discordrat | 3ce93b5813e1b8534a70b227f7e8503e10c3480607032c9744354faa2ac4a070

Analysis

max time kernel
1800s
max time network
1701s
platform
windows7_x64
resource
win7-20240221-en
resource tags

arch:x64arch:x86image:win7-20240221-enlocale:en-usos:windows7-x64system
submitted
03-03-2024 02:24

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

Nova Patcher V2.exe
Size

78KB
MD5

ef61bc4d93013d6072d6b6b4b2231f58
SHA1

a604af75290366150af26cb64bd9bedc01ab7b78
SHA256

3ce93b5813e1b8534a70b227f7e8503e10c3480607032c9744354faa2ac4a070
SHA512

4cb794bac0eba98e54affbb7c1620113409b3065c515e7565e31848ad2a446010f7216459e7f0f101013e46847a309f56967866ba7b20a85650e51572c3ebc6a
SSDEEP

1536:52WjO8XeEXFh5P7v88wbjNrfxCXhRoKV6+V+kPIC:5Zv5PDwbjNrmAE+4IC

Score

10^/10

discordrat persistence rat rootkit stealer

Malware Config

Extracted

Family

discordrat

Attributes

discord_token
MTE5MzM5NjMyNzQzNDk0NDUzMg.GQtyFE.630ymbBowAmccfehQ9LqT14nEeJOjZV4R1iwvU
server_id
1193395247854653511

Signatures

Discord RAT
A RAT written in C# using Discord as a C2.
stealer rootkit rat persistence discordrat

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	chrome.exe

Suspicious behavior: EnumeratesProcesses 4 IoCs

pid	Process
2576	chrome.exe
2576	chrome.exe
2576	chrome.exe
2576	chrome.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeShutdownPrivilege	2576	chrome.exe
Token: SeShutdownPrivilege	2576	chrome.exe
Token: SeShutdownPrivilege	2576	chrome.exe
Token: SeShutdownPrivilege	2576	chrome.exe
Token: SeShutdownPrivilege	2576	chrome.exe
Token: SeShutdownPrivilege	2576	chrome.exe
Token: SeShutdownPrivilege	2576	chrome.exe
Token: SeShutdownPrivilege	2576	chrome.exe
Token: SeShutdownPrivilege	2576	chrome.exe
Token: SeShutdownPrivilege	2576	chrome.exe
Token: SeShutdownPrivilege	2576	chrome.exe
Token: SeShutdownPrivilege	2576	chrome.exe
Token: SeShutdownPrivilege	2576	chrome.exe
Token: SeShutdownPrivilege	2576	chrome.exe
Token: SeShutdownPrivilege	2576	chrome.exe
Token: SeShutdownPrivilege	2576	chrome.exe
Token: SeShutdownPrivilege	2576	chrome.exe
Token: SeShutdownPrivilege	2576	chrome.exe
Token: SeShutdownPrivilege	2576	chrome.exe
Token: SeShutdownPrivilege	2576	chrome.exe
Token: SeShutdownPrivilege	2576	chrome.exe
Token: SeShutdownPrivilege	2576	chrome.exe
Token: SeShutdownPrivilege	2576	chrome.exe
Token: SeShutdownPrivilege	2576	chrome.exe
Token: SeShutdownPrivilege	2576	chrome.exe
Token: SeShutdownPrivilege	2576	chrome.exe
Token: SeShutdownPrivilege	2576	chrome.exe
Token: SeShutdownPrivilege	2576	chrome.exe
Token: SeShutdownPrivilege	2576	chrome.exe
Token: SeShutdownPrivilege	2576	chrome.exe
Token: SeShutdownPrivilege	2576	chrome.exe
Token: SeShutdownPrivilege	2576	chrome.exe
Token: SeShutdownPrivilege	2576	chrome.exe
Token: SeShutdownPrivilege	2576	chrome.exe
Token: SeShutdownPrivilege	2576	chrome.exe
Token: SeShutdownPrivilege	2576	chrome.exe
Token: SeShutdownPrivilege	2576	chrome.exe
Token: SeShutdownPrivilege	2576	chrome.exe
Token: SeShutdownPrivilege	2576	chrome.exe
Token: SeShutdownPrivilege	2576	chrome.exe
Token: SeShutdownPrivilege	2576	chrome.exe
Token: SeShutdownPrivilege	2576	chrome.exe
Token: SeShutdownPrivilege	2576	chrome.exe
Token: SeShutdownPrivilege	2576	chrome.exe
Token: SeShutdownPrivilege	2576	chrome.exe
Token: SeShutdownPrivilege	2576	chrome.exe
Token: SeShutdownPrivilege	2576	chrome.exe
Token: SeShutdownPrivilege	2576	chrome.exe
Token: SeShutdownPrivilege	2576	chrome.exe
Token: SeShutdownPrivilege	2576	chrome.exe
Token: SeShutdownPrivilege	2576	chrome.exe
Token: SeShutdownPrivilege	2576	chrome.exe
Token: SeShutdownPrivilege	2576	chrome.exe
Token: SeShutdownPrivilege	2576	chrome.exe
Token: SeShutdownPrivilege	2576	chrome.exe
Token: SeShutdownPrivilege	2576	chrome.exe
Token: SeShutdownPrivilege	2576	chrome.exe
Token: SeShutdownPrivilege	2576	chrome.exe
Token: SeShutdownPrivilege	2576	chrome.exe
Token: SeShutdownPrivilege	2576	chrome.exe
Token: SeShutdownPrivilege	2576	chrome.exe
Token: SeShutdownPrivilege	2576	chrome.exe
Token: SeShutdownPrivilege	2576	chrome.exe
Token: SeShutdownPrivilege	2576	chrome.exe

