wannacry

Sharing

Copy URL

Twitter E-mail

General

Target

Discord-RAT-2.0-master.zip
Size

12.1MB
Sample

240703-d7m47awanc
MD5

017e28cd77905a0bd918d7e725632a2a
SHA1

d709e343f64d93ab00c6fc0aa4ae6ab22aec9f73
SHA256

c8de0e92e603214114f8800dd99ecf8cb69ac85caf8010a99ba3f66afe70fcbf
SHA512

0ae6f1dea994d879043b0ef63049cdbd68dd7671b1df53f3688e91a7027dde8de6d193bafeb12f4c6b7f97909d116f06811a29d13c56ada2c774e78dcc5f1a16
SSDEEP

393216:AsAyy/dM8ZxANOoX9wAzDI1s0bWA16J+UV7:AsAyyVMYODYq

Score

10^/10

Malware Config

Extracted

Path

C:\Users\Admin\Documents\@[email protected]

Family

wannacry

Ransom Note

Q: What's wrong with my files? A: Ooops, your important files are encrypted. It means you will not be able to access them anymore until they are decrypted. If you follow our instructions, we guarantee that you can decrypt all your files quickly and safely! Let's start decrypting! Q: What do I do? A: First, you need to pay service fees for the decryption. Please send $300 worth of bitcoin to this bitcoin address: 12t9YDPgwueZ9NyMgw519p7AA8isjr6SMw Next, please find an application file named "@[email protected]". It is the decrypt software. Run and follow the instructions! (You may need to disable your antivirus for a while.) Q: How can I trust? A: Don't worry about decryption. We will decrypt your files surely because nobody will trust us if we cheat users. * If you need our assistance, send a message by clicking <Contact Us> on the decryptor window. �

Wallets

12t9YDPgwueZ9NyMgw519p7AA8isjr6SMw

Targets

- Target
  
  Discord-RAT-2.0-master/Discord rat/Program.cs
- Size
  
  59KB
- MD5
  
  69f6cebd0a8015ff93a829a721a666e7
- SHA1
  
  4e2b8b138743549c9c66ac42cb3e6eada572ee83
- SHA256
  
  8c8b82e35d1f693443b0ef8c531831e3a596184e52534f296da2e13bea8e7e7a
- SHA512
  
  0974fe9bc6cbc4088e38a8791d323ff8563fb7f9349a63503f90332dbb209714c0a3759699ca0dc0170627783dec8ff4d30580a930cfaf1c6a06c16c3b237925
- SSDEEP
  
  384:ywr6dz4/80xvu6SudhKVyqx/uK49K69r2Q41idpBRly36/YvuUCnU+7B:9tddgZs9L9KQ4unEybU+7B
Score

10^/10

wannacry defense_evasion discovery execution impact persistence ransomware worm
- Wannacry
  WannaCry is a ransomware cryptoworm.
  ransomware worm wannacry
- Deletes shadow copies
  Ransomware often targets backup files to inhibit system recovery.
  ransomware defense_evasion impact execution
- Drops startup file
- Executes dropped EXE
- Loads dropped DLL
- Modifies file permissions
  discovery
- Adds Run key to start application
  persistence
- File and Directory Permissions Modification: Windows File and Directory Permissions Modification
  defense_evasion
- Legitimate hosting services abused for malware hosting/C2
- Sets desktop wallpaper using registry
  ransomware
behavioral1 behavioral2
- Target
  
  Discord-RAT-2.0-master/Discord rat/Resources/PasswordStealer.dll
- Size
  
  53KB
- MD5
  
  ad42d271e4b7d5c14c179c6cbe559bef
- SHA1
  
  3cf564330231eedce6458836b03e3c129c799b47
- SHA256
  
  ae8abf10e555cee9769abea0e2d3379b11bc6a817f75a0b6038d294fa3d6a136
- SHA512
  
  8f723c3f79c32bac1f823b5c01b535d439dd52c841d84a178634c897f630e53fe520b5e5c96061a5a84eed3878605b45322187f135784ab98906f8221c239310
- SSDEEP
  
