAT

    A RAT written in C# using Discord as a C2.

  • Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\PSC-PaySafeCard Generator.exe
    "C:\Users\Admin\AppData\Local\Temp\PSC-PaySafeCard Generator.exe"
    1⤵
    • Suspicious use of AdjustPrivilegeToken
    PID:364

Network

  • DNS (US)
    gateway.discord.gg
    PSC-PaySafeCard Generator.exe
    Remote address:
    8.8.8.8:53
    Request
    gateway.discord.gg
    IN A
    Response
    gateway.discord.gg
    IN A
    162.159.130.234
    gateway.discord.gg
    IN A
    162.159.134.234
    gateway.discord.gg
    IN A
    162.159.133.234
    gateway.discord.gg
    IN A
    162.159.136.234
    gateway.discord.gg
    IN A
    162.159.135.234
  • GET (US)
    https://gateway.discord.gg/?v=9&encording=json
    PSC-PaySafeCard Generator.exe
    Remote address:
    162.159.130.234:443
    Request
    GET /?v=9&encording=json HTTP/1.1
    Connection: Upgrade,Keep-Alive
    Upgrade: websocket
    Sec-WebSocket-Key: JVBYPNklJmV0dAJuzbrOKQ==
    Sec-WebSocket-Version: 13
    Host: gateway.discord.gg
    Response
    HTTP/1.1 101 Switching Protocols
    Date: Sat, 24 Feb 2024 19:56:29 GMT
    Connection: upgrade
    sec-websocket-accept: M6GNpPfEciG2mtXoI7ceRJGhAm8=
    upgrade: websocket
    CF-Cache-Status: DYNAMIC
    Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v3?s=vUO8ikdJGD%2FDdUrIp24WPw%2BW4%2FcuTvRYdJ5BJSdhA%2FIq75uODac6rkex0RsXDi0%2BP7NNSGauiSqZqP0e2eZWKpeIrfhp2ozWWRNI96m1yEF%2F%2FHuEzhKj4BOUTUgPcXCmzeZmZg%3D%3D"}],"group":"cf-nel","max_age":604800}
    NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
    Strict-Transport-Security: max-age=31536000; includeSubDomains; preload
    X-Content-Type-Options: nosniff
    Server: cloudflare
    CF-RAY: 85aa45abc8c952db-LHR
  • DNS (US)
    234.130.159.162.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    234.130.159.162.in-addr.arpa
    IN PTR
    Response
  • DNS (US)
    11.227.111.52.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    11.227.111.52.in-addr.arpa
    IN PTR
    Response
  • 162.159.130.234:443
    https://gateway.discord.gg/?v=9&encording=json
    tls, http
    PSC-PaySafeCard Generator.exe
    1.2kB
    4.2kB
    11
    13

    HTTP Request

    GET https://gateway.discord.gg/?v=9&encording=json

    HTTP Response

    101
  • 8.8.8.8:53
    gateway.discord.gg
    dns
    PSC-PaySafeCard Generator.exe
    64 B
    144 B
    1
    1

    DNS Request

    gateway.discord.gg

    DNS Response

    162.159.130.234
    162.159.134.234
    162.159.133.234
    162.159.136.234
    162.159.135.234

  • 8.8.8.8:53
    234.130.159.162.in-addr.arpa
    dns
    74 B
    136 B
    1
    1

    DNS Request

    234.130.159.162.in-addr.arpa

  • 8.8.8.8:53
    11.227.111.52.in-addr.arpa
    dns
    72 B
    158 B
    1
    1

    DNS Request

    11.227.111.52.in-addr.arpa

MITRE ATT&CK Matrix

Downloads

  • memory/364-0-0x000001FDC5DF0000-0x000001FDC5E2A000-memory.dmp

    Filesize

    232KB

  • memory/364-1-0x000001FDE0440000-0x000001FDE0602000-memory.dmp

    Filesize

    1.8MB

  • memory/364-2-0x00007FFEE58E0000-0x00007FFEE62CC000-memory.dmp

    Filesize

    9.9MB

  • memory/364-3-0x000001FDE02F0000-0x000001FDE0300000-memory.dmp

    Filesize

    64KB

  • memory/364-4-0x000001FDE0C40000-0x000001FDE1166000-memory.dmp

    Filesize

    5.1MB

  • memory/364-5-0x00007FFEE58E0000-0x00007FFEE62CC000-memory.dmp

    Filesize

    9.9MB

  • memory/364-6-0x000001FDE02F0000-0x000001FDE0300000-memory.dmp

    Filesize

    64KB