discordrat | 8e2f032d0ff15f2c9bab0f9f894936066c42f388a5e891ed76e4e7cb9ff2e365 | Triage

Resubmissions

23-06-2024 13:47

240623-q3s6vssgke 1

23-06-2024 12:40

240623-pwdxxsvalm 10

Sharing

General

Target

Solara-Executor
Size

304KB
Sample

240623-pwdxxsvalm
MD5

517f63f72eade402b33b49d155c78bfa
SHA1

61ab7528b8b247714d6a70312f09b28682e7c500
SHA256

8e2f032d0ff15f2c9bab0f9f894936066c42f388a5e891ed76e4e7cb9ff2e365
SHA512

8c62582aa300bbec3ab45485843875ec52af0a6c34dd04e91fd981008ffb57a8112c0bd5449c7e281f3b83a6d5cdda7f9c94c1909590c98a17c62743d7e213ac
SSDEEP

6144:D6ozv2n9dH5M2vkm0aFRv3pId9RY9AvZJT3CqbMrhryfQNRPaCieMjAkvCJv1ViT:mozv2n9dH5M2vkm0aFRv3pId9RY9AvZn

Score

10^/10

discordrat lumma umbral execution persistence rat rootkit stealer

Malware Config

Extracted

Credentials

Protocol: ftp
Host:
94.156.8.173
Port:
21
Username:
anonymous
Password:
anonymous@

Extracted

Family

discordrat

Attributes

discord_token
MTEyOTI2NjIyNzkxOTk5MDgyNA.GInBmi.k0vV9HhM26FUzP8r3lgj8t304PciR2dvNYNKDQ
server_id
1129494586109206538

Extracted

Family

lumma

C2

https://salesperosominsid.shop/api

https://publicitycharetew.shop/api

https://computerexcudesp.shop/api

https://leafcalfconflcitw.shop/api

https://injurypiggyoewirog.shop/api

https://bargainnygroandjwk.shop/api

https://disappointcredisotw.shop/api

https://doughtdrillyksow.shop/api

https://facilitycoursedw.shop/api

Targets

- Target
  
  Solara-Executor
- Size
  
  304KB
- MD5
  
  517f63f72eade402b33b49d155c78bfa
- SHA1
  
  61ab7528b8b247714d6a70312f09b28682e7c500
- SHA256
  
  8e2f032d0ff15f2c9bab0f9f894936066c42f388a5e891ed76e4e7cb9ff2e365
- SHA512
  
  8c62582aa300bbec3ab45485843875ec52af0a6c34dd04e91fd981008ffb57a8112c0bd5449c7e281f3b83a6d5cdda7f9c94c1909590c98a17c62743d7e213ac
- SSDEEP
  
  6144:D6ozv2n9dH5M2vkm0aFRv3pId9RY9AvZJT3CqbMrhryfQNRPaCieMjAkvCJv1ViT:mozv2n9dH5M2vkm0aFRv3pId9RY9AvZn
Score

10^/10

discordrat lumma umbral execution persistence rat rootkit stealer
- Detect Umbral payload
- Discord RAT
  A RAT written in C# using Discord as a C2.
  stealer rootkit rat persistence discordrat
- Lumma Stealer
  An infostealer written in C++ first seen in August 2022.
  stealer lumma
- Umbral
  Umbral stealer is an opensource moduler stealer written in C#.
  stealer umbral
- Command and Scripting Interpreter: PowerShell
  Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.
  execution
- Drops file in Drivers directory
- Executes dropped EXE
- Loads dropped DLL
- Legitimate hosting services abused for malware hosting/C2
- Looks up external IP address via web service
  Uses a legitimate IP lookup service to find the infected system's external IP.
- Suspicious use of SetThreadContext
behavioral1 behavioral2

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

PowerShell

Persistence

Privilege Escalation

Defense Evasion

Hide Artifacts

Hidden Files and Directories

Credential Access

Discovery

Query Registry

Remote System Discovery

System Information Discovery

Lateral Movement

Collection

Command and Control

Web Service

Exfiltration

Impact

Tasks

static1

behavioral1

behavioral2

discordratlummaumbralexecutionpersistenceratrootkitstealer