Suspicious use of FindShellTrayWindow 50 IoCs

pid	Process
2576	chrome.exe
2576	chrome.exe
2576	chrome.exe
2576	chrome.exe
2576	chrome.exe
2576	chrome.exe
2576	chrome.exe
2576	chrome.exe
2576	chrome.exe
2576	chrome.exe
2576	chrome.exe
2576	chrome.exe
2576	chrome.exe
2576	chrome.exe
2576	chrome.exe
2576	chrome.exe
2576	chrome.exe
2576	chrome.exe
2576	chrome.exe
2576	chrome.exe
2576	chrome.exe
2576	chrome.exe
2576	chrome.exe
2576	chrome.exe
2576	chrome.exe
2576	chrome.exe
2576	chrome.exe
2576	chrome.exe
2576	chrome.exe
2576	chrome.exe
2576	chrome.exe
2576	chrome.exe
2576	chrome.exe
2576	chrome.exe
2576	chrome.exe
2576	chrome.exe
2576	chrome.exe
2576	chrome.exe
2576	chrome.exe
2576	chrome.exe
2576	chrome.exe
2576	chrome.exe
2576	chrome.exe
2576	chrome.exe
2576	chrome.exe
2576	chrome.exe
2576	chrome.exe
2576	chrome.exe
2576	chrome.exe
2576	chrome.exe

