Resubmissions

13-05-2024 22:09

240513-124ajsfe9y 10

13-05-2024 22:01

240513-1xljyafd4w 10

General

  • Target

    Robloxscript.exe

  • Size

    6.0MB

  • Sample

    240513-124ajsfe9y

  • MD5

    1647c032f8e2c490936d578ae193e799

  • SHA1

    a3c57bc5a1021bd1f34eb3f307208b189c8fd9d4

  • SHA256

    99102d69babf9f72ab79ccb7fa3f3c3f33ff9963300c739557d3de7ec847b36d

  • SHA512

    355cd1e95be9c4bfba6302246e25a4de78e63945261724be54faa1fdd05604614e62eb50cef0dd9b4856074f6ffb7c91c9f3851475c564ddf2fae9fc5c3437b9

  • SSDEEP

    98304:Ur+yFEtdFBgfamaHl3Ne4i3gmtfXJOLhx9fZAzDJ4wzQgsRuGK4R4BMgUd3mszwF:Ur+PFheN/FJMIDJf0gsAGK4R4ug80F

Malware Config

Extracted

Family

discordrat

Attributes
  • discord_token

    MTIzODY2NDMwNzM2NTkwODUyMQ.GDvhgA.XMPH7BZJagiRxu6AdE_1g9HRnMxqmrvHaYqdNA

  • server_id

    1238663060147667046

Targets

    • Target

      Robloxscript.exe

    • Size

      6.0MB

    • MD5

      1647c032f8e2c490936d578ae193e799

    • SHA1

      a3c57bc5a1021bd1f34eb3f307208b189c8fd9d4

    • SHA256

      99102d69babf9f72ab79ccb7fa3f3c3f33ff9963300c739557d3de7ec847b36d

    • SHA512

      355cd1e95be9c4bfba6302246e25a4de78e63945261724be54faa1fdd05604614e62eb50cef0dd9b4856074f6ffb7c91c9f3851475c564ddf2fae9fc5c3437b9

    • SSDEEP

      98304:Ur+yFEtdFBgfamaHl3Ne4i3gmtfXJOLhx9fZAzDJ4wzQgsRuGK4R4BMgUd3mszwF:Ur+PFheN/FJMIDJf0gsAGK4R4ug80F

    • Discord RAT

      A RAT written in C# using Discord as a C2.

    • Command and Scripting Interpreter: PowerShell

      Using powershell.exe command.

    • Executes dropped EXE

    • Loads dropped DLL

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials etc.

    • UPX packed file

      Detects executables packed with UPX/modified UPX open source packer.

    • Accesses cryptocurrency files/wallets, possible credential harvesting

    • Legitimate hosting services abused for malware hosting/C2

    • Looks up external IP address via web service

      Uses a legitimate IP lookup service to find the infected system's external IP.

MITRE ATT&CK Enterprise v15

Tasks