discordrat | b1db6f56fd54ccada5e2d84d6830d0dd6474d9016a8882fe9d3ce7c999eb9433

Analysis

max time kernel
150s
max time network
154s
platform
windows10-2004_x64
resource
win10v2004-20240226-en
resource tags

arch:x64arch:x86image:win10v2004-20240226-enlocale:en-usos:windows10-2004-x64system
submitted
01-03-2024 04:00

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

spoofer.exe
Size

213KB
MD5

71773fceb3e9e624116bbe0034cae4e2
SHA1

795393e8513d7aaaef6e9eadce048083782b5803
SHA256

b1db6f56fd54ccada5e2d84d6830d0dd6474d9016a8882fe9d3ce7c999eb9433
SHA512

43c1fe2be143a47564c163a2fed3063a258006e73a54bad0b4c92a927511a66689ac7272d0ab8f5de966bf1d700f8cdbf6d9931198286f1c0c98f52578186ebd
SSDEEP

3072:UVqoCl/YgjxEufVU0TbTyDDalRmZv5PDwbjNrmAE+UICK:UsLqdufVUNDaKv5PDwbBr4I1

Score

10^/10

discordrat evasion persistence rat rootkit spyware stealer

Malware Config

Extracted

Family

discordrat

Attributes

discord_token
MTIxMjk3MDU3NzQ3Njg1Mzg1MQ.Gpr3-A.ODtb265fO5nQSxjWVk2bkBLn74EdnIfOD3ZZAg
server_id
1212969962608664636

Signatures

Discord RAT
A RAT written in C# using Discord as a C2.
stealer rootkit rat persistence discordrat

Modifies visiblity of hidden/system files in Explorer 2 TTPs 2 IoCs

evasion

Hidden Files and Directories

T1564.001

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\USER\S-1-5-21-557049126-2506969350-2798870634-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0"	svchost.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-557049126-2506969350-2798870634-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0"	explorer.exe

Downloads MZ/PE file

Executes dropped EXE 6 IoCs

pid	Process
548	spoofer.exe
2988	icsys.icn.exe
4900	explorer.exe
2376	spoolsv.exe
648	svchost.exe
4852	spoolsv.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Adds Run key to start application 2 TTPs 4 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Explorer = "c:\\windows\\resources\\themes\\explorer.exe RO"	explorer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Svchost = "c:\\windows\\resources\\svchost.exe RO"	explorer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Explorer = "c:\\windows\\resources\\themes\\explorer.exe RO"	svchost.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Svchost = "c:\\windows\\resources\\svchost.exe RO"	svchost.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs 7 IoCs

Web Service

T1102

flow	ioc
43	discord.com
65	raw.githubusercontent.com
66	raw.githubusercontent.com
68	discord.com
70	discord.com
36	discord.com
37	discord.com

Drops file in System32 directory 2 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SysWOW64\explorer.exe	explorer.exe
File opened for modification	C:\Windows\SysWOW64\explorer.exe	svchost.exe

Drops file in Windows directory 5 IoCs

description	ioc	Process
File opened for modification	C:\Windows\Resources\Themes\icsys.icn.exe	spoofer.exe
File opened for modification	\??\c:\windows\resources\themes\explorer.exe	icsys.icn.exe
File opened for modification	\??\c:\windows\resources\spoolsv.exe	explorer.exe
File opened for modification	\??\c:\windows\resources\svchost.exe	spoolsv.exe
File opened for modification	C:\Windows\Resources\tjud.exe	explorer.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
1556	spoofer.exe
1556	spoofer.exe
1556	spoofer.exe
1556	spoofer.exe
1556	spoofer.exe
1556	spoofer.exe
1556	spoofer.exe
1556	spoofer.exe
1556	spoofer.exe
1556	spoofer.exe
1556	spoofer.exe
1556	spoofer.exe
1556	spoofer.exe
1556	spoofer.exe
1556	spoofer.exe
1556	spoofer.exe
1556	spoofer.exe
1556	spoofer.exe
1556	spoofer.exe
1556	spoofer.exe
1556	spoofer.exe
1556	spoofer.exe
1556	spoofer.exe
1556	spoofer.exe
1556	spoofer.exe
1556	spoofer.exe
1556	spoofer.exe
1556	spoofer.exe
1556	spoofer.exe
1556	spoofer.exe
1556	spoofer.exe
1556	spoofer.exe
2988	icsys.icn.exe
2988	icsys.icn.exe
2988	icsys.icn.exe
2988	icsys.icn.exe
2988	icsys.icn.exe
2988	icsys.icn.exe
2988	icsys.icn.exe
2988	icsys.icn.exe
2988	icsys.icn.exe
2988	icsys.icn.exe
2988	icsys.icn.exe
2988	icsys.icn.exe
2988	icsys.icn.exe
2988	icsys.icn.exe
2988	icsys.icn.exe
2988	icsys.icn.exe
2988	icsys.icn.exe
2988	icsys.icn.exe
2988	icsys.icn.exe
2988	icsys.icn.exe
2988	icsys.icn.exe
2988	icsys.icn.exe
2988	icsys.icn.exe
2988	icsys.icn.exe
2988	icsys.icn.exe
2988	icsys.icn.exe
2988	icsys.icn.exe
2988	icsys.icn.exe
2988	icsys.icn.exe
2988	icsys.icn.exe
2988	icsys.icn.exe
2988	icsys.icn.exe

