General

  • Target

    spoofer.rar

  • Size

    26KB

  • Sample

    240517-ned1xsfb4s

  • MD5

    fc2a2ef98fc4876c0ff4df059d4eefc6

  • SHA1

    48085f379a0601eb521dc7648f58de1b515bbb0a

  • SHA256

    dc303bf4fc27ed283589c456d5a5b40e9a0bc97ad9e3fcf9c603998491743248

  • SHA512

    a7a0008a1f27a9bc11b666cfb2c079fbdadf7f587c3b76f3e41179e4fd4c5ba19c556ec81bcff8df56ebca7dc986bf477b9e392a48d1101bce15fd7a05f3cbf3

  • SSDEEP

    384:5sYejZmEmE7KXX6cQyztVXgrYINy9HpxDpNYyHkgs+2tjPsQOYkb/TErqO085Qmn:5sxl/66Wub6b1s+SzsQkIqUQnW

Malware Config

Extracted

Family

discordrat

Attributes

  • discord_token

    MTI0MDcyOTAxNzg4ODUzODY1NA.Grdfmd.TkiEwQyP2bUA1RIGNTE-wkWpyVRP_iGf-NHIsI

  • server_id

    1240883770677264404

Targets

    • Target

      spoofer/spoofer.exe

    • Size

      78KB

    • MD5

      a588fc073017f17b9538be0d7950fe8b

    • SHA1

      db71c1ad51e13f38c5342fa2c84fa45221176839

    • SHA256

      5b25158dadc5ac21c99c100eb9c49f86898dc19959e045f131414ee1e52fe2f1

    • SHA512

      08bdf70710d8e5330f824f971a5585e0b2b3a6516c0a59f5c00fe175b681ecbf25a354c64e1bcb9cb1d5fd0c6401e765355c416e0b860e8da0a4ff72e32ca1f5

    • SSDEEP

      1536:52WjO8XeEXFh5P7v88wbjNrfxCXhRoKV6+V+LPIC:5Zv5PDwbjNrmAE+jIC

    • Discord RAT

      A RAT written in C# using Discord as a C2.

    • Suspicious use of NtCreateProcessExOtherParentProcess

    • Suspicious use of NtCreateUserProcessOtherParentProcess

    • Command and Scripting Interpreter: PowerShell

      Runs PowerShell to modify Windows Defender settings, adding exclusions for file extensions, paths, and processes.

    • Disables Task Manager via registry modification

    • Downloads MZ/PE file

    • Modifies Windows Firewall

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials and similar sensitive information.

    • Legitimate hosting services abused for malware hosting/C2

    • Drops file in System32 directory

    • Suspicious use of SetThreadContext

MITRE ATT&CK Matrix (ATT&CK v13)

Tactic, then technique (ATT&CK ID): number of matched behaviours

Execution
  • Command and Scripting Interpreter (T1059): 1
  • PowerShell (T1059.001): 1

Persistence
  • Create or Modify System Process (T1543): 1
  • Windows Service (T1543.003): 1

Privilege Escalation
  • Create or Modify System Process (T1543): 1
  • Windows Service (T1543.003): 1

Defense Evasion
  • Impair Defenses (T1562): 1
  • Disable or Modify System Firewall (T1562.004): 1
  • Modify Registry (T1112): 1

Credential Access
  • Unsecured Credentials (T1552): 1
  • Credentials In Files (T1552.001): 1

Discovery
  • System Information Discovery (T1082): 4
  • Query Registry (T1012): 4
  • Peripheral Device Discovery (T1120): 1

Collection
  • Data from Local System (T1005): 1

Command and Control
  • Web Service (T1102): 1

Tasks