Analysis
-
max time kernel
150s -
max time network
149s -
platform
windows10-2004_x64 -
resource
win10v2004-20240709-en -
resource tags
-
submitted
13-07-2024 20:07
General
-
Target
rostrap.exe
-
Size
4.7MB
-
MD5
e26cd0708de26fc18a2af2ff6fdbddfa
-
SHA1
201b3445de0070cd054bc67818b2a2090118dcdd
-
SHA256
76393354a6a3ddebfbd5f53f185849e48c4ab158609ee2a24411ef4ad4a13bf2
-
SHA512
0a2897a2811b3980daa48c4f61aa66f5ea69d380af076876373276af7435e9c3f3336469b418ea6f314de75ddceb7e8da6c01660c7ebebbe52a40593c1b64bc1
-
SSDEEP
98304:fb3/VPhspHSrjl3GcqMOFm14O+rHJ49nDZcFMxnh:fjTaHsjl6M0mqO0QDZaMxnh
Malware Config
Extracted
discordrat
-
discord_token
MTI2MTcwMjM0NDQ4ODUyMTgwOQ.G6Bxmp.lZQNCu-ZZ94b9CGCSYHyNJ8h_8sgjGMX0iJAD8
-
server_id
1261770885514137682
Signatures
-
Discord RAT
A RAT written in C# using Discord as a C2.
-
Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs 1 IoCs
-
Checks BIOS information in registry 2 TTPs 2 IoCs
BIOS information is often read in order to detect sandboxing environments.
-
Themida packer 2 IoCs
Detects Themida, an advanced Windows software protection system.
-
Checks whether UAC is enabled 1 TTPs 1 IoCs
-
Legitimate hosting services abused for malware hosting/C2 1 TTPs 11 IoCs
-
Suspicious use of NtSetInformationThreadHideFromDebugger 1 IoCs
-
Gathers system information 1 TTPs 1 IoCs
Runs systeminfo.exe.
-
Suspicious use of AdjustPrivilegeToken 1 IoCs
-
Suspicious use of WriteProcessMemory 4 IoCs
Processes
-
C:\Users\Admin\AppData\Local\Temp\rostrap.exe"C:\Users\Admin\AppData\Local\Temp\rostrap.exe"1⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Checks whether UAC is enabled
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\SYSTEM32\cmd.exe"cmd.exe" /C SYSTEMINFO2⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\systeminfo.exeSYSTEMINFO3⤵
- Gathers system information
Network
MITRE ATT&CK Matrix ATT&CK v13
Replay Monitor
Loading Replay Monitor...
Downloads
-
memory/3024-0-0x0000000140000000-0x0000000140C8E000-memory.dmpFilesize
12.6MB
-
memory/3024-1-0x00007FF9E1FB4000-0x00007FF9E1FB5000-memory.dmpFilesize
4KB
-
memory/3024-2-0x00007FF9E1F50000-0x00007FF9E2219000-memory.dmpFilesize
2.8MB
-
memory/3024-4-0x00007FF9E1F50000-0x00007FF9E2219000-memory.dmpFilesize
2.8MB
-
memory/3024-6-0x00007FF9E1F50000-0x00007FF9E2219000-memory.dmpFilesize
2.8MB
-
memory/3024-7-0x0000000140000000-0x0000000140C8E000-memory.dmpFilesize
12.6MB
-
memory/3024-8-0x0000000140000000-0x0000000140C8E000-memory.dmpFilesize
12.6MB
-
memory/3024-9-0x0000000002B20000-0x0000000002CE2000-memory.dmpFilesize
1.8MB
-
memory/3024-10-0x0000000140000000-0x0000000140C8E000-memory.dmpFilesize
12.6MB
-
memory/3024-11-0x00007FF9E1F50000-0x00007FF9E2219000-memory.dmpFilesize
2.8MB
-
memory/3024-12-0x00000000202C0000-0x00000000207E8000-memory.dmpFilesize
5.2MB
-
memory/3024-13-0x00007FF9E1FB4000-0x00007FF9E1FB5000-memory.dmpFilesize
4KB
-
memory/3024-14-0x00007FF9E1F50000-0x00007FF9E2219000-memory.dmpFilesize
2.8MB
-
memory/3024-17-0x00007FF9E1F50000-0x00007FF9E2219000-memory.dmpFilesize
2.8MB