Overview

overview

10

Static

static

3

3bacfe46c9...e5.exe

windows7-x64

10

3bacfe46c9...e5.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    91s
  • max time network
    115s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20241007-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
  • submitted
    26-12-2024 01:57

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    3bacfe46c94013a1ac4391aad3703b66c83c5f24b83988a20aa0688b75e38be5.exe

  • Size

    312KB

  • MD5

    206c5e9315996b26d6522aa75affdb5c

  • SHA1

    618ad2c12f81a1a6520b8abfcbcada10bb18f353

  • SHA256

    3bacfe46c94013a1ac4391aad3703b66c83c5f24b83988a20aa0688b75e38be5

  • SHA512

    d033501360cab478372d9738f0b1ea818bd4ee3de2f760623440696060e8f88e4e0775b7807ce979b77175c54fa5155d3fb23e8ddb11097ac7a4e959e98cff14

  • SSDEEP

    6144:hIIcrXQ4S33w614mazUBHfSdocWYD24BfiDFinGTH8LR:/crNS33L10QdrX4fqinGALR

Score
10/10
discordratdiscoverypersistenceratrootkitstealer

Malware Config

Extracted

Family

discordrat

Attributes
  • discord_token

    MTMxOTg2OTgyOTM2MDEyODA3MQ.G49tLk.gKrl1f-9DXCakQDl5EQiEC-4rrMdZtmrIPsZ_M

  • server_id

    1319869367160275024

Signatures

  • Discord RAT

    A RAT written in C# using Discord as a C2.

    stealerrootkitratpersistencediscordrat
  • Discordrat family
    discordrat
  • Checks computer location settings 2 TTPs 1 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Executes dropped EXE 1 IoCs
  • Legitimate hosting services abused for malware hosting/C2 1 TTPs 3 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • System Location Discovery: System Language Discovery 1 TTPs 1 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

    discovery
  • Suspicious use of AdjustPrivilegeToken 1 IoCs
  • Suspicious use of WriteProcessMemory 2 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\3bacfe46c94013a1ac4391aad3703b66c83c5f24b83988a20aa0688b75e38be5.exe
    "C:\Users\Admin\AppData\Local\Temp\3bacfe46c94013a1ac4391aad3703b66c83c5f24b83988a20aa0688b75e38be5.exe"
    1⤵
    • Checks computer location settings
    • System Location Discovery: System Language Discovery
    • Suspicious use of WriteProcessMemory
    PID:4764
    • C:\Users\Admin\AppData\Local\Temp\RarSFX0\backdoor.exe
      "C:\Users\Admin\AppData\Local\Temp\RarSFX0\backdoor.exe"
      2⤵
      • Executes dropped EXE
      • Suspicious use of AdjustPrivilegeToken
      PID:456

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\AppData\Local\Temp\RarSFX0\backdoor.exe
    Filesize

    78KB

    MD5

    0729e0a7bd07e3c627461aba5c4fdf3d

    SHA1

    7ed085a379bab804f36b991dedc263570e9cca8c

    SHA256

    4587d63506c1ea2a973c09ed4ac7778911165143c111cece96c96bc6d0c8ac48

    SHA512

    036a803c16d7936cc4a4c16817e49e57994d4558baadfb945222013018a687fa9656efe95027a597a9f064de3eaa4633b32b2fe5a71e8efb25de02ec130aeb08

    Download Submit

  • memory/456-12-0x00007FFF2AC83000-0x00007FFF2AC85000-memory.dmp

    Filesize

    8KB

    Download

  • memory/456-13-0x0000022A04680000-0x0000022A04698000-memory.dmp

    Filesize

    96KB

    Download

  • memory/456-14-0x0000022A1EE30000-0x0000022A1EFF2000-memory.dmp

    Filesize

    1.8MB

    Download

  • memory/456-15-0x00007FFF2AC80000-0x00007FFF2B741000-memory.dmp

    Filesize

    10.8MB

    Download

  • memory/456-16-0x0000022A1F630000-0x0000022A1FB58000-memory.dmp

    Filesize

    5.2MB

    Download

  • memory/456-17-0x00007FFF2AC83000-0x00007FFF2AC85000-memory.dmp

    Filesize

    8KB

    Download

  • memory/456-18-0x00007FFF2AC80000-0x00007FFF2B741000-memory.dmp

    Filesize

    10.8MB

    Download