Malware Analysis Report

2024-09-11 09:21

Sample ID 240605-wjzgesee35
Target RobloxAdminPanelNewLeakedgpj.exe
SHA256 56c4d335ac7734b3fcc93e70dc43216d571cfd52117ebda2dd5dae7d070a5d9c
Tags
discordrat persistence rat rootkit stealer
Score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK Matrix

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

Score
10/10

SHA256

56c4d335ac7734b3fcc93e70dc43216d571cfd52117ebda2dd5dae7d070a5d9c

Threat Level: Known bad

The file RobloxAdminPanelNewLeakedgpj.exe was found to be: Known bad.

Malicious Activity Summary

discordrat persistence rat rootkit stealer

Discord RAT

Downloads MZ/PE file

Executes dropped EXE

Loads dropped DLL

Checks computer location settings

Legitimate hosting services abused for malware hosting/C2

Enumerates physical storage devices

Unsigned PE

Suspicious use of FindShellTrayWindow

Suspicious use of AdjustPrivilegeToken

Suspicious use of WriteProcessMemory

MITRE ATT&CK Matrix V13

Analysis: static1

Detonation Overview

Reported

2024-06-05 17:57

Signatures

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-06-05 17:57

Reported

2024-06-05 18:00

Platform

win7-20240221-en

Max time kernel

120s

Max time network

125s

Command Line

"C:\Users\Admin\AppData\Local\Temp\RobloxAdminPanelNewLeakedgpj.exe"

Signatures

Discord RAT

stealer rootkit rat persistence discordrat

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\RarSFX0\backdoor.exe N/A

Enumerates physical storage devices

Suspicious use of FindShellTrayWindow

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\DllHost.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\RobloxAdminPanelNewLeakedgpj.exe

"C:\Users\Admin\AppData\Local\Temp\RobloxAdminPanelNewLeakedgpj.exe"

C:\Windows\SysWOW64\DllHost.exe

C:\Windows\SysWOW64\DllHost.exe /Processid:{76D0CB12-7604-4048-B83C-1005C7DDC503}

C:\Users\Admin\AppData\Local\Temp\RarSFX0\backdoor.exe

"C:\Users\Admin\AppData\Local\Temp\RarSFX0\backdoor.exe"

C:\Windows\system32\WerFault.exe

C:\Windows\system32\WerFault.exe -u -p 2520 -s 596

Network

N/A

Files

memory/2660-4-0x0000000003000000-0x0000000003002000-memory.dmp

memory/2632-5-0x00000000001B0000-0x00000000001B2000-memory.dmp

memory/2632-6-0x0000000000290000-0x0000000000291000-memory.dmp

\Users\Admin\AppData\Local\Temp\RarSFX0\backdoor.exe

MD5 da73d03e7e63df84355ca62baaefae8a
SHA1 4a24296ce0275ab6d5439a155a17d8de80d549d5
SHA256 16cef3c03efe6d11b261709e330058536b7bd186fad81e932f2a9db1cef78610
SHA512 7d8c28fa0ee62228104af1bd25aefe3f18fea9e9983d1cbcfa2f18f9f2832c5471fe4f545e775f6ed775802b3d687d81c1a14292af3406f6ef613c39e0c617e7

memory/2520-13-0x000000013F150000-0x000000013F16A000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\RarSFX0\Robloxpanel.png

MD5 94175ab0f8189f04b8ceb52470cc68db
SHA1 55b702459060e145274d8da5c5cb21232d6d8539
SHA256 e5516ac4ee47d6945cc32cf093c800737301fe1adba1862cffa9e346b0aa1262
SHA512 2df0ecf011adcdf7ec9a38cff8833cf5064011110bdb65e59c79e5c73aeb54e2de607ec38b453526041c27f898af56b23ea6ea3fdd7f575cc68ab71fe7dc3da2

memory/2632-20-0x0000000000290000-0x0000000000291000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted

2024-06-05 17:57

Reported

2024-06-05 18:00

Platform

win10v2004-20240226-en

Max time kernel

151s

Max time network

158s

Command Line

"C:\Users\Admin\AppData\Local\Temp\RobloxAdminPanelNewLeakedgpj.exe"

Signatures

Discord RAT

stealer rootkit rat persistence discordrat

Downloads MZ/PE file

Checks computer location settings

Description Indicator Process Target
Key value queried \REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\RobloxAdminPanelNewLeakedgpj.exe N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\RarSFX0\backdoor.exe N/A

