Analysis
-
max time kernel
125s -
max time network
126s -
platform
windows10-1703_x64 -
resource
win10-20240404-en -
resource tags
arch:x64arch:x86image:win10-20240404-enlocale:en-usos:windows10-1703-x64system -
submitted
09-05-2024 14:23
Behavioral task
behavioral1
Sample
Xeroexecutor.exe
Resource
win10-20240404-en
windows10-1703-x64
5 signatures
150 seconds
General
-
Target
Xeroexecutor.exe
-
Size
78KB
-
MD5
a4b35f10a18f1c4360b00f828abbc2b5
-
SHA1
78c9ba86d8b3ca966b66ddb182c08268c79858a6
-
SHA256
b4ca7c2c6efafb1d7402096885dcae56f6fb3d845b758ed3c1cfef21792e1444
-
SHA512
47703141997cae647f52f692a62b38bc7543f739b5334f387f8753716cadb488898abeda21732b13c7153e0bcbc76a44c9d821f899c3b137892587538296bb3b
-
SSDEEP
1536:52WjO8XeEXFh5P7v88wbjNrfxCXhRoKV6+V+KPIC:5Zv5PDwbjNrmAE+WIC
Score
10/10
Malware Config
Extracted
Family
discordrat
Attributes
-
discord_token
MTIwNjA0MDA2MDI2NTM2NTUwNA.GStFBi.KFxuLXKvS3XujUPdFiaRzwKmwtmjd2uDdKdcmY
-
server_id
1237709600602722354
Signatures
-
Discord RAT
A RAT written in C# using Discord as a C2.
-
Downloads MZ/PE file
-
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
Legitimate hosting services abused for malware hosting/C2 1 TTPs 15 IoCs
flow ioc 12 discord.com 17 raw.githubusercontent.com 25 raw.githubusercontent.com 3 discord.com 14 discord.com 15 discord.com 28 discord.com 4 discord.com 19 discord.com 21 discord.com 27 discord.com 8 discord.com 11 discord.com 18 raw.githubusercontent.com 26 discord.com -
Suspicious use of AdjustPrivilegeToken 2 IoCs
description pid Process Token: SeDebugPrivilege 2676 Xeroexecutor.exe Token: SeShutdownPrivilege 2676 Xeroexecutor.exe