discordrat | b1db6f56fd54ccada5e2d84d6830d0dd6474d9016a8882fe9d3ce7c999eb9433

Analysis

max time kernel
150s
max time network
125s
platform
windows7_x64
resource
win7-20240221-en
resource tags

arch:x64arch:x86image:win7-20240221-enlocale:en-usos:windows7-x64system
submitted
01-03-2024 04:00

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

spoofer.exe
Size

213KB
MD5

71773fceb3e9e624116bbe0034cae4e2
SHA1

795393e8513d7aaaef6e9eadce048083782b5803
SHA256

b1db6f56fd54ccada5e2d84d6830d0dd6474d9016a8882fe9d3ce7c999eb9433
SHA512

43c1fe2be143a47564c163a2fed3063a258006e73a54bad0b4c92a927511a66689ac7272d0ab8f5de966bf1d700f8cdbf6d9931198286f1c0c98f52578186ebd
SSDEEP

3072:UVqoCl/YgjxEufVU0TbTyDDalRmZv5PDwbjNrmAE+UICK:UsLqdufVUNDaKv5PDwbBr4I1

Score

10^/10

discordrat evasion persistence rat rootkit stealer

Malware Config

Extracted

Family

discordrat

Attributes

discord_token
MTIxMjk3MDU3NzQ3Njg1Mzg1MQ.Gpr3-A.ODtb265fO5nQSxjWVk2bkBLn74EdnIfOD3ZZAg
server_id
1212969962608664636

Signatures

Discord RAT
A RAT written in C# using Discord as a C2.
stealer rootkit rat persistence discordrat

Modifies visiblity of hidden/system files in Explorer 2 TTPs 2 IoCs

evasion

Hidden Files and Directories

T1564.001

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\USER\S-1-5-21-3787592910-3720486031-2929222812-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0"	explorer.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3787592910-3720486031-2929222812-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0"	svchost.exe

Executes dropped EXE 6 IoCs

pid	Process
1732	spoofer.exe
2652	icsys.icn.exe
2828	explorer.exe
2416	spoolsv.exe
2412	svchost.exe
2904	spoolsv.exe

Loads dropped DLL 11 IoCs

pid	Process
2884	spoofer.exe
1972	WerFault.exe
1972	WerFault.exe
1972	WerFault.exe
1972	WerFault.exe
1972	WerFault.exe
2884	spoofer.exe
2652	icsys.icn.exe
2828	explorer.exe
2416	spoolsv.exe
2412	svchost.exe

Adds Run key to start application 2 TTPs 4 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Explorer = "c:\\windows\\resources\\themes\\explorer.exe RO"	explorer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Svchost = "c:\\windows\\resources\\svchost.exe RO"	explorer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Explorer = "c:\\windows\\resources\\themes\\explorer.exe RO"	svchost.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Svchost = "c:\\windows\\resources\\svchost.exe RO"	svchost.exe

Drops file in System32 directory 2 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SysWOW64\explorer.exe	explorer.exe
File opened for modification	C:\Windows\SysWOW64\explorer.exe	svchost.exe

Drops file in Windows directory 5 IoCs

description	ioc	Process
File opened for modification	\??\c:\windows\resources\themes\explorer.exe	icsys.icn.exe
File opened for modification	\??\c:\windows\resources\spoolsv.exe	explorer.exe
File opened for modification	\??\c:\windows\resources\svchost.exe	spoolsv.exe
File opened for modification	C:\Windows\Resources\tjud.exe	explorer.exe
File opened for modification	C:\Windows\Resources\Themes\icsys.icn.exe	spoofer.exe

Creates scheduled task(s) 1 TTPs 3 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence

