Analysis

  • max time kernel
    77s
  • max time network
    87s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20241007-en
  • resource tags

    arch:x64, arch:x86, image:win10v2004-20241007-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    01-11-2024 19:03

Errors

Reason
Machine shutdown

General

  • Target

    ad085243fcf91d0898c71f4210270e518bb33a408a2685528f4c6d4eb22b3bde.exe

  • Size

    526KB

  • MD5

    92bb43f6f8a760822a4c9dba73e6b48c

  • SHA1

    e806fc23f2d36fef6ca27691958de54042d46115

  • SHA256

    ad085243fcf91d0898c71f4210270e518bb33a408a2685528f4c6d4eb22b3bde

  • SHA512

    e8bb117112702d37446e972373e89000d38c2e4ae60eb9cf6042de0b79f7b3f963327c0a4407e573ad02b87a23cd5244b167e2f655a5723ed9736221328f87d8

  • SSDEEP

    12288:byveQB/fTHIGaPkKEYzURNAwbAg8gXD8hJWvL957N:buDXTIGaPhEYzUzA0q+D8hJILx

Malware Config

Extracted

Family

discordrat

Attributes
  • discord_token

    MTI2Nzk0OTE4MzA2ODAxNjY4Mg.GloXQt.SglpUgV9VY8CpfcHZ0q4PtoqMh7uTBo72Ssxkc

  • server_id

    1301935595399938108

Signatures

  • Discord RAT

    A RAT written in C# using Discord as a C2.

  • Discordrat family
  • Checks computer location settings 2 TTPs 1 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Executes dropped EXE 1 IoCs
  • Legitimate hosting services abused for malware hosting/C2 1 TTPs 7 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Suspicious use of AdjustPrivilegeToken 2 IoCs
  • Suspicious use of WriteProcessMemory 2 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\ad085243fcf91d0898c71f4210270e518bb33a408a2685528f4c6d4eb22b3bde.exe
    "C:\Users\Admin\AppData\Local\Temp\ad085243fcf91d0898c71f4210270e518bb33a408a2685528f4c6d4eb22b3bde.exe"
    1⤵
    • Checks computer location settings
    • Suspicious use of WriteProcessMemory
    PID:3524
    • C:\Users\Admin\AppData\Local\Temp\RarSFX0\system32.exe
      "C:\Users\Admin\AppData\Local\Temp\RarSFX0\system32.exe"
      2⤵
      • Executes dropped EXE
      • Suspicious use of AdjustPrivilegeToken
      PID:2816

Network

MITRE ATT&CK Enterprise v15

Downloads

  • C:\Users\Admin\AppData\Local\Temp\RarSFX0\system32.exe

    Filesize

    78KB

    MD5

    969aef976f510fda3e48243cba5bc4a7

    SHA1

    d4a34820041a3d97d1d9d8a472a539c4cbbe3f0d

    SHA256

    b2e97beeda99d18067e4dfe48042c6cef48b5bcedf65e6a91bde519f75be14a9

    SHA512

    834fcd840046636f7e2be008db8feada3cfd676ba3eba1282ec51caac89799d63e78c6d9fef71d8e3da88166847fe1548b5546b1e2a0a9b7dfc8c30df9efdc17

  • memory/2816-14-0x00007FFD6BCB3000-0x00007FFD6BCB5000-memory.dmp

    Filesize

    8KB

  • memory/2816-15-0x000001BCE75C0000-0x000001BCE75D8000-memory.dmp

    Filesize

    96KB

  • memory/2816-16-0x000001BCE9C20000-0x000001BCE9DE2000-memory.dmp

    Filesize

    1.8MB

  • memory/2816-17-0x00007FFD6BCB0000-0x00007FFD6C771000-memory.dmp

    Filesize

    10.8MB

  • memory/2816-18-0x000001BCEAD10000-0x000001BCEB238000-memory.dmp

    Filesize

    5.2MB

  • memory/2816-19-0x00007FFD6BCB3000-0x00007FFD6BCB5000-memory.dmp

    Filesize

    8KB

  • memory/2816-20-0x00007FFD6BCB0000-0x00007FFD6C771000-memory.dmp

    Filesize

    10.8MB