Legitimate hosting services abused for malware hosting/C2

Description Indicator Process Target
N/A discord.com N/A N/A
N/A discord.com N/A N/A
N/A discord.com N/A N/A
N/A discord.com N/A N/A
N/A discord.com N/A N/A
N/A discord.com N/A N/A
N/A raw.githubusercontent.com N/A N/A
N/A raw.githubusercontent.com N/A N/A
N/A discord.com N/A N/A
N/A discord.com N/A N/A
N/A discord.com N/A N/A

Enumerates physical storage devices

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\RarSFX0\backdoor.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\RobloxAdminPanelNewLeakedgpj.exe

"C:\Users\Admin\AppData\Local\Temp\RobloxAdminPanelNewLeakedgpj.exe"

C:\Users\Admin\AppData\Local\Temp\RarSFX0\backdoor.exe

"C:\Users\Admin\AppData\Local\Temp\RarSFX0\backdoor.exe"

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=4256 --field-trial-handle=2252,i,16022092570067181109,3235558581947505669,262144 --variations-seed-version /prefetch:8

Network

Country Destination Domain Proto
US 8.8.8.8:53 196.249.167.52.in-addr.arpa udp
US 8.8.8.8:53 105.83.221.88.in-addr.arpa udp
US 8.8.8.8:53 73.31.126.40.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 28.118.140.52.in-addr.arpa udp
US 8.8.8.8:53 gateway.discord.gg udp
US 162.159.136.234:443 gateway.discord.gg tcp
US 8.8.8.8:53 234.136.159.162.in-addr.arpa udp
US 8.8.8.8:53 104.219.191.52.in-addr.arpa udp
US 8.8.8.8:53 discord.com udp
US 162.159.138.232:443 discord.com tcp
US 8.8.8.8:53 geolocation-db.com udp
DE 159.89.102.253:443 geolocation-db.com tcp
US 162.159.138.232:443 discord.com tcp
US 8.8.8.8:53 232.138.159.162.in-addr.arpa udp
US 8.8.8.8:53 253.102.89.159.in-addr.arpa udp
US 8.8.8.8:53 56.126.166.20.in-addr.arpa udp
US 8.8.8.8:53 50.23.12.20.in-addr.arpa udp
US 8.8.8.8:53 114.83.221.88.in-addr.arpa udp
US 8.8.8.8:53 11.227.111.52.in-addr.arpa udp
US 162.159.138.232:443 discord.com tcp
US 162.159.138.232:443 discord.com tcp
US 8.8.8.8:53 raw.githubusercontent.com udp
US 185.199.110.133:443 raw.githubusercontent.com tcp
US 162.159.138.232:443 discord.com tcp
US 162.159.138.232:443 discord.com tcp
US 8.8.8.8:53 133.110.199.185.in-addr.arpa udp
US 8.8.8.8:53 4.73.50.20.in-addr.arpa udp
US 162.159.138.232:443 discord.com tcp
US 162.159.138.232:443 discord.com tcp

Files

C:\Users\Admin\AppData\Local\Temp\RarSFX0\backdoor.exe

MD5 da73d03e7e63df84355ca62baaefae8a
SHA1 4a24296ce0275ab6d5439a155a17d8de80d549d5
SHA256 16cef3c03efe6d11b261709e330058536b7bd186fad81e932f2a9db1cef78610
SHA512 7d8c28fa0ee62228104af1bd25aefe3f18fea9e9983d1cbcfa2f18f9f2832c5471fe4f545e775f6ed775802b3d687d81c1a14292af3406f6ef613c39e0c617e7

memory/4708-14-0x00007FFAE8703000-0x00007FFAE8705000-memory.dmp

memory/4708-15-0x0000021BFFA20000-0x0000021BFFA3A000-memory.dmp

memory/4708-16-0x0000021C001D0000-0x0000021C00392000-memory.dmp

memory/4708-17-0x00007FFAE8700000-0x00007FFAE91C1000-memory.dmp

memory/4708-18-0x0000021B9B4B0000-0x0000021B9B9D8000-memory.dmp

memory/4708-19-0x00007FFAE8703000-0x00007FFAE8705000-memory.dmp

memory/4708-20-0x00007FFAE8700000-0x00007FFAE91C1000-memory.dmp

memory/4708-21-0x0000021B9B0C0000-0x0000021B9B0CE000-memory.dmp