Overview

overview

10

Static

static

3

Kinito_horror.exe

windows7-x64

10

Kinito_horror.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    186s
  • max time network
    208s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240426-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20240426-enlocale:en-usos:windows10-2004-x64system
  • submitted
    21-05-2024 11:26

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    Kinito_horror.exe

  • Size

    536KB

  • MD5

    ad96c8a2754e9842815afb1cfdb13581

  • SHA1

    422d8a2a47975ca27ae9824a99e438d4e28ece68

  • SHA256

    76629cc6ae5d1de771cf074cee28eb1b7e5ce236061a19f76fee039ac8f4d81d

  • SHA512

    f4250022659705cb7e75530af1ec64f732942bc3db305d5e3e716eda61cfd8308ee2ca0d89b499696b8e7e2bdf8edae7b1e87387dfdc8dcd210eb9485efb70a8

  • SSDEEP

    12288:fyveQB/fTHIGaPkKEYzURNA/bAg81p46UKXZlyyijD:fuDXTIGaPhEYzUzATqnxXRijD

Score
10/10
discordratpersistenceratrootkitstealer

Malware Config

Extracted

Family

discordrat

Attributes
  • discord_token

    MTI0MDA4ODk5MTQwODE5MzYyOA.GRW5NI.uFPBjoMjH0IQ-FgxpiJSv246Xes3LsI1_5H1Y8

  • server_id

    1239434854953648229

Signatures

  • Discord RAT

    A RAT written in C# using Discord as a C2.

    stealerrootkitratpersistencediscordrat
  • Checks computer location settings 2 TTPs 1 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Executes dropped EXE 1 IoCs
  • Legitimate hosting services abused for malware hosting/C2 1 TTPs 3 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Checks SCSI registry key(s) 3 TTPs 3 IoCs

    SCSI information is often read in order to detect sandboxing environments.

  • Checks processor information in registry 2 TTPs 2 IoCs

    Processor information is often read in order to detect sandboxing environments.

  • Suspicious behavior: EnumeratesProcesses 13 IoCs
  • Suspicious use of AdjustPrivilegeToken 6 IoCs
  • Suspicious use of FindShellTrayWindow 39 IoCs
  • Suspicious use of SendNotifyMessage 39 IoCs
  • Suspicious use of WriteProcessMemory 2 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\Kinito_horror.exe
    "C:\Users\Admin\AppData\Local\Temp\Kinito_horror.exe"
    1⤵
    • Checks computer location settings
    • Suspicious use of WriteProcessMemory
    PID:3652
    • C:\Users\Admin\AppData\Local\Temp\RarSFX0\test.exe
      "C:\Users\Admin\AppData\Local\Temp\RarSFX0\test.exe"
      2⤵
      • Executes dropped EXE
      • Suspicious use of AdjustPrivilegeToken
      PID:1560
  • C:\Windows\system32\taskmgr.exe
    "C:\Windows\system32\taskmgr.exe" /4
    1⤵
    • Checks SCSI registry key(s)
    • Checks processor information in registry
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of FindShellTrayWindow
    • Suspicious use of SendNotifyMessage
    PID:4840
  • C:\Windows\System32\rundll32.exe
    C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
    1⤵
      PID:4564

    Network

    MITRE ATT&CK Matrix ATT&CK v13

    Initial Access

    Execution

    Persistence

    Privilege Escalation

    Defense Evasion

    Credential Access

    Discovery

    Query Registry

    3
    T1012

    System Information Discovery

    4
    T1082

    Peripheral Device Discovery

    1
    T1120

    Lateral Movement

    Collection

    Exfiltration

    Command and Control

    Web Service

    1
    T1102

    Impact

    Resource Development

    Reconnaissance

    Replay Monitor

    Loading Replay Monitor...

    Downloads

    • C:\Users\Admin\AppData\Local\Temp\RarSFX0\test.exe
      Filesize

      78KB

      MD5

      ae9c47b621a083a0b0681b7aa9530946

      SHA1

      6cdd316cb5b2869927b42597b25cf7d495d5f9a4

      SHA256

      aa3727520be4bc19a78da7f575a9dcc93c0b5c2743725300f942e7dee2eaa3b1

      SHA512

      ae6330429bb9bc21709162296de375a79f5b8b89b3f4b58a5da12737b2fe0b44570e5eaab8fbb92ce190600fb1fc2a5f91fa425a719d8363a481d99f173bb109

      Download Submit
    • memory/1560-16-0x000001BA42F60000-0x000001BA43122000-memory.dmp
      Filesize

      1.8MB

      Download
    • memory/1560-15-0x00007FFC74453000-0x00007FFC74455000-memory.dmp
      Filesize

      8KB

      Download
    • memory/1560-14-0x000001BA28950000-0x000001BA28968000-memory.dmp
      Filesize

      96KB

      Download
    • memory/1560-17-0x00007FFC74450000-0x00007FFC74F11000-memory.dmp
      Filesize

      10.8MB

      Download
    • memory/1560-18-0x000001BA43760000-0x000001BA43C88000-memory.dmp
      Filesize

      5.2MB

      Download
    • memory/1560-19-0x00007FFC74453000-0x00007FFC74455000-memory.dmp
      Filesize

      8KB

      Download
    • memory/1560-20-0x00007FFC74450000-0x00007FFC74F11000-memory.dmp
      Filesize

      10.8MB

      Download
    • memory/4840-21-0x0000020CC31A0000-0x0000020CC31A1000-memory.dmp
      Filesize

      4KB

      Download
    • memory/4840-23-0x0000020CC31A0000-0x0000020CC31A1000-memory.dmp
      Filesize

      4KB

      Download
    • memory/4840-22-0x0000020CC31A0000-0x0000020CC31A1000-memory.dmp
      Filesize

      4KB

      Download
    • memory/4840-33-0x0000020CC31A0000-0x0000020CC31A1000-memory.dmp
      Filesize

      4KB

      Download
    • memory/4840-32-0x0000020CC31A0000-0x0000020CC31A1000-memory.dmp
      Filesize

      4KB

      Download
    • memory/4840-31-0x0000020CC31A0000-0x0000020CC31A1000-memory.dmp
      Filesize

      4KB

      Download
    • memory/4840-30-0x0000020CC31A0000-0x0000020CC31A1000-memory.dmp
      Filesize

      4KB

      Download
    • memory/4840-29-0x0000020CC31A0000-0x0000020CC31A1000-memory.dmp
      Filesize

      4KB

      Download
    • memory/4840-28-0x0000020CC31A0000-0x0000020CC31A1000-memory.dmp
      Filesize

      4KB

      Download
    • memory/4840-27-0x0000020CC31A0000-0x0000020CC31A1000-memory.dmp
      Filesize

      4KB

      Download