discordrat | fd87009643f3b6cfa5f335c2a1d2c4d1dc0ca6106a4d7f75734eada3b95f3d76

Analysis

max time kernel
16s
max time network
26s
platform
windows11-21h2_x64
resource
win11-20240221-en
resource tags

arch:x64arch:x86image:win11-20240221-enlocale:en-usos:windows11-21h2-x64system
submitted
04-03-2024 18:21

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

execut0r.exe
Size

8.8MB
MD5

9b6717d0b11c5dbff515dded2d5eec8b
SHA1

9812786de0e8d6ab2a8802b35753b4d29bbdaaaa
SHA256

fd87009643f3b6cfa5f335c2a1d2c4d1dc0ca6106a4d7f75734eada3b95f3d76
SHA512

1a0160930baf2d900dbf39d48def7af6966c9dc16906d472697e2c168b6b6712699513dc0e8a2c2119486b8f5ff83edfc0bf0d5ab0cd6222c0e3a7c502184883
SSDEEP

196608:3V5xiBq1qBIsqgHi+YI5bcZc8QXEM3SuZHUWaTpC:F5Mk1quz+YIiZcN3Su5UxpC

Score

10^/10

discordrat persistence pyinstaller rat rootkit spyware stealer

Malware Config

Extracted

Family

discordrat

Attributes

discord_token
MTE5NzYwOTgxMzYwMTk1OTk4Ng.GgsKXB.EHNlZThtGnz_SHhuJyaCkxAQVdMHBW1S3Y1PI0
server_id
1197608956537872415

Signatures

Discord RAT
A RAT written in C# using Discord as a C2.
stealer rootkit rat persistence discordrat

Drops startup file 1 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\MicrosoftDefenderExclusions.lnk	mover.exe

Executes dropped EXE 4 IoCs

pid	Process
3004	mover.exe
2124	mover.exe
1116	MicrosoftDefenderExclusions.exe
1812	executor.exe

Loads dropped DLL 10 IoCs

pid	Process
2124	mover.exe
2124	mover.exe
2124	mover.exe
2124	mover.exe
2124	mover.exe
2124	mover.exe
2124	mover.exe
2124	mover.exe
2124	mover.exe
2124	mover.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Legitimate hosting services abused for malware hosting/C2 1 TTPs 5 IoCs

Web Service

T1102

flow	ioc
5	discord.com
8	discord.com
9	discord.com
1	discord.com
4	discord.com

Detects Pyinstaller 3 IoCs

pyinstaller

resource	yara_rule
behavioral1/files/0x000600000002a7ef-6.dat	pyinstaller
behavioral1/files/0x000600000002a7ef-9.dat	pyinstaller
behavioral1/files/0x000600000002a7ef-32.dat	pyinstaller

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	1116	MicrosoftDefenderExclusions.exe
Token: SeDebugPrivilege	1812	executor.exe

Suspicious use of WriteProcessMemory 8 IoCs

description	pid	Process	procid_target
PID 2316 wrote to memory of 3004	2316	execut0r.exe	78
PID 2316 wrote to memory of 3004	2316	execut0r.exe	78
PID 3004 wrote to memory of 2124	3004	mover.exe	82
PID 3004 wrote to memory of 2124	3004	mover.exe	82
PID 2124 wrote to memory of 1116	2124	mover.exe	83
PID 2124 wrote to memory of 1116	2124	mover.exe	83
PID 2316 wrote to memory of 1812	2316	execut0r.exe	84
PID 2316 wrote to memory of 1812	2316	execut0r.exe	84

C:\Users\Admin\AppData\Local\Temp\execut0r.exe
"C:\Users\Admin\AppData\Local\Temp\execut0r.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:2316
- C:\Users\Admin\AppData\Local\Temp\RarSFX0\mover.exe
  "C:\Users\Admin\AppData\Local\Temp\RarSFX0\mover.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
  PID:3004
- - C:\Users\Admin\AppData\Local\Temp\RarSFX0\mover.exe
    "C:\Users\Admin\AppData\Local\Temp\RarSFX0\mover.exe"
    3⤵
    - Drops startup file
    - Executes dropped EXE
    - Loads dropped DLL
    - Suspicious use of WriteProcessMemory
    PID:2124
  - - C:\MicrosoftDefenderExclusions\MicrosoftDefenderExclusions.exe
      C:\MicrosoftDefenderExclusions\MicrosoftDefenderExclusions.exe
      4⤵
      Executes dropped EXE
      Suspicious use of AdjustPrivilegeToken
      PID:1116
- C:\Users\Admin\AppData\Local\Temp\RarSFX0\executor.exe
  "C:\Users\Admin\AppData\Local\Temp\RarSFX0\executor.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken
  PID:1812

