Analysis
- max time kernel: 149s
- max time network: 152s
- platform: windows10-2004_x64
- resource: win10v2004-20240226-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20240226-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 05/03/2024, 12:13
Behavioral task: behavioral1
- Sample: NigaMafia's Boss.exe
- Resource: win7-20240221-en
Behavioral task: behavioral2
- Sample: NigaMafia's Boss.exe
- Resource: win10v2004-20240226-en
General
- Target: NigaMafia's Boss.exe
- Size: 78KB
- MD5: 21885f673ab1e5656712d1946e139a95
- SHA1: af4b0886b99640a98fde66638a08e21fe6acda52
- SHA256: 60f1773412433537eb8d178603df50ed19b70e53bcfccac1265e55af704de749
- SHA512: 324c0cf0e7cd6d378f32d7e539ffd2f25afe5a487f0d1bedc864e58b0f7c3d66f00dd87aa53c915d745694dc2c1a324e97803a5c42276894b32eff17c6d6979c
- SSDEEP: 1536:52WjO8XeEXFh5P7v88wbjNrfxCXhRoKV6+V+TPIC:5Zv5PDwbjNrmAE+LIC
Malware Config
Extracted: discordrat
- discord_token: MTIwNzMzNzU2MDQ2MDc2MzE3Ng.GN_Yaj.0dKAdTpvE5EiY68CCdI2lKg80pcq5NJa3CMGIE
- server_id: 1182383459306586163
Signatures
- Discord RAT
  A RAT written in C# using Discord as a C2.
- Legitimate hosting services abused for malware hosting/C2 (1 TTPs, 11 IoCs)
  flow  ioc
  21    discord.com
  114   discord.com
  117   discord.com
  168   discord.com
  206   discord.com
  208   discord.com
  34    discord.com
  42    discord.com
  170   discord.com
  213   discord.com
  215   discord.com
- Gathers network information (2 TTPs, 1 IoCs)
  Uses commandline utility to view network configuration.
  pid   Process
  3436  ipconfig.exe
- Suspicious use of AdjustPrivilegeToken (1 IoCs)
  description              pid   Process
  Token: SeDebugPrivilege  2180  NigaMafia's Boss.exe
- Suspicious use of WriteProcessMemory (6 IoCs)
  description                        pid   Process               procid_target
  PID 2180 wrote to memory of 1444   2180  NigaMafia's Boss.exe  105
  PID 2180 wrote to memory of 1444   2180  NigaMafia's Boss.exe  105
  PID 2180 wrote to memory of 4548   2180  NigaMafia's Boss.exe  107
  PID 2180 wrote to memory of 4548   2180  NigaMafia's Boss.exe  107
  PID 4548 wrote to memory of 3436   4548  cmd.exe               109
  PID 4548 wrote to memory of 3436   4548  cmd.exe               109
Processes
- C:\Users\Admin\AppData\Local\Temp\NigaMafia's Boss.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\NigaMafia's Boss.exe"
  Depth: 1, PID: 2180
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  - C:\Windows\SYSTEM32\cmd.exe
    Command line: "cmd.exe" /C ip config
    Depth: 2, PID: 1444
  - C:\Windows\SYSTEM32\cmd.exe
    Command line: "cmd.exe" /C ipconfig
    Depth: 2, PID: 4548
    - Suspicious use of WriteProcessMemory
    - C:\Windows\system32\ipconfig.exe
      Command line: ipconfig
      Depth: 3, PID: 3436
      - Gathers network information