discordrat | a968f7738c801b8528bb717d3928ee75523833a882bdbc4b03bdc6e8ad4cb41a

Resubmissions

14-05-2024 15:13

240514-slrmtacd97 10

01-02-2024 17:51

240201-we464sdear 10

01-02-2024 01:30

240201-bwx4xagdd5 10

Analysis

max time kernel
19s
max time network
29s
platform
windows7_x64
resource
win7-20231215-en
resource tags

arch:x64arch:x86image:win7-20231215-enlocale:en-usos:windows7-x64system
submitted
01-02-2024 17:51

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

268934cf9ac4371ad4e8afdc7e354cce287e9f2ce019df0797cc354b3a2efca0.exe
Size

11.4MB
MD5

2f3b5b60129dc43350bc54e67d59a4ac
SHA1

08cdc5d4d0628c619897bf465f279f7d30d42b9f
SHA256

268934cf9ac4371ad4e8afdc7e354cce287e9f2ce019df0797cc354b3a2efca0
SHA512

725593bf2587bd1c2a8c5be02c168ad739010118f68606df1234a0aa1c31f582556a0139539f3068e7f174cd516956be608d05c6a597720138556a8a606fb749
SSDEEP

196608:+XeSEzpCQdLjv+bhqNVoB8Ck5c7GpNlpq41J2mrl0bk9qtlDfJpNZYXz:q4PL+9qz88Ck+7q3p91JNRqfg

Score

10^/10

discordrat quasar r3 persistence rat rootkit spyware stealer trojan upx

Malware Config

Extracted

Family

discordrat

Attributes

discord_token
MTE5ODg5OTYxNjc0MjEyNTYxOQ.GnQUlc.09G3jOrvsBUkj3tHkQPTbGic1sDnwN7xUFlV3o
server_id
1201324675507171409

Extracted

Family

quasar

Version

1.4.1

Botnet

96.42.209.236:1111

Mutex

fad4f0a7-8090-44d7-960d-b61c56ece71bz

Attributes

encryption_key
D280B26CAD37534E7E290E5D4BC1809E0C214936
install_name
Shadow.exe
log_directory
Logs
reconnect_delay
1
startup_key
Shadow
subdirectory
SubDir

Signatures

Discord RAT
A RAT written in C# using Discord as a C2.
stealer rootkit rat persistence discordrat
Quasar RAT
Quasar is an open source Remote Access Tool.
trojan spyware quasar

Quasar payload 3 IoCs

Processes:

resource	yara_rule
C:\Users\Admin\AppData\Local\Temp\P1.EXE	family_quasar
behavioral1/memory/784-95-0x00000000009F0000-0x0000000000D14000-memory.dmp	family_quasar
behavioral1/memory/2152-110-0x0000000000CE0000-0x0000000001004000-memory.dmp	family_quasar

Executes dropped EXE 5 IoCs

Processes:

BUILT.EXEBUILT.EXEDIS.EXEP1.EXEShadow.exe

pid process

2784 BUILT.EXE
3016 BUILT.EXE
2292 DIS.EXE
784 P1.EXE
2152 Shadow.exe

pid	process
2784	BUILT.EXE
3016	BUILT.EXE
2292	DIS.EXE
784	P1.EXE
2152	Shadow.exe

Loads dropped DLL 18 IoCs

Processes:

268934cf9ac4371ad4e8afdc7e354cce287e9f2ce019df0797cc354b3a2efca0.exeBUILT.EXEBUILT.EXEWerFault.exe

pid	process
2312	268934cf9ac4371ad4e8afdc7e354cce287e9f2ce019df0797cc354b3a2efca0.exe
2784	BUILT.EXE
2312	268934cf9ac4371ad4e8afdc7e354cce287e9f2ce019df0797cc354b3a2efca0.exe
3016	BUILT.EXE
3016	BUILT.EXE
3016	BUILT.EXE
3016	BUILT.EXE
3016	BUILT.EXE
3016	BUILT.EXE
3016	BUILT.EXE
2312	268934cf9ac4371ad4e8afdc7e354cce287e9f2ce019df0797cc354b3a2efca0.exe
2804	WerFault.exe
2804	WerFault.exe
2804	WerFault.exe
2804	WerFault.exe
2804	WerFault.exe
1384
1384

