blankgrabber | 30d29f3317addb221e07bae9878dac952f502a6343ac3c37a936e02d555d5a22

General

Target

Token Re‮tab..exe
Size

7.8MB
Sample

240917-aptx8sxdqa
MD5

83af1843b8d2cdd68fa8064b52b2a29d
SHA1

2a5655b4b2ef26bbcc4fa0d7631498d9e2fd0e26
SHA256

30d29f3317addb221e07bae9878dac952f502a6343ac3c37a936e02d555d5a22
SHA512

5dfa2d3443ec0d02836fbef056c30ee7965258a3c17f0a47220e0f4754ca96122d961b6c0ca62ecdd92470f79eb45440e58672c80500ff0b1daf39e7f055d181
SSDEEP

196608:1WgVVEh8jwfI9jUC2gYBYv3vbW2+iITx1U6ne:NVVEh8QIH2gYBgDWJTnze

Score

10^/10

Malware Config

Extracted

Family

discordrat

Attributes

discord_token
MTI4NTAwMzc1NzkxODM1OTYyMw.Gvjd_n.v2Jf3rhF7r3NQw_Wjfz5Ww53FvhOODLIX3HLxQ
server_id
1285119911030689833

Targets

- Target
  
  Token Re‮tab..exe
- Size
  
  7.8MB
- MD5
  
  83af1843b8d2cdd68fa8064b52b2a29d
- SHA1
  
  2a5655b4b2ef26bbcc4fa0d7631498d9e2fd0e26
- SHA256
  
  30d29f3317addb221e07bae9878dac952f502a6343ac3c37a936e02d555d5a22
- SHA512
  
  5dfa2d3443ec0d02836fbef056c30ee7965258a3c17f0a47220e0f4754ca96122d961b6c0ca62ecdd92470f79eb45440e58672c80500ff0b1daf39e7f055d181
- SSDEEP
  
  196608:1WgVVEh8jwfI9jUC2gYBYv3vbW2+iITx1U6ne:NVVEh8QIH2gYBgDWJTnze
Score

10^/10

upx discordrat collection credential_access defense_evasion discovery execution persistence privilege_escalation rat rootkit spyware stealer
- Discord RAT
  A RAT written in C# using Discord as a C2.
  stealer rootkit rat persistence discordrat
- Credentials from Password Stores: Credentials from Web Browsers
  Malicious Access or copy of Web Browser Credential store.
  credential_access stealer
- Command and Scripting Interpreter: PowerShell
  Using powershell.exe command.
  execution
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Clipboard Data
  Adversaries may collect data stored in the clipboard from users copying information within or between applications.
  collection
- Executes dropped EXE
- Loads dropped DLL
- Reads user/profile data of web browsers
  Infostealers often target stored browser data, which can include saved credentials etc.
  spyware stealer
- UPX packed file
  Detects executables packed with UPX/modified UPX open source packer.
  upx
- Unsecured Credentials: Credentials In Files
  Steal credentials from unsecured files.
  credential_access stealer
- Accesses cryptocurrency files/wallets, possible credential harvesting
  spyware
- Looks up external IP address via web service
  Uses a legitimate IP lookup service to find the infected system's external IP.
- Obfuscated Files or Information: Command Obfuscation
  Adversaries may obfuscate content during command execution to impede detection.
  defense_evasion
- Enumerates processes with tasklist
  discovery
behavioral1 behavioral2