MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 2c995d090bde52ca3355c7dba1694b1c8678f52ea3d6d5de981c5ab0372ab747. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

DiscordRAT

Vendor detections: 13



SHA256 hash: 2c995d090bde52ca3355c7dba1694b1c8678f52ea3d6d5de981c5ab0372ab747
SHA3-384 hash: b7cdb2aa43119267a6cf52632f7c63dea6e1e2a6b52086bc473c2f3aba4a8cd4d14f6f1d1ec5f2ec9032589b1e267b24
SHA1 hash: 50661d32315985eab2a70f1d1f6435b9563ca237
MD5 hash: 043e699dbf3d88b6cca5fbe64229ba27
humanhash: paris-uncle-hawaii-march
File name: bang_executor.exe
Signature: DiscordRAT
File size: 678'979 bytes
First seen: 2024-02-15 17:13:49 UTC
Last seen: 2024-03-12 21:25:30 UTC
File type: Executable exe
MIME type: application/x-dosexec
imphash: 75e9596d74d063246ba6f3ac7c5369a0 (8 x DCRat, 5 x PythonStealer, 4 x CoinMiner)
ssdeep: 6144:3E+yclwQKjdn+WPtYVJIoBf4xX26I6DqJM1tc2uQNQ5rHbIOohWy0f:3BdlwHRn+WlYV+Rp2yEM1tc2uYXOos
Threatray: 54 similar samples on MalwareBazaar
TLSH: T1FCE47D02BAC3D075EF21157887E0C699DA79BE944E35C6868FF0BC6CDA33AC65E30585
TrID:
  91.0% (.EXE) WinRAR Self Extracting archive (4.x-5.x) (265042/9/39)
  3.6% (.EXE) Win64 Executable (generic) (10523/12/4)
  1.7% (.EXE) Win16 NE executable (generic) (5038/12/1)
  1.5% (.EXE) Win32 Executable (generic) (4504/4/1)
  0.6% (.EXE) OS/2 Executable (generic) (2029/13)
dhash icon: 008e0f17171f8e00 (1 x DiscordRAT)
Reporter: JaffaCakes118
Tags: DiscordRAT exe

Intelligence

File Origin
# of uploads: 2
# of downloads: 459
Origin country: GB
Vendor Threat Intelligence
Result
Verdict: Malware
Maliciousness:

Behaviour
Searching for the window
Creating a window
Creating synchronization primitives
Searching for synchronization primitives
Creating a file in the %temp% subdirectories
Running batch commands
Creating a process from a recently created file
Launching cmd.exe command interpreter
DNS request
Connection attempt
Sending a custom TCP request
Launching a process
Creating a file
Unauthorized injection to a recently created process
Enabling autorun with the standard Software\Microsoft\Windows\CurrentVersion\Run registry branch
Blocking a possibility to launch for the Windows Task Manager (taskmgr)
Changing the Windows explorer settings
Blocking the Windows Defender launch
Verdict: Malicious
Threat level: 10/10
Confidence: 89%
Tags: anti-vm barys cmd evasive fingerprint fingerprint installer lolbin netsh overlay packed schtasks setupapi sfx shdocvw shell32 stealer
Result
Verdict: MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Result
Threat name: Dicrord Rat
Detection: malicious
Classification: troj.evad
Score: 100 / 100
Signature
.NET source code contains potential unpacker
Adds a directory exclusion to Windows Defender
Adds extensions / path to Windows Defender exclusion list
Antivirus detection for URL or domain
Bypasses PowerShell execution policy
Contains functionality to disable the Task Manager (.Net Source)
Disable Task Manager(disabletaskmgr)
Disables the Windows task manager (taskmgr)
Disables Windows Defender (via service or powershell)
Machine Learning detection for dropped file
Machine Learning detection for sample
Modifies Windows Defender protection settings
Multi AV Scanner detection for dropped file
Sigma detected: New RUN Key Pointing to Suspicious Folder
Sigma detected: Powershell Base64 Encoded MpPreference Cmdlet
Sigma detected: Powershell Defender Disable Scan Feature
Sigma detected: Suspicious PowerShell Parameter Substring
Uses cmd line tools excessively to alter registry or file data
Very long command line found
Yara detected Dicrord Rat
Behaviour
Behavior Graph: (rendered process graph omitted; the information recoverable from it is summarised here)
Behavior Graph ID: 1393035; Sample: bang_executor.exe; Startdate: 15/02/2024; Architecture: WINDOWS; Score: 100
Process tree: bang_executor.exe launches cmd.exe, which runs the dropped executer.exe (C:\Users\user\AppData\Local\...\executer.exe, PE32) and several further cmd.exe / reg.exe / conhost.exe instances; executer.exe in turn launches cmd.exe and powershell.exe (with WmiPrvSE.exe); a second dropped copy, C:\Users\user\AppData\...\bang_executor.exe (PE32+), is also executed; WerFault.exe is started for crashed instances.
Network: gateway.discord.gg (162.159.136.234, port 443, local ports 49729, 49730; CLOUDFLARENETUS, United States).
Signatures attached to graph nodes: Antivirus detection for URL or domain; Yara detected Dicrord Rat; .NET source code contains potential unpacker; Uses cmd line tools excessively to alter registry or file data; Multi AV Scanner detection for dropped file; Very long command line found; Machine Learning detection for dropped file; Bypasses PowerShell execution policy; Disable Task Manager(disabletaskmgr); Disables the Windows task manager (taskmgr); plus further signatures not named in the graph.
Threat name: ByteCode-MSIL.Trojan.Dcstl
Status: Malicious
First seen: 2024-02-15 17:14:06 UTC
File Type: PE (Exe)
Extracted files: 17
AV detection: 19 of 24 (79.17%)
Threat level: 5/5
Result
Malware family: discordrat
Score: 10/10
Tags: family:discordrat evasion persistence rat rootkit stealer
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Adds Run key to start application
Checks computer location settings
Executes dropped EXE
Loads dropped DLL
Disables Task Manager via registry modification
Contains code to disable Windows Defender
Discord RAT
Modifies security service
Unpacked files

SHA256 hash: 72f5cfe4df54e78cf4381f787091519c463fab0bc99aee1c5fe3e5044c29fe29
MD5 hash: 0a2687a75491902e0a702b073c938796
SHA1 hash: 1519413ac975338d3ca7b0fa6da4b7289caba41e

SHA256 hash: 82c67ed82a7a319c0ae30f92c187ea0150ac6ba6ef63d2d3b4fc999bb01d064f
MD5 hash: e1ead094e52097b884389a8064b15e2b
SHA1 hash: 894f8db63a8f41f913a5f5c69d1199ec8ae3f213
Detections: DiscordRAT2

SHA256 hash: 2c995d090bde52ca3355c7dba1694b1c8678f52ea3d6d5de981c5ab0372ab747
MD5 hash: 043e699dbf3d88b6cca5fbe64229ba27
SHA1 hash: 50661d32315985eab2a70f1d1f6435b9563ca237
Please note that we are no longer able to provide a coverage score for Virus Total.

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name: DebuggerCheck__API
Reference: https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara

Rule name: maldoc_find_kernel32_base_method_1
Author: Didier Stevens (https://DidierStevens.com)

Rule name: RIPEMD160_Constants
Author: phoul (@phoul)
Description: Look for RIPEMD-160 constants

Rule name: SelfExtractingRAR
Author: Xavier Mertens
Description: Detects an SFX archive with automatic script execution

Rule name: SHA1_Constants
Author: phoul (@phoul)
Description: Look for SHA1 constants

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download
Malware family: DiscordRAT
File: Executable exe 2c995d090bde52ca3355c7dba1694b1c8678f52ea3d6d5de981c5ab0372ab747 (this sample)
Delivery method: Distributed via web download

Comments