Analysis
Max time kernel: 399s
Max time network: 400s
Platform: windows10-2004_x64
Resource: win10v2004-20241007-en
Resource tags: arch:x64, arch:x86, image:win10v2004-20241007-en, locale:en-us, os:windows10-2004-x64, system
Submitted: 04-12-2024 11:26
Static task: static1
Behavioral task: behavioral1 (sample badassfuckingtien.exe, resource win7-20240708-en)
Behavioral task: behavioral2 (sample badassfuckingtien.exe, resource win10v2004-20241007-en)
General
Target: badassfuckingtien.exe
Size: 840KB
MD5: 264db47eec711ef618870219832e5dfe
SHA1: 116d2ff601d6640d3fe24fb67492ca2c82d9bbd9
SHA256: 5c8b1d9c70780e1e669b4b34b0e190f6a691b8ada42179e248513feafe5b9ee5
SHA512: 1672cbd9273987fd2d3cb1f843e2e28bb4c107913e0d1562ce6cdd7a403ba40e1bdd05647f3d89b0b00a8dff8328c9fad342f1b771ee391990db6d4855d8ad56
SSDEEP: 24576:9uDXTIGaPhEYzUzA0q5VR0cNnns+UrZtb5jpXw86qh:gDjlabwz9iVR0WnQZ5xpA86qh
Malware Config
Extracted family: discordrat
discord_token: MTMxMzYwMzQzNTY5MzYwOTEwMg.G0k280.tlujv7Qu1u6uHZMDdDCuyzSTaLQITkGmfU0u3s
server_id: 1312325986385264681
Signatures

Discord RAT
A RAT written in C# using Discord as a C2.

Discordrat family

Downloads MZ/PE file

Checks computer location settings (2 TTPs, 1 IoC)
Looks up the country code configured in the registry, likely a geofence.
Processes (description | ioc | process):
Key value queried | \REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\Control Panel\International\Geo\Nation | badassfuckingtien.exe

Executes dropped EXE (1 IoC)
Processes (pid | process):
1668 | backdoor.exe

Reads user/profile data of web browsers (3 TTPs)
Infostealers often target stored browser data, which can include saved credentials etc.

Legitimate hosting services abused for malware hosting/C2 (1 TTP, 12 IoCs)
Processes (flow | ioc):
46 | discord.com
47 | raw.githubusercontent.com
48 | raw.githubusercontent.com
49 | discord.com
50 | discord.com
52 | raw.githubusercontent.com
17 | discord.com
22 | discord.com
54 | discord.com
53 | discord.com
19 | discord.com
45 | discord.com

Enumerates physical storage devices (1 TTP)
Attempts to interact with connected storage/optical drive(s).

Suspicious use of AdjustPrivilegeToken (1 IoC)
Processes (description | pid | process):
Token: SeDebugPrivilege | 1668 | backdoor.exe

Suspicious use of WriteProcessMemory (2 IoCs)
Processes (description | pid | process | procid_target):
PID 2788 wrote to memory of 1668 | 2788 | badassfuckingtien.exe | 92
PID 2788 wrote to memory of 1668 | 2788 | badassfuckingtien.exe | 92
Processes
1. C:\Users\Admin\AppData\Local\Temp\badassfuckingtien.exe "C:\Users\Admin\AppData\Local\Temp\badassfuckingtien.exe" (PID 2788)
   - Checks computer location settings
   - Suspicious use of WriteProcessMemory
   2. C:\Users\Admin\AppData\Local\Temp\RarSFX0\backdoor.exe "C:\Users\Admin\AppData\Local\Temp\RarSFX0\backdoor.exe" (PID 1668)
      - Executes dropped EXE
      - Suspicious use of AdjustPrivilegeToken
Network
MITRE ATT&CK Enterprise v15
Downloads
Filesize: 78KB
MD5: 83584a62c33baae3be8b48c32ae4acb6
SHA1: 9bb68ea8bb9f2c2e54d9a0efff4a66a512ac90b5
SHA256: 56bc5859994282eb5b672c9b27c2ef7cad232af34c9033077a949b04d6c55c58
SHA512: 554caabadea24ad0c2f0e1c55632d76b12e2f19ce506f5dffa39f841e35d263bffb001e2f6ebab043070794f97f988802e3db086092e28f262b36569ed8c7d79