Analysis
-
max time kernel
76s -
max time network
82s -
platform
windows10-2004_x64 -
resource
win10v2004-20240226-en -
resource tags
arch:x64arch:x86image:win10v2004-20240226-enlocale:en-usos:windows10-2004-x64system -
submitted
14/03/2024, 18:07
Behavioral task
behavioral1
Sample
tszpullertool.exe
Resource
win10v2004-20240226-en
5 signatures
150 seconds
General
-
Target
tszpullertool.exe
-
Size
78KB
-
MD5
490e1d60373872243f705bdf46aab56a
-
SHA1
066dc2cd21f2289e6bf52e374c93480fa165d8f8
-
SHA256
a71b6a07ff699594a51120bd9634c46b7eafef39d43c1139439ac846280fd32a
-
SHA512
d76824c27a16e39ee6d92a32b6db3f70c0d1d026c934a690ab087851df993fc7197027dc8c077db6fc1eb660afb0eed71ef2d43d1d117b81885b52d1568dbeb6
-
SSDEEP
1536:M2WjO8XeEXFh5P7v88wbjNrfxCXhRoKV6+V+rPI2:MZv5PDwbjNrmAE+DI2
Score
10/10
Malware Config
Extracted
Family
discordrat
Attributes
-
discord_token
MTIwNjYzMDA2MDg1NDA4MzYzNA.GvVyvp.mAZUqpiSErc4n9lJ5dxHXEniOy_EsnBOiN0dn4
-
server_id
1217894352093708318
Signatures
-
Discord RAT
A RAT written in C# using Discord as a C2.
-
Downloads MZ/PE file
-
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
Legitimate hosting services abused for malware hosting/C2 1 TTPs 9 IoCs
flow ioc 16 discord.com 65 discord.com 159 raw.githubusercontent.com 15 discord.com 34 discord.com 66 discord.com 157 raw.githubusercontent.com 160 discord.com 162 discord.com -
Suspicious use of AdjustPrivilegeToken 2 IoCs
description pid Process Token: SeDebugPrivilege 3020 tszpullertool.exe Token: SeShutdownPrivilege 3020 tszpullertool.exe