General

  • Target

    Solara.exe

  • Size

    2.8MB

  • Sample

    250210-xmm38sslbs

  • MD5

    81d5f68b29a52cc6b377efeda2dba50e

  • SHA1

    6ed4ee24fe54795277c91b9b89caae9acc1aa7ac

  • SHA256

    152b7fd3a13aa795e5595624ab38482b67054ac00fa4a44642584d6f87f53b56

  • SHA512

    41cc179a805c5a8781b410e75fa4052c2a845b48a34441832acf9995e486323cb5fbd9d5af9410753a51e1efadf64c77e577b5e579fbfbee90ac64f3405acfb4

  • SSDEEP

    49152:kDjlabwz9SxZCoaKzEtNv0pS5A2yP3t8YXQc7ZEtySwZ3bFwbWvmkBdz4iiDm738:0qwAGoaYELcEByP3S29WyHZ3bFGqRK

Malware Config

Extracted

Family

discordrat

Attributes

  • discord_token

    MTMxOTM1MTE1MDM2OTE4MTc4Ng.GhTORv.7TYxVVKGyzEoJDzqxZxw3WiemuXUrw_-lNIJk8

  • server_id

    1313127388531523726

Targets

    • Target

      Solara.exe

    • Discord RAT

      A RAT written in C# using Discord as a C2.

    • Discordrat family

    • Identifies VirtualBox via ACPI registry values (likely anti-VM)

    • Command and Scripting Interpreter: PowerShell

      Executes a powershell.exe command.

    • Checks BIOS information in registry

      BIOS information is often read in order to detect sandboxing environments.

    • Executes dropped EXE

    • Loads dropped DLL

    • Themida packer

      Detects Themida, an advanced Windows software protection system.

    • Checks whether UAC is enabled

    • Legitimate hosting services abused for malware hosting/C2

    • Network Share Discovery

      Attempts to gather information about the host's network shares.

    • Suspicious use of NtSetInformationThreadHideFromDebugger