Scheduled Task/Job

T1053

pid	Process
2784	schtasks.exe
1184	schtasks.exe
1760	schtasks.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
2884	spoofer.exe
2884	spoofer.exe
2884	spoofer.exe
2884	spoofer.exe
2884	spoofer.exe
2884	spoofer.exe
2884	spoofer.exe
2884	spoofer.exe
2884	spoofer.exe
2884	spoofer.exe
2884	spoofer.exe
2884	spoofer.exe
2884	spoofer.exe
2884	spoofer.exe
2884	spoofer.exe
2884	spoofer.exe
2652	icsys.icn.exe
2652	icsys.icn.exe
2652	icsys.icn.exe
2652	icsys.icn.exe
2652	icsys.icn.exe
2652	icsys.icn.exe
2652	icsys.icn.exe
2652	icsys.icn.exe
2652	icsys.icn.exe
2652	icsys.icn.exe
2652	icsys.icn.exe
2652	icsys.icn.exe
2652	icsys.icn.exe
2652	icsys.icn.exe
2652	icsys.icn.exe
2652	icsys.icn.exe
2652	icsys.icn.exe
2828	explorer.exe
2828	explorer.exe
2828	explorer.exe
2828	explorer.exe
2828	explorer.exe
2828	explorer.exe
2828	explorer.exe
2828	explorer.exe
2828	explorer.exe
2828	explorer.exe
2828	explorer.exe
2828	explorer.exe
2828	explorer.exe
2828	explorer.exe
2828	explorer.exe
2828	explorer.exe
2412	svchost.exe
2412	svchost.exe
2412	svchost.exe
2412	svchost.exe
2412	svchost.exe
2412	svchost.exe
2412	svchost.exe
2412	svchost.exe
2412	svchost.exe
2412	svchost.exe
2412	svchost.exe
2412	svchost.exe
2412	svchost.exe
2412	svchost.exe
2412	svchost.exe

Suspicious behavior: GetForegroundWindowSpam 2 IoCs

pid	Process
2828	explorer.exe
2412	svchost.exe

Suspicious use of SetWindowsHookEx 12 IoCs

pid	Process
2884	spoofer.exe
2884	spoofer.exe
2652	icsys.icn.exe
2652	icsys.icn.exe
2828	explorer.exe
2828	explorer.exe
2416	spoolsv.exe
2416	spoolsv.exe
2412	svchost.exe
2412	svchost.exe
2904	spoolsv.exe
2904	spoolsv.exe

Suspicious use of WriteProcessMemory 43 IoCs

description	pid	Process	procid_target
PID 2884 wrote to memory of 1732	2884	spoofer.exe	28
PID 2884 wrote to memory of 1732	2884	spoofer.exe	28
PID 2884 wrote to memory of 1732	2884	spoofer.exe	28
PID 2884 wrote to memory of 1732	2884	spoofer.exe	28
PID 1732 wrote to memory of 1972	1732	spoofer.exe	29
PID 1732 wrote to memory of 1972	1732	spoofer.exe	29
PID 1732 wrote to memory of 1972	1732	spoofer.exe	29
PID 2884 wrote to memory of 2652	2884	spoofer.exe	30
PID 2884 wrote to memory of 2652	2884	spoofer.exe	30
PID 2884 wrote to memory of 2652	2884	spoofer.exe	30
PID 2884 wrote to memory of 2652	2884	spoofer.exe	30
PID 2652 wrote to memory of 2828	2652	icsys.icn.exe	31
PID 2652 wrote to memory of 2828	2652	icsys.icn.exe	31
PID 2652 wrote to memory of 2828	2652	icsys.icn.exe	31
PID 2652 wrote to memory of 2828	2652	icsys.icn.exe	31
PID 2828 wrote to memory of 2416	2828	explorer.exe	32
PID 2828 wrote to memory of 2416	2828	explorer.exe	32
PID 2828 wrote to memory of 2416	2828	explorer.exe	32
PID 2828 wrote to memory of 2416	2828	explorer.exe	32
PID 2416 wrote to memory of 2412	2416	spoolsv.exe	33
PID 2416 wrote to memory of 2412	2416	spoolsv.exe	33
PID 2416 wrote to memory of 2412	2416	spoolsv.exe	33
PID 2416 wrote to memory of 2412	2416	spoolsv.exe	33
PID 2412 wrote to memory of 2904	2412	svchost.exe	34
PID 2412 wrote to memory of 2904	2412	svchost.exe	34
PID 2412 wrote to memory of 2904	2412	svchost.exe	34
PID 2412 wrote to memory of 2904	2412	svchost.exe	34
PID 2828 wrote to memory of 2112	2828	explorer.exe	35
PID 2828 wrote to memory of 2112	2828	explorer.exe	35
PID 2828 wrote to memory of 2112	2828	explorer.exe	35
PID 2828 wrote to memory of 2112	2828	explorer.exe	35
PID 2412 wrote to memory of 2784	2412	svchost.exe	36
PID 2412 wrote to memory of 2784	2412	svchost.exe	36
PID 2412 wrote to memory of 2784	2412	svchost.exe	36
PID 2412 wrote to memory of 2784	2412	svchost.exe	36
PID 2412 wrote to memory of 1184	2412	svchost.exe	41
PID 2412 wrote to memory of 1184	2412	svchost.exe	41
PID 2412 wrote to memory of 1184	2412	svchost.exe	41
PID 2412 wrote to memory of 1184	2412	svchost.exe	41
PID 2412 wrote to memory of 1760	2412	svchost.exe	43
PID 2412 wrote to memory of 1760	2412	svchost.exe	43
PID 2412 wrote to memory of 1760	2412	svchost.exe	43
PID 2412 wrote to memory of 1760	2412	svchost.exe	43

