Overview

overview

10

Static

static

10

Pharaoh executor.exe

windows11-21h2-x64

10

Resubmissions

17-01-2025 14:19

250117-rnbhyasjfq 10

Analysis

  • max time kernel
    163s
  • max time network
    171s
  • platform
    windows11-21h2_x64
  • resource
    win11-20241007-en
  • resource tags

    arch:x64arch:x86image:win11-20241007-enlocale:en-usos:windows11-21h2-x64system
  • submitted
    17-01-2025 14:19

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    Pharaoh executor.exe

  • Size

    78KB

  • MD5

    67704f500aeba4f18486e5a45c323270

  • SHA1

    eced935899eec5690c5c629609c7f14e6f2e7b65

  • SHA256

    98e6b9e414f6656129d0354500298099b579c6f3be734c1cb4f6ef2c5c1697e9

  • SHA512

    6b1c3fd771899c86ec1f726bb39564f97251caa01ab57177059830356d96cbdc75cd8d98660740a4778a13d11493172468b0632401aa77a7482205acc89e0bfc

  • SSDEEP

    1536:52WjO8XeEXFh5P7v88wbjNrfxCXhRoKV6+V+ePIC:5Zv5PDwbjNrmAE+aIC

Score
10/10
discordratpersistenceratrootkitspywarestealer

Malware Config

Extracted

Family

discordrat

Attributes
  • discord_token

    MTMyOTgwOTU2Njg4MzY0MzQ3NA.GVHs26._y_WggY_G50UL40yHSqpk4DJou__dKr0rqoBgM

  • server_id

    1325490052163309628

Signatures

  • Discord RAT

    A RAT written in C# using Discord as a C2.

    stealerrootkitratpersistencediscordrat
  • Discordrat family
    discordrat
  • Reads user/profile data of web browsers 3 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

    spywarestealer
  • Legitimate hosting services abused for malware hosting/C2 1 TTPs 17 IoCs
  • Suspicious use of AdjustPrivilegeToken 3 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\Pharaoh executor.exe
    "C:\Users\Admin\AppData\Local\Temp\Pharaoh executor.exe"
    1⤵
    • Suspicious use of AdjustPrivilegeToken
    PID:4052
  • C:\Windows\system32\AUDIODG.EXE
    C:\Windows\system32\AUDIODG.EXE 0x00000000000004D4 0x00000000000004E8
    1⤵
    • Suspicious use of AdjustPrivilegeToken
    PID:4060

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

  • memory/4052-0-0x00007FFA94BD3000-0x00007FFA94BD5000-memory.dmp

    Filesize

    8KB

    Download

  • memory/4052-1-0x000001D8FB740000-0x000001D8FB758000-memory.dmp

    Filesize

    96KB

    Download

  • memory/4052-2-0x000001D8FDD50000-0x000001D8FDF12000-memory.dmp

    Filesize

    1.8MB

    Download

  • memory/4052-3-0x00007FFA94BD0000-0x00007FFA95692000-memory.dmp

    Filesize

    10.8MB

    Download

  • memory/4052-4-0x000001D8FF120000-0x000001D8FF648000-memory.dmp

    Filesize

    5.2MB

    Download

  • memory/4052-5-0x00007FFA94BD3000-0x00007FFA94BD5000-memory.dmp

    Filesize

    8KB

    Download

  • memory/4052-6-0x00007FFA94BD0000-0x00007FFA95692000-memory.dmp

    Filesize

    10.8MB

    Download

  • memory/4052-7-0x000001D8FEBF0000-0x000001D8FEEBA000-memory.dmp

    Filesize

    2.8MB

    Download

  • memory/4052-8-0x000001D8FFE50000-0x000001D8FFEC6000-memory.dmp

    Filesize

    472KB

    Download

  • memory/4052-9-0x000001D8FDC40000-0x000001D8FDC52000-memory.dmp

    Filesize

    72KB

    Download

  • memory/4052-10-0x000001D8FEEE0000-0x000001D8FEEFE000-memory.dmp

    Filesize

    120KB

    Download

  • memory/4052-11-0x000001D900000000-0x000001D9000AA000-memory.dmp

    Filesize

    680KB

    Download

  • memory/4052-12-0x00007FFA94BD0000-0x00007FFA95692000-memory.dmp

    Filesize

    10.8MB

    Download