MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 efcd31afd704c03d8a487a06c795bba7ea0a1cde0866d8fcfd40f4c3ce197bbd. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


DiscordRAT


Vendor detections: 15


Intelligence 15 IOCs YARA 4 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: efcd31afd704c03d8a487a06c795bba7ea0a1cde0866d8fcfd40f4c3ce197bbd
SHA3-384 hash: 17ed3000f630812b351cfbbf0b488aed9053b469da367e5be99722bdaabbcc92266c98a0a96d2bb5357687e27435cf7a
SHA1 hash: 42962a264fbdbc96eb8267052298be9143ecd8bf
MD5 hash: 4e1e436848d533c9a00b762ac148786d
humanhash: montana-virginia-item-nine
File name:SecuriteInfo.com.FileRepMalware.1834.13764
Download: download sample
Signature DiscordRAT
Create hunting rule
File size:122'880 bytes
First seen:2024-05-25 18:20:35 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash 7182b1ea6f92adbf459a2c65d8d4dd9e (5 x CoinMiner, 4 x RedLineStealer, 4 x DCRat)
ssdeep 3072:EV3J6kkt5h1X+HqTi0BW69hd1MMdxPe9N9uA0/+hL9TBfnPxJ:pt5hBPi0BW69hd1MMdxPe9N9uA069TBz
TLSH T1BDC32756B2E01198EBF581F6D9920746EB7074311B15A3DB6B7863B31B2B8C68F3D390
TrID 41.1% (.EXE) Microsoft Visual C++ compiled executable (generic) (16529/12/5)
26.1% (.EXE) Win64 Executable (generic) (10523/12/4)
12.5% (.EXE) Win16 NE executable (generic) (5038/12/1)
5.1% (.ICL) Windows Icons Library (generic) (2059/9)
5.0% (.EXE) OS/2 Executable (generic) (2029/13)
Reporter SecuriteInfoCom
Tags:DiscordRAT exe

Intelligence

File Origin
# of uploads :
1
# of downloads :
338
Origin country :
FR FR
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
efcd31afd704c03d8a487a06c795bba7ea0a1cde0866d8fcfd40f4c3ce197bbd.exe
Verdict:
Malicious activity
Analysis date:
2024-05-25 18:23:40 UTC
Tags:
loader evasion telegram remote xworm
Link:
https://app.any.run/tasks/a0bf9983-8322-4880-943a-f7ad90abab1d

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection(s):
SecuriteInfo.com.FileRepMalware.1834.13764.UNOFFICIAL
Create hunting rule