  768:mG0+OqGLEJb+SFeagWNRJHMMNcA/nx554oq3U07WAx3ZsLaXLw:mMJ+SFNRtMxTZ3UXmU
Score

1^/10
behavioral3 behavioral4
- Target
  
  Discord-RAT-2.0-master/Discord rat/Resources/Token grabber.dll
- Size
  
  2.8MB
- MD5
  
  f64eadf97eacf0c639336617cf6af03b
- SHA1
  
  ba2a264ac0773a804ab15da18ded3bc556cc99ce
- SHA256
  
  a3ca8d72edaf4ffb84a38e88a31f9e537d7d7b76f7cc7966583c7b4b4a811c74
- SHA512
  
  e4de93107ec60ebdcd2bc6c4b5bddbc2d639d805bf8b7ad57881b04a5f5f5d0bb7cb24e4f3169801fee220b338494b82cd180c36e9dcd0cedda726a5c4621fd5
- SSDEEP
  
  49152:TsLJjhwr1Bp6ErdSl0WXK99EYKauI1HIknog:TKJjhm1BptqXK
Score

1^/10
behavioral5 behavioral6
- Target
  
  Discord-RAT-2.0-master/Discord rat/Resources/Webcam.dll
- Size
  
  39KB
- MD5
  
  a2febd7a91532a08fa5dca771ea7bd2c
- SHA1
  
  41f05c292f081f91364134a8897128027ee2f855
- SHA256
  
  965494b6b3574b5e7afd2cdfdaf42813a3034a37f5309daf5afee63401894da2
- SHA512
  
  5cd2b4580e3e2c02a6dfcf5419d2a47ae6666136dd1354e2929b4497239da9d404aa399dfe8a057b5b91cb59611bc2b5400862d9d5d66e34cfe1e23f8b00103a
- SSDEEP
  
  768:2snfEuPWvIgwQrfA4MKI3KBz7ZIR/5IOYTu4j2:hfEuPWvHhBM7aBxaBIOYTn2
Score

1^/10
behavioral7 behavioral8
- Target
  
  Discord-RAT-2.0-master/Discord rat/Resources/rootkit.dll
- Size
  
  223KB
- MD5
  
  d72fea64a05b3f7dce725352d7c1d032
- SHA1
  
  9c27e234567d237d9c495353567f2efa42e8f616
- SHA256
  
  8fdae5b4490183c9057a684f0ac2f82dd5c8911cb2f43a54ff47a9ad6e93952a
- SHA512
  
  56bb1c4d83587ecc5f8bb41882d449e1812cdf1db1fee4068f5ef1b49f28d3e0af95e14f306d494a6c6cd4771c052360a96388f59bfa409affb3b21790da00d3
- SSDEEP
  
  6144:wguKV5BwUnZqazMhD9RLJt88sndcP8pPyDvUGOks:kKLBwiZlzMB9xgndcP88DvvP
Score

10^/10

bootkit persistence evasion
- Modifies security service
  evasion
- Suspicious use of NtCreateUserProcessOtherParentProcess
- Sets service image path in registry
  persistence
- Checks BIOS information in registry
  BIOS information is often read in order to detect sandboxing environments.
- Enumerates connected drives
  Attempts to read the root path of hard drives other than the default C: drive.
- Writes to the Master Boot Record (MBR)
  Bootkits write to the MBR to gain persistence at a level below the operating system.
  bootkit persistence
- Drops file in System32 directory
- Suspicious use of SetThreadContext
behavioral10 behavioral9
- Target
  
  Discord-RAT-2.0-master/Discord rat/Resources/unrootkit.dll
- Size
  
  3.3MB
- MD5
  
  56561903fd1e9dedfe029dd8c9172e7c
- SHA1
  
  ca2fbcd301d4e1ddb3e7fd2b53099e12c06e48c6
- SHA256
  
  4350a69f2630214a7b079e41e3ac2d7c5759a622a0cd1227ba12eee06d758d9a
- SHA512
  
  e16345c92a1639b4ff712591c5f736618ca6b0f83399e5f2265c747fe6829065dfcf9a27486e562ea0766b61c6362611e726e8bf7e943aab4e738bade1d8590d
- SSDEEP
  
  49152:x8ImhHy69ztxaY5lyni2DBZKe8taaY5lSni2DBZWL:OZdyeJH6
Score

10^/10
- Suspicious use of NtCreateUserProcessOtherParentProcess
- Suspicious use of SetThreadContext
behavioral11 behavioral12
- Target
  
  Discord-RAT-2.0-master/Discord rat/packages/dnlib.3.5.0/lib/net35/dnlib.dll
- Size
  