UPX packed file 2 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

Processes:

resource	yara_rule
C:\Users\Admin\AppData\Local\Temp\_MEI27842\python312.dll	upx
behavioral1/memory/3016-89-0x000007FEF5780000-0x000007FEF5E58000-memory.dmp	upx

Drops file in System32 directory 2 IoCs

Processes:

P1.EXE

description ioc process

File created C:\Windows\system32\SubDir\Shadow.exe P1.EXE
File opened for modification C:\Windows\system32\SubDir\Shadow.exe P1.EXE
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082
Creates scheduled task(s) 1 TTPs 2 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence

Scheduled Task/Job
T1053

Processes:

schtasks.exeschtasks.exe

pid process

2904 schtasks.exe
1244 schtasks.exe
Suspicious use of AdjustPrivilegeToken 2 IoCs

Processes:

P1.EXEShadow.exe

description pid process

Token: SeDebugPrivilege 784 P1.EXE
Token: SeDebugPrivilege 2152 Shadow.exe
Suspicious use of SetWindowsHookEx 1 IoCs

Processes:

Shadow.exe

pid process

2152 Shadow.exe

description	ioc	process
File created	C:\Windows\system32\SubDir\Shadow.exe	P1.EXE
File opened for modification	C:\Windows\system32\SubDir\Shadow.exe	P1.EXE

pid	process
2904	schtasks.exe
1244	schtasks.exe

description	pid	process
Token: SeDebugPrivilege	784	P1.EXE
Token: SeDebugPrivilege	2152	Shadow.exe

pid	process
2152	Shadow.exe

Suspicious use of WriteProcessMemory 27 IoCs

Processes:

268934cf9ac4371ad4e8afdc7e354cce287e9f2ce019df0797cc354b3a2efca0.exeBUILT.EXEDIS.EXEP1.EXEShadow.exe

description	pid	process	target process
PID 2312 wrote to memory of 2784	2312	268934cf9ac4371ad4e8afdc7e354cce287e9f2ce019df0797cc354b3a2efca0.exe	BUILT.EXE
PID 2312 wrote to memory of 2784	2312	268934cf9ac4371ad4e8afdc7e354cce287e9f2ce019df0797cc354b3a2efca0.exe	BUILT.EXE
PID 2312 wrote to memory of 2784	2312	268934cf9ac4371ad4e8afdc7e354cce287e9f2ce019df0797cc354b3a2efca0.exe	BUILT.EXE
PID 2312 wrote to memory of 2784	2312	268934cf9ac4371ad4e8afdc7e354cce287e9f2ce019df0797cc354b3a2efca0.exe	BUILT.EXE
PID 2784 wrote to memory of 3016	2784	BUILT.EXE	BUILT.EXE
PID 2784 wrote to memory of 3016	2784	BUILT.EXE	BUILT.EXE
PID 2784 wrote to memory of 3016	2784	BUILT.EXE	BUILT.EXE
PID 2312 wrote to memory of 2292	2312	268934cf9ac4371ad4e8afdc7e354cce287e9f2ce019df0797cc354b3a2efca0.exe	DIS.EXE
PID 2312 wrote to memory of 2292	2312	268934cf9ac4371ad4e8afdc7e354cce287e9f2ce019df0797cc354b3a2efca0.exe	DIS.EXE
PID 2312 wrote to memory of 2292	2312	268934cf9ac4371ad4e8afdc7e354cce287e9f2ce019df0797cc354b3a2efca0.exe	DIS.EXE
PID 2312 wrote to memory of 2292	2312	268934cf9ac4371ad4e8afdc7e354cce287e9f2ce019df0797cc354b3a2efca0.exe	DIS.EXE
PID 2312 wrote to memory of 784	2312	268934cf9ac4371ad4e8afdc7e354cce287e9f2ce019df0797cc354b3a2efca0.exe	P1.EXE
PID 2312 wrote to memory of 784	2312	268934cf9ac4371ad4e8afdc7e354cce287e9f2ce019df0797cc354b3a2efca0.exe	P1.EXE
PID 2312 wrote to memory of 784	2312	268934cf9ac4371ad4e8afdc7e354cce287e9f2ce019df0797cc354b3a2efca0.exe	P1.EXE
PID 2312 wrote to memory of 784	2312	268934cf9ac4371ad4e8afdc7e354cce287e9f2ce019df0797cc354b3a2efca0.exe	P1.EXE
PID 2292 wrote to memory of 2804	2292	DIS.EXE	WerFault.exe
PID 2292 wrote to memory of 2804	2292	DIS.EXE	WerFault.exe
PID 2292 wrote to memory of 2804	2292	DIS.EXE	WerFault.exe
PID 784 wrote to memory of 2904	784	P1.EXE	schtasks.exe
PID 784 wrote to memory of 2904	784	P1.EXE	schtasks.exe
PID 784 wrote to memory of 2904	784	P1.EXE	schtasks.exe
PID 784 wrote to memory of 2152	784	P1.EXE	Shadow.exe
PID 784 wrote to memory of 2152	784	P1.EXE	Shadow.exe
PID 784 wrote to memory of 2152	784	P1.EXE	Shadow.exe
PID 2152 wrote to memory of 1244	2152	Shadow.exe	schtasks.exe
PID 2152 wrote to memory of 1244	2152	Shadow.exe	schtasks.exe
PID 2152 wrote to memory of 1244	2152	Shadow.exe	schtasks.exe

