Analysis
-
max time kernel
300s -
max time network
93s -
platform
windows10-2004_x64 -
resource
win10v2004-20240221-en -
resource tags
-
submitted
25/02/2024, 13:24
General
-
Target
-
Size
302KB
-
MD5
ee6160c1a4a92c9660402f147b560431
-
SHA1
045c5019a2557de570a7ffc0270d4b4939bbf855
-
SHA256
55897406bcc2b5c3ba05b57e97bbc69a2eb5a2941b90a2982e2d3c89d57fbfb9
-
SHA512
64189d777a33eedbac2979af87e196e099565b0ca53f842c74bf2826d3c11a1aeaed82823e9089ac8e28e8b0075f6333e64062c6e92ff2696ffd4b88d29ea811
-
SSDEEP
6144:vCGaECnpAoDO1A8dg3iTPJLMfgQZycxF+Ii:6GHCnaomAEg3uPdkgWycxF+t
Malware Config
Extracted
discordrat
-
discord_token
MTIxMDQ1NjY0ODQ1MjQxNTUwOA.Gh0y7q.0U1kmcgYc3Agu4PPdar0sgV_bW8X8ZoS9NlBm8
-
server_id
1210454330054807572
Signatures
-
Discord RAT
A RAT written in C# using Discord as a C2.
-
Checks computer location settings 2 TTPs 1 IoCs
Looks up country code configured in the registry, likely geofence.
-
Executes dropped EXE 1 IoCs
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Suspicious use of AdjustPrivilegeToken 1 IoCs
-
Suspicious use of WriteProcessMemory 2 IoCs
Processes
-
C:\Users\Admin\AppData\Local\Temp\[email protected]"C:\Users\Admin\AppData\Local\Temp\[email protected]"1⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\[email protected]"C:\Users\Admin\AppData\Local\Temp\[email protected]"2⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
-
Network
MITRE ATT&CK Enterprise v15
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
78KB
MD516d5a3ec9eb1dab4643ec0337b8d9a0f
SHA171e5fce8d3b87f85c1de40e785ffaf15fbf49c43
SHA256335aa65392bdd960f15fa587ebe629e9a6f42f8ee1b7e7a7f77ef6dd967b6c9a
SHA51257a9347363e218d19d616b63d45bb3cc0bdd482cd5191622fa753a73bdaa9ddf341cd9d274501062bba8aff68590eebe29313c1d5e4c116b18ddcefa24923704
-
Filesize
96KB
-
Filesize
1.8MB
-
Filesize
10.8MB
-
Filesize
64KB
-
Filesize
10.8MB