General

  • Target

    virus.rar

  • Size

    16.1MB

  • Sample

    250101-e3m43axlal

  • MD5

    1f1227c4f5adbd1bbd0da542d65cb9bd

  • SHA1

    391ec5b53a1010dbddbef355fb3908f9f397e644

  • SHA256

    2ecbb7bc7319ecdcb2d9d4bbf38deabd2a3a93999e02f595d9413bb4b9767171

  • SHA512

    44ded61a2fd0ca3c3b053fe494c2814e9040ee764ab9787339f8d24950ddeb47323d3b9dfe51d3732b79fe9279de950b8059f0cb020d94898442c043e45da945

  • SSDEEP

    393216:jUWz9Iz3I9sGLyR5No1JOPww0rZ0jJ7ksBQwdr381J+TEhVDtaxpr5:84ZmnmwwwjzQwdHjH9

Malware Config

Extracted

Family

discordrat

Attributes
  • discord_token

    MTMyMzg2NTkxNDI4NjAxODY2NQ.GWEzhT.LfNT1TRxrNi0wH4g7-xuQFdnyioFM2jNkyqNMk

  • server_id

    1323845201596387451
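The extracted config identifies more than a secret to revoke. As an added example (not part of the sandbox report), the block below decodes the two IDs it contains, using the documented Discord layouts: a bot token is three dot-separated segments, the first being the unpadded base64 of the bot's user ID, and every Discord ID is a snowflake whose upper 42 bits are milliseconds since 2015-01-01T00:00:00Z. The token and server_id are the values extracted above; everything else is the example's own code.

```python
"""Decode the Discord IDs in the extracted discordrat config.

Added example, not part of the sandbox report. Assumes the documented
Discord layouts: a bot token is three dot-separated segments, the first
being the unpadded base64 of the bot's user ID; IDs are snowflakes whose
top 42 bits are milliseconds since 2015-01-01T00:00:00Z.
"""
import base64
from datetime import datetime, timedelta, timezone

DISCORD_EPOCH = datetime(2015, 1, 1, tzinfo=timezone.utc)

# Values copied from the report's "Malware Config" section.
TOKEN = "MTMyMzg2NTkxNDI4NjAxODY2NQ.GWEzhT.LfNT1TRxrNi0wH4g7-xuQFdnyioFM2jNkyqNMk"
SERVER_ID = 1323845201596387451


def bot_id_from_token(token: str) -> int:
    """Return the bot user ID encoded in the first token segment."""
    segments = token.split(".")
    if len(segments) != 3:
        raise ValueError("expected three dot-separated token segments")
    first = segments[0]
    padded = first + "=" * (-len(first) % 4)  # restore the stripped '=' padding
    raw = base64.urlsafe_b64decode(padded).decode("ascii")
    if not raw.isdigit():
        raise ValueError("first segment did not decode to a numeric ID")
    return int(raw)


def snowflake_parts(snowflake: int) -> dict:
    """Split a Discord snowflake into its timestamp and sequence fields."""
    ms_since_epoch = snowflake >> 22          # 42-bit timestamp field
    return {
        "created_at": DISCORD_EPOCH + timedelta(milliseconds=ms_since_epoch),
        "worker_id": (snowflake >> 17) & 0x1F,  # 5 bits
        "process_id": (snowflake >> 12) & 0x1F, # 5 bits
        "increment": snowflake & 0xFFF,         # 12 bits
    }


def triage_config(token: str, server_id: int) -> dict:
    """Summarise when the C2 bot and guild were created, for IOC context."""
    bot_id = bot_id_from_token(token)
    return {
        "bot_id": bot_id,
        "bot_created_at": snowflake_parts(bot_id)["created_at"],
        "server_created_at": snowflake_parts(server_id)["created_at"],
    }


if __name__ == "__main__":
    for key, value in triage_config(TOKEN, SERVER_ID).items():
        print(f"{key}: {value}")
```

Both IDs resolve to 2025-01-01 UTC (guild at 02:48, bot at 04:10), which lines up with the 250101 prefix of the sample ID and points to infrastructure provisioned for this campaign rather than a long-lived bot. The bot ID, not the token, is the stable identifier to report to Discord and to pivot on, since the token can be rotated while the ID cannot.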

Targets

    • Target

      virus/Virus.exe

    • Size

      431KB

    • MD5

      59830c5bd23ee9a6731ab53357bae10c

    • SHA1

      686d8930f5fd18a9b94a196fab728995d4f0a23c

    • SHA256

      562da82431e0531463bd5ae23c4f52a74f8c279a3f172ea803b589f4259a904d

    • SHA512

      63be6b7ff9486438e7a8e51ce7154a7d44ba51d324818a571fe06f5c8c1375129afe9851051148f466e00e704c1a950dc1a60a94c3506fb5caf98a44f0aa94ef

    • SSDEEP

      6144:pc9yzJpeQF2ZcbTzHznY8XHyldgaPGr++7+EK/zJDi3RC4AQNMIoYrmLUMn5k:4yveQB/fTHIGaPkKEYzURNAwbAgMn5k

    • Discord RAT

      A RAT written in C# using Discord as a C2.

    • Discordrat family

    • Suspicious use of NtCreateUserProcessOtherParentProcess

    • UAC bypass

    • Command and Scripting Interpreter: PowerShell

      Runs a command through powershell.exe.

    • Downloads MZ/PE file

    • Drops file in Drivers directory

    • Manipulates Digital Signatures

      Attackers can apply techniques such as modifying certain DLL exports to make their binary seem valid.

    • Boot or Logon Autostart Execution: Print Processors

      Adversaries may abuse print processors to run malicious DLLs during system boot for persistence and/or privilege escalation.

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Event Triggered Execution: Component Object Model Hijacking

      Adversaries may establish persistence by executing malicious content triggered by hijacked references to Component Object Model (COM) objects.

    • Executes dropped EXE

    • Indicator Removal: Clear Windows Event Logs

      Clear Windows Event Logs to hide the activity of an intrusion.

    • Loads dropped DLL

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials etc.

    • Adds Run key to start application

    • Blocklisted process makes network request

    • Checks installed software on the system

      Looks up Uninstall key entries in the registry to enumerate software on the system.

    • Enumerates connected drives

      Attempts to read the root path of hard drives other than the default C: drive.

    • Indicator Removal: File Deletion

      Adversaries may delete files left behind by the actions of their intrusion activity.

    • Legitimate hosting services abused for malware hosting/C2

    • An obfuscated cmd.exe command-line is typically used to evade detection.

    • Drops file in System32 directory

    • Enumerates processes with tasklist

    • Suspicious use of SetThreadContext

    • Target

      virus/resources/Discord.exe

    • Size

      78KB

    • MD5

      4a65257ccc7cc5c6440dcefe5ad4523f

    • SHA1

      0ee7ba38ed1f16cf4aaea11edb64e8275d674c10

    • SHA256

      e82cec44f57277f6172f89f7107b46754e5d0f3aed3ce61c8dac13b258218dcf

    • SHA512

      23839a073fcd6872edd105c7f8a8baca7dfa7c25f6f8c4e3e0c3f9da37862493c80825a5582c338d89fc08e35bc1fe9941b49cb7731b24f607e0fb06504b7449

    • SSDEEP

      1536:52WjO8XeEXFh5P7v88wbjNrfxCXhRoKV6+V+ZPIC:5Zv5PDwbjNrmAE+pIC

    • Discord RAT

      A RAT written in C# using Discord as a C2.

    • Discordrat family

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Indicator Removal: File Deletion

      Adversaries may delete files left behind by the actions of their intrusion activity.

    • Legitimate hosting services abused for malware hosting/C2

    • Target

      virus/resources/Gen.exe

    • Size

      37.3MB

    • MD5

      d42259a00c855fd74a801ba985c8c461

    • SHA1

      cd197e5db4eda2d7fc2e5836ac6e2d783bf2d95c

    • SHA256

      ef03f85be4432bf02d4f2c51d06ad58fd0c3cbb6d56aa21219f922ac985da564

    • SHA512

      6f2d47ac0043abd9a44795ca8a195cfafa2ac274afb7bd4daf4dfaf30fd612a5c971fd5e409d89315319920efaedd723dbfc2d091aac57c2f99509947f3d171a

    • SSDEEP

      393216:RQgHDlanaGBXvDKtz+bhPWES4tiNQPNrIKc4gaPbUAgrO4mgH96l+ZArYsFRlUPb:R3on1HvSzxAMNHFZArYscPvzP7OZu

    • UAC bypass

    • Command and Scripting Interpreter: PowerShell

      Runs PowerShell to modify Windows Defender settings, adding exclusions for file extensions, paths, and processes.

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Executes dropped EXE

    • Loads dropped DLL

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials etc.

    • Adds Run key to start application

    • Blocklisted process makes network request

    • Checks installed software on the system

      Looks up Uninstall key entries in the registry to enumerate software on the system.

    • Enumerates connected drives

      Attempts to read the root path of hard drives other than the default C: drive.

    • Legitimate hosting services abused for malware hosting/C2

    • An obfuscated cmd.exe command-line is typically used to evade detection.

    • Drops file in System32 directory

    • Enumerates processes with tasklist

    • Target

      virus/resources/nitro.py

    • Size

      344B

    • MD5

      c8da61d14ba6f678299a245425342120

    • SHA1

      02c2eac1ac13a41e9e228ed208699e18ed78df65

    • SHA256

      c20d3ef3f674052b2782d3db3e6173bdb2d962f769dca3243f18bd4db6d01096

    • SHA512

      359ccf0702403394dabc6d5c5b5c18293ff32bac4bab8572dbab824b68ef3ba8be89c392f3c2ab522d1b53b648e911733c9e77951bc282dfa3037576b940869c

    Score
    3/10
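Several of the behaviours flagged above (Run key, Defender exclusions, print processor registration, COM hijacking in the user hive, event log clearing) leave registry or event-log traces that can be matched on a host. The block below is an added detection example for this page; it is not the sandbox's own signature logic and not code from the sample. It assumes Sysmon field names (EventID 1: CommandLine, Image; EventID 13: TargetObject, Details) and the standard Windows log-clear events (Security 1102, System 104). All sample events are constructed; the SIDs, paths and file names are made up.

```python
"""Match host telemetry against the behaviours listed for this sample.

Added example for this page; it is not the sandbox's own signature logic
and not code from the sample. It assumes Sysmon field names (EventID 1:
CommandLine, Image; EventID 13: TargetObject, Details) and the standard
Windows log-clear events (Security 1102, System 104). All sample events
below are constructed; the SIDs, paths and file names are made up.
"""
import re

SYSMON = "Microsoft-Windows-Sysmon/Operational"

# Registry value-set rules, keyed by the report's behaviour names.
REGISTRY_RULES = {
    "run_key_persistence": re.compile(
        r"\\Software\\Microsoft\\Windows\\CurrentVersion\\Run(Once)?\\", re.I),
    "defender_exclusion": re.compile(
        r"\\SOFTWARE\\(Policies\\)?Microsoft\\Windows Defender\\Exclusions\\"
        r"(Paths|Extensions|Processes)\\", re.I),
    "print_processor_autostart": re.compile(
        r"\\Control\\Print\\Environments\\[^\\]+\\Print Processors\\", re.I),
    # COM hijacking lands in a user hive, where HKCU shadows the HKLM entry.
    "com_hijack_user_hive": re.compile(
        r"^HKU\\[^\\]+\\Software\\Classes\\CLSID\\\{[0-9A-F-]+\}\\"
        r"(InprocServer32|LocalServer32)", re.I),
}
EXCLUSION_CMDLINE = re.compile(r"(Add|Set)-MpPreference\s+-Exclusion", re.I)
LOG_CLEARED = {("Security", 1102), ("System", 104)}

USER_HIVE = "HKU\\S-1-5-21-1111-2222-3333-1001"  # made-up SID
SAMPLE_EVENTS = [  # constructed telemetry, not from the analysed sample
    {"Channel": SYSMON, "EventID": 13, "Image": r"C:\Users\victim\Downloads\Virus.exe",
     "TargetObject": USER_HIVE + r"\Software\Microsoft\Windows\CurrentVersion\Run\Updater",
     "Details": r"C:\Users\victim\AppData\Roaming\Updater.exe"},
    {"Channel": SYSMON, "EventID": 1,
     "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "CommandLine": "powershell.exe -WindowStyle Hidden Add-MpPreference "
                    r"-ExclusionPath C:\Users\victim\AppData\Roaming"},
    # The Defender service typically performs the key write on behalf of
    # Add-MpPreference, so correlate this with the PowerShell event above.
    {"Channel": SYSMON, "EventID": 13, "Image": r"C:\Program Files\Windows Defender\MsMpEng.exe",
     "TargetObject": r"HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths"
                     r"\C:\Users\victim\AppData\Roaming",
     "Details": "DWORD (0x00000000)"},
    {"Channel": SYSMON, "EventID": 13, "Image": r"C:\Users\victim\Downloads\Virus.exe",
     "TargetObject": r"HKLM\System\CurrentControlSet\Control\Print\Environments"
                     r"\Windows x64\Print Processors\spoolhelp\Driver",
     "Details": "spoolhelp.dll"},
    {"Channel": SYSMON, "EventID": 13, "Image": r"C:\Users\victim\Downloads\Virus.exe",
     "TargetObject": USER_HIVE + r"\Software\Classes\CLSID"
                     r"\{11111111-2222-3333-4444-555555555555}\InprocServer32\(Default)",
     "Details": r"C:\Users\victim\AppData\Roaming\hijack.dll"},
    {"Channel": "Security", "EventID": 1102, "SubjectUserName": "victim"},
    # Benign control: an ordinary Explorer setting that must not fire.
    {"Channel": SYSMON, "EventID": 13, "Image": r"C:\Windows\explorer.exe",
     "TargetObject": USER_HIVE + r"\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Hidden",
     "Details": "DWORD (0x00000001)"},
]


def classify(event: dict) -> list[str]:
    """Return the behaviour names a single event matches (empty if none)."""
    channel, eid = event.get("Channel"), event.get("EventID")
    hits = []
    if (channel, eid) in LOG_CLEARED:
        hits.append("event_log_cleared")
    if channel == SYSMON and eid == 13:
        target = event.get("TargetObject", "")
        hits.extend(name for name, rx in REGISTRY_RULES.items() if rx.search(target))
    if channel == SYSMON and eid == 1 and EXCLUSION_CMDLINE.search(event.get("CommandLine", "")):
        hits.append("defender_exclusion_via_powershell")
    return hits


def scan(events: list[dict]) -> list[tuple[int, str, str]]:
    """Run every event through classify(); return (index, behaviour, actor) tuples."""
    findings = []
    for index, event in enumerate(events):
        actor = event.get("Image") or event.get("SubjectUserName", "")
        findings.extend((index, name, actor) for name in classify(event))
    return findings


if __name__ == "__main__":
    for index, name, actor in scan(SAMPLE_EVENTS):
        print(f"event[{index}] {name:<35} {actor}")
```

Two of the report's behaviours are deliberately absent from these rules: "Checks computer location settings" and "Checks installed software" are registry reads, and Sysmon only records key creation, deletion, renames and value writes, so they need EDR or ETW telemetry rather than this event set. Likewise, UAC bypass and SetThreadContext abuse are process-level behaviours that registry and log-clear events will not surface.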

MITRE ATT&CK Enterprise v15