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\268934cf9ac4371ad4e8afdc7e354cce287e9f2ce019df0797cc354b3a2efca0.exe
"C:\Users\Admin\AppData\Local\Temp\268934cf9ac4371ad4e8afdc7e354cce287e9f2ce019df0797cc354b3a2efca0.exe"
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2312

C:\Users\Admin\AppData\Local\Temp\BUILT.EXE
"C:\Users\Admin\AppData\Local\Temp\BUILT.EXE"
2⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2784

C:\Users\Admin\AppData\Local\Temp\BUILT.EXE
"C:\Users\Admin\AppData\Local\Temp\BUILT.EXE"
3⤵
- Executes dropped EXE
- Loads dropped DLL
PID:3016

C:\Users\Admin\AppData\Local\Temp\DIS.EXE
"C:\Users\Admin\AppData\Local\Temp\DIS.EXE"
2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2292

C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -u -p 2292 -s 596
3⤵
- Loads dropped DLL
PID:2804

C:\Users\Admin\AppData\Local\Temp\P1.EXE
"C:\Users\Admin\AppData\Local\Temp\P1.EXE"
2⤵
- Executes dropped EXE
- Drops file in System32 directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:784

C:\Windows\system32\schtasks.exe
"schtasks" /create /tn "Shadow" /sc ONLOGON /tr "C:\Windows\system32\SubDir\Shadow.exe" /rl HIGHEST /f
3⤵
- Creates scheduled task(s)
PID:2904

C:\Windows\system32\SubDir\Shadow.exe
"C:\Windows\system32\SubDir\Shadow.exe"
3⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2152

C:\Windows\system32\schtasks.exe
"schtasks" /create /tn "Shadow" /sc ONLOGON /tr "C:\Windows\system32\SubDir\Shadow.exe" /rl HIGHEST /f
4⤵
- Creates scheduled task(s)
PID:1244

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

T1053

Persistence

Scheduled Task/Job

T1053

Privilege Escalation

Scheduled Task/Job

T1053

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\P1.EXE

Filesize
3.1MB

MD5
30ff1a207b160f1f6605e91d4e12082f

SHA1
1e683010500f3cfc3acfdfe338193b79435a61c6

SHA256
e571f1a3c91573d5cee9ec3e01246659c69902e9e2e16b1c61384b417a09fb55

SHA512
55f3a2ec7542113464e0d14d66106fd6f2eed488aec2ba8eae845537b3ed573fd0bbabd2e34b86742bcaf12c88958de98805d5214366503a12d0458cd0004f77