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\RarSFX0\executor.exe

Filesize
78KB

MD5
138389e9565cb5da7144975a1b1edca4

SHA1
ea61aef27e0ded30a07eb4c498e030ef33029452

SHA256
5e7a1326804a8b1a2aa38f805e60a64939b2db2cebdfd3ecedd9f1a5e5f9d4c7

SHA512
de1d9063dc8c12f22d41c1cde5ea9dfe3c7425cf939d0a868bc76fe27f53a4280074da57fdc0d00dcf67c626bc1b31f35fc117aa49a3484dc10ab7402bee6aa9

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX0\mover.exe

Filesize
1.9MB

MD5
24c87b4d65d55a368bc057be040478ea

SHA1
61bea74d49aa3ccac19ed9ba58232bc37970a2d7

SHA256
341526ee3f333027a38e1c78eb5f7175183221e385fabd3867c434946c3f6a13

SHA512
a86498386ff553ad4a108a6094b3330c05ffc2db02be04a1b13cd27c43df76bcb71f6252ee45fabf1422e6dd7b7a9eac0cf0b98f24b8646d3493de38f9fd5c97

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX0\mover.exe

Filesize
5.3MB

MD5
54cffaa99cdeeaebce080e410747ae86

SHA1
21f708ce183e20269f0a2977a78cb4e02a1d1cc6

SHA256
eabfa23dbbc1c0e2c48a125ace8e5287ad413ddd3ccb92ab79d162ba11c9cd27

SHA512
0aff79f63ddaa9970c1bf4d5859131f42e4b1348f6495e247f5ec8bc01f4d25e56942375e87dfe1a50d61f9b1f59b4b65758df8381029769a3b2a2f991654f03

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX0\mover.exe

Filesize
8.6MB

MD5
64c82f0693d28a0821d0d50d0b00f5a5

SHA1
185ae5df3f309acefe9755095de50b650a3c289e

SHA256
c729334f8d7267198bfdb40fd40ffe6dd1ac90a40ffb0041871d08a361f5f9bd

SHA512
ad2f323b6009953ee1189e6bf5d803bca149d1ce24067dce5356f08c60de62f08288a79dafa4714749f834052673f1581e94a2f85f4a63356892cd5004ddd2b6

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI30042\VCRUNTIME140.dll

Filesize
91KB

MD5
7942be5474a095f673582997ae3054f1

SHA1
e982f6ebc74d31153ba9738741a7eec03a9fa5e8

SHA256
8ee6b49830436ff3bec9ba89213395427b5535813930489f118721fd3d2d942c

SHA512
49fbc9d441362b65a8d78b73d4fdcf988f22d38a35a36a233fcd54e99e95e29b804be7eabe2b174188c7860ebb34f701e13ed216f954886a285bed7127619039

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI30042\VCRUNTIME140_1.dll

Filesize
35KB

MD5
ab03551e4ef279abed2d8c4b25f35bb8

SHA1
09bc7e4e1a8d79ee23c0c9c26b1ea39de12a550e

SHA256
f8bc270449ca6bb6345e88be3632d465c0a7595197c7954357dc5066ed50ae44

SHA512
0e7533b8d7e5019ffd1e73937c1627213711725e88c6d7321588f7fffe9e1b4ef5c38311548adbd2c0ee9b407135646593bf1498cbee92275f4e0a22ace78909

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI30042\_bz2.pyd

Filesize
84KB

MD5
499462206034b6ab7d18cc208a5b67e3

SHA1
1cd350a9f5d048d337475e66dcc0b9fab6aebf78

SHA256
6c2bbed242c399c4bc9b33268afe538cf1dea494c75c8d0db786030a0dcc4b7e

SHA512
17a1191f1d5ca00562b80eff2363b22869f7606a2a17f2f0b361d9b36b6e88cb43814255a5bac49d044ea7046b872bac63bd524f9442c9839ab80a54d96f1e6b

