Windows 7 deprecation
Windows 7 will be removed from tria.ge on 2025-03-31
Resubmissions
26/01/2025, 06:17
250126-g134lswjbr 1026/01/2025, 00:44
250126-a3vrpawkay 1025/01/2025, 07:43
250125-jkl69ssqat 1025/01/2025, 06:18
250125-g2zsks1nck 1007/11/2024, 17:59
241107-wksehawmb1 1006/11/2024, 11:31
241106-nm7m7szapg 1005/11/2024, 22:04
241105-1y6aqsynhv 1005/11/2024, 21:53
241105-1rm6ksyhqe 1004/11/2024, 20:03
241104-ysp1fsvrfz 10Analysis
-
max time kernel
27s -
max time network
29s -
platform
windows7_x64 -
resource
win7-20240903-en -
resource tags
arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system -
submitted
06/11/2024, 11:31
Behavioral task
behavioral1
Sample
ImageLogger-cleaned.exe
Resource
win7-20240903-en
windows7-x64
Behavioral task
behavioral2
Sample
ImageLogger-cleaned.exe
Resource
win10v2004-20241007-en
windows10-2004-x64
General
-
Target
ImageLogger-cleaned.exe
-
Size
78KB
-
MD5
8460a2ac97b2c6d2658664c718f84533
-
SHA1
110f9849759ff8b034fdf0eb36445c37187858af
-
SHA256
6a88e4cd73a6a4b7768b1df63aa7ff54d911568d3cd62d88c4b447cec1cb1ff2
-
SHA512
2286e4429ac1e829150db13b9896c9f6db7d6da4b2003742c831edfd2a21e29565e87bd97a9ef98802f20239d9c89139c5026a331506d4f24da4bd8f4a19affe
-
SSDEEP
1536:2a/yGXNiPw3iU8Bz/oNrfxCXhRoKV6+V+kPIZ:lEzgNrmAE+4IZ
Malware Config
Extracted
discordrat
-
discord_token
MTI5NzUzOTkxNjAxNTg2NTkwNw.Gfdmm0.1DHqcqM266sEW3k8XieYxIORIkysBrFHb6r-3Q
-
server_id
1297365710649036921
Signatures
-
Discord RAT
A RAT written in C# using Discord as a C2.
-
Discordrat family
-
Suspicious behavior: EnumeratesProcesses 16 IoCs
pid Process 2544 taskmgr.exe 2544 taskmgr.exe 2544 taskmgr.exe 2544 taskmgr.exe 2544 taskmgr.exe 2544 taskmgr.exe 2544 taskmgr.exe 2544 taskmgr.exe 2544 taskmgr.exe 2544 taskmgr.exe 2544 taskmgr.exe 2544 taskmgr.exe 2544 taskmgr.exe 2544 taskmgr.exe 2544 taskmgr.exe 2544 taskmgr.exe -
Suspicious use of AdjustPrivilegeToken 1 IoCs
description pid Process Token: SeDebugPrivilege 2544 taskmgr.exe -
Suspicious use of FindShellTrayWindow 42 IoCs
pid Process 2544 taskmgr.exe 2544 taskmgr.exe 2544 taskmgr.exe 2544 taskmgr.exe 2544 taskmgr.exe 2544 taskmgr.exe 2544 taskmgr.exe 2544 taskmgr.exe 2544 taskmgr.exe 2544 taskmgr.exe 2544 taskmgr.exe 2544 taskmgr.exe 2544 taskmgr.exe 2544 taskmgr.exe 2544 taskmgr.exe 2544 taskmgr.exe 2544 taskmgr.exe 2544 taskmgr.exe 2544 taskmgr.exe 2544 taskmgr.exe 2544 taskmgr.exe 2544 taskmgr.exe 2544 taskmgr.exe 2544 taskmgr.exe 2544 taskmgr.exe 2544 taskmgr.exe 2544 taskmgr.exe 2544 taskmgr.exe 2544 taskmgr.exe 2544 taskmgr.exe 2544 taskmgr.exe 2544 taskmgr.exe 2544 taskmgr.exe 2544 taskmgr.exe 2544 taskmgr.exe 2544 taskmgr.exe 2544 taskmgr.exe 2544 taskmgr.exe 2544 taskmgr.exe 2544 taskmgr.exe 2544 taskmgr.exe 2544 taskmgr.exe -
Suspicious use of SendNotifyMessage 42 IoCs
pid Process 2544 taskmgr.exe 2544 taskmgr.exe 2544 taskmgr.exe 2544 taskmgr.exe 2544 taskmgr.exe 2544 taskmgr.exe 2544 taskmgr.exe 2544 taskmgr.exe 2544 taskmgr.exe 2544 taskmgr.exe 2544 taskmgr.exe 2544 taskmgr.exe 2544 taskmgr.exe 2544 taskmgr.exe 2544 taskmgr.exe 2544 taskmgr.exe 2544 taskmgr.exe 2544 taskmgr.exe 2544 taskmgr.exe 2544 taskmgr.exe 2544 taskmgr.exe 2544 taskmgr.exe 2544 taskmgr.exe 2544 taskmgr.exe 2544 taskmgr.exe 2544 taskmgr.exe 2544 taskmgr.exe 2544 taskmgr.exe 2544 taskmgr.exe 2544 taskmgr.exe 2544 taskmgr.exe 2544 taskmgr.exe 2544 taskmgr.exe 2544 taskmgr.exe 2544 taskmgr.exe 2544 taskmgr.exe 2544 taskmgr.exe 2544 taskmgr.exe 2544 taskmgr.exe 2544 taskmgr.exe 2544 taskmgr.exe 2544 taskmgr.exe -
Suspicious use of WriteProcessMemory 3 IoCs
description pid Process procid_target PID 2520 wrote to memory of 2312 2520 ImageLogger-cleaned.exe 30 PID 2520 wrote to memory of 2312 2520 ImageLogger-cleaned.exe 30 PID 2520 wrote to memory of 2312 2520 ImageLogger-cleaned.exe 30
Processes
-
C:\Users\Admin\AppData\Local\Temp\ImageLogger-cleaned.exe"C:\Users\Admin\AppData\Local\Temp\ImageLogger-cleaned.exe"1⤵
- Suspicious use of WriteProcessMemory
PID:2520 -
C:\Windows\system32\WerFault.exeC:\Windows\system32\WerFault.exe -u -p 2520 -s 6002⤵PID:2312
-
-
C:\Windows\system32\taskmgr.exe"C:\Windows\system32\taskmgr.exe" /41⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:2544
-
C:\Windows\explorer.exe"C:\Windows\explorer.exe"1⤵PID:2880