Analysis

  • max time kernel
    150s
  • max time network
    150s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240709-en
  • resource tags

    arch:x64, arch:x86, image:win10v2004-20240709-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    26-07-2024 14:03

General

  • Target

    RoblxExtern.exe

  • Size

    103KB

  • MD5

    96f4ada678831287e0e65a893bcbaead

  • SHA1

    6d31200f6c78548164c416c7143d1ae2496c9dcb

  • SHA256

    60f0ed4e327ec2f37874d39d7d8112edd3ee5f3a88ac09d55f1e860ad1d16aab

  • SHA512

    a055e1c871a6f0089d3643a714dc65effeab6eea62be996aab375a2941ab2c61099dd7fcfc0901784aebf9cceb31fbbe266d186c925953adede0e4d499a998d6

  • SSDEEP

    1536:eAjVrqD0rWUVYqMdvM9m2o5+7nkG24dxugMGHd1mf2R6/ELA29o2IqQnsLTC+zhS:HFeyIj+0n+ym9EGWe

Malware Config

Extracted

Family

discordrat

Attributes
  • discord_token

    MTI2MTY0NTg1NzE3MDY1MzIyNQ.G-aI1H.UjEBfSThVUjdMTWjryej5I5a1-xdH_S2NvpjfA

  • server_id

    1261645179203616778

Signatures

  • Discord RAT

    A RAT written in C# using Discord as a C2.

  • Downloads MZ/PE file
  • Executes dropped EXE 1 IoCs
  • Loads dropped DLL 1 IoCs
  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

  • Legitimate hosting services abused for malware hosting/C2 1 TTPs 23 IoCs
  • Scheduled Task/Job: Scheduled Task 1 TTPs 1 IoCs

    Schtasks is often used by malware for persistence or to perform post-infection execution.

  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious behavior: GetForegroundWindowSpam 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 1 IoCs
  • Suspicious use of WriteProcessMemory 6 IoCs
  • Uses Task Scheduler COM API 1 TTPs

    The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.

Processes

  • C:\Users\Admin\AppData\Local\Temp\RoblxExtern.exe
    "C:\Users\Admin\AppData\Local\Temp\RoblxExtern.exe"
    1⤵
    • Suspicious use of WriteProcessMemory
    PID:3944
    • C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c start "" "C:\Users\Admin\AppData\Local\Office\COM SURROGATE.exe"
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:2356
      • C:\Users\Admin\AppData\Local\Office\COM Surrogate.exe
        "C:\Users\Admin\AppData\Local\Office\COM SURROGATE.exe"
        3⤵
        • Executes dropped EXE
        • Loads dropped DLL
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious behavior: GetForegroundWindowSpam
        • Suspicious use of AdjustPrivilegeToken
        • Suspicious use of WriteProcessMemory
        PID:1508
        • C:\Windows\SYSTEM32\SCHTASKS.exe
          "SCHTASKS.exe" /create /tn "$77COM Surrogate.exe" /tr "'C:\Users\Admin\AppData\Local\Office\COM Surrogate.exe'" /sc onlogon /rl HIGHEST
          4⤵
          • Scheduled Task/Job: Scheduled Task
          PID:2500

Network

MITRE ATT&CK Enterprise v15

Downloads

  • C:\Users\Admin\AppData\Local\Office\COM Surrogate.exe

    Filesize

    93KB

    MD5

    57b48fa07b7e7accfabecf5930111111

    SHA1

    9e15ae353d456dee863484e2636f6f17140dcc31

    SHA256

    e148ac15fff264c7a90c2ff7dab6f3fb3bf8f664e016805bf9015797095c34e5

    SHA512

    108f84e26f601ba84d966125bd95a41e312df687f367ed1812dbf9d4d5c04ca0cdd228eedf35712ee47261c9b159f64f15aaf5d8563fba43c7134f6ec5cffd83

  • C:\Users\Admin\AppData\Local\Office\Newtonsoft.Json.dll

    Filesize

    695KB

    MD5

    195ffb7167db3219b217c4fd439eedd6

    SHA1

    1e76e6099570ede620b76ed47cf8d03a936d49f8

    SHA256

    e1e27af7b07eeedf5ce71a9255f0422816a6fc5849a483c6714e1b472044fa9d

    SHA512

    56eb7f070929b239642dab729537dde2c2287bdb852ad9e80b5358c74b14bc2b2dded910d0e3b6304ea27eb587e5f19db0a92e1cbae6a70fb20b4ef05057e4ac

  • C:\Users\Admin\AppData\Local\Office\x64\SQLite.Interop.dll

    Filesize

    1.7MB

    MD5

    65ccd6ecb99899083d43f7c24eb8f869

    SHA1

    27037a9470cc5ed177c0b6688495f3a51996a023

    SHA256

    aba67c7e6c01856838b8bc6b0ba95e864e1fdcb3750aa7cdc1bc73511cea6fe4

    SHA512

    533900861fe36cf78b614d6a7ce741ff1172b41cbd5644b4a9542e6ca42702e6fbfb12f0fbaae8f5992320870a15e90b4f7bf180705fc9839db433413860be6d

  • memory/1508-24-0x00007FFFA1860000-0x00007FFFA2321000-memory.dmp

    Filesize

    10.8MB

  • memory/1508-49-0x0000017AFDF20000-0x0000017AFDFD2000-memory.dmp

    Filesize

    712KB

  • memory/1508-25-0x0000017AFE050000-0x0000017AFE578000-memory.dmp

    Filesize

    5.2MB

  • memory/1508-26-0x0000017AFDB20000-0x0000017AFDDEA000-memory.dmp

    Filesize

    2.8MB

  • memory/1508-27-0x0000017AFC560000-0x0000017AFC56A000-memory.dmp

    Filesize

    40KB

  • memory/1508-29-0x0000017AFC6B0000-0x0000017AFC6C2000-memory.dmp

    Filesize

    72KB

  • memory/1508-47-0x0000017AFDDF0000-0x0000017AFDE5A000-memory.dmp

    Filesize

    424KB

  • memory/1508-23-0x0000017AFCFA0000-0x0000017AFD162000-memory.dmp

    Filesize

    1.8MB

  • memory/1508-22-0x0000017AFA900000-0x0000017AFA91C000-memory.dmp

    Filesize

    112KB

  • memory/1508-21-0x00007FFFA1863000-0x00007FFFA1865000-memory.dmp

    Filesize

    8KB

  • memory/1508-56-0x0000017AFDE60000-0x0000017AFDE9A000-memory.dmp

    Filesize

    232KB

  • memory/1508-57-0x0000017AFC6D0000-0x0000017AFC6F6000-memory.dmp

    Filesize

    152KB

  • memory/1508-61-0x00007FFFA1863000-0x00007FFFA1865000-memory.dmp

    Filesize

    8KB

  • memory/1508-62-0x00007FFFA1860000-0x00007FFFA2321000-memory.dmp

    Filesize

    10.8MB