Overview

overview

10

Static

static

10

ImageLogge...ed.exe

windows7-x64

10

ImageLogge...ed.exe

windows10-2004-x64

10

Resubmissions

07-11-2024 17:59

241107-wksehawmb1 10

06-11-2024 11:31

241106-nm7m7szapg 10

05-11-2024 22:04

241105-1y6aqsynhv 10

05-11-2024 21:53

241105-1rm6ksyhqe 10

04-11-2024 20:03

241104-ysp1fsvrfz 10

04-11-2024 20:03

241104-yspppaypcq 10

04-11-2024 20:03

241104-ysn36aypcp 10

04-11-2024 20:03

241104-ysnsdswhmm 10

04-11-2024 20:03

241104-ysm6vswhml 10

Analysis

  • max time kernel
    27s
  • max time network
    29s
  • platform
    windows7_x64
  • resource
    win7-20240903-en
  • resource tags

    arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
  • submitted
    06-11-2024 11:31

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    ImageLogger-cleaned.exe

  • Size

    78KB

  • MD5

    8460a2ac97b2c6d2658664c718f84533

  • SHA1

    110f9849759ff8b034fdf0eb36445c37187858af

  • SHA256

    6a88e4cd73a6a4b7768b1df63aa7ff54d911568d3cd62d88c4b447cec1cb1ff2

  • SHA512

    2286e4429ac1e829150db13b9896c9f6db7d6da4b2003742c831edfd2a21e29565e87bd97a9ef98802f20239d9c89139c5026a331506d4f24da4bd8f4a19affe

  • SSDEEP

    1536:2a/yGXNiPw3iU8Bz/oNrfxCXhRoKV6+V+kPIZ:lEzgNrmAE+4IZ

Score
10/10
discordratpersistenceratrootkitstealer

Malware Config

Extracted

Family

discordrat

Attributes
  • discord_token

    MTI5NzUzOTkxNjAxNTg2NTkwNw.Gfdmm0.1DHqcqM266sEW3k8XieYxIORIkysBrFHb6r-3Q

  • server_id

    1297365710649036921

Signatures

  • Discord RAT

    A RAT written in C# using Discord as a C2.

    stealerrootkitratpersistencediscordrat
  • Discordrat family
    discordrat
  • Suspicious behavior: EnumeratesProcesses 16 IoCs
  • Suspicious use of AdjustPrivilegeToken 1 IoCs
  • Suspicious use of FindShellTrayWindow 42 IoCs
  • Suspicious use of SendNotifyMessage 42 IoCs
  • Suspicious use of WriteProcessMemory 3 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\ImageLogger-cleaned.exe
    "C:\Users\Admin\AppData\Local\Temp\ImageLogger-cleaned.exe"
    1⤵
    • Suspicious use of WriteProcessMemory
    PID:2520
    • C:\Windows\system32\WerFault.exe
      C:\Windows\system32\WerFault.exe -u -p 2520 -s 600
      2⤵
        PID:2312
    • C:\Windows\system32\taskmgr.exe
      "C:\Windows\system32\taskmgr.exe" /4
      1⤵
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of FindShellTrayWindow
      • Suspicious use of SendNotifyMessage
      PID:2544
    • C:\Windows\explorer.exe
      "C:\Windows\explorer.exe"
      1⤵
        PID:2880

      Network

      MITRE ATT&CK Matrix

      Replay Monitor

      Loading Replay Monitor...

      Downloads

      • memory/2520-0-0x000007FEF5C13000-0x000007FEF5C14000-memory.dmp

        Filesize

        4KB

        Download

      • memory/2520-1-0x000000013F680000-0x000000013F698000-memory.dmp

        Filesize

        96KB

        Download

      • memory/2520-2-0x000007FEF5C10000-0x000007FEF65FC000-memory.dmp

        Filesize

        9.9MB

        Download

      • memory/2520-3-0x000007FEF5C10000-0x000007FEF65FC000-memory.dmp

        Filesize

        9.9MB

        Download

      • memory/2544-4-0x0000000140000000-0x00000001405E8000-memory.dmp

        Filesize

        5.9MB

        Download

      • memory/2544-5-0x0000000140000000-0x00000001405E8000-memory.dmp

        Filesize

        5.9MB

        Download

      • memory/2544-6-0x0000000140000000-0x00000001405E8000-memory.dmp

        Filesize

        5.9MB

        Download

      • memory/2544-7-0x0000000140000000-0x00000001405E8000-memory.dmp

        Filesize

        5.9MB

        Download