C:\Users\Admin\AppData\Local\Temp\spoofer.exe
"C:\Users\Admin\AppData\Local\Temp\spoofer.exe"
1⤵
- Loads dropped DLL
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2884
- \??\c:\users\admin\appdata\local\temp\spoofer.exe
  c:\users\admin\appdata\local\temp\spoofer.exe
  2⤵
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
  PID:1732
- - C:\Windows\system32\WerFault.exe
    C:\Windows\system32\WerFault.exe -u -p 1732 -s 596
    3⤵
    - Loads dropped DLL
    PID:1972
- C:\Windows\Resources\Themes\icsys.icn.exe
  C:\Windows\Resources\Themes\icsys.icn.exe
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in Windows directory
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:2652
- - \??\c:\windows\resources\themes\explorer.exe
    c:\windows\resources\themes\explorer.exe
    3⤵
    - Modifies visiblity of hidden/system files in Explorer
    - Executes dropped EXE
    - Loads dropped DLL
    - Adds Run key to start application
    - Drops file in System32 directory
    - Drops file in Windows directory
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious behavior: GetForegroundWindowSpam
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    PID:2828
  - - \??\c:\windows\resources\spoolsv.exe
      c:\windows\resources\spoolsv.exe SE
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      Drops file in Windows directory
      Suspicious use of SetWindowsHookEx
      Suspicious use of WriteProcessMemory
      PID:2416
    - - \??\c:\windows\resources\svchost.exe
        
        c:\windows\resources\svchost.exe
        5⤵
        Modifies visiblity of hidden/system files in Explorer
        Executes dropped EXE
        Loads dropped DLL
        Adds Run key to start application
        Drops file in System32 directory
        Suspicious behavior: EnumeratesProcesses
        Suspicious behavior: GetForegroundWindowSpam
        Suspicious use of SetWindowsHookEx
        Suspicious use of WriteProcessMemory
        
        PID:2412
      - \??\c:\windows\resources\spoolsv.exe
        
        c:\windows\resources\spoolsv.exe PR
        6⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:2904
      - C:\Windows\SysWOW64\schtasks.exe
        
        schtasks /create /tn "svchost" /tr "c:\windows\resources\svchost.exe" /sc daily /st 04:03 /f
        6⤵
        Creates scheduled task(s)
        
        PID:2784
      - C:\Windows\SysWOW64\schtasks.exe
        
        schtasks /create /tn "svchost" /tr "c:\windows\resources\svchost.exe" /sc daily /st 04:04 /f
        6⤵
        Creates scheduled task(s)
        
        PID:1184
      - C:\Windows\SysWOW64\schtasks.exe
        
        schtasks /create /tn "svchost" /tr "c:\windows\resources\svchost.exe" /sc daily /st 04:05 /f
        6⤵
        Creates scheduled task(s)
        
        PID:1760
  - - C:\Windows\Explorer.exe
      C:\Windows\Explorer.exe
      4⤵
      PID:2112

