General

  • Target

    Epic.zip

  • Size

    49KB

  • Sample

    240715-dkhaesvern

  • MD5

    ec66d375a70559eb6b4ce9aa8f28767a

  • SHA1

    9df2a19dfb8d344c466ab5e1eebd19549c352f1e

  • SHA256

    e08b2618739a86f8e36676a718080b5f90912945d949dee8b480882012a31945

  • SHA512

    ad446fe5f117d31dd37a89c0b40411a6af6e035486c512781f3a5d5a170b405cd59bfb6223bca2babc77c2a226a602594044b74a317921c4ad9f24960acb8a94

  • SSDEEP

    768:7U9ao3OtnT+0KZyN/oip3PkbPHWCzf6+hBdkJBVHun6U9Nt+g0qQLwfasu26:o7+lKMJAX6WT2VY6UJz0qQLHsV6

Malware Config

Extracted

  • Family

    discordrat

  • Attributes

    • discord_token

      MTI2MjE4MzU5NjU1MTE4MDQwMg.Gzy3x9.RZIwVThFyDF6ranz-qVbm6lG_FO19_NJuZ4LiM

    • server_id

      1262179245837258894

Targets

    • Target

      VSoftware.exe

    • Size

      83KB

    • MD5

      54a3320ff0124cdbfcc5c0c31b1e9206

    • SHA1

      ab643cdd5b493f78fe3de596f5b9ec7f1c7080fd

    • SHA256

      3dc6607ffcac9d32060196731fe0844f7cdb9148adb8b3a141d90ee0eb5b53f3

    • SHA512

      62cfea7ad23834f051b7d12854c94517096e30e026645ff07c3338e8d73de131061b8fd4ef05512156995d303ce44f18aa974686ef52ec5fe7de79c1b5b32351

    • SSDEEP

      1536:t2WjO8XeEXFh5P7v88wbjNrfxCXhRoKV6+V+EPIW:tZv5PDwbjNrmAE+YIW

    • Discord RAT

      A RAT written in C# using Discord as a C2.

    • Downloads MZ/PE file

    • Checks computer location settings

      Looks up the country code configured in the registry, likely used for geofencing.

    • Event Triggered Execution: Component Object Model Hijacking

      Adversaries may establish persistence by executing malicious content triggered by hijacked references to Component Object Model (COM) objects.

    • Executes dropped EXE

    • Loads dropped DLL

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials and similar sensitive items.

    • UPX packed file

      Detects executables packed with the UPX open source packer or a modified variant of it.

    • Checks installed software on the system

      Looks up Uninstall key entries in the registry to enumerate software on the system.

    • Checks whether UAC is enabled

MITRE ATT&CK Matrix (ATT&CK v13)

  Tactic                 Technique                          Count  ID
  Persistence            Event Triggered Execution          1      T1546
  Persistence            Component Object Model Hijacking   1      T1546.015
  Privilege Escalation   Event Triggered Execution          1      T1546
  Privilege Escalation   Component Object Model Hijacking   1      T1546.015
  Defense Evasion        Modify Registry                    2      T1112
  Credential Access      Unsecured Credentials              1      T1552
  Credential Access      Credentials In Files               1      T1552.001
  Discovery              Query Registry                     4      T1012
  Discovery              System Information Discovery       4      T1082
  Collection             Data from Local System             1      T1005

Tasks