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI27842\api-ms-win-core-file-l1-2-0.dll

Filesize
12KB

MD5
49e3260ae3f973608f4d4701eb97eb95

SHA1
097e7d56c3514a3c7dc17a9c54a8782c6d6c0a27

SHA256
476fbad616e20312efc943927ade1a830438a6bebb1dd1f83d2370e5343ea7af

SHA512
df22cf16490faa0dc809129ca32eaf1a16ec665f9c5411503ce0153270de038e5d3be1e0e49879a67043a688f6c42bdb5a9a6b3cea43bf533eba087e999be653

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI27842\api-ms-win-core-file-l2-1-0.dll

Filesize
12KB

MD5
7f14fd0436c066a8b40e66386ceb55d0

SHA1
288c020fb12a4d8c65ed22a364b5eb8f4126a958

SHA256
c78eab8e057bddd55f998e72d8fdf5b53d9e9c8f67c8b404258e198eb2cdcf24

SHA512
d04adc52ee0ceed4131eb1d133bfe9a66cbc0f88900270b596116064480afe6ae6ca42feb0eaed54cb141987f2d7716bb2dae947a025014d05d7aa0b0821dc50

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI27842\api-ms-win-core-localization-l1-2-0.dll

Filesize
15KB

MD5
71457fd15de9e0b3ad83b4656cad2870

SHA1
c9c2caf4f9e87d32a93a52508561b4595617f09f

SHA256
db970725b36cc78ef2e756ff4b42db7b5b771bfd9d106486322cf037115bd911

SHA512
a10fcf1d7637effff0ae3e3b4291d54cc7444d985491e82b3f4e559fbb0dbb3b6231a8c689ff240a5036a7acae47421cda58aaa6938374d4b84893cce0077bc8

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI27842\api-ms-win-core-processthreads-l1-1-1.dll

Filesize
13KB

MD5
e93816c04327730d41224e7a1ba6dc51

SHA1
3f83b9fc6291146e58afce5b5447cd6d2f32f749

SHA256
ca06ccf12927ca52d8827b3a36b23b6389c4c6d4706345e2d70b895b79ff2ec8

SHA512
beaab5a12bfc4498cdf67d8b560ef0b0e2451c5f4634b6c5780a857666fd14f8a379f42e38be1beefa1c3578b2df913d901b271719ac6794bfaab0731bb77bca

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI27842\api-ms-win-core-timezone-l1-1-0.dll

Filesize
13KB

MD5
acf40d5e6799231cf7e4026bad0c50a0

SHA1
8f0395b7e7d2aac02130f47b23b50d1eab87466b

SHA256
64b5b95fe56b6df4c2d47d771bec32bd89267605df736e08c1249b802d6d48d1

SHA512
f66a61e89231b6dc95b26d97f5647da42400bc809f70789b9afc00a42b94ea3487913860b69a1b0ee59ed5eb62c3a0cade9e21f95da35fdd42d8ce51c5507632

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI27842\python312.dll

Filesize
1.8MB

MD5
2f1072ddd9a88629205e7434ed055b3e

SHA1
20da3188dabe3d5fa33b46bfe671e713e6fa3056

SHA256
d086257a6b36047f35202266c8eb8c1225163bd96b064d31b80f0dbe13da2acf

SHA512
d8dddc30733811ed9a9c4ae83ac8f3fc4d8ba3fa8051d95242fbd432fd5bf24122373ac5eea9fec78f0daf7c1133365f519a13cf3f105636da74820a00a25e9b

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI27842\ucrtbase.dll

Filesize
994KB

MD5
8e7680a8d07c3c4159241d31caaf369c

SHA1
62fe2d4ae788ee3d19e041d81696555a6262f575

SHA256
36cc22d92a60e57dee394f56a9d1ed1655ee9db89d2244a959005116a4184d80

SHA512
9509f5b07588a08a490f4c3cb859bbfe670052c1c83f92b9c3356afa664cb500364e09f9dafac7d387332cc52d9bb7bb84ceb1493f72d4d17ef08b9ee3cb4174

