General

  • Target

    XBinderOutput.exe

  • Size

    137KB

  • Sample

    240512-pghmkahd94

  • MD5

    4ab779755561a8482dddbe1abad37ad1

  • SHA1

    e23831bb043fe6993ef738f39e53083aad249d59

  • SHA256

    6ee3c0bd479790df923c06fa453b9dbd341533da9842eb8cdfeaea4c25f124aa

  • SHA512

    8ef9b56e8bd56e3d8ddb0e87091701fd142700e9d35e2fa8f92843bff9b176aaf0f7d1bdcfdb2497562b94ad0d5b9be25dcc13e744bcf567200f870930bda734

  • SSDEEP

    3072:x69aH7fFuyMf1pX9VHQy3+T9V6ys2IEEUkJ284w9Dd39NjpY:s9aHjFF0zB3+TDN+Jkw9R397

Malware Config

Extracted

Family

discordrat

Attributes
  • discord_token

    MTIzOTE4ODEwNDA4Mjg4NjcxNg.GIxCFf.GVfBixIoImSEUH3nqBaHSCda2w6A3eQ_loapSc

  • server_id

    1238373593272815617
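Two pivot points a responder can pull from the extracted config without ever talking to Discord's API, as an added example (not code from the sandbox or from the malware author): the first dot-separated segment of a bot token is the base64url-encoded bot user ID, and the upper 42 bits of any Discord snowflake (user ID or guild ID) are milliseconds since Discord's documented epoch of 2015-01-01T00:00:00Z. The token and server_id are the values extracted above; everything else (the helper names, the summary shape) is this example's own.

```python
import base64
from datetime import datetime, timezone

# Discord snowflake epoch, 2015-01-01T00:00:00Z, in milliseconds (documented by Discord).
DISCORD_EPOCH_MS = 1420070400000

# Values copied from the extracted config above.
DISCORD_TOKEN = "MTIzOTE4ODEwNDA4Mjg4NjcxNg.GIxCFf.GVfBixIoImSEUH3nqBaHSCda2w6A3eQ_loapSc"
SERVER_ID = 1238373593272815617


def _b64url_decode(segment: str) -> bytes:
    """Decode an unpadded base64url segment, re-adding the padding Discord strips."""
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def bot_user_id_from_token(token: str) -> int:
    """The first segment of a bot token is the base64url-encoded decimal user ID
    of the bot account. The second segment is a creation timestamp and the third
    an HMAC; neither is needed for attribution, so they are left alone here."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("expected three dot-separated token segments")
    return int(_b64url_decode(parts[0]).decode("ascii"))


def snowflake_created_at(snowflake: int) -> datetime:
    """Bits 22..63 of a Discord snowflake are milliseconds since DISCORD_EPOCH_MS."""
    ms = (snowflake >> 22) + DISCORD_EPOCH_MS
    return datetime.fromtimestamp(ms // 1000, tz=timezone.utc)


def summarise(token: str, server_id: int) -> dict:
    """What a responder would put in an abuse report to Discord: the bot account
    behind the token and when the bot and the C2 guild were created."""
    bot_id = bot_user_id_from_token(token)
    return {
        "bot_user_id": bot_id,
        "bot_created": snowflake_created_at(bot_id).date().isoformat(),
        "guild_id": server_id,
        "guild_created": snowflake_created_at(server_id).date().isoformat(),
    }


if __name__ == "__main__":
    for key, value in summarise(DISCORD_TOKEN, SERVER_ID).items():
        print(f"{key}: {value}")
```

For this sample the bot account and the guild were both created within days of the submission date (240512), which is the usual pattern for throwaway Discord C2 infrastructure: the bot ID, not the (revocable) token, is the durable identifier to report and to pivot on.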

Targets

    • Discord RAT

      A RAT written in C# using Discord as a C2.

    • Command and Scripting Interpreter: PowerShell

      Runs PowerShell to modify Windows Defender settings, adding exclusions for file extensions, paths, and processes.

    • Checks computer location settings

      Looks up the country code configured in the registry, likely as a geofence.

    • Executes dropped EXE

    • Adds Run key to start application

    • Legitimate hosting services abused for malware hosting/C2

    • Drops file in System32 directory
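A minimal detection pass over the behaviours in the signature list above, as an added example that is not the sandbox's own signature logic. It runs over constructed Sysmon-style events (process create, registry value set, DNS query); the paths, value names, command line and domains in the sample events are made up for the illustration and are not telemetry from this sample.

```python
import re
from collections import Counter

# Constructed sample telemetry in a Sysmon-like shape (not captured from the sample):
# EventID 1 = process create, 13 = registry value set, 22 = DNS query.
SAMPLE_EVENTS = [
    {"EventID": 1,
     "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "ParentImage": r"C:\Users\victim\Downloads\XBinderOutput.exe",
     "CommandLine": r'powershell.exe -NoProfile -Command "Add-MpPreference '
                    r'-ExclusionPath C:\Users\victim\AppData\Roaming '
                    r'-ExclusionExtension .exe -ExclusionProcess XBinderOutput.exe"'},
    {"EventID": 13,
     "Image": r"C:\Users\victim\Downloads\XBinderOutput.exe",
     "TargetObject": r"HKU\S-1-5-21-1-2-3-1001\Software\Microsoft\Windows\CurrentVersion\Run\Updater",
     "Details": r"C:\Windows\System32\Updater.exe"},
    {"EventID": 22, "Image": r"C:\Windows\System32\Updater.exe", "QueryName": "discord.com"},
    # Benign control: the real Discord client talking to its gateway.
    {"EventID": 22, "Image": r"C:\Program Files\Discord\Discord.exe", "QueryName": "gateway.discord.gg"},
    # Benign control: PowerShell reading, not changing, Defender preferences.
    {"EventID": 1,
     "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "ParentImage": r"C:\Windows\explorer.exe",
     "CommandLine": "powershell.exe Get-MpPreference"},
]

# Defender exclusion changes: Add-/Set-MpPreference with any -Exclusion* parameter.
DEFENDER_EXCLUSION = re.compile(r"(Add|Set)-MpPreference\b.*-Exclusion(Path|Extension|Process)", re.I)
# Autostart persistence: any value written under a Run or RunOnce key.
RUN_KEY = re.compile(r"\\Software\\Microsoft\\Windows\\CurrentVersion\\Run(Once)?\\", re.I)
# Discord API/gateway domains used as C2 by this family.
DISCORD_DOMAIN = re.compile(r"(^|\.)(discord\.com|discordapp\.com|discord\.gg)$", re.I)
# Processes expected to talk to Discord (assumed allow list); anything else is suspicious.
DISCORD_ALLOWED_IMAGES = re.compile(r"\\(Discord|chrome|msedge|firefox)\.exe$", re.I)


def detect(events):
    """Return (rule_name, event) for every event matching one of the behaviours."""
    hits = []
    for ev in events:
        eid = ev.get("EventID")
        if eid == 1 and DEFENDER_EXCLUSION.search(ev.get("CommandLine", "")):
            hits.append(("defender_exclusion_via_powershell", ev))
        elif eid == 13 and RUN_KEY.search(ev.get("TargetObject", "")):
            hits.append(("run_key_persistence", ev))
        elif (eid == 22 and DISCORD_DOMAIN.search(ev.get("QueryName", ""))
              and not DISCORD_ALLOWED_IMAGES.search(ev.get("Image", ""))):
            hits.append(("discord_c2_from_unexpected_process", ev))
    return hits


def rule_counts(events):
    """Number of hits per rule, handy for asserting a ruleset against a corpus."""
    return dict(Counter(name for name, _ in detect(events)))


if __name__ == "__main__":
    for name, ev in detect(SAMPLE_EVENTS):
        print(f"{name}: {ev.get('Image')}")
```

The DNS rule deliberately keys on the process rather than the domain alone: Discord traffic is unremarkable on most estates, so the signal is an unexpected image (here a binary dropped into System32 and started from a Run key) resolving discord.com. In a real deployment the Defender rule should also be fed from PowerShell script block logging (event 4104), since the command line is easy to hide behind an encoded or file-based script.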
