Analysis
-
max time kernel
120s -
max time network
125s -
platform
windows7_x64 -
resource
win7-20240221-en -
resource tags
arch:x64arch:x86image:win7-20240221-enlocale:en-usos:windows7-x64system -
submitted
05-06-2024 17:57
Static task
static1
Behavioral task
behavioral1
Sample
RobloxAdminPanelNewLeakedgpj.exe
Resource
win7-20240221-en
Behavioral task
behavioral2
Sample
RobloxAdminPanelNewLeakedgpj.exe
Resource
win10v2004-20240226-en
General
-
Target
RobloxAdminPanelNewLeakedgpj.exe
-
Size
376KB
-
MD5
211bd65a74765df0e85a8eedbc2e98c2
-
SHA1
d68318a9a00483d49f34d5a3573cf981308aa31f
-
SHA256
56c4d335ac7734b3fcc93e70dc43216d571cfd52117ebda2dd5dae7d070a5d9c
-
SHA512
0ef222608495c1eefb4a786663542c73c9c3a5160e7b73e678a0bdbea9824985ab4bd4d3f64fa0cb8a71b89c7e07f378a45851d79318b6f523f41fa61a58ebc7
-
SSDEEP
6144:PE+yclwQKjdn+WPtYVJIoBfYrkhFR1ahrG5/+ZErz:PBdlwHRn+WlYV+5rkhFR18rG5H
Malware Config
Extracted
discordrat
-
discord_token
MTI0NzYwNjA2ODE3NTk2MjEzMw.G3Bv2h.Oi-mmhg6ZK_uTFZKjQiDOwr-wcEm-Hq0xizKtQ
-
server_id
1247606720864321577
Signatures
-
Discord RAT
A RAT written in C# using Discord as a C2.
-
Executes dropped EXE 1 IoCs
pid Process 2520 backdoor.exe -
Loads dropped DLL 6 IoCs
pid Process 2660 RobloxAdminPanelNewLeakedgpj.exe 2548 WerFault.exe 2548 WerFault.exe 2548 WerFault.exe 2548 WerFault.exe 2548 WerFault.exe -
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Suspicious use of FindShellTrayWindow 1 IoCs
pid Process 2632 DllHost.exe -
Suspicious use of WriteProcessMemory 7 IoCs
description pid Process procid_target PID 2660 wrote to memory of 2520 2660 RobloxAdminPanelNewLeakedgpj.exe 29 PID 2660 wrote to memory of 2520 2660 RobloxAdminPanelNewLeakedgpj.exe 29 PID 2660 wrote to memory of 2520 2660 RobloxAdminPanelNewLeakedgpj.exe 29 PID 2660 wrote to memory of 2520 2660 RobloxAdminPanelNewLeakedgpj.exe 29 PID 2520 wrote to memory of 2548 2520 backdoor.exe 30 PID 2520 wrote to memory of 2548 2520 backdoor.exe 30 PID 2520 wrote to memory of 2548 2520 backdoor.exe 30
Processes
-
C:\Users\Admin\AppData\Local\Temp\RobloxAdminPanelNewLeakedgpj.exe"C:\Users\Admin\AppData\Local\Temp\RobloxAdminPanelNewLeakedgpj.exe"1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2660 -
C:\Users\Admin\AppData\Local\Temp\RarSFX0\backdoor.exe"C:\Users\Admin\AppData\Local\Temp\RarSFX0\backdoor.exe"2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2520 -
C:\Windows\system32\WerFault.exeC:\Windows\system32\WerFault.exe -u -p 2520 -s 5963⤵
- Loads dropped DLL
PID:2548
-
-
-
C:\Windows\SysWOW64\DllHost.exeC:\Windows\SysWOW64\DllHost.exe /Processid:{76D0CB12-7604-4048-B83C-1005C7DDC503}1⤵
- Suspicious use of FindShellTrayWindow
PID:2632
Network
MITRE ATT&CK Enterprise v15
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
25KB
MD594175ab0f8189f04b8ceb52470cc68db
SHA155b702459060e145274d8da5c5cb21232d6d8539
SHA256e5516ac4ee47d6945cc32cf093c800737301fe1adba1862cffa9e346b0aa1262
SHA5122df0ecf011adcdf7ec9a38cff8833cf5064011110bdb65e59c79e5c73aeb54e2de607ec38b453526041c27f898af56b23ea6ea3fdd7f575cc68ab71fe7dc3da2
-
Filesize
86KB
MD5da73d03e7e63df84355ca62baaefae8a
SHA14a24296ce0275ab6d5439a155a17d8de80d549d5
SHA25616cef3c03efe6d11b261709e330058536b7bd186fad81e932f2a9db1cef78610
SHA5127d8c28fa0ee62228104af1bd25aefe3f18fea9e9983d1cbcfa2f18f9f2832c5471fe4f545e775f6ed775802b3d687d81c1a14292af3406f6ef613c39e0c617e7