Resubmissions

19-10-2024 04:22

241019-ezkjrsxapd 10

19-10-2024 04:20

241019-eydd3axajc 10

Analysis

  • max time kernel
    139s
  • max time network
    135s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20241007-en
  • resource tags

    arch:x64, arch:x86, image:win10v2004-20241007-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    19-10-2024 04:22

General

  • Target

    celexcudeapito.exe

  • Size

    1.8MB

  • MD5

    7a83c409d62508be138dc3f34388a9b9

  • SHA1

    aa25aa410bebe70ebc198724ee6fcdb136c5b1c3

  • SHA256

    c4bca7bc159f3acc7aa640e0e0e4af9628589ee3f883b599130fa7106084e890

  • SHA512

    f0847f85eaff1134a9c0f7449d29cce42a36cfded599b6e16ee82188185da97451d3f2e6fe06ce9cf04a970fe980db5d039c27f972c7b45f26e726a74c092fe8

  • SSDEEP

    49152:ADjlabwz9qwXGH9WlwRkRIVI9w9S0RhFLTqKr:Aqw9MN9VIb6Lr

Malware Config

Extracted

Family

discordrat

Attributes
  • discord_token

    MTI5NjYzNTE3NjA0MTk3NTgxOA.Gk_FFl.rzX6LBdObHooYXuBei4jkvA7oRi8ecnVq0nMZE

  • server_id

    1297012772168667258

Signatures

  • Discord RAT

    A RAT written in C# using Discord as a C2.

  • Checks computer location settings (2 TTPs, 1 IoCs)

    Looks up country code configured in the registry, likely geofence.

  • Executes dropped EXE (2 IoCs)
  • Legitimate hosting services abused for malware hosting/C2 (1 TTPs, 7 IoCs)
  • Enumerates physical storage devices (1 TTPs)

    Attempts to interact with connected storage/optical drive(s).

  • Suspicious use of AdjustPrivilegeToken (1 IoCs)
  • Suspicious use of WriteProcessMemory (4 IoCs)

Processes

  • C:\Users\Admin\AppData\Local\Temp\celexcudeapito.exe
    "C:\Users\Admin\AppData\Local\Temp\celexcudeapito.exe"
    1⤵
    • Checks computer location settings
    • Suspicious use of WriteProcessMemory
    PID:2084
    • C:\Users\Admin\AppData\Local\Temp\RarSFX0\vai se fuder roblox.exe
      "C:\Users\Admin\AppData\Local\Temp\RarSFX0\vai se fuder roblox.exe"
      2⤵
      • Executes dropped EXE
      PID:4040
    • C:\Users\Admin\AppData\Local\Temp\RarSFX0\backdoor.exe
      "C:\Users\Admin\AppData\Local\Temp\RarSFX0\backdoor.exe"
      2⤵
      • Executes dropped EXE
      • Suspicious use of AdjustPrivilegeToken
      PID:3264

Network

MITRE ATT&CK Enterprise v15

Downloads

  • C:\Users\Admin\AppData\Local\Temp\RarSFX0\backdoor.exe

    Filesize

    78KB

    MD5

    f7615a8c2c53d5df88f53c7ca1f970cd

    SHA1

    85ca41cc160bf72b8e0aac6130fe386b0c72ed94

    SHA256

    104b5e98f3360cf01eca20384c828ff07ca8256191dbf2331919c49614a22fab

    SHA512

    be36994146def7d9af634bacb931bbdabf0f63f6f963f0a935719aa924104381e65bc374d71314af90ca5a7126eb1e80a7d90eb5954f5e1ba47fee9e2fabe9ee

  • C:\Users\Admin\AppData\Local\Temp\RarSFX0\vai se fuder roblox.exe

    Filesize

    2.2MB

    MD5

    f16cf9f4ca1b3c6d78525a6b6decd80f

    SHA1

    29eaff2fd438c415931aae1b6846d195debade9b

    SHA256

    0b8fe49d12a5077d652ea5ce99e6db3ac6239c1ac4df6888c45d3c5e0c32895a

    SHA512

    034a003180fdafbd8304c28b8f465bd44218190c35a6e18a510df52a2bae25e16dc8e26945429fa2a9ccc1ca401f17cbcaa418b5339e6ddad921d46a9832c87d

  • memory/3264-21-0x00007FFFDF3C3000-0x00007FFFDF3C5000-memory.dmp

    Filesize

    8KB

  • memory/3264-22-0x000001F7D37E0000-0x000001F7D37F8000-memory.dmp

    Filesize

    96KB

  • memory/3264-23-0x000001F7EDF50000-0x000001F7EE112000-memory.dmp

    Filesize

    1.8MB

  • memory/3264-24-0x00007FFFDF3C0000-0x00007FFFDFE81000-memory.dmp

    Filesize

    10.8MB

  • memory/3264-25-0x000001F7EF140000-0x000001F7EF668000-memory.dmp

    Filesize

    5.2MB

  • memory/3264-26-0x00007FFFDF3C3000-0x00007FFFDF3C5000-memory.dmp

    Filesize

    8KB

  • memory/3264-27-0x00007FFFDF3C0000-0x00007FFFDFE81000-memory.dmp

    Filesize

    10.8MB

  • memory/3264-29-0x00007FFFDF3C0000-0x00007FFFDFE81000-memory.dmp

    Filesize

    10.8MB