Suspicious use of SendNotifyMessage 48 IoCs

pid	Process
2576	chrome.exe
2576	chrome.exe
2576	chrome.exe
2576	chrome.exe
2576	chrome.exe
2576	chrome.exe
2576	chrome.exe
2576	chrome.exe
2576	chrome.exe
2576	chrome.exe
2576	chrome.exe
2576	chrome.exe
2576	chrome.exe
2576	chrome.exe
2576	chrome.exe
2576	chrome.exe
2576	chrome.exe
2576	chrome.exe
2576	chrome.exe
2576	chrome.exe
2576	chrome.exe
2576	chrome.exe
2576	chrome.exe
2576	chrome.exe
2576	chrome.exe
2576	chrome.exe
2576	chrome.exe
2576	chrome.exe
2576	chrome.exe
2576	chrome.exe
2576	chrome.exe
2576	chrome.exe
2576	chrome.exe
2576	chrome.exe
2576	chrome.exe
2576	chrome.exe
2576	chrome.exe
2576	chrome.exe
2576	chrome.exe
2576	chrome.exe
2576	chrome.exe
2576	chrome.exe
2576	chrome.exe
2576	chrome.exe
2576	chrome.exe
2576	chrome.exe
2576	chrome.exe
2576	chrome.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 320 wrote to memory of 2548	320	Nova Patcher V2.exe	28
PID 320 wrote to memory of 2548	320	Nova Patcher V2.exe	28
PID 320 wrote to memory of 2548	320	Nova Patcher V2.exe	28
PID 2576 wrote to memory of 2872	2576	chrome.exe	30
PID 2576 wrote to memory of 2872	2576	chrome.exe	30
PID 2576 wrote to memory of 2872	2576	chrome.exe	30
PID 2576 wrote to memory of 2944	2576	chrome.exe	32
PID 2576 wrote to memory of 2944	2576	chrome.exe	32
PID 2576 wrote to memory of 2944	2576	chrome.exe	32
PID 2576 wrote to memory of 2944	2576	chrome.exe	32
PID 2576 wrote to memory of 2944	2576	chrome.exe	32
PID 2576 wrote to memory of 2944	2576	chrome.exe	32
PID 2576 wrote to memory of 2944	2576	chrome.exe	32
PID 2576 wrote to memory of 2944	2576	chrome.exe	32
PID 2576 wrote to memory of 2944	2576	chrome.exe	32
PID 2576 wrote to memory of 2944	2576	chrome.exe	32
PID 2576 wrote to memory of 2944	2576	chrome.exe	32
PID 2576 wrote to memory of 2944	2576	chrome.exe	32
PID 2576 wrote to memory of 2944	2576	chrome.exe	32
PID 2576 wrote to memory of 2944	2576	chrome.exe	32
PID 2576 wrote to memory of 2944	2576	chrome.exe	32
PID 2576 wrote to memory of 2944	2576	chrome.exe	32
PID 2576 wrote to memory of 2944	2576	chrome.exe	32
PID 2576 wrote to memory of 2944	2576	chrome.exe	32
PID 2576 wrote to memory of 2944	2576	chrome.exe	32
PID 2576 wrote to memory of 2944	2576	chrome.exe	32
PID 2576 wrote to memory of 2944	2576	chrome.exe	32
PID 2576 wrote to memory of 2944	2576	chrome.exe	32
PID 2576 wrote to memory of 2944	2576	chrome.exe	32
PID 2576 wrote to memory of 2944	2576	chrome.exe	32
PID 2576 wrote to memory of 2944	2576	chrome.exe	32
PID 2576 wrote to memory of 2944	2576	chrome.exe	32
PID 2576 wrote to memory of 2944	2576	chrome.exe	32
PID 2576 wrote to memory of 2944	2576	chrome.exe	32
PID 2576 wrote to memory of 2944	2576	chrome.exe	32
PID 2576 wrote to memory of 2944	2576	chrome.exe	32
PID 2576 wrote to memory of 2944	2576	chrome.exe	32
PID 2576 wrote to memory of 2944	2576	chrome.exe	32
PID 2576 wrote to memory of 2944	2576	chrome.exe	32
PID 2576 wrote to memory of 2944	2576	chrome.exe	32
PID 2576 wrote to memory of 2944	2576	chrome.exe	32
PID 2576 wrote to memory of 2944	2576	chrome.exe	32
PID 2576 wrote to memory of 2944	2576	chrome.exe	32
PID 2576 wrote to memory of 2944	2576	chrome.exe	32
PID 2576 wrote to memory of 2944	2576	chrome.exe	32
PID 2576 wrote to memory of 2472	2576	chrome.exe	33
PID 2576 wrote to memory of 2472	2576	chrome.exe	33
PID 2576 wrote to memory of 2472	2576	chrome.exe	33
PID 2576 wrote to memory of 1344	2576	chrome.exe	34
PID 2576 wrote to memory of 1344	2576	chrome.exe	34
PID 2576 wrote to memory of 1344	2576	chrome.exe	34
PID 2576 wrote to memory of 1344	2576	chrome.exe	34
PID 2576 wrote to memory of 1344	2576	chrome.exe	34
PID 2576 wrote to memory of 1344	2576	chrome.exe	34
PID 2576 wrote to memory of 1344	2576	chrome.exe	34
PID 2576 wrote to memory of 1344	2576	chrome.exe	34
PID 2576 wrote to memory of 1344	2576	chrome.exe	34
PID 2576 wrote to memory of 1344	2576	chrome.exe	34
PID 2576 wrote to memory of 1344	2576	chrome.exe	34
PID 2576 wrote to memory of 1344	2576	chrome.exe	34
PID 2576 wrote to memory of 1344	2576	chrome.exe	34
PID 2576 wrote to memory of 1344	2576	chrome.exe	34
PID 2576 wrote to memory of 1344	2576	chrome.exe	34
PID 2576 wrote to memory of 1344	2576	chrome.exe	34

C:\Users\Admin\AppData\Local\Temp\Nova Patcher V2.exe
"C:\Users\Admin\AppData\Local\Temp\Nova Patcher V2.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:320
- C:\Windows\system32\WerFault.exe
  C:\Windows\system32\WerFault.exe -u -p 320 -s 596
  2⤵
  PID:2548

