discordrat | 30e367291c1d580ec38f4d62387a7def1a81b533c83305dba3e9f5496b11c92a

General

Target

cracked_fn_cheat.rar
Size

26KB
MD5

c56ccaa38347aa58e847891d89e21bda
SHA1

e52363e985fe23b4f4a6438b4fa9cec772876f41
SHA256

30e367291c1d580ec38f4d62387a7def1a81b533c83305dba3e9f5496b11c92a
SHA512

30639f4eda169ad50299e64e3494617a6300b518ce202e7158019956189e5d926e719a18b732aa3d27987f7f3b7d93aa056e045475afe333886fc6cc07ea645c
SSDEEP

768:Eyn97kC2KvEOojzJyrxpCq7rGnuMn7IwFpe4:Ek7kHKMOoMrrCISnnZF/

Score

10^/10

discordrat persistence rat rootkit stealer

Malware Config

Extracted

Family

discordrat

Attributes

discord_token
MTIxMzU2ODI2MzA3MDY3OTA1MQ.Gu70SU.UnRXXRdm2QBp35G5VDsqZeg5X4r13GI1NoSDBQ
server_id
1213575249237639189

Signatures

Discord RAT
A RAT written in C# using Discord as a C2.
stealer rootkit rat persistence discordrat

Executes dropped EXE 3 IoCs

pid	Process
4584	cracked-fn-cheat.exe
4988	cracked-fn-cheat.exe
4700	cracked-fn-cheat.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs 11 IoCs

Web Service

T1102

flow	ioc
12	discord.com
13	discord.com
19	discord.com
22	discord.com
30	discord.com
18	discord.com
21	discord.com
24	discord.com
26	discord.com
28	discord.com
29	discord.com

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Modifies registry class 2 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-1104443672-3570440473-4052989528-1000_Classes\Local Settings	cmd.exe
Key created	\REGISTRY\USER\S-1-5-21-1104443672-3570440473-4052989528-1000_Classes\Local Settings	7zFM.exe

Opens file in notepad (likely ransom note) 1 IoCs

ransomware

pid	Process
1692	NOTEPAD.EXE

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
2640	7zFM.exe

Suspicious use of AdjustPrivilegeToken 9 IoCs

description	pid	Process
Token: SeRestorePrivilege	2640	7zFM.exe
Token: 35	2640	7zFM.exe
Token: SeSecurityPrivilege	2640	7zFM.exe
Token: SeSecurityPrivilege	2640	7zFM.exe
Token: SeSecurityPrivilege	2640	7zFM.exe
Token: SeDebugPrivilege	4584	cracked-fn-cheat.exe
Token: SeSecurityPrivilege	2640	7zFM.exe
Token: SeDebugPrivilege	4988	cracked-fn-cheat.exe
Token: SeDebugPrivilege	4700	cracked-fn-cheat.exe

Suspicious use of FindShellTrayWindow 5 IoCs

pid	Process
2640	7zFM.exe
2640	7zFM.exe
2640	7zFM.exe
2640	7zFM.exe
2640	7zFM.exe

Suspicious use of WriteProcessMemory 6 IoCs

description	pid	Process	procid_target
PID 5060 wrote to memory of 2640	5060	cmd.exe	74
PID 5060 wrote to memory of 2640	5060	cmd.exe	74
PID 2640 wrote to memory of 1692	2640	7zFM.exe	76
PID 2640 wrote to memory of 1692	2640	7zFM.exe	76
PID 2640 wrote to memory of 4584	2640	7zFM.exe	77
PID 2640 wrote to memory of 4584	2640	7zFM.exe	77

