General
-
Target
Versal Wallet Miner.exe
-
Size
17.3MB
-
Sample
241126-22dwbstrcx
-
MD5
f14fd88ea6e9a20ee19a040258131eb0
-
SHA1
b9fcbc22750fc71d4e0d77bee73f983dd60c15df
-
SHA256
cada552cf5b6543a9912f10595dd2f0e09439aae82807ab5c89c0530f709ebe1
-
SHA512
c48446c60a2c3d895d13392a45949e572efdc9c61bce4bc1286c6cf1aabd5668d92d1a1f3c3a8e1dd247db943b562cf29f1854bf6774034d365dd80a067ce412
-
SSDEEP
393216:lqbrPQ+neovbHYi5P2LQHi9yAf6x0/u0cQzZo/0sH5JnivJM0tH:4brY+eo4i5PuQHi4L0/uiCPZJAa0
Malware Config
Extracted
discordrat
-
discord_token
MTMwODc0NzE1MTI1MzE4MDU2OA.GbxO_D._a3OsoX5ZAA2u6bHkqnYVm1ylz4DH0RyRqIHUA
-
server_id
1308746945250066522
Targets
-
-
Target
Versal Wallet Miner.exe
-
Size
17.3MB
-
MD5
f14fd88ea6e9a20ee19a040258131eb0
-
SHA1
b9fcbc22750fc71d4e0d77bee73f983dd60c15df
-
SHA256
cada552cf5b6543a9912f10595dd2f0e09439aae82807ab5c89c0530f709ebe1
-
SHA512
c48446c60a2c3d895d13392a45949e572efdc9c61bce4bc1286c6cf1aabd5668d92d1a1f3c3a8e1dd247db943b562cf29f1854bf6774034d365dd80a067ce412
-
SSDEEP
393216:lqbrPQ+neovbHYi5P2LQHi9yAf6x0/u0cQzZo/0sH5JnivJM0tH:4brY+eo4i5PuQHi4L0/uiCPZJAa0
Score10/10-
Discord RAT
A RAT written in C# using Discord as a C2.
-
Discordrat family
-
Command and Scripting Interpreter: PowerShell
Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.
-
Command and Scripting Interpreter: PowerShell
Using powershell.exe command.
-
Drops file in Drivers directory
-
Checks computer location settings
Looks up country code configured in the registry, likely geofence.
-
Clipboard Data
Adversaries may collect data stored in the clipboard from users copying information within or between applications.
-
Executes dropped EXE
-
Loads dropped DLL
-
Reads user/profile data of web browsers
Infostealers often target stored browser data, which can include saved credentials etc.
-
Unsecured Credentials: Credentials In Files
Steal credentials from unsecured files.
-
Accesses cryptocurrency files/wallets, possible credential harvesting
-
Legitimate hosting services abused for malware hosting/C2
-
Looks up external IP address via web service
Uses a legitimate IP lookup service to find the infected system's external IP.
-
Obfuscated Files or Information: Command Obfuscation
Adversaries may obfuscate content during command execution to impede detection.
-
Drops file in System32 directory
-
Enumerates processes with tasklist
-
Suspicious use of SetThreadContext
-
UPX packed file
Detects executables packed with UPX/modified UPX open source packer.
-
MITRE ATT&CK Enterprise v15
Execution
Command and Scripting Interpreter
2PowerShell
2Scheduled Task/Job
1Scheduled Task
1Persistence
Event Triggered Execution
1Netsh Helper DLL
1Scheduled Task/Job
1Scheduled Task
1Privilege Escalation
Event Triggered Execution
1Netsh Helper DLL
1Scheduled Task/Job
1Scheduled Task
1Defense Evasion
Hide Artifacts
1Hidden Files and Directories
1Obfuscated Files or Information
1Command Obfuscation
1Credential Access
Credentials from Password Stores
1Credentials from Web Browsers
1Unsecured Credentials
3Credentials In Files
3