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe"
1⤵
- Enumerates system info in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:2576
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=106.0.5249.119 --initial-client-data=0xc0,0xc4,0xc8,0x94,0xcc,0x7fef6cf9758,0x7fef6cf9768,0x7fef6cf9778
  2⤵
  PID:2872
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1088 --field-trial-handle=1300,i,8750901498699101702,8116637395847972042,131072 /prefetch:2
  2⤵
  PID:2944
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=1516 --field-trial-handle=1300,i,8750901498699101702,8116637395847972042,131072 /prefetch:8
  2⤵
  PID:2472
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=1592 --field-trial-handle=1300,i,8750901498699101702,8116637395847972042,131072 /prefetch:8
  2⤵
  PID:1344
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --first-renderer-process --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --mojo-platform-channel-handle=2260 --field-trial-handle=1300,i,8750901498699101702,8116637395847972042,131072 /prefetch:1
  2⤵
  PID:1180
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --mojo-platform-channel-handle=2268 --field-trial-handle=1300,i,8750901498699101702,8116637395847972042,131072 /prefetch:1
  2⤵
  PID:364
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --use-gl=angle --use-angle=swiftshader-webgl --mojo-platform-channel-handle=1092 --field-trial-handle=1300,i,8750901498699101702,8116637395847972042,131072 /prefetch:2
  2⤵
  PID:1044
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --mojo-platform-channel-handle=3180 --field-trial-handle=1300,i,8750901498699101702,8116637395847972042,131072 /prefetch:1
  2⤵
  PID:2296
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=3972 --field-trial-handle=1300,i,8750901498699101702,8116637395847972042,131072 /prefetch:8
  2⤵
  PID:1144

C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe"
1⤵
PID:2788

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\GPUCache\data_1

Filesize
264KB

MD5
f50f89a0a91564d0b8a211f8921aa7de

SHA1
112403a17dd69d5b9018b8cede023cb3b54eab7d

SHA256
b1e963d702392fb7224786e7d56d43973e9b9efd1b89c17814d7c558ffc0cdec

SHA512
bf8cda48cf1ec4e73f0dd1d4fa5562af1836120214edb74957430cd3e4a2783e801fa3f4ed2afb375257caeed4abe958265237d6e0aacf35a9ede7a2e8898d58

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State

Filesize
1KB

MD5
faaa61d03c45666e691ec57b15ad5bfc

SHA1
6f039f4d9eb48385138b1d3e4f88b98893f09db2

SHA256
55f30ff9d4ab7b94cc1c43ce79fb69f0e53f67e4650ac946c714daf0d1b2bad6

SHA512
11f14e22b376859957555c139463401eb22c82410f340213543781845f6b473aa4c372ae8795877b86fbc2d3f7a7ee5e0230bf3a2643e3515e0d42d12cd0f433

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State

Filesize
987B

MD5
9c13c6efb4f5a0330f13eaaa541142e1

SHA1
458ed6261a373a00adcd62a760743487f6262d04

SHA256
714de9da2ffab44c1566fac3b93d8d46f38a16f9135d03149752456217103ae0

SHA512
386d37501eb6ccfa1abeb04b6ea45cc69a0ccb2bf6ce5d5dd2dc9f8304bca298a0c51a2544eb1386d810e9cf29fe864ec3720bddbd45e21f7fc20e480db93a48

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
4KB

MD5
d0de0a332522deb5d7118f27b66bb203

SHA1
76ff277faba58e2d4ae6ce0339665fcef4a19773

SHA256
de86bf0565ee9732be97f031098a9099016ccd5a8f72436ef8a1932436ecbf25

SHA512
db778d6a2a62b1667a08e53862302b1c1f1c386c540b7b91af04d7463e3be4b5bd5fde2a947758e6db5bef8a793f579bca0ec70b1aebedb8a55a8911e18fb303

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Sync Data\LevelDB\000007.dbtmp

Filesize
16B

MD5
18e723571b00fb1694a3bad6c78e4054

SHA1
afcc0ef32d46fe59e0483f9a3c891d3034d12f32

SHA256
8af72f43857550b01eab1019335772b367a17a9884a7a759fdf4fe6f272b90aa

SHA512
43bb0af7d3984012d2d67ca6b71f0201e5b948e6fe26a899641c4c6f066c59906d468ddf7f1df5ea5fa33c2bc5ea8219c0f2c82e0a5c365ad7581b898a8859e2

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\d6c41e79-c415-44c6-ac81-19042febc479.tmp

Filesize
4KB

MD5
74c5d473e54e8c46db2c15e449dcb9ca

SHA1
65ebd6e51aa36c69f26dde590a0c0b826f2dd716

SHA256
2a399f12a5f6efc56b5e5999fa397117a336e7eca16cec1b68cbfbff5d736672

SHA512
9e9d1f45e3c826bf142d85dd00d9a72a7d747ab9b585b9badabab0b449ad216148e937d521f7ab6638e05e31a11308adfdc2809257ab5834abd18a1a2aa0508d

Download Submit
memory/320-0-0x000000013F2B0000-0x000000013F2C8000-memory.dmp

Filesize
96KB

Download
memory/320-1-0x000007FEF57B0000-0x000007FEF619C000-memory.dmp

Filesize
9.9MB

Download
memory/320-2-0x000000001BAB0000-0x000000001BB30000-memory.dmp

Filesize
512KB

Download
memory/320-3-0x000007FEF57B0000-0x000007FEF619C000-memory.dmp

Filesize
9.9MB

Download