General

  • Target

    https://stable.dl2.discordapp.net/distro/app/stable/win/x64/1.0.9197/DiscordSetup.exe

  • Sample

    250630-tps6gs1sex

Malware Config

Targets

    • Target

      https://stable.dl2.discordapp.net/distro/app/stable/win/x64/1.0.9197/DiscordSetup.exe

    • Blocklisted process makes network request

    • Downloads MZ/PE file

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Executes dropped EXE

    • Loads dropped DLL

    • Reads local data of messenger clients

      Infostealers often target stored data of messaging applications, which can include saved credentials and account information.

    • Adds Run key to start application

    • Checks for any installed AV software in registry

    • Command and Scripting Interpreter: PowerShell

      Using powershell.exe command.

    • Drops desktop.ini file(s)

    • Legitimate hosting services abused for malware hosting/C2

    • Obfuscated Files or Information: Command Obfuscation

      Adversaries may obfuscate content during command execution to impede detection.

    • Drops file in System32 directory

    • Enumerates processes with tasklist

MITRE ATT&CK Enterprise v16

Tasks