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

T1053

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Scheduled Task/Job

T1053

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Scheduled Task/Job

T1053

Defense Evasion

Hide Artifacts

T1564

Hidden Files and Directories

T1564.001

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

\Users\Admin\AppData\Local\Temp\spoofer.exe

Filesize
78KB

MD5
494defc2662b517bc1ce1fff129881f4

SHA1
c2ae106ebdc0feed41ea4964f807899a6e5f45a2

SHA256
9e185c933a0fa13ef2cdb9da5a2f9c9ceccfd477cb30684b8729e0219435afcf

SHA512
d582c6cd003e23d303ff047c835b6fb443e832d7fc4f66a5e800dbb764d00838d5b1ad4d1d9b1bcade96fc30e066e9c4026afc3d0a2d078b555f0e40ad557c04

Download Submit
\Windows\Resources\Themes\explorer.exe

Filesize
135KB

MD5
cccb35592bc5e882effcf04e2a304ec7

SHA1
db2d53a415017f751156a68e3e3ea91058cab466

SHA256
a420613ff3f9aad927e07625668c928004404d65a1357d957c038a5c0b4992bd

SHA512
f7fd008d90baf749f87cb64a03bf1dd3194f13855a65f74daebbaf8e45ae7882bb4405f074a8cc2ea3407dd2c4baf2e1e0f8ae54bdbe86048188eef30ec81ba0

Download Submit
\Windows\Resources\Themes\icsys.icn.exe

Filesize
135KB

MD5
6c5f2559b59e8528e716df06f8b758aa

SHA1
57035e3a7ee16ea81f607c5c7442b9f872e768b2

SHA256
96fb614f8ed6a2c05d748de152064d22032ee5d4af05e9851240521e4be41388

SHA512
3cdbbc1f9e5698d535cf83f90c1c55800b48bb8dd68c2e649223e400073acf0c2a09514d2d26aa5be11b95be7e1e0c3cdfa1c600531f5ae7ffe5f65e60be07c8

Download Submit
\Windows\Resources\spoolsv.exe

Filesize
135KB

MD5
6b4a4b0e78ae0a70552a6cca5cc56f42

SHA1
6b0f8ceed528915352581618b233f322d8c7e390

SHA256
207816c35744731f08773f4724ef5ceb3c0c4ae232a684f0bebc450dd62cc2d5

SHA512
93ae1e1c92642038a969749beb86cd43ab902f367f26f7b969f23785b3858c17f6eaad1521de1af47f70a519f140c5157793a4da295f68eff1b08b21b7d804ca

Download Submit
\Windows\Resources\svchost.exe

Filesize
135KB

MD5
c3be41025d42f4c7e9fbc7ba4cd879dc

SHA1
4ce091fc5b502834e1ac418791191fb9f95118e6

SHA256
f2582af32c61db2ef037ee1cc066bd45d73c80225f68a45dc73a24398cd8fa31

SHA512
5c9c59f6493908e670fe9f9156edb70e5cf3ad8b7d1bd9663e6c9206ac46a00c882267fc232789ccc3fda5e31dad9308857aa230f99e62fa27c5d81a46d959e8

Download Submit
memory/1732-54-0x000000001BA90000-0x000000001BB10000-memory.dmp

Filesize
512KB

Download
memory/1732-10-0x000000013F690000-0x000000013F6A8000-memory.dmp

Filesize
96KB

Download
memory/1732-11-0x000007FEF5660000-0x000007FEF604C000-memory.dmp

Filesize
9.9MB

Download
memory/1732-12-0x000000001BA90000-0x000000001BB10000-memory.dmp

Filesize
512KB

Download
memory/1732-71-0x000007FEF5660000-0x000007FEF604C000-memory.dmp

Filesize
9.9MB

Download
memory/1732-45-0x000007FEF5660000-0x000007FEF604C000-memory.dmp

Filesize
9.9MB

Download
memory/2412-59-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/2416-46-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/2416-57-0x0000000001B80000-0x0000000001B9F000-memory.dmp

Filesize
124KB

Download
memory/2416-68-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/2652-69-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/2884-0-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/2884-70-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/2884-21-0x0000000000280000-0x000000000029F000-memory.dmp

Filesize
124KB

Download
memory/2904-67-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download