Analysis

  • max time kernel
    125s
  • max time network
    126s
  • platform
    windows10-1703_x64
  • resource
    win10-20240404-en
  • resource tags

    arch:x64arch:x86image:win10-20240404-enlocale:en-usos:windows10-1703-x64system
  • submitted
    09-05-2024 14:23

General

  • Target

    Xeroexecutor.exe

  • Size

    78KB

  • MD5

    a4b35f10a18f1c4360b00f828abbc2b5

  • SHA1

    78c9ba86d8b3ca966b66ddb182c08268c79858a6

  • SHA256

    b4ca7c2c6efafb1d7402096885dcae56f6fb3d845b758ed3c1cfef21792e1444

  • SHA512

    47703141997cae647f52f692a62b38bc7543f739b5334f387f8753716cadb488898abeda21732b13c7153e0bcbc76a44c9d821f899c3b137892587538296bb3b

  • SSDEEP

    1536:52WjO8XeEXFh5P7v88wbjNrfxCXhRoKV6+V+KPIC:5Zv5PDwbjNrmAE+WIC

Malware Config

Extracted

Family

discordrat

Attributes
  • discord_token

    MTIwNjA0MDA2MDI2NTM2NTUwNA.GStFBi.KFxuLXKvS3XujUPdFiaRzwKmwtmjd2uDdKdcmY

  • server_id

    1237709600602722354

Signatures

  • Discord RAT

    A RAT written in C# using Discord as a C2.

  • Downloads MZ/PE file
  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

  • Legitimate hosting services abused for malware hosting/C2 1 TTPs 15 IoCs
  • Suspicious use of AdjustPrivilegeToken 2 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\Xeroexecutor.exe
    "C:\Users\Admin\AppData\Local\Temp\Xeroexecutor.exe"
    1⤵
    • Suspicious use of AdjustPrivilegeToken
    PID:2676

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

  • memory/2676-0-0x00000281E93F0000-0x00000281E9408000-memory.dmp

    Filesize

    96KB

  • memory/2676-1-0x00007FFA5EE13000-0x00007FFA5EE14000-memory.dmp

    Filesize

    4KB

  • memory/2676-2-0x00000281EBAB0000-0x00000281EBC72000-memory.dmp

    Filesize

    1.8MB

  • memory/2676-3-0x00007FFA5EE10000-0x00007FFA5F7FC000-memory.dmp

    Filesize

    9.9MB

  • memory/2676-4-0x00000281EC3B0000-0x00000281EC8D6000-memory.dmp

    Filesize

    5.1MB

  • memory/2676-5-0x00007FFA5EE13000-0x00007FFA5EE14000-memory.dmp

    Filesize

    4KB

  • memory/2676-6-0x00007FFA5EE10000-0x00007FFA5F7FC000-memory.dmp

    Filesize

    9.9MB

  • memory/2676-7-0x00000281EBE80000-0x00000281EC14A000-memory.dmp

    Filesize

    2.8MB

  • memory/2676-8-0x00000281EB000000-0x00000281EB00E000-memory.dmp

    Filesize

    56KB