Analysis
-
max time kernel
119s -
max time network
120s -
platform
windows7_x64 -
resource
win7-20240508-en -
resource tags
arch:x64arch:x86image:win7-20240508-enlocale:en-usos:windows7-x64system -
submitted
28-05-2024 13:13
Static task
static1
Behavioral task
behavioral1
Sample
bananapng.exe
Resource
win7-20240508-en
Behavioral task
behavioral2
Sample
bananapng.exe
Resource
win10v2004-20240508-en
General
-
Target
bananapng.exe
-
Size
478KB
-
MD5
4c3c1db7d951b6e6ecfb6e798df7f274
-
SHA1
ac8c5317b900aed8787fe43bca0d5871c580abd3
-
SHA256
d11237b84ac5e0498786aa2bb410659c087a148943bcfff4015f044ec0756cb3
-
SHA512
17fc5f3c231bb3a78c500569b19a2c38f746571d479a613d88a617babae51e7e5aae19f28522b5bfb692b6f0daababfac620ca641850f01f7a988814c95ad37c
-
SSDEEP
12288:wCQjgAtAHM+vetZxF5EWry8AJGy0ylCGvc+YR7x:w5ZWs+OZVEWry8AFBIGvYH
Malware Config
Extracted
discordrat
-
discord_token
MTI0NDk4OTQ2MjkxMjY5NjMzMA.GIRO0i.b3bYZf7plrNBXM4V3TRj7NUzgJTJcKm3_NUU0o
-
server_id
1244990153932673145
Signatures
-
Discord RAT
A RAT written in C# using Discord as a C2.
-
Executes dropped EXE 1 IoCs
pid Process 2676 backdoor.exe -
Loads dropped DLL 6 IoCs
pid Process 1644 bananapng.exe 2556 WerFault.exe 2556 WerFault.exe 2556 WerFault.exe 2556 WerFault.exe 2556 WerFault.exe -
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Suspicious use of WriteProcessMemory 6 IoCs
description pid Process procid_target PID 1644 wrote to memory of 2676 1644 bananapng.exe 28 PID 1644 wrote to memory of 2676 1644 bananapng.exe 28 PID 1644 wrote to memory of 2676 1644 bananapng.exe 28 PID 2676 wrote to memory of 2556 2676 backdoor.exe 29 PID 2676 wrote to memory of 2556 2676 backdoor.exe 29 PID 2676 wrote to memory of 2556 2676 backdoor.exe 29
Processes
-
C:\Users\Admin\AppData\Local\Temp\bananapng.exe"C:\Users\Admin\AppData\Local\Temp\bananapng.exe"1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1644 -
C:\Users\Admin\AppData\Local\Temp\RarSFX0\backdoor.exe"C:\Users\Admin\AppData\Local\Temp\RarSFX0\backdoor.exe"2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2676 -
C:\Windows\system32\WerFault.exeC:\Windows\system32\WerFault.exe -u -p 2676 -s 5963⤵
- Loads dropped DLL
PID:2556
-
-
Network
MITRE ATT&CK Enterprise v15
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
78KB
MD5256b75bf21c40761d931bb199b9ebc64
SHA1e4ec59caab4afe8880c993e6183900c6b92af281
SHA25610c77ad6339c4b5c3a575e55d1d7dda52af5820a3a9859309f23a43f27b3c2d0
SHA512a3352d80f8f0c1f1cf29b3a671aef604dbd2bef149c4a71f4aa763bc0ae1d80d3889d34ce38afcf62a61c9730e5a463cae08edfd98a346937014ddb29b25c67c