  1.1MB
- MD5
  
  c85801df1a4b5c3c99e0907ee758e678
- SHA1
  
  512b12ac64d1846ec9add9c15774fae59d2fafdf
- SHA256
  
  981af1856c0635540cdbbc1cf3725a47b753182f6f23717f8cca9c7da200d4b6
- SHA512
  
  697ab714d199a4a45055d2769a1eed2ad0abd51de50a5bc4ab8b6685a0277979f9333258e342b23062b01981c032e8fb7efa4ec1dd3c8e916d1acd32d786c376
- SSDEEP
  
  24576:lXsiTalLh9PfNf4JA7NxFoW5UNpYXB1kt5uIv7fntQ2:3itL5xywPktU
Score

1^/10
behavioral13 behavioral14
- Target
  
  Discord-RAT-2.0-master/Discord rat/packages/dnlib.3.5.0/lib/net45/dnlib.dll
- Size
  
  1.1MB
- MD5
  
  508ccde8bc7003696f32af7054ca3d97
- SHA1
  
  1f6a0303c5ae5dc95853ec92fd8b979683c3f356
- SHA256
  
  4758c7c39522e17bf93b3993ada4a1f7dd42bb63331bac0dcd729885e1ba062a
- SHA512
  
  92a59a2e1f6bf0ce512d21cf4148fe027b3a98ed6da46925169a4d0d9835a7a4b1374ba0be84e576d9a8d4e45cb9c2336e1f5bd1ea53e39f0d8553db264e746d
- SSDEEP
  
  24576:WHjoaczZfdE55hHl0WQ/OO4yb99MANKtv7f2dcME:tm/BQWgww
Score

1^/10
behavioral15 behavioral16
- Target
  
  Discord-RAT-2.0-master/Discord rat/packages/dnlib.3.5.0/lib/netstandard2.0/dnlib.dll
- Size
  
  1.1MB
- MD5
  
  0b803121812d241f8fc1b8e53e8e965b
- SHA1
  
  85d633ae0033747476885aa633ada8d02a2f9c1b
- SHA256
  
  ecf5d926a965b89f1427514ef03df543a48fd26464ca5d6eb27eb0a7e3d7aa5a
- SHA512
  
  01b075e4d475fd9d97dcd7ee47e7af007ad106f061b2019e5d5e846fce663507be1367beb4dd9513795184c755e7ef9b194693302db034fa1bcde2fd49a18d55
- SSDEEP
  
  24576:XPb43npCvPCZVidcW8xUA4X4i92FAAGinjv7f/dc4D:uVYkxSX43zFn
Score

1^/10
behavioral17 behavioral18
- Target
  
  Discord-RAT-2.0-master/Token grabber/grabber.cs
- Size
  
  6KB
- MD5
  
  e72008ce666a396d35bec73e9c62d348
- SHA1
  
  b8adadab920f2c308b2ba0f12365f41268de79ab
- SHA256
  
  a4c5aa9b959be5a82060f6bff2262ca2cf87a09256e0b3d6c5dca945d3ffa667
- SHA512
  
  6fe2be27a58bb120e7dad343643be7e4eff1d389810b3f748dc9e78c6ac5f96df164a60b23132c6e2dc9bfc2754416915666f90ff4d52abf542cbbc071fca0be
- SSDEEP
  
  192:ivbBt6rkYsPcB20E01A7xuuRPIz+i+y+qv+i+LP59w0MzSoCBL:ig00Y8uVIzL7PLqx
Score

3^/10

execution
behavioral19 behavioral20
- Target
  
  Discord-RAT-2.0-master/Token grabber/src/asn1/ASN1StreamParser.cs
- Size
  
  7KB
- MD5
  
  9fbd8abfbeb78b4cfe3e5e1a551dbbe6
- SHA1
  
  ac026018dd90e00c5ca8032e62582c29b2869124
- SHA256
  
  d796a8bb549ec9ea1b4a8aa47fcb9768fdeea0b4ae18853daa05c5a646f245a7
- SHA512
  
  bb83de33e9afd7bba04304611e6ada36aa77ccfcdca38f7d7ea20b4594c9084056dafd41b18588a83ced7996fbb1f3e98205e96690236576972a645ca9ad8400
- SSDEEP
  