Suspicious behavior: GetForegroundWindowSpam 2 IoCs

pid	Process
4900	explorer.exe
648	svchost.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	548	spoofer.exe

Suspicious use of SetWindowsHookEx 12 IoCs

pid	Process
1556	spoofer.exe
1556	spoofer.exe
2988	icsys.icn.exe
2988	icsys.icn.exe
4900	explorer.exe
4900	explorer.exe
2376	spoolsv.exe
2376	spoolsv.exe
648	svchost.exe
648	svchost.exe
4852	spoolsv.exe
4852	spoolsv.exe

Suspicious use of WriteProcessMemory 17 IoCs

description	pid	Process	procid_target
PID 1556 wrote to memory of 548	1556	spoofer.exe	89
PID 1556 wrote to memory of 548	1556	spoofer.exe	89
PID 1556 wrote to memory of 2988	1556	spoofer.exe	94
PID 1556 wrote to memory of 2988	1556	spoofer.exe	94
PID 1556 wrote to memory of 2988	1556	spoofer.exe	94
PID 2988 wrote to memory of 4900	2988	icsys.icn.exe	95
PID 2988 wrote to memory of 4900	2988	icsys.icn.exe	95
PID 2988 wrote to memory of 4900	2988	icsys.icn.exe	95
PID 4900 wrote to memory of 2376	4900	explorer.exe	96
PID 4900 wrote to memory of 2376	4900	explorer.exe	96
PID 4900 wrote to memory of 2376	4900	explorer.exe	96
PID 2376 wrote to memory of 648	2376	spoolsv.exe	97
PID 2376 wrote to memory of 648	2376	spoolsv.exe	97
PID 2376 wrote to memory of 648	2376	spoolsv.exe	97
PID 648 wrote to memory of 4852	648	svchost.exe	98
PID 648 wrote to memory of 4852	648	svchost.exe	98
PID 648 wrote to memory of 4852	648	svchost.exe	98

C:\Users\Admin\AppData\Local\Temp\spoofer.exe
"C:\Users\Admin\AppData\Local\Temp\spoofer.exe"
1⤵
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1556
- \??\c:\users\admin\appdata\local\temp\spoofer.exe
  c:\users\admin\appdata\local\temp\spoofer.exe
  2⤵
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken
  PID:548
- C:\Windows\Resources\Themes\icsys.icn.exe
  C:\Windows\Resources\Themes\icsys.icn.exe
  2⤵
  - Executes dropped EXE
  - Drops file in Windows directory
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:2988
- - \??\c:\windows\resources\themes\explorer.exe
    c:\windows\resources\themes\explorer.exe
    3⤵
    - Modifies visiblity of hidden/system files in Explorer
    - Executes dropped EXE
    - Adds Run key to start application
    - Drops file in System32 directory
    - Drops file in Windows directory
    - Suspicious behavior: GetForegroundWindowSpam
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    PID:4900
  - - \??\c:\windows\resources\spoolsv.exe
      c:\windows\resources\spoolsv.exe SE
      4⤵
      Executes dropped EXE
      Drops file in Windows directory
      Suspicious use of SetWindowsHookEx
      Suspicious use of WriteProcessMemory
      PID:2376
    - - \??\c:\windows\resources\svchost.exe
        
        c:\windows\resources\svchost.exe
        5⤵
        Modifies visiblity of hidden/system files in Explorer
        Executes dropped EXE
        Adds Run key to start application
        Drops file in System32 directory
        Suspicious behavior: GetForegroundWindowSpam
        Suspicious use of SetWindowsHookEx
        Suspicious use of WriteProcessMemory
        
