Analysis Overview
SHA256
0254f150e1cdc3d3eaed66f447d504546f373bfcc859bd734318cc591396af3b
Threat Level: Known bad
The file AVRgpj.exe was found to be: Known bad.
Malicious Activity Summary
Discord RAT
Executes dropped EXE
Legitimate hosting services abused for malware hosting/C2
Enumerates physical storage devices
Unsigned PE
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
MITRE ATT&CK Matrix V13
Analysis: static1
Detonation Overview
Reported
2024-05-26 12:39
Signatures
Unsigned PE
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Analysis: behavioral1
Detonation Overview
Submitted
2024-05-26 12:39
Reported
2024-05-26 12:41
Platform
win10-20240404-en
Max time kernel
72s
Max time network
80s
Command Line
Signatures
Discord RAT
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\RarSFX0\av.exe | N/A |
Legitimate hosting services abused for malware hosting/C2
| Description | Indicator | Process | Target |
| N/A | discord.com | N/A | N/A |
| N/A | discord.com | N/A | N/A |
| N/A | discord.com | N/A | N/A |
Enumerates physical storage devices
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\RarSFX0\av.exe | N/A |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 2988 wrote to memory of 4480 | N/A | C:\Users\Admin\AppData\Local\Temp\AVRgpj.exe | C:\Users\Admin\AppData\Local\Temp\RarSFX0\av.exe |
| PID 2988 wrote to memory of 4480 | N/A | C:\Users\Admin\AppData\Local\Temp\AVRgpj.exe | C:\Users\Admin\AppData\Local\Temp\RarSFX0\av.exe |
Processes
C:\Users\Admin\AppData\Local\Temp\AVRgpj.exe
"C:\Users\Admin\AppData\Local\Temp\AVRgpj.exe"
C:\Users\Admin\AppData\Local\Temp\RarSFX0\av.exe
"C:\Users\Admin\AppData\Local\Temp\RarSFX0\av.exe"
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | gateway.discord.gg | udp |
| US | 162.159.134.234:443 | gateway.discord.gg | tcp |
| US | 8.8.8.8:53 | 234.134.159.162.in-addr.arpa | udp |
| US | 8.8.8.8:53 | discord.com | udp |
| US | 162.159.128.233:443 | discord.com | tcp |
| US | 8.8.8.8:53 | geolocation-db.com | udp |
| DE | 159.89.102.253:443 | geolocation-db.com | tcp |
| US | 162.159.128.233:443 | discord.com | tcp |
| US | 8.8.8.8:53 | 233.128.159.162.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 253.102.89.159.in-addr.arpa | udp |
Files
C:\Users\Admin\AppData\Local\Temp\RarSFX0\av.exe
| MD5 | b62264f264fac36f1155abb7a2605c48 |
| SHA1 | d247059a5cde478128840949e7d7c421730ab56c |
| SHA256 | 072dde2a673c6bf2867464fd96894e5c906eebb0e2716cd6538a2066b49df849 |
| SHA512 | 7259632249fc4776dd619cc75c289417d9d0571c08aa61031b2ebacfde6241d1264ca1fcd96b7eb3d16456e908cd150adda54ded10f3830507fc0e6858e97f75 |
memory/4480-6-0x00007FFA72F73000-0x00007FFA72F74000-memory.dmp
memory/4480-7-0x0000017919620000-0x0000017919638000-memory.dmp
memory/4480-8-0x0000017933D00000-0x0000017933EC2000-memory.dmp
memory/4480-9-0x00007FFA72F70000-0x00007FFA7395C000-memory.dmp
memory/4480-10-0x0000017934400000-0x0000017934926000-memory.dmp
memory/4480-11-0x00007FFA72F73000-0x00007FFA72F74000-memory.dmp
memory/4480-12-0x00007FFA72F70000-0x00007FFA7395C000-memory.dmp