C:\Windows\system32\cmd.exe
cmd /c C:\Users\Admin\AppData\Local\Temp\cracked_fn_cheat.rar
1⤵
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:5060
- C:\Program Files\7-Zip\7zFM.exe
  "C:\Program Files\7-Zip\7zFM.exe" "C:\Users\Admin\AppData\Local\Temp\cracked_fn_cheat.rar"
  2⤵
  - Modifies registry class
  - Suspicious behavior: GetForegroundWindowSpam
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of WriteProcessMemory
  PID:2640
- - C:\Windows\system32\NOTEPAD.EXE
    "C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\AppData\Local\Temp\7zO05A93479\README.txt
    3⤵
    - Opens file in notepad (likely ransom note)
    PID:1692
- - C:\Users\Admin\AppData\Local\Temp\7zO05A1BA39\cracked-fn-cheat.exe
    "C:\Users\Admin\AppData\Local\Temp\7zO05A1BA39\cracked-fn-cheat.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious use of AdjustPrivilegeToken
    PID:4584

C:\Users\Admin\Desktop\cracked-fn-cheat.exe
"C:\Users\Admin\Desktop\cracked-fn-cheat.exe"
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:4988

C:\Users\Admin\Desktop\cracked-fn-cheat.exe
"C:\Users\Admin\Desktop\cracked-fn-cheat.exe"
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:4700

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Web Service

1

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\7zO05A1BA39\cracked-fn-cheat.exe

Filesize
78KB

MD5
7d98971a76d1d19ad9d7857a18f92720

SHA1
b3f926d0e440eb337f3ab9c3b271690dc7427262

SHA256
2726c5e06b2b9d775cc7b863593f9c8a177b8ba3844e4c9bf36928f3ad467d68

SHA512
531721adddb6e263ea61c6d5f1e209b921d6eb3217a28625449549c565dd4192f6d3040f4413c52b3f3b53543480582db036710c735fb7f1f596b5a114eca68a

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zO05A93479\README.txt

Filesize
399B

MD5
9672c581382e208be03587296f2b0155

SHA1
109c9e5fc317c74e6c202ffcd809c43a70e7294b

SHA256
3c473bbeafaa01c6270ea156cc3e9ecd4c74bf8349d537e1fb4ce0381c5d6826

SHA512
36a327f94e65771834a21273f33f9e8ffbaf83352057b186c0757424e9cd87414ad9c5dd953b74fc63266ac0f183d16a4566a181e3c66b043fdc36f3bbbc01f9

Download Submit
memory/4584-10-0x000001F77BD10000-0x000001F77BD28000-memory.dmp

Filesize
96KB

Download
memory/4584-11-0x000001F77E430000-0x000001F77E5F2000-memory.dmp

Filesize
1.8MB

Download
memory/4584-12-0x00007FFD75B30000-0x00007FFD7651C000-memory.dmp

Filesize
9.9MB

Download
memory/4584-13-0x000001F77DAE0000-0x000001F77DAF0000-memory.dmp

Filesize
64KB

Download
memory/4584-14-0x000001F77EC30000-0x000001F77F156000-memory.dmp

Filesize
5.1MB

Download
memory/4584-17-0x00007FFD75B30000-0x00007FFD7651C000-memory.dmp

Filesize
9.9MB

Download
memory/4700-27-0x00007FFD75B30000-0x00007FFD7651C000-memory.dmp

Filesize
9.9MB

Download
memory/4700-28-0x0000018DC4660000-0x0000018DC4670000-memory.dmp

Filesize
64KB

Download
memory/4700-23-0x00007FFD75B30000-0x00007FFD7651C000-memory.dmp

Filesize
9.9MB

Download
memory/4700-24-0x0000018DC4660000-0x0000018DC4670000-memory.dmp

Filesize
64KB

Download
memory/4988-20-0x00007FFD75B30000-0x00007FFD7651C000-memory.dmp

Filesize
9.9MB

Download
memory/4988-26-0x0000019F7C260000-0x0000019F7C270000-memory.dmp

Filesize
64KB

Download
memory/4988-25-0x00007FFD75B30000-0x00007FFD7651C000-memory.dmp

Filesize
9.9MB

Download
memory/4988-21-0x0000019F7C260000-0x0000019F7C270000-memory.dmp

Filesize
64KB

Download

Analysis

Sharing