Verdict:
Malicious
Score:
99.1%
Link:
https://cyber-fortress.com/docs/result/index.php?id=66522c2f007f34c83d6d2c06win7simulatehigh_evasion
Tags:
Banker Encryption Execution Network Stealth Malware Dexter
Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a file in the %temp% subdirectories
Сreating synchronization primitives
Running batch commands
Creating a process with a hidden window
Launching a process
Connection attempt
Sending an HTTP GET request
Creating a file
Creating a process from a recently created file
Searching for the window
Using the Windows Management Instrumentation requests
DNS request
Launching a tool to kill processes
Unauthorized injection to a recently created process
Forced shutdown of a browser
Adding an exclusion to Microsoft Defender
Verdict:
Malicious
Threat level:
  10/10
Confidence:
100%
Tags:
lolbin powershell shell32 xworm
Link:
https://www.filescan.io/uploads/66522c105ebb21a54994222a/reports/a9a1f7d2-1bde-482e-9fae-4dbe64ddbfab/overview
Verdict:
Malicious
Labled as:
Trojan.Generic
Link:
https://www.hybrid-analysis.com/sample/efcd31afd704c03d8a487a06c795bba7ea0a1cde0866d8fcfd40f4c3ce197bbd
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
TurtleVenom
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/02b9e797-d714-45ac-838e-694abef7f1de
Result
Threat name:
Discord Token Stealer, XWorm
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1447531
Signature
.NET source code contains method to dynamically call methods (often used by packers)
.NET source code contains potential unpacker
Adds a directory exclusion to Windows Defender
AI detected suspicious sample
Antivirus / Scanner detection for submitted sample
Antivirus detection for dropped file
Antivirus detection for URL or domain
Bypasses PowerShell execution policy
C2 URLs / IPs found in malware configuration
Check if machine is in data center or colocation facility
Connects to a pastebin service (likely for C&C)
Connects to many ports of the same IP (likely port scanning)
Contains functionality to check if a debugger is running (CheckRemoteDebuggerPresent)
Excessive usage of taskkill to terminate processes
Found malware configuration
Found Tor onion address
Loading BitLocker PowerShell Module
Machine Learning detection for dropped file
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for domain / URL
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Protects its processes via BreakOnTermination flag
Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)
Sample uses string decryption to hide its real strings
Sigma detected: Files With System Process Name In Unsuspected Locations
Sigma detected: Powershell Base64 Encoded MpPreference Cmdlet
Sigma detected: Schedule system process
Sigma detected: System File Execution Location Anomaly
Snort IDS alert for network traffic
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to harvest and steal browser information (history, passwords, etc)
Uses known network protocols on non-standard ports
Uses schtasks.exe or at.exe to add and modify task schedules
Uses the Telegram API (likely for C&C communication)
Yara detected Discord Token Stealer
Yara detected Generic Downloader
Yara detected Telegram RAT
Yara detected Telegram Recon
Yara detected XWorm
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 1447531 Sample: SecuriteInfo.com.FileRepMal... Startdate: 25/05/2024 Architecture: WINDOWS Score: 100 65 pastebin.com 2->65 67 api.telegram.org 2->67 69 ip-api.com 2->69 81 Snort IDS alert for network traffic 2->81 83 Multi AV Scanner detection for domain / URL 2->83 85 Found malware configuration 2->85 91 23 other signatures 2->91 10 SecuriteInfo.com.FileRepMalware.1834.13764.exe 8 2->10         started        12 winlogon.exe 2->12         started        15 winlogon.exe 2->15         started        17 2 other processes 2->17 signatures3 87 Connects to a pastebin service (likely for C&C) 65->87 89 Uses the Telegram API (likely for C&C communication) 67->89 process4 signatures5 19 cmd.exe 1 10->19         started        107 Antivirus detection for dropped file 12->107 109 Multi AV Scanner detection for dropped file 12->109 111 Machine Learning detection for dropped file 12->111 process6 process7 21 rm.exe 15 5 19->21         started        26 ram.exe 9 19->26         started        28 curl.exe 2 19->28         started        30 2 other processes 19->30 dnsIp8 71 ip-api.com 208.95.112.1 TUT-ASUS United States 21->71 73 api.telegram.org 149.154.167.220 TELEGRAMRU United Kingdom 21->73 77 2 other IPs or domains 21->77 59 C:\ProgramData\winlogon.exe, PE32 21->59 dropped 93 Antivirus detection for dropped file 21->93 95 Multi AV Scanner detection for dropped file 21->95 97 Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines) 21->97 105 7 other signatures 21->105 32 powershell.exe 21->32         started        35 powershell.exe 21->35         started        37 powershell.exe 21->37         started        45 2 other processes 21->45 99 Found Tor onion address 26->99 101 Tries to harvest and steal browser information (history, passwords, etc) 26->101 103 Excessive usage of taskkill to terminate processes 26->103 39 taskkill.exe 1 26->39         started        41 taskkill.exe 1 26->41         started        43 taskkill.exe 1 26->43         started        47 12 other processes 26->47 75 188.212.100.57, 49704, 54391 TELESYSTEM-ASRO Romania 28->75 61 C:\Users\user\Desktop\ram.exe, PE32+ 28->61 dropped 63 C:\Users\user\Desktop\rm.exe, PE32 30->63 dropped file9 signatures10 process11 signatures12 79 Loading BitLocker PowerShell Module 32->79 49 conhost.exe 32->49         started        51 conhost.exe 35->51         started        53 conhost.exe 37->53         started        55 conhost.exe 45->55         started        57 conhost.exe 45->57         started        process13
Score:
100%
Verdict:
Malware
File Type:
PE
Link:
https://malprob.io/report/efcd31afd704c03d8a487a06c795bba7ea0a1cde0866d8fcfd40f4c3ce197bbd
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/efcd31afd704c03d8a487a06c795bba7ea0a1cde0866d8fcfd40f4c3ce197bbd/
Threat name:
Win64.Trojan.Multiverze
Create hunting rule
Status:
Malicious
First seen:
2024-05-18 22:49:52 UTC
File Type:
PE+ (Exe)
Extracted files:
3
AV detection:
18 of 24 (75.00%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=57gtdl6xatad3csipidmpfn3u7vauhg6bbtnr7h5id2mhtqzpo6q._file
Verdict:
malicious
Result
Malware family:
n/a
Score:
  8/10
Tags:
spyware stealer
Link:
https://tria.ge/reports/240525-wza4rsdg52/
Behaviour
Kills process with taskkill
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Checks computer location settings
Executes dropped EXE
Reads user/profile data of web browsers
Downloads MZ/PE file
Verdict:
Malicious
Tags:
n/a
YARA:
n/a
Link:
https://app.threat.zone/submission/5ee5a71e-71db-4070-9b54-2e42e34ca7e7
Unpacked files
SH256 hash:
efcd31afd704c03d8a487a06c795bba7ea0a1cde0866d8fcfd40f4c3ce197bbd
MD5 hash:
4e1e436848d533c9a00b762ac148786d
SHA1 hash:
42962a264fbdbc96eb8267052298be9143ecd8bf
Link:
https://www.unpac.me/results/c435be7a-e284-420f-a5fc-76804832d4a8/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/efcd31afd704c03d8a487a06c795bba7ea0a1cde0866d8fcfd40f4c3ce197bbd

