Resubmissions

26-11-2024 15:02

241126-sen84ssmen 10

21-11-2024 16:57

241121-vgdlhayjer 10

20-11-2024 20:52

241120-znzvjasrey 10

17-11-2024 15:34

241117-sz14easlbs 10

General

  • Target

    SIGMA.exe

  • Size

    8.4MB

  • Sample

    241126-sen84ssmen

  • MD5

    30e6d63f20707c4b9b9a3025432e0046

  • SHA1

    7b3247927b9c6a48a153f0caaf383fc5f0720d3a

  • SHA256

    80214672f15b4f10ed899f566dc70ef28123cb4c1c4d9e2df08c404414571399

  • SHA512

    cf1fabf80f19eb9d36e9b8748929fe86f9388249d8db715ef46936e16372dfbbe65492392002c81d7f7e8d9ecdb7a3cfcb18d46dc197fc86111196373c9e15d2

  • SSDEEP

    196608:VTuYyXwfI9jUCzi4H1qSiXLGVi7DMgpZASEyQ0VMwICEc/jb:vIHziK1piXLGVE4UrS0VJX

Malware Config

Extracted

Family

discordrat

Attributes
  • discord_token

    MTMwNzY5MTM0MDAzNjk2NDM4NA.GlNnmM.EmCM5xkHRnU95wVkGidcxtbz7l0Jfhj7Erc0EI

  • server_id

    1307689713271836672

Targets

    • Target

      SIGMA.exe

    • Size

      8.4MB

    • MD5

      30e6d63f20707c4b9b9a3025432e0046

    • SHA1

      7b3247927b9c6a48a153f0caaf383fc5f0720d3a

    • SHA256

      80214672f15b4f10ed899f566dc70ef28123cb4c1c4d9e2df08c404414571399

    • SHA512

      cf1fabf80f19eb9d36e9b8748929fe86f9388249d8db715ef46936e16372dfbbe65492392002c81d7f7e8d9ecdb7a3cfcb18d46dc197fc86111196373c9e15d2

    • SSDEEP

      196608:VTuYyXwfI9jUCzi4H1qSiXLGVi7DMgpZASEyQ0VMwICEc/jb:vIHziK1piXLGVE4UrS0VJX

    • Discord RAT

      A RAT written in C# using Discord as a C2.

    • Discordrat family

    • Command and Scripting Interpreter: PowerShell

      Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

    • Drops file in Drivers directory

    • Clipboard Data

      Adversaries may collect data stored in the clipboard from users copying information within or between applications.

    • Executes dropped EXE

    • Loads dropped DLL

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials etc.

    • Unsecured Credentials: Credentials In Files

      Steal credentials from unsecured files.

    • Accesses cryptocurrency files/wallets, possible credential harvesting

    • Legitimate hosting services abused for malware hosting/C2

    • Looks up external IP address via web service

      Uses a legitimate IP lookup service to find the infected system's external IP.

    • Obfuscated Files or Information: Command Obfuscation

      Adversaries may obfuscate content during command execution to impede detection.

    • Enumerates processes with tasklist

    • UPX packed file

      Detects executables packed with UPX/modified UPX open source packer.

MITRE ATT&CK Enterprise v15

Tasks