  192:fTkUG60ZXW7cFGy6XlZ36e46AIxnN3GK9D:fTkUG9ZXW7cFGL1ZqvjIf9D
Score

3^/10

execution
behavioral21 behavioral22
- Target
  
  Discord-RAT-2.0-master/Token grabber/src/asn1/Asn1Encodable.cs
- Size
  
  1KB
- MD5
  
  739a0f92fddcb8660b56c48da3f5d3b1
- SHA1
  
  c4110a88207a029ddaabe2a17946edbcd7e56223
- SHA256
  
  4fb9701adb8c643801dc78f8c67392111fffb497db2f5a132546acd590aea7eb
- SHA512
  
  6277885847fc0e74b9d669bca89ff95e070418e1eb7016b254132bc2be52ae0ded2d07ff3a281e5c143b10b185335885bfae01a22943e3ee99bba6944822b95c
Score

3^/10

execution
behavioral23 behavioral24
- Target
  
  Discord-RAT-2.0-master/Token grabber/src/asn1/Asn1InputStream.cs
- Size
  
  16KB
- MD5
  
  d6b8f69c76d758ac6e7d2a4a1d39defb
- SHA1
  
  1a7be9e58bcb597d8604e6ae6aff6a1974b892c4
- SHA256
  
  e81810ec15b77657180cceac5873f5cb111703e9570e6077e4fe2f6b373f38f4
- SHA512
  
  fc156800804a35bc54c20fddf69e95a905018fdd8a90182e76d52124f64194c105b0e9d979f279807cde4d298af0f716d3d345bf79f814c0350d78c2306dc20f
- SSDEEP
  
  384:39uTo3Z30Gj08jS4QdYZU9RyoXZ5osG/SWVspu9MaMJa0xotss:398o3Z3D08jS4QdYZU9RyoXZ5osG/SW1
Score

3^/10

execution
behavioral25 behavioral26
- Target
  
  Discord-RAT-2.0-master/Token grabber/src/asn1/Asn1Null.cs
- Size
  
  2KB
- MD5
  
  5b2341a924c5c15c1dca56f017fd7cb7
- SHA1
  
  e41d67cfe01a6fdac47da483932a0115ba51e4c2
- SHA256
  
  5b866ccf4b99f4e8473d4e129258c823f0c1ae51ffaaa33e97e702967b9b5ee4
- SHA512
  
  5138d0b171259d1b65f6d2695ab7a25c00c657ecbcfe93d63ad757bcb8b6a32f8665f9ae82b6dbcd22a081bd5ffc9bb30f579c23cd539cd32965003418aa2a82
Score

3^/10

execution
behavioral27 behavioral28
- Target
  
  Discord-RAT-2.0-master/Token grabber/src/asn1/Asn1Object.cs
- Size
  
  2KB
- MD5
  
  d9d25f09ad07a712039b98e88dbafdf9
- SHA1
  
  4ef2c95e6e76f86597e05d359fb0a0381a194752
- SHA256
  
  571c4161e5422ce118b2504bc3ffd771e199e0eca680c682616510562ce132db
- SHA512
  
  9674215a235d435ee45b4d458e887da90412629f17f3b307c1a1e12f8471e125f392435f86685a09ff421ae3c2bd65106cc8b4b0f069a3b59e7ca46489196bc6
Score

3^/10

execution
behavioral29 behavioral30
- Target
  
  Discord-RAT-2.0-master/Token grabber/src/asn1/Asn1ObjectDescriptor.cs
- Size
  
  4KB
- MD5
  
  f6e8632b0a6cd03535cc6219180b54e7
- SHA1
  
  4969563384f3b5eaf7c610d4da60bbf45eac2690
- SHA256
  
  fb85a14e214812c980cabfc19ed7688e4d8195f126515f5ed583cf8df38e56c6
- SHA512
  
  bac7eb6458a6d58f8e996cf7c8c2516523074349beb7a8dbc7bf951a52f8e44d1382d1a520e211670daaf33cfc49a7f7e10e1f150353dc1733be46620f0017ea
- SSDEEP
  
  96:JjaNSlQUVv5AY1Vnl+iJHiomzgRcy73ieLJRiJL9ffeOfffY9ePlI9eL:MZ6v5AYrnl+ioomzgRL73ieLCJL1jSeL
Score

3^/10

execution
behavioral31 behavioral32