Overview

overview

10

Static

static

3

Desktop.exe

windows10-2004-x64

10

Sharing

Copy URL
Twitter E-mail

General

  • Target

    Desktop.exe

  • Size

    9.8MB

  • Sample

    240618-w6cwyaycjl

  • MD5

    44265fe120ee31b939e6d4aca9cdeb80

  • SHA1

    9452e1039f82023136c12a4cf11f9dfccba389f4

  • SHA256

    6f72152cb1615a64f0e8c49ba8f49dea012dbad0badd521eeda3290c6959fd84

  • SHA512

    f0c90551338c821fbe9bd81f4f25325bb4c2ae29191c7df842099db53c6da9536a45d6488d369c93b52379df6b33f541709a7cf9a25a5436f5d5f5caa688103d

  • SSDEEP

    196608:j3GvGDAvRL2MYieslPns0WWAujj2anjVp4T7FOpkvC8TLMSm6NOlqFBShk3iC6:8v8s5nDFjnjD27FOG6OMD6NTFoho6

Score
10/10
discordratexelastealerdefense_evasionevasionpersistenceprivilege_escalationpyinstallerratrootkitspywarestealerupx

Malware Config

Extracted

Family

discordrat

Attributes
  • discord_token

    MTIyMDc5MzQxNDI0NTgxMDI0Ng.GEBKsM.ZC_PzVBNAJuDtGSU4g7MSk0kvLhn9vVw1QBppA

  • server_id

    1236364451591229492

Targets

    • Target

      Desktop.exe

    • Size

      9.8MB

    • MD5

      44265fe120ee31b939e6d4aca9cdeb80

    • SHA1

      9452e1039f82023136c12a4cf11f9dfccba389f4

    • SHA256

      6f72152cb1615a64f0e8c49ba8f49dea012dbad0badd521eeda3290c6959fd84

    • SHA512

      f0c90551338c821fbe9bd81f4f25325bb4c2ae29191c7df842099db53c6da9536a45d6488d369c93b52379df6b33f541709a7cf9a25a5436f5d5f5caa688103d

    • SSDEEP

      196608:j3GvGDAvRL2MYieslPns0WWAujj2anjVp4T7FOpkvC8TLMSm6NOlqFBShk3iC6:8v8s5nDFjnjD27FOG6OMD6NTFoho6

    Score
    10/10
    discordratexelastealerdefense_evasionevasionpersistenceprivilege_escalationpyinstallerratrootkitspywarestealerupx

    • Discord RAT

      A RAT written in C# using Discord as a C2.

      stealerrootkitratpersistencediscordrat

    • Exela Stealer

      Exela Stealer is an open source stealer originally written in .NET and later transitioned to Python that was first observed in August 2023.

      stealerexelastealer

    • Grants admin privileges

      Uses net.exe to modify the user's privileges.

    • Modifies Windows Firewall

      evasion

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Executes dropped EXE

    • Loads dropped DLL

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials etc.

      spywarestealer

    • UPX packed file

      Detects executables packed with UPX/modified UPX open source packer.

      upx

    • Legitimate hosting services abused for malware hosting/C2

    • Looks up external IP address via web service

      Uses a legitimate IP lookup service to find the infected system's external IP.

    • Hide Artifacts: Hidden Files and Directories

      defense_evasion
    behavioral1

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Command and Scripting Interpreter

1
T1059

Persistence

Account Manipulation

1
T1098

Create or Modify System Process

1
T1543

Windows Service

1
T1543.003

Event Triggered Execution

1
T1546

Netsh Helper DLL

1
T1546.007

Privilege Escalation

Create or Modify System Process

1
T1543

Windows Service

1
T1543.003

Event Triggered Execution

1
T1546

Netsh Helper DLL

1
T1546.007

Defense Evasion

Impair Defenses

1
T1562

Disable or Modify System Firewall

1
T1562.004

Hide Artifacts

2
T1564

Hidden Files and Directories

2
T1564.001

Credential Access

Unsecured Credentials

1
T1552

Credentials In Files

1
T1552.001

Discovery

Query Registry

1
T1012

System Information Discovery

5
T1082

Process Discovery

1
T1057

Lateral Movement

Collection

Data from Local System

2
T1005

Exfiltration

Command and Control

Web Service

1
T1102

Impact

Resource Development

Reconnaissance

Tasks