Overview

overview

10

Static

static

10

LoaderBasic.exe

windows7-x64

10

LoaderBasic.exe

windows10-2004-x64

Analysis

  • max time kernel
    124s
  • max time network
    135s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20241007-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
  • submitted
    13-12-2024 03:15

Sharing

Copy URL
Twitter E-mail

Errors

Reason
Machine shutdown
Report Analysis Logs

General

  • Target

    LoaderBasic.exe

  • Size

    92KB

  • MD5

    46094da1bb8a34bf64fdf689691b2595

  • SHA1

    9b95170dd9c718a14e49396a9f8a374e72357220

  • SHA256

    cb6d814bf564af56be38a29e93aebd665c29736179462cfb9f9b69f946af8466

  • SHA512

    0a1fb7d4d540161501978dde8a141ac899f35e3e8cce0a7a54d712592de9512e86392ed265811f44ecc930a42f17b96cf572d31901cde3646be19cedb99e1657

  • SSDEEP

    1536:EbPuJtGN8F+9okEPBAqcBPDyc5I0bpAkAfLgbGNrE9xCIpOMel53:SuJkN8FwokzBBPDyc5RQgbGNrPlt

Score
10/10
discordratpersistenceransomwareratrootkitstealer

Malware Config

Extracted

Family

discordrat

Attributes
  • discord_token

    MTEyODc1NDE4NjI0MzI5NzMwMg.G_xQWE.8Vr08GKNWwCukUxcxGqNOzrKAxZRbWmAMlXKag

  • server_id

    1316838123023630386

Signatures

  • Discord RAT

    A RAT written in C# using Discord as a C2.

    stealerrootkitratpersistencediscordrat
  • Discordrat family
    discordrat
  • Legitimate hosting services abused for malware hosting/C2 1 TTPs 17 IoCs
  • Sets desktop wallpaper using registry 2 TTPs 3 IoCs
    ransomware
  • Suspicious behavior: EnumeratesProcesses 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 2 IoCs
  • Suspicious use of FindShellTrayWindow 2 IoCs
  • Suspicious use of SetWindowsHookEx 1 IoCs
  • Suspicious use of WriteProcessMemory 4 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\LoaderBasic.exe
    "C:\Users\Admin\AppData\Local\Temp\LoaderBasic.exe"
    1⤵
    • Sets desktop wallpaper using registry
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of FindShellTrayWindow
    • Suspicious use of SetWindowsHookEx
    • Suspicious use of WriteProcessMemory
    PID:552
    • C:\Windows\SYSTEM32\cmd.exe
      "cmd.exe" /C msg * a
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:2148
      • C:\Windows\system32\msg.exe
        msg * a
        3⤵
          PID:1128

    Network

    MITRE ATT&CK Enterprise v15

    Replay Monitor

    Loading Replay Monitor...

    Downloads

    • memory/552-1-0x0000024ED47A0000-0x0000024ED47BC000-memory.dmp

      Filesize

      112KB

      Download

    • memory/552-0-0x00007FFEE9E93000-0x00007FFEE9E95000-memory.dmp

      Filesize

      8KB

      Download

    • memory/552-2-0x0000024EEEDE0000-0x0000024EEEFA2000-memory.dmp

      Filesize

      1.8MB

      Download

    • memory/552-3-0x00007FFEE9E90000-0x00007FFEEA951000-memory.dmp

      Filesize

      10.8MB

      Download

    • memory/552-4-0x0000024EEF5E0000-0x0000024EEFB08000-memory.dmp

      Filesize

      5.2MB

      Download

    • memory/552-5-0x00007FFEE9E93000-0x00007FFEE9E95000-memory.dmp

      Filesize

      8KB

      Download

    • memory/552-6-0x00007FFEE9E90000-0x00007FFEEA951000-memory.dmp

      Filesize

      10.8MB

      Download