Overview

overview

10

Static

static

3

Tulpical_V3 lock.exe

windows7-x64

10

Tulpical_V3 lock.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    838s
  • max time network
    842s
  • platform
    windows7_x64
  • resource
    win7-20240611-en
  • resource tags

    arch:x64arch:x86image:win7-20240611-enlocale:en-usos:windows7-x64system
  • submitted
    14-06-2024 19:11

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    Tulpical_V3 lock.exe

  • Size

    736KB

  • MD5

    adb97c2b434b39f7aec3240097430b8a

  • SHA1

    33575f816b3e281aa327e2f07f673bd1fab25a81

  • SHA256

    02e896adebf162d071bf730e2c5eed52e207efe3d7eeafc094acc5b2cb763b52

  • SHA512

    cf85986f9527730964d92af0cc556bbbc4ad6eadca43af7427daf4addace189e9b12bebf146226df74c1882c864991b9a859decf6a1fd6d8b78bbfdd7e83ba66

  • SSDEEP

    12288:aCQjgAtAHM+vetZxF5EWry8AJGy0kWyOV5b+mkSAgjxbH93kZ:a5ZWs+OZVEWry8AFi9Vx+mkSTRH93C

Score
10/10
discordratpersistenceratrootkitstealer

Malware Config

Extracted

Family

discordrat

Attributes
  • discord_token

    MTIxMTA5OTM2NzcyMTc5NTYzNA.GqkwcX.UOjwiFdGIpv_jY2sOCDo02zExIyfhOxTIiOv6c

  • server_id

    1251241660453752944

Signatures

  • Discord RAT

    A RAT written in C# using Discord as a C2.

    stealerrootkitratpersistencediscordrat
  • Executes dropped EXE 1 IoCs
  • Loads dropped DLL 6 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Suspicious use of WriteProcessMemory 6 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\Tulpical_V3 lock.exe
    "C:\Users\Admin\AppData\Local\Temp\Tulpical_V3 lock.exe"
    1⤵
    • Loads dropped DLL
    • Suspicious use of WriteProcessMemory
    PID:2764
    • C:\Users\Admin\AppData\Local\Temp\lock image.exe
      "C:\Users\Admin\AppData\Local\Temp\lock image.exe"
      2⤵
      • Executes dropped EXE
      • Suspicious use of WriteProcessMemory
      PID:2956
      • C:\Windows\system32\WerFault.exe
        C:\Windows\system32\WerFault.exe -u -p 2956 -s 596
        3⤵
        • Loads dropped DLL
        PID:2756

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

  • \Users\Admin\AppData\Local\Temp\lock image.exe
    Filesize

    78KB

    MD5

    eb574fb1d907ffd85ce1854f5585d67a

    SHA1

    6b72bc26e0f282010c1c1e5589e130d250d28bb5

    SHA256

    1a3072f72b2747d1bbe6f8aec7945d7753c061cd02ab1a1632963d13ba9e61bd

    SHA512

    0df1476ff05cc2c34e9c84ac4ba7760c233755f8a9f031ac33241aab71cfc1fbba20344b1403620c7f7695360d30ab124cf3557bff4730bd10f8f8b71a580c6f

    Download Submit

  • memory/2764-10-0x0000000002FE0000-0x0000000002FE1000-memory.dmp

    Filesize

    4KB

    Download

  • memory/2956-11-0x000007FEF5D53000-0x000007FEF5D54000-memory.dmp

    Filesize

    4KB

    Download

  • memory/2956-12-0x000000013F6E0000-0x000000013F6F8000-memory.dmp

    Filesize

    96KB

    Download

  • memory/2956-17-0x000007FEF5D50000-0x000007FEF673C000-memory.dmp

    Filesize

    9.9MB

    Download

  • memory/2956-19-0x000007FEF5D50000-0x000007FEF673C000-memory.dmp

    Filesize

    9.9MB

    Download