Overview

overview

10

Static

static

7

SalesAndTa...es.exe

windows7-x64

10

SalesAndTa...es.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    837s
  • max time network
    839s
  • platform
    windows7_x64
  • resource
    win7-20240705-en
  • resource tags

    arch:x64arch:x86image:win7-20240705-enlocale:en-usos:windows7-x64system
  • submitted
    09-07-2024 19:39

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    SalesAndTales/SalesAndTales/TalesAndSales.exe

  • Size

    4.1MB

  • MD5

    5071e6c3739ca8d176036501ff7b7692

  • SHA1

    0e0ef970dc94a375a28b61baff395043c920484b

  • SHA256

    dc8d4767a1022103802ec64fe86960bea13dd03ff1d0365c2519c7edc07b4841

  • SHA512

    1c9e56a50ac7a3ee175d70b1e456cd69279fe94aac95ea66f4d1f782d2687b33f9c7b0a20d29a49ed06508279dc34f2d4d05ad5fb396a526226e27e93614753f

  • SSDEEP

    98304:iUYt9cvtfCbuDlZM5Arxle1K+O9FbcBvzc8aEB:iUc9cv9EQ7oOx01awV

Score
10/10
discordratevasionpersistenceratrootkitstealerthemidatrojan

Malware Config

Extracted

Family

discordrat

Attributes
  • discord_token

    MTI2MDIzODIzNTAxNjM2NDE0Mw.G_GGTS.fEW6l1WLOhjwEn42Roi-bpXTe-ZL_rK7J-jOto

  • server_id

    1260238572166844487

Signatures

  • Discord RAT

    A RAT written in C# using Discord as a C2.

    stealerrootkitratpersistencediscordrat
  • Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs 1 IoCs
    evasion
  • Checks BIOS information in registry 2 TTPs 2 IoCs

    BIOS information is often read in order to detect sandboxing environments.

  • Themida packer 3 IoCs

    Detects Themida, an advanced Windows software protection system.

    themida
  • Checks whether UAC is enabled 1 TTPs 1 IoCs
    evasiontrojan
  • Suspicious use of NtSetInformationThreadHideFromDebugger 1 IoCs
  • Suspicious use of WriteProcessMemory 3 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\SalesAndTales\SalesAndTales\TalesAndSales.exe
    "C:\Users\Admin\AppData\Local\Temp\SalesAndTales\SalesAndTales\TalesAndSales.exe"
    1⤵
    • Identifies VirtualBox via ACPI registry values (likely anti-VM)
    • Checks BIOS information in registry
    • Checks whether UAC is enabled
    • Suspicious use of NtSetInformationThreadHideFromDebugger
    • Suspicious use of WriteProcessMemory
    PID:2708
    • C:\Windows\system32\WerFault.exe
      C:\Windows\system32\WerFault.exe -u -p 2708 -s 604
      2⤵
        PID:1728

    Network

    MITRE ATT&CK Matrix ATT&CK v13

    Initial Access

    Execution

    Persistence

    Privilege Escalation

    Defense Evasion

    Virtualization/Sandbox Evasion

    1
    T1497

    Credential Access

    Discovery

    Query Registry

    2
    T1012

    Virtualization/Sandbox Evasion

    1
    T1497

    System Information Discovery

    2
    T1082

    Lateral Movement

    Collection

    Exfiltration

    Command and Control

    Impact

    Resource Development

    Reconnaissance

    Replay Monitor

    Loading Replay Monitor...

    Downloads

    • memory/2708-0-0x000000013F570000-0x00000001400AE000-memory.dmp
      Filesize

      11.2MB

      Download
    • memory/2708-2-0x000007FEFCC30000-0x000007FEFCC9C000-memory.dmp
      Filesize

      432KB

      Download
    • memory/2708-1-0x000007FEFCC43000-0x000007FEFCC44000-memory.dmp
      Filesize

      4KB

      Download
    • memory/2708-4-0x000007FEFCC30000-0x000007FEFCC9C000-memory.dmp
      Filesize

      432KB

      Download
    • memory/2708-3-0x000007FEFCC30000-0x000007FEFCC9C000-memory.dmp
      Filesize

      432KB

      Download
    • memory/2708-6-0x000007FEFCC30000-0x000007FEFCC9C000-memory.dmp
      Filesize

      432KB

      Download
    • memory/2708-7-0x000000013F570000-0x00000001400AE000-memory.dmp
      Filesize

      11.2MB

      Download
    • memory/2708-8-0x000000013F570000-0x00000001400AE000-memory.dmp
      Filesize

      11.2MB

      Download
    • memory/2708-9-0x000007FEFCC30000-0x000007FEFCC9C000-memory.dmp
      Filesize

      432KB

      Download
    • memory/2708-11-0x000000013F570000-0x00000001400AE000-memory.dmp
      Filesize

      11.2MB

      Download
    • memory/2708-13-0x000000013F570000-0x00000001400AE000-memory.dmp
      Filesize

      11.2MB

      Download
    • memory/2708-14-0x000007FEFCC30000-0x000007FEFCC9C000-memory.dmp
      Filesize

      432KB

      Download