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:MD5_Constants
Create hunting rule
Author:phoul (@phoul)
Description:Look for MD5 constants
Rule name:RIPEMD160_Constants
Create hunting rule
Author:phoul (@phoul)
Description:Look for RIPEMD-160 constants
Rule name:SEH__vectored
Create hunting rule
Reference:https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara
Rule name:SHA1_Constants
Create hunting rule
Author:phoul (@phoul)
Description:Look for SHA1 constants

File information

The table below shows additional information about this malware sample such as delivery method and external references.

BLint

The following table provides more information about this file using BLint. BLint is a Binary Linter to check the security properties, and capabilities in executables.

Findings
IDTitleSeverity
CHECK_AUTHENTICODEMissing Authenticodehigh
CHECK_NXMissing Non-Executable Memory Protectioncritical
CHECK_PIEMissing Position-Independent Executable (PIE) Protectionhigh
Reviews
IDCapabilitiesEvidence
MULTIMEDIA_APICan Play MultimediaWINMM.DLL::timeBeginPeriod
SHELL_APIManipulates System ShellSHELL32.DLL::ShellExecuteExW
WIN32_PROCESS_APICan Create Process and ThreadsKERNEL32.dll::CloseHandle
KERNEL32.dll::CreateThread
WIN_BASE_APIUses Win Base APIKERNEL32.dll::TerminateProcess
KERNEL32.dll::LoadLibraryExW
KERNEL32.dll::LoadLibraryW
KERNEL32.dll::GetCommandLineW
WIN_BASE_IO_APICan Create FilesKERNEL32.dll::CreateDirectoryW
KERNEL32.dll::CreateFileW
KERNEL32.dll::DeleteFileW
KERNEL32.dll::GetSystemDirectoryW
KERNEL32.dll::RemoveDirectoryW
KERNEL32.dll::GetTempFileNameW
WIN_USER_APIPerforms GUI ActionsUSER32.DLL::CreateWindowExW

Comments