Resubmissions

  • 13-07-2024 19:37
    240713-ybwfxavapr 10
  • 13-07-2024 19:36
    240713-ybjr4svapk 10
  • 13-07-2024 19:36
    240713-ya74bavamp 10
  • 13-07-2024 19:34
    240713-yabp4svakk 10
  • 13-07-2024 19:29
    240713-x7eycswerg 10

Analysis

  • max time kernel
    139s
  • max time network
    156s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240709-uk
  • resource tags
    arch:x64, arch:x86, image:win10v2004-20240709-uk, locale:uk-ua, os:windows10-2004-x64, system, windows
  • submitted
    13-07-2024 19:34

Errors

Reason
Machine shutdown

General

  • Target
    rostrap.exe
  • Size
    78KB
  • MD5
    c806f00fa32f343f9849c77003bb4cc1
  • SHA1
    4a80c5b110f93d9dbcc85885bbf231de5ac8ace6
  • SHA256
    9ddd3757585f55bea693a536e7ec6c4de0fd46f7df565f9cf6d10e339af2e845
  • SHA512
    bac500e08913263bcabab7622eb7d00443d3d426cee9000edcd7b6089cf6e42be2a6b8f93fa60ef703b5400016febf8fb4c922ff17f2c80024a39450440deeb4
  • SSDEEP
    1536:Q0QhcOUX0RU1uB3Yec0OIwbJNrfxCXhRoKV6+V+ttD:Qojj03wbJNrmAE+DD

Malware Config

Extracted

Family

discordrat

Attributes
  • discord_token
    MTI2MTcwMjM0NDQ4ODUyMTgwOQ.GyJxES.iPPznz14IbFotKTZ3KViTwuS9T3PzEb13fnomo
  • server_id
    1261715255004762132

Signatures

  • Discord RAT

    A RAT written in C# using Discord as a C2.

  • Legitimate hosting services abused for malware hosting/C2 (1 TTP, 9 IoCs)
  • Gathers system information (1 TTP, 1 IoC)

    Runs systeminfo.exe.

  • Suspicious use of AdjustPrivilegeToken (3 IoCs)
  • Suspicious use of WriteProcessMemory (8 IoCs)

Processes

  • C:\Users\Admin\AppData\Local\Temp\rostrap.exe
    "C:\Users\Admin\AppData\Local\Temp\rostrap.exe"
    1⤵
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:2192
    • C:\Windows\SYSTEM32\cmd.exe
      "cmd.exe" /C whoami
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:3632
      • C:\Windows\system32\whoami.exe
        whoami
        3⤵
        • Suspicious use of AdjustPrivilegeToken
        PID:2620
    • C:\Windows\SYSTEM32\cmd.exe
      "cmd.exe" /C SYSTEMINFO
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:1088
      • C:\Windows\system32\systeminfo.exe
        SYSTEMINFO
        3⤵
        • Gathers system information
        PID:2364

Network

MITRE ATT&CK Enterprise v15

Downloads

  • memory/2192-0-0x000001C579D30000-0x000001C579D48000-memory.dmp
    Filesize: 96KB
  • memory/2192-1-0x00007FFBD54A3000-0x00007FFBD54A5000-memory.dmp
    Filesize: 8KB
  • memory/2192-2-0x000001C57C320000-0x000001C57C4E2000-memory.dmp
    Filesize: 1.8MB
  • memory/2192-3-0x00007FFBD54A0000-0x00007FFBD5F61000-memory.dmp
    Filesize: 10.8MB
  • memory/2192-4-0x000001C57CB20000-0x000001C57D048000-memory.dmp
    Filesize: 5.2MB
  • memory/2192-5-0x00007FFBD54A3000-0x00007FFBD54A5000-memory.dmp
    Filesize: 8KB
  • memory/2192-6-0x00007FFBD54A0000-0x00007FFBD5F61000-memory.dmp
    Filesize: 10.8MB