Analysis
max time kernel: 45s
max time network: 39s
platform: windows11-21h2_x64
resource: win11-20240508-en
resource tags: arch:x64, arch:x86, image:win11-20240508-en, locale:en-us, os:windows11-21h2-x64, system
submitted: 23-06-2024 04:11
Static task: static1
Behavioral task: behavioral1
  Sample: RobloxRule34.exe
  Resource: win10v2004-20240508-en
Behavioral task: behavioral2
  Sample: RobloxRule34.exe
  Resource: win11-20240508-en
General
Target: RobloxRule34.exe
Size: 505KB
MD5: 634012a39686513995ecbbaf04235a0a
SHA1: 6204df4370ed114bde2caac305f96b1954e68504
SHA256: 134bc640e8cc14d6c30f91407a8c812a63319072343bbf8a6bc2aaf3a902d44b
SHA512: b8881eb85dc001d4c256a60dbc141592f89ffded8f90d2240c80d6af6468a34e1ac52e288170c0296cf1afe735e7ef7da6a4738adcfc253fded53c7c56ebe002
SSDEEP: 12288:TyveQB/fTHIGaPkKEYzURNAwbAg8ox4CA9ndmc:TuDXTIGaPhEYzUzA0qV9nkc
Malware Config
Extracted family: discordrat
discord_token: MTI1NDI4MDkwNjYzODc1Mzg2Mw.GB5zNE.lgu4CSBwMUVxaeb6e0u9sFYW6gLtr8IglmywhI
server_id: 1189676766084735048
Signatures
- Discord RAT: A RAT written in C# using Discord as a C2.
- Executes dropped EXE (1 IoC)
  PID 1668: Client-built.exe
- Legitimate hosting services abused for malware hosting/C2 (1 TTP, 3 IoCs)
  flow 4: discord.com
  flow 6: discord.com
  flow 9: discord.com
- Enumerates physical storage devices (1 TTP): Attempts to interact with connected storage/optical drive(s).
- Suspicious use of AdjustPrivilegeToken (1 IoC)
  Token: SeDebugPrivilege; PID 1668: Client-built.exe
- Suspicious use of WriteProcessMemory (2 IoCs)
  PID 4184 (RobloxRule34.exe) wrote to memory of PID 1668; procid_target: 78
  PID 4184 (RobloxRule34.exe) wrote to memory of PID 1668; procid_target: 78
Processes
1. C:\Users\Admin\AppData\Local\Temp\RobloxRule34.exe
   Command line: "C:\Users\Admin\AppData\Local\Temp\RobloxRule34.exe"
   PID: 4184
   - Suspicious use of WriteProcessMemory
   2. C:\Users\Admin\AppData\Local\Temp\RarSFX0\Client-built.exe
      Command line: "C:\Users\Admin\AppData\Local\Temp\RarSFX0\Client-built.exe"
      PID: 1668
      - Executes dropped EXE
      - Suspicious use of AdjustPrivilegeToken
Network
MITRE ATT&CK Enterprise v15
Downloads
- Filesize: 78KB
  MD5: c2207566970ad0379a62da59e3c4caff
  SHA1: 59759d884744c5c025fe800a0b86b63555f7bfe9
  SHA256: 61247d55a049a1a16833a6be90b50ceef20340db7b31181b07d95cbc345dd1ba
  SHA512: 2b6a2684c1a5db78fc1080c26b7263bb5c04eb760d142369cd4d987b35ff9fd76092fe3ceae0633f26f98a12b4d1b5b4aca7071a7022d22d264237dbf1a488bc