Analysis

  • max time kernel
    99s
  • max time network
    153s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240426-en
  • resource tags

    arch:x64, arch:x86, image:win10v2004-20240426-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    28-05-2024 13:11

General

  • Target

    banana‮png.exe

  • Size

    478KB

  • MD5

    4c3c1db7d951b6e6ecfb6e798df7f274

  • SHA1

    ac8c5317b900aed8787fe43bca0d5871c580abd3

  • SHA256

    d11237b84ac5e0498786aa2bb410659c087a148943bcfff4015f044ec0756cb3

  • SHA512

    17fc5f3c231bb3a78c500569b19a2c38f746571d479a613d88a617babae51e7e5aae19f28522b5bfb692b6f0daababfac620ca641850f01f7a988814c95ad37c

  • SSDEEP

    12288:wCQjgAtAHM+vetZxF5EWry8AJGy0ylCGvc+YR7x:w5ZWs+OZVEWry8AFBIGvYH

Malware Config

Extracted

Family

discordrat

Attributes
  • discord_token

    MTI0NDk4OTQ2MjkxMjY5NjMzMA.GIRO0i.b3bYZf7plrNBXM4V3TRj7NUzgJTJcKm3_NUU0o

  • server_id

    1244990153932673145

Signatures

  • Discord RAT

    A RAT written in C# using Discord as a C2.

  • Checks computer location settings 2 TTPs 1 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Executes dropped EXE 1 IoCs
  • Legitimate hosting services abused for malware hosting/C2 1 TTPs 3 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Suspicious use of AdjustPrivilegeToken 1 IoCs
  • Suspicious use of WriteProcessMemory 2 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\banana‮png.exe
    "C:\Users\Admin\AppData\Local\Temp\banana‮png.exe"
    1⤵
    • Checks computer location settings
    • Suspicious use of WriteProcessMemory
    PID:1792
    • C:\Users\Admin\AppData\Local\Temp\RarSFX0\backdoor.exe
      "C:\Users\Admin\AppData\Local\Temp\RarSFX0\backdoor.exe"
      2⤵
      • Executes dropped EXE
      • Suspicious use of AdjustPrivilegeToken
      PID:4240

Network

MITRE ATT&CK Enterprise v15

Downloads

  • C:\Users\Admin\AppData\Local\Temp\RarSFX0\backdoor.exe

    Filesize

    78KB

    MD5

    256b75bf21c40761d931bb199b9ebc64

    SHA1

    e4ec59caab4afe8880c993e6183900c6b92af281

    SHA256

    10c77ad6339c4b5c3a575e55d1d7dda52af5820a3a9859309f23a43f27b3c2d0

    SHA512

    a3352d80f8f0c1f1cf29b3a671aef604dbd2bef149c4a71f4aa763bc0ae1d80d3889d34ce38afcf62a61c9730e5a463cae08edfd98a346937014ddb29b25c67c

  • memory/4240-12-0x00007FFE0D0E3000-0x00007FFE0D0E5000-memory.dmp

    Filesize

    8KB

  • memory/4240-13-0x000001DADF130000-0x000001DADF148000-memory.dmp

    Filesize

    96KB

  • memory/4240-14-0x000001DAF97F0000-0x000001DAF99B2000-memory.dmp

    Filesize

    1.8MB

  • memory/4240-15-0x00007FFE0D0E0000-0x00007FFE0DBA1000-memory.dmp

    Filesize

    10.8MB

  • memory/4240-16-0x000001DAFA030000-0x000001DAFA558000-memory.dmp

    Filesize

    5.2MB

  • memory/4240-17-0x00007FFE0D0E3000-0x00007FFE0D0E5000-memory.dmp

    Filesize

    8KB

  • memory/4240-18-0x00007FFE0D0E0000-0x00007FFE0DBA1000-memory.dmp

    Filesize

    10.8MB