Download Submit
\Users\Admin\AppData\Local\Temp\BUILT.EXE

Filesize
3.1MB

MD5
ab309ba9fae8e72682ceba5926b0997b

SHA1
d0c49a7b28ff5ecb08133119639aa0ae30824e3d

SHA256
432cdc93c4e8830febf6ca7574f45bbcbc4ac8488fbfb5c85c7202ace77c5d83

SHA512
ae7535093356bacf26ea9715343d1bdb3c581e46b583d7b9d85c500341fd9be97251755e0f16a394fc694b7edf3b01629bafb7de58922f1cff07993a5404c27f

Download Submit
\Users\Admin\AppData\Local\Temp\BUILT.EXE

Filesize
7.1MB

MD5
b03655c4dd2c86e84e4c99ade21134e8

SHA1
f101036f4232e02736e726089813ffcbbc9c48e1

SHA256
810fb8d3368d2edc2b863b0184c8da1a97624724c4c749a88581ca84d1165a99

SHA512
fcea3f82a0fd3324c0ef66ba0770c4ac843612c20a4b080e882e5203325c53af37c43af5bf1dae262b46664edcb9fbfbffeab0961b1bd51c00fdb302b225592a

Download Submit
\Users\Admin\AppData\Local\Temp\BUILT.EXE

Filesize
8.2MB

MD5
4f0edd6aa6ed055178c68fa91c4a1528

SHA1
2838841a5dbf5b42683f371b6a37983cc4eba6d3

SHA256
d19c57f7ecf7bed74d23e5c11133bce8ca51d28869ed794abea65503d42f6096

SHA512
f2f3f8a73b8be538b9819fd5d99f112f4bc1de5386b5e42ba0f06a41265043f7465254c17dba2ce4a7c4264e7ec50e74efd8dd8e80745ff05961b08a284fdf08

Download Submit
\Users\Admin\AppData\Local\Temp\DIS.EXE

Filesize
78KB

MD5
b6310ca2c49b28fbac28fef7a0877d18

SHA1
8451bac38ac99353f658e7b0042fe653d4292da0

SHA256
f895e12abca5b1c4bbd96166ff1900b55e6fb2537b664b39bb140628531e8f65

SHA512
ba01e5f1295552a78b0ce58f25f4019a1d374918ab6a187cd07c2715a965a1a0c6a71b22a39d52ad20efeda0fc5c790a5afd64ff648f77b0538219c6e0d42e6c

Download Submit
memory/784-95-0x00000000009F0000-0x0000000000D14000-memory.dmp

Filesize
3.1MB

Download
memory/784-97-0x000007FEF5E60000-0x000007FEF684C000-memory.dmp

Filesize
9.9MB

Download
memory/784-99-0x000000001B200000-0x000000001B280000-memory.dmp

Filesize
512KB

Download
memory/784-111-0x000007FEF5E60000-0x000007FEF684C000-memory.dmp

Filesize
9.9MB

Download
memory/2152-109-0x000007FEF5E60000-0x000007FEF684C000-memory.dmp

Filesize
9.9MB

Download
memory/2152-110-0x0000000000CE0000-0x0000000001004000-memory.dmp

Filesize
3.1MB

Download
memory/2152-112-0x000000001B020000-0x000000001B0A0000-memory.dmp

Filesize
512KB

Download
memory/2292-96-0x000007FEF5E60000-0x000007FEF684C000-memory.dmp

Filesize
9.9MB

Download
memory/2292-98-0x0000000002180000-0x0000000002200000-memory.dmp

Filesize
512KB

Download
memory/2292-94-0x000000013FBE0000-0x000000013FBF8000-memory.dmp

Filesize
96KB

Download
memory/2292-115-0x000007FEF5E60000-0x000007FEF684C000-memory.dmp

Filesize
9.9MB

Download
memory/3016-89-0x000007FEF5780000-0x000007FEF5E58000-memory.dmp

Filesize
6.8MB

Download