Analysis

  • max time kernel
    133s
  • max time network
    155s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240319-en
  • resource tags

    arch:x64, arch:x86, image:win10v2004-20240319-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    26-03-2024 04:14

General

  • Target

    jshowgay.exe

  • Size

    78KB

  • MD5

    a3311bf9b1e1a709c61f8f55b483ee77

  • SHA1

    805354ace1a1fb582a5241e7a04d9340ac2505d4

  • SHA256

    e2022e6c90940c5d53874ec0067fda1510054cf07658114a9c06f1bc5a54aaa7

  • SHA512

    b1b4c54d897ce7ac1f745bd70933e76aaf6944a8ec5378ca7f1969ed4e6c39a4e9ec97742572bb364720555e7aba33b88c2cd74e20e4682639980a1aadad9025

  • SSDEEP

    1536:52WjO8XeEXFh5P7v88wbjNrfxCXhRoKV6+V+LPIC:5Zv5PDwbjNrmAE+jIC

Malware Config

Extracted

Family

discordrat

Attributes
  • discord_token

    MTAxMDkxMjc0Njg4OTU2NDI2MQ.GZIJaY._ieRsF-PRMbBKkDzN44d2WhhNys6nUjZKJsw8k

  • server_id

    1222035180903202936

Signatures

  • Discord RAT

    A RAT written in C# using Discord as a C2.

  • Legitimate hosting services abused for malware hosting/C2 (1 TTP, 6 IoCs)
  • Suspicious use of AdjustPrivilegeToken (1 IoC)
  • Suspicious use of FindShellTrayWindow (1 IoC)

Processes

  • C:\Users\Admin\AppData\Local\Temp\jshowgay.exe
    "C:\Users\Admin\AppData\Local\Temp\jshowgay.exe"
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of FindShellTrayWindow
    PID:2684
  • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=4276 --field-trial-handle=2224,i,17688331074622862378,73816879873678745,262144 --variations-seed-version /prefetch:8
    PID:2244
    • C:\Windows\System32\rundll32.exe
      C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
      PID:556

Network

MITRE ATT&CK Enterprise v15

Downloads

  • memory/2684-0-0x000001DAB42C0000-0x000001DAB42D8000-memory.dmp (Filesize 96KB)
  • memory/2684-1-0x000001DACE9A0000-0x000001DACEB62000-memory.dmp (Filesize 1.8MB)
  • memory/2684-2-0x00007FF894640000-0x00007FF895101000-memory.dmp (Filesize 10.8MB)
  • memory/2684-3-0x000001DACED40000-0x000001DACED50000-memory.dmp (Filesize 64KB)
  • memory/2684-4-0x000001DACFD00000-0x000001DAD0228000-memory.dmp (Filesize 5.2MB)
  • memory/2684-5-0x00007FF894640000-0x00007FF895101000-memory.dmp (Filesize 10.8MB)
  • memory/2684-6-0x000001DACED40000-0x000001DACED50000-memory.dmp (Filesize 64KB)