General

  • Target

    builder.exe

  • Size

    6.0MB

  • Sample

    240504-wmw6gagf22

  • MD5

    134be258f7a02f799edc8af3019cbb08

  • SHA1

    f7562a7b3fd30dbb0e6d5585e34fae56e3c6463d

  • SHA256

    401eb3c4672a4643be382386e6a38055c182b62a6f10f0bc21dbbd80de1ffdfa

  • SHA512

    eaeaeae51c6f0f496eaad82a90e5015cc55bd8c0cac3d967f7c9b0e64fe21af7cf81126f1bb0044837f3fc7b908cffda22fe85db0194dafc9584464c0a1ab63b

  • SSDEEP

    98304:Hr77EtdFBCd9amaHl3Ne4i3gmtfXJOLhx9fZAzDJ4wzQgsRuGK4R0OuAK09royi:Hr7yFImeN/FJMIDJf0gsAGK4RXuAK0xu

Malware Config

Extracted

Family

discordrat

Attributes

  • discord_token

    MTIzNTQ4MjEyMzQxNTE5MTYxMw.G9mfvQ.Qn9FuOU6-jgfsW84jIx2GRu-CPfzoTMTt4xf6w

  • server_id

    1235482558779621386

Targets

    • Target

      builder.exe

    • Size

      6.0MB

    • MD5

      134be258f7a02f799edc8af3019cbb08

    • SHA1

      f7562a7b3fd30dbb0e6d5585e34fae56e3c6463d

    • SHA256

      401eb3c4672a4643be382386e6a38055c182b62a6f10f0bc21dbbd80de1ffdfa

    • SHA512

      eaeaeae51c6f0f496eaad82a90e5015cc55bd8c0cac3d967f7c9b0e64fe21af7cf81126f1bb0044837f3fc7b908cffda22fe85db0194dafc9584464c0a1ab63b

    • SSDEEP

      98304:Hr77EtdFBCd9amaHl3Ne4i3gmtfXJOLhx9fZAzDJ4wzQgsRuGK4R0OuAK09royi:Hr7yFImeN/FJMIDJf0gsAGK4RXuAK0xu

    • Discord RAT

      A RAT written in C# using Discord as a C2.

    • Command and Scripting Interpreter: PowerShell

      Runs PowerShell to modify Windows Defender settings, adding exclusions for file extensions, paths, and processes.

    • Drops file in Drivers directory

    • Executes dropped EXE

    • Loads dropped DLL

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials and other sensitive information.

    • UPX packed file

      Detects executables packed with the open-source UPX packer or a modified UPX variant.

    • Accesses cryptocurrency files/wallets, possible credential harvesting

    • Legitimate hosting services abused for malware hosting/C2

    • Looks up external IP address via web service

      Uses a legitimate IP lookup service to find the infected system's external IP.

    • Target

      ����95.pyc

    • Size

      857B

    • MD5

      a18479c820acaefcbea0e34ba21bd003

    • SHA1

      c39fe777995a4a82737a5c2cbf442267440d6aca

    • SHA256

      2774428e6900d428a5a954c598a24ca1771a55f4ff153ef630e2d510babcab20

    • SHA512

      0771d79fc41a2568bdf567b4bea0c7d3918480217f417869dc4d37caa1d73258d9bc10061e8bf2756eecab8b3a0b700357977c22df042c47fc5fdf18aaf42a0b

    Score
    1/10

MITRE ATT&CK Enterprise v15