blankgrabber | 7c0ea7aaa73815e7a3e7a459b567024bb418afab7a9e2b638a667e2ae331e282

General

Target

PoabGrabber.exe
Size

6.1MB
Sample

241229-h9qqbawnfp
MD5

735103629b36f00e5e0f2d366eaae44f
SHA1

0c71ea959fcf6f3549ad3d7b9392157f54939bdc
SHA256

7c0ea7aaa73815e7a3e7a459b567024bb418afab7a9e2b638a667e2ae331e282
SHA512

f499e720129abfec0c0c5bec2cdfd0d2aac04e2e2225e1992c330332aaf317b1695903875a184d31e4a45e28d5711b2fa3b5771e7541e9a6ada3728dbfed8192
SSDEEP

196608:W0umWQLVOjmFwDRxtYSHdK34kdai7bN3m2kSvW863:SwwK2pM9B3QtWi3

Score

10^/10

Malware Config

Extracted

Family

discordrat

Attributes

discord_token
MTMyMjU3MTk2NDc1MzM4MzQzNA.Gv_tyW.c2mPpnZyoEbjQAuLnYJeYs1MlEgjP2g9Mw53Ro
server_id
1322573461851471983

Targets

- Target
  
  PoabGrabber.exe
- Size
  
  6.1MB
- MD5
  
  735103629b36f00e5e0f2d366eaae44f
- SHA1
  
  0c71ea959fcf6f3549ad3d7b9392157f54939bdc
- SHA256
  
  7c0ea7aaa73815e7a3e7a459b567024bb418afab7a9e2b638a667e2ae331e282
- SHA512
  
  f499e720129abfec0c0c5bec2cdfd0d2aac04e2e2225e1992c330332aaf317b1695903875a184d31e4a45e28d5711b2fa3b5771e7541e9a6ada3728dbfed8192
- SSDEEP
  
  196608:W0umWQLVOjmFwDRxtYSHdK34kdai7bN3m2kSvW863:SwwK2pM9B3QtWi3
Score

10^/10

upx discordrat collection credential_access defense_evasion discovery execution persistence privilege_escalation rat rootkit spyware stealer
- Discord RAT
  A RAT written in C# using Discord as a C2.
  stealer rootkit rat persistence discordrat
- Discordrat family
  discordrat
- Command and Scripting Interpreter: PowerShell
  Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.
  execution
- Drops file in Drivers directory
- Clipboard Data
  Adversaries may collect data stored in the clipboard from users copying information within or between applications.
  collection
- Executes dropped EXE
- Loads dropped DLL
- Reads user/profile data of web browsers
  Infostealers often target stored browser data, which can include saved credentials etc.
  spyware stealer
- Unsecured Credentials: Credentials In Files
  Steal credentials from unsecured files.
  credential_access stealer
- Accesses cryptocurrency files/wallets, possible credential harvesting
  spyware
- Legitimate hosting services abused for malware hosting/C2
- Looks up external IP address via web service
  Uses a legitimate IP lookup service to find the infected system's external IP.
- Obfuscated Files or Information: Command Obfuscation
  Adversaries may obfuscate content during command execution to impede detection.
  defense_evasion
- Enumerates processes with tasklist
  discovery
- UPX packed file
  Detects executables packed with UPX/modified UPX open source packer.
  upx
behavioral1 behavioral2