Overview

overview

10

Static

static

3

cutecat‮gjp.exe

windows10-1703-x64

10

Resubmissions

03-07-2024 14:10

240703-rg6eqs1hmg 10

03-07-2024 14:06

240703-rec1ea1fmb 10

Analysis

  • max time kernel
    135s
  • max time network
    136s
  • platform
    windows10-1703_x64
  • resource
    win10-20240404-en
  • resource tags

    arch:x64arch:x86image:win10-20240404-enlocale:en-usos:windows10-1703-x64system
  • submitted
    03-07-2024 14:10

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    cutecat‮gjp.exe

  • Size

    571KB

  • MD5

    56950b73f1d8a345e5cac4a890199ad6

  • SHA1

    e06360883d38743190b0ce03eaf4ae61e50b104f

  • SHA256

    32f2cb98c31c82d74dd71ff361c1b70b8a71b75b56348ce808d2521f4aab7b81

  • SHA512

    f2c32d057c0e1ffa99d185ec4f6057f9941c8b21a51fdaf91f88f561e17ed07a74dafb1f213a066a52f79f771e1ca38ede6c663d471a325f3f900160c9f1e818

  • SSDEEP

    12288:hyveQB/fTHIGaPkKEYzURNAwbAg8awGznzgJgHYxT4Nxt7HGt:huDXTIGaPhEYzUzA0q4znzgJgHYRmGt

Score
10/10
discordratpersistenceratrootkitstealer

Malware Config

Extracted

Family

discordrat

Attributes
  • discord_token

    MTI1ODA0NzAxNDQ0MTMyNDY2NA.GJFaRS.ML3_kAVkMruyTd0hsxxYBK2V-qnvxomT03peSY

  • server_id

    1255506406946373766

Signatures

  • Discord RAT

    A RAT written in C# using Discord as a C2.

    stealerrootkitratpersistencediscordrat
  • Executes dropped EXE 1 IoCs
  • Legitimate hosting services abused for malware hosting/C2 1 TTPs 3 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Suspicious use of AdjustPrivilegeToken 1 IoCs
  • Suspicious use of WriteProcessMemory 2 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\cutecat‮gjp.exe
    "C:\Users\Admin\AppData\Local\Temp\cutecat‮gjp.exe"
    1⤵
    • Suspicious use of WriteProcessMemory
    PID:1008
    • C:\Users\Admin\AppData\Local\Temp\RarSFX0\backdoor.exe
      "C:\Users\Admin\AppData\Local\Temp\RarSFX0\backdoor.exe"
      2⤵
      • Executes dropped EXE
      • Suspicious use of AdjustPrivilegeToken
      PID:2412

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\AppData\Local\Temp\RarSFX0\backdoor.exe
    Filesize

    78KB

    MD5

    cfc5ba6bfc1cb9ee620ec90d1f1adf90

    SHA1

    8edf8d4562c940cd5444aadeffe6657362a7262f

    SHA256

    e6918fba0ddf8c2d9a7daf640762163dc8c2b9aaf474e3d45ddb2901328d5f16

    SHA512

    9631aa7bab6c97aa19b365f5296f3fa37709349d567ba00d7bd8b67003279647ec62c18ddfd777990221300b1e069a09124e70d94496d2114aeffb67a9f5b58c

    Download Submit

  • memory/2412-11-0x00007FFA0B5C3000-0x00007FFA0B5C4000-memory.dmp

    Filesize

    4KB

    Download

  • memory/2412-10-0x0000020C9E760000-0x0000020C9E778000-memory.dmp

    Filesize

    96KB

    Download

  • memory/2412-12-0x0000020CB8E30000-0x0000020CB8FF2000-memory.dmp

    Filesize

    1.8MB

    Download

  • memory/2412-13-0x00007FFA0B5C0000-0x00007FFA0BFAC000-memory.dmp

    Filesize

    9.9MB

    Download

  • memory/2412-14-0x0000020CB9730000-0x0000020CB9C56000-memory.dmp

    Filesize

    5.1MB

    Download

  • memory/2412-15-0x00007FFA0B5C3000-0x00007FFA0B5C4000-memory.dmp

    Filesize

    4KB

    Download

  • memory/2412-16-0x00007FFA0B5C0000-0x00007FFA0BFAC000-memory.dmp

    Filesize

    9.9MB

    Download