Analysis
-
max time kernel
99s -
max time network
153s -
platform
windows10-2004_x64 -
resource
win10v2004-20240426-en -
resource tags
arch:x64arch:x86image:win10v2004-20240426-enlocale:en-usos:windows10-2004-x64system -
submitted
28-05-2024 13:11
Static task
static1
Behavioral task
behavioral1
Sample
bananapng.exe
Resource
win7-20240220-en
Behavioral task
behavioral2
Sample
bananapng.exe
Resource
win10v2004-20240426-en
General
-
Target
bananapng.exe
-
Size
478KB
-
MD5
4c3c1db7d951b6e6ecfb6e798df7f274
-
SHA1
ac8c5317b900aed8787fe43bca0d5871c580abd3
-
SHA256
d11237b84ac5e0498786aa2bb410659c087a148943bcfff4015f044ec0756cb3
-
SHA512
17fc5f3c231bb3a78c500569b19a2c38f746571d479a613d88a617babae51e7e5aae19f28522b5bfb692b6f0daababfac620ca641850f01f7a988814c95ad37c
-
SSDEEP
12288:wCQjgAtAHM+vetZxF5EWry8AJGy0ylCGvc+YR7x:w5ZWs+OZVEWry8AFBIGvYH
Malware Config
Extracted
discordrat
-
discord_token
MTI0NDk4OTQ2MjkxMjY5NjMzMA.GIRO0i.b3bYZf7plrNBXM4V3TRj7NUzgJTJcKm3_NUU0o
-
server_id
1244990153932673145
Signatures
-
Discord RAT
A RAT written in C# using Discord as a C2.
-
Checks computer location settings 2 TTPs 1 IoCs
Looks up country code configured in the registry, likely geofence.
description ioc Process Key value queried \REGISTRY\USER\S-1-5-21-3571316656-3665257725-2415531812-1000\Control Panel\International\Geo\Nation bananapng.exe -
Executes dropped EXE 1 IoCs
pid Process 4240 backdoor.exe -
Legitimate hosting services abused for malware hosting/C2 1 TTPs 3 IoCs
flow ioc 17 discord.com 18 discord.com 25 discord.com -
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Suspicious use of AdjustPrivilegeToken 1 IoCs
description pid Process Token: SeDebugPrivilege 4240 backdoor.exe -
Suspicious use of WriteProcessMemory 2 IoCs
description pid Process procid_target PID 1792 wrote to memory of 4240 1792 bananapng.exe 85 PID 1792 wrote to memory of 4240 1792 bananapng.exe 85
Processes
-
C:\Users\Admin\AppData\Local\Temp\bananapng.exe"C:\Users\Admin\AppData\Local\Temp\bananapng.exe"1⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:1792 -
C:\Users\Admin\AppData\Local\Temp\RarSFX0\backdoor.exe"C:\Users\Admin\AppData\Local\Temp\RarSFX0\backdoor.exe"2⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:4240
-
Network
MITRE ATT&CK Enterprise v15
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
78KB
MD5256b75bf21c40761d931bb199b9ebc64
SHA1e4ec59caab4afe8880c993e6183900c6b92af281
SHA25610c77ad6339c4b5c3a575e55d1d7dda52af5820a3a9859309f23a43f27b3c2d0
SHA512a3352d80f8f0c1f1cf29b3a671aef604dbd2bef149c4a71f4aa763bc0ae1d80d3889d34ce38afcf62a61c9730e5a463cae08edfd98a346937014ddb29b25c67c