General

  • Target

    reni-discord-rat.zip

  • Size

    16.4MB

  • Sample

    240804-hm1xrsyfrj

  • MD5

    88b1dcb52381de7b1a4d22bdbaa965ca

  • SHA1

    e27fc20733c1b05cf233405b54c0c7ec1728a796

  • SHA256

    4541b6437ea08c7fa890b11d01dce587d7061a2c2c737c5daeed57721e71aa6a

  • SHA512

    ff671d2e434cea80187778fd27bb3a0017f62187078a6616401e096e4dd503e7dc6074e7ed61791789bb307449eb8c78553251af8f893dc56c01728fa90868bc

  • SSDEEP

    393216:Gj+CQE0xNJZEZwWUK7v5bo1HYkuyrZvH3p02ro:Gj+p3qZAK7poZUyN/yIo

Targets

    • Target

      Renicail/renicail_menu.exe

    • Size

      16.6MB

    • MD5

      1e242ecb3a0bd6a3bbb510cdf4b2250c

    • SHA1

      9bde576d012509aaf8e3febe6fe2a1ab21f6437d

    • SHA256

      cf6257d55f51e99a4f7a5cacd0a611dda670fcb38c7779fd32615efab2dcf824

    • SHA512

      b002270faaf5fd2065c973768353031b7f808af23949f0e1a03121b96c63b93a46ff4be735ebd3929f76f0ff2dfa29e765205c5e205d0990316591b6abc73414

    • SSDEEP

      393216:hu7L/pxgQ2aUX47d4arXsS8RzdChdjaK1:hCLBqQ2aUI7d4arXsS0KaK

    • Credentials from Password Stores: Credentials from Web Browsers

      Malicious access to, or copying of, a web browser credential store.

    • Drops startup file

    • Loads dropped DLL

    • Reads user/profile data of web browsers

      Infostealers often target stored browser profile data, which can include saved credentials, cookies and autofill entries.

    • Unsecured Credentials: Credentials In Files

      Reads credentials stored in unprotected files on disk.

    • Accesses cryptocurrency files/wallets, possible credential harvesting

    • Looks up external IP address via web service

      Uses a legitimate IP lookup service to find the infected system's external IP.

    • Enumerates processes with tasklist
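
The signatures above, expressed as detection logic and run over constructed Sysmon-style events. This is an added example, not part of the sandbox report: the SHA256 values are copied from this report, while the IP-lookup hostnames, browser and wallet file paths, the `helper.dll`/`update.exe` names and every event in `SAMPLE_EVENTS` are assumptions made for illustration, not telemetry from the run.

```python
import re

# SHA256 values copied from this report (the archive and the executable inside it).
KNOWN_SHA256 = {
    "4541b6437ea08c7fa890b11d01dce587d7061a2c2c737c5daeed57721e71aa6a": "reni-discord-rat.zip",
    "cf6257d55f51e99a4f7a5cacd0a611dda670fcb38c7779fd32615efab2dcf824": "Renicail/renicail_menu.exe",
}

# Assumption: the report does not name the lookup service, so common ones are listed.
IP_LOOKUP_HOSTS = {"api.ipify.org", "ip-api.com", "ifconfig.me", "icanhazip.com", "ipinfo.io"}

# Chromium and Firefox profile files that hold saved credentials and cookies.
BROWSER_CRED_RE = re.compile(r"\\(Login Data|Cookies|Web Data|logins\.json|key4\.db)$", re.IGNORECASE)
# Assumption: common desktop wallet locations; the report only says "cryptocurrency files/wallets".
WALLET_RE = re.compile(r"(wallet\.dat$|\\Exodus\\|\\Electrum\\|\\Ethereum\\keystore\\)", re.IGNORECASE)
STARTUP_RE = re.compile(r"\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\", re.IGNORECASE)


def analyze(events):
    """Return (signature, evidence) tuples for the behaviours listed in the report."""
    findings = []
    dropped = set()  # paths written during the run, so a DLL loaded from one is "dropped"
    for ev in events:
        kind = ev["type"]
        if kind == "process_create":
            sha = ev.get("sha256", "").lower()
            if sha in KNOWN_SHA256:
                findings.append(("known_sample_hash", KNOWN_SHA256[sha]))
            if ev["image"].lower().endswith("\\tasklist.exe"):
                findings.append(("process_enumeration", ev["command_line"]))
        elif kind == "file_create":
            dropped.add(ev["path"].lower())
            if STARTUP_RE.search(ev["path"]):
                findings.append(("startup_persistence", ev["path"]))
        elif kind == "file_read":
            if BROWSER_CRED_RE.search(ev["path"]):
                findings.append(("browser_credential_access", ev["path"]))
            if WALLET_RE.search(ev["path"]):
                findings.append(("wallet_access", ev["path"]))
        elif kind == "image_load":
            path = ev["path"].lower()
            if path.endswith(".dll") and path in dropped:
                findings.append(("loads_dropped_dll", ev["path"]))
        elif kind == "dns_query":
            if ev["query"].lower() in IP_LOOKUP_HOSTS:
                findings.append(("external_ip_lookup", ev["query"]))
    return findings


CREDENTIAL_SIGS = {"browser_credential_access", "wallet_access"}


def verdict(findings):
    """Heuristic label: credential-store access combined with at least two other
    signatures (persistence, recon, dropped DLL) is treated as infostealer behaviour;
    any lone hit is only 'suspicious'."""
    sigs = {name for name, _ in findings}
    if sigs & CREDENTIAL_SIGS and len(sigs) >= 3:
        return "infostealer"
    if sigs:
        return "suspicious"
    return "clean"


# Constructed event stream mirroring the signatures above; not sandbox telemetry.
SAMPLE_EVENTS = [
    {"type": "process_create", "image": r"C:\Users\victim\Desktop\Renicail\renicail_menu.exe",
     "command_line": "renicail_menu.exe",
     "sha256": "cf6257d55f51e99a4f7a5cacd0a611dda670fcb38c7779fd32615efab2dcf824"},
    {"type": "file_create", "path": r"C:\Users\victim\AppData\Local\Temp\helper.dll"},
    {"type": "image_load", "path": r"C:\Users\victim\AppData\Local\Temp\helper.dll"},
    {"type": "file_create",
     "path": r"C:\Users\victim\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\update.exe"},
    {"type": "file_read",
     "path": r"C:\Users\victim\AppData\Local\Google\Chrome\User Data\Default\Login Data"},
    {"type": "file_read", "path": r"C:\Users\victim\AppData\Roaming\Exodus\exodus.wallet\seed.seco"},
    {"type": "dns_query", "query": "api.ipify.org"},
    {"type": "process_create", "image": r"C:\Windows\System32\tasklist.exe",
     "command_line": "tasklist /FO CSV", "sha256": ""},
    # Benign noise that must not trigger anything.
    {"type": "process_create", "image": r"C:\Windows\System32\notepad.exe",
     "command_line": "notepad.exe", "sha256": ""},
    {"type": "dns_query", "query": "www.microsoft.com"},
    {"type": "file_read", "path": r"C:\Users\victim\Documents\notes.txt"},
]

if __name__ == "__main__":
    hits = analyze(SAMPLE_EVENTS)
    for name, evidence in hits:
        print(f"{name:28s} {evidence}")
    print("verdict:", verdict(hits))
```

The "loads dropped DLL" check is the one worth copying: it only fires when an image load points at a path the same run wrote earlier, which separates a dropped payload from the ordinary system DLLs every process loads.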