        PID:648
      - \??\c:\windows\resources\spoolsv.exe
        
        c:\windows\resources\spoolsv.exe PR
        6⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:4852

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Hide Artifacts

T1564

Hidden Files and Directories

T1564.001

Modify Registry

T1112

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\spoofer.exe

Filesize
78KB

MD5
494defc2662b517bc1ce1fff129881f4

SHA1
c2ae106ebdc0feed41ea4964f807899a6e5f45a2

SHA256
9e185c933a0fa13ef2cdb9da5a2f9c9ceccfd477cb30684b8729e0219435afcf

SHA512
d582c6cd003e23d303ff047c835b6fb443e832d7fc4f66a5e800dbb764d00838d5b1ad4d1d9b1bcade96fc30e066e9c4026afc3d0a2d078b555f0e40ad557c04

Download Submit
C:\Windows\Resources\Themes\explorer.exe

Filesize
135KB

MD5
5187519d8ae90db704129f0ebc5c7738

SHA1
a7a842809ad36b0b4630deec882ca70505e2a8ea

SHA256
4fd6b67ca76d3b158762b01fcdbe07552f54907ea751d4b3987c57c0f154e769

SHA512
b46aa5aefc61f2191aa2efb960f0683298be1b04814fa5ec4e331383fa9e6567363743f60e1f47ca01bc89d8c3e04e1cd0f6de2bf1ac9de5ec586f98118384f5

Download Submit
C:\Windows\Resources\Themes\icsys.icn.exe

Filesize
135KB

MD5
6c5f2559b59e8528e716df06f8b758aa

SHA1
57035e3a7ee16ea81f607c5c7442b9f872e768b2

SHA256
96fb614f8ed6a2c05d748de152064d22032ee5d4af05e9851240521e4be41388

SHA512
3cdbbc1f9e5698d535cf83f90c1c55800b48bb8dd68c2e649223e400073acf0c2a09514d2d26aa5be11b95be7e1e0c3cdfa1c600531f5ae7ffe5f65e60be07c8

Download Submit
C:\Windows\Resources\spoolsv.exe

Filesize
135KB

MD5
7070dcd8d32bd2ea502e8f2998aa6a3c

SHA1
92249085ffcede454a092b5f80faf8425349af16

SHA256
d32a3d4d6ffdb2eee45c6f46867b68963dc012e9580e1a6259a32a8b487a5b51

SHA512
004c442dbf9f06e3dcf70b6b56c8eae053de05b1cba6e6b88dde7f34bc01dcdf349bb3e794618a80185d642f40811ac9b5211f219060f5884278076261cae580

Download Submit
C:\Windows\Resources\svchost.exe

Filesize
135KB

MD5
2b72c8f87d36290cfa86ed2a71abe7f4

SHA1
a7d092b1822a02b8d2373f7329a77754dd16dd61

SHA256
65b9d4291ac4390d51b5fa5d69dfea4f7b35c69578ec33d8aa3448f439f53152

SHA512
cdbb45a87835ad3079a1662a8b5d56b19b72ee2f1cadd510ee8cd0b9dec0600333186c4c8094b4ab9c4fbdf546e8f53286969482a82632b4a15f7c1e047d5119

Download Submit
memory/548-12-0x0000027027180000-0x0000027027190000-memory.dmp

Filesize
64KB

Download
memory/548-55-0x0000027027180000-0x0000027027190000-memory.dmp

Filesize
64KB

Download
memory/548-58-0x00000270275C0000-0x00000270275DE000-memory.dmp

Filesize
120KB

Download
memory/548-57-0x00000270271C0000-0x00000270271D2000-memory.dmp

Filesize
72KB

Download
memory/548-11-0x00007FF857340000-0x00007FF857E01000-memory.dmp

Filesize
10.8MB

Download
memory/548-10-0x00000270271D0000-0x0000027027392000-memory.dmp

Filesize
1.8MB

Download
memory/548-9-0x000002700CC00000-0x000002700CC18000-memory.dmp

Filesize
96KB

Download
memory/548-48-0x00007FF857340000-0x00007FF857E01000-memory.dmp

Filesize
10.8MB

Download
memory/548-56-0x0000027027620000-0x0000027027696000-memory.dmp

Filesize
472KB

Download
memory/548-13-0x00000270279D0000-0x0000027027EF8000-memory.dmp

Filesize
5.2MB

Download
memory/1556-54-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/1556-0-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/2376-53-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/2988-52-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/2988-17-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/4852-51-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/4852-49-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download