discordrat | 47680c12b9b928ff642864694790d799cd419668c4c96bdb58b1ae2818dbb574

Resubmissions

03/01/2024, 08:44

240103-knm4eacdcm 3

03/01/2024, 08:42

240103-kl956afaf7 10

03/01/2024, 08:35

240103-khc19acdbm 10

Analysis

max time kernel
27s
max time network
18s
platform
windows7_x64
resource
win7-20231215-en
resource tags

arch:x64arch:x86image:win7-20231215-enlocale:en-usos:windows7-x64system
submitted
03/01/2024, 08:42

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

hehegnp.scr
Size

1.3MB
MD5

a34f34fb4c3b4c36b3b81f97cdcb7ca3
SHA1

b56023dc51011bec0e91e54c9729f6e633a08867
SHA256

47680c12b9b928ff642864694790d799cd419668c4c96bdb58b1ae2818dbb574
SHA512

dfda79a26f6e419b07920efc27e5b8c40de4ca2a2d839c675c99cc8eb9bbb2b98b80729ecf36e3ef7fa247b41f51e8193e6cd874fe08418272a50d34d9a95cce
SSDEEP

24576:BNA3R5drX46t/YOd4prFamZa3wtdnJJ9NHuFkZhSq/JvU21wVcj2F76aP2GZ39wf:k546dbChJg3wtxz99ueZhSqtU2eVm2J0

Score

10^/10

discordrat persistence rat rootkit stealer

Malware Config

Extracted

Family

discordrat

Attributes

discord_token
MTE5MTk5ODM3NTg4OTk5Mzc4MA.G8Z16P.3jjREwtvwZBkdqbzBAXhIsaJmyZEYrq_haoKWM
server_id
1060150467436499004

Signatures

Discord RAT
A RAT written in C# using Discord as a C2.
stealer rootkit rat persistence discordrat

Executes dropped EXE 1 IoCs

pid	Process
2648	nitro.exe

Loads dropped DLL 6 IoCs

pid	Process
2116	hehegnp.scr
2572	WerFault.exe
2572	WerFault.exe
2572	WerFault.exe
2572	WerFault.exe
2572	WerFault.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious use of FindShellTrayWindow 2 IoCs

pid	Process
2716	DllHost.exe
2716	DllHost.exe

Suspicious use of WriteProcessMemory 7 IoCs

description	pid	Process	procid_target
PID 2116 wrote to memory of 2648	2116	hehegnp.scr	29
PID 2116 wrote to memory of 2648	2116	hehegnp.scr	29
PID 2116 wrote to memory of 2648	2116	hehegnp.scr	29
PID 2116 wrote to memory of 2648	2116	hehegnp.scr	29
PID 2648 wrote to memory of 2572	2648	nitro.exe	30
PID 2648 wrote to memory of 2572	2648	nitro.exe	30
PID 2648 wrote to memory of 2572	2648	nitro.exe	30

C:\Users\Admin\AppData\Local\Temp\hehegnp.scr
"C:\Users\Admin\AppData\Local\Temp\hehegnp.scr" /S
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2116
- C:\Users\Admin\AppData\Local\Temp\RarSFX0\nitro.exe
  "C:\Users\Admin\AppData\Local\Temp\RarSFX0\nitro.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
  PID:2648
- - C:\Windows\system32\WerFault.exe
    C:\Windows\system32\WerFault.exe -u -p 2648 -s 596
    3⤵
    - Loads dropped DLL
    PID:2572

C:\Windows\SysWOW64\DllHost.exe
C:\Windows\SysWOW64\DllHost.exe /Processid:{76D0CB12-7604-4048-B83C-1005C7DDC503}
1⤵
- Suspicious use of FindShellTrayWindow
PID:2716

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\RarSFX0\hehe.png

Filesize
605KB

MD5
ebaa6cde0388c8264a56da1313c19b87

SHA1
c410f28de4546f69ccd622c805d4f7a268aedae8

SHA256
ffd73b49ff04017ad122bc4d7a4886cb3320a3e63778e54066bba686a635c729

SHA512
a356b9354198aa413621ee9fe9ce9366de10cacbd3842b7aa77aa81f4d03f115aedce6ab454baad90aa0773fa19c1c0203d06531aa68c06ce936f126b60dcefa

Download Submit
\Users\Admin\AppData\Local\Temp\RarSFX0\nitro.exe

Filesize
78KB

MD5
b276f6c9a652197f36c8ef95441b4840

SHA1
5ccfb78de6c40fce8145fa5725176d0c556d22a7

SHA256
7036bea5264e75b932fa942f337ad028e22bbd8e7bdfd9cad10241538aa07d60

SHA512
7c4ae8c8aab416a56974fcfba1bc09dd84a1c43a26bf5d74cbf667ea86827d2949006e74f9e16eba2a67a52af47e4972f7c2a5f681f407e0af6e67998aecf209

Download Submit
memory/2116-4-0x0000000000DD0000-0x0000000000DD2000-memory.dmp

Filesize
8KB

Download
memory/2648-13-0x000000013F890000-0x000000013F8A8000-memory.dmp

Filesize
96KB

Download
memory/2648-14-0x000007FEF55A0000-0x000007FEF5F8C000-memory.dmp

Filesize
9.9MB

Download
memory/2648-16-0x0000000000170000-0x00000000001F0000-memory.dmp

Filesize
512KB

Download
memory/2648-22-0x000007FEF55A0000-0x000007FEF5F8C000-memory.dmp

Filesize
9.9MB

Download
memory/2716-5-0x0000000000120000-0x0000000000122000-memory.dmp

Filesize
8KB

Download
memory/2716-6-0x0000000000240000-0x0000000000241000-memory.dmp

Filesize
4KB

Download
memory/2716-23-0x0000000000240000-0x0000000000241000-memory.dmp

Filesize
4KB

Download