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI30042\_ctypes.pyd

Filesize
123KB

MD5
b74f6285a790ffd7e9ec26e3ab4ca8df

SHA1
7e023c1e4f12e8e577e46da756657fd2db80b5e8

SHA256
c1e3e9548243ca523f1941990477723f57a1052965fccc8f10c2cfae414a6b8a

SHA512
3a700638959cbd88e8a36291af954c7ccf00f6101287fc8bd3221ee31bd91b7bd1830c7847d8c2f4f07c94bc233be32a466b915283d3d2c66abed2c70570c299

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI30042\_decimal.pyd

Filesize
265KB

MD5
56302e90bc4fb799e094987f4556fc0f

SHA1
3ddb8b77676545905aadef5ba73583c4b904824b

SHA256
17f43bf9552fcf8194f4b32909beffa4238b76866f7dd50f4b70de799362f66c

SHA512
af962aeef8052f5a90855ce0fd6c99862a8a72f649331896737d57d67ccd400f92aec12f5ab958fb08ff101b606a82fe0cd307287616297a37e4532fa5fe657b

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI30042\_hashlib.pyd

Filesize
64KB

MD5
60f420a9a606e2c95168d25d2c1ac12e

SHA1
1e77cf7de26ed75208d31751fe61da5eddbbaf12

SHA256
8aa7abe0a92a89adf821e4eb783ad254a19858e62d99f80eb5872d81e8b3541c

SHA512
aaf768176cf034004a6d13370b11f0e4bbf86b9b76de7fa06d0939e98915607d504e076ad8adb1a0ebfb6fd021c51764a772f8af6af7f6d15b0d376448aba1a7

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI30042\_lzma.pyd

Filesize
158KB

MD5
bc118fb4e14de484452bb1be413c082a

SHA1
25d09b7fbc2452457bcf7025c3498947bc96c2d1

SHA256
ac0ceb8e6b5e67525b136b5ce97500fe4f152061b1bf2783f127eff557b248a3

SHA512
68a24d137b8641cd474180971142511d8708738096d865a73fb928315dd9edf46c4ebf97d596f4a9e207ec81828e5db7e90c7b8b00d5f416737ba8bffc2887bf

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI30042\_socket.pyd

Filesize
78KB

MD5
0df2287791c20a764e6641029a882f09

SHA1
8a0aeb4b4d8410d837469339244997c745c9640c

SHA256
09ab789238120df329956278f68a683210692c9bcccb8cd548c771e7f9711869

SHA512
60c24e38ba5d87f9456157e3f4501f4ffabce263105ff07aa611b2f35c3269ade458dbf857633c73c65660e0c37aee884b1c844b51a05ced6aed0c5d500006de

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI30042\base_library.zip

Filesize
822KB

MD5
a214b7cd2080107cff68c7d3463e3bc5

SHA1
3481467445973f0c83e8d3533f08f7453954e256

SHA256
b9aac6987f54f052900ec5bf8149b229bea97ddac151df0cc0390d747c5b5c31

SHA512
466f4da193f9747e17db02c48d2b6a67b9f6a107a45884daf179425394d3ab2436989d1bcd4fc4adea4bf75c81919bbf738b455b9befc1cefd69c00efb673d87

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI30042\libcrypto-1_1.dll

Filesize
547KB

MD5
3176c95461185c7c0772a5eaaa74904c

SHA1
2bdeab7f4a54bcc79d83ca18772e17318b34f873

SHA256
d5396479f2cf5c72d0bc881a0dcf2cbba0ca82d122e883182da983b820ee4b05

SHA512
1875c901215b09af40e81fc6176629b08c06475ce10be85aaf63519f1c2530906b81050bf06aa0510b96e6c1c90f43acbcef5248060696cc8570ccfa462bb7e0

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI30042\libffi-7.dll

Filesize
32KB

MD5
eef7981412be8ea459064d3090f4b3aa

SHA1
c60da4830ce27afc234b3c3014c583f7f0a5a925

SHA256
f60dd9f2fcbd495674dfc1555effb710eb081fc7d4cae5fa58c438ab50405081

SHA512
dc9ff4202f74a13ca9949a123dff4c0223da969f49e9348feaf93da4470f7be82cfa1d392566eaaa836d77dde7193fed15a8395509f72a0e9f97c66c0a096016

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI30042\python39.dll

Filesize
2.1MB

MD5
485635ce2d0460a492832d6c8239a494

SHA1
e74a14b49a9610cc0f96a44e3104dbc17e8ee7be

SHA256
d9e893a1fe0c0393b9cb044f1d010f792a8714aa6a824c86257db1d977c50f52

SHA512
923a1c327b95297d367293a210b979f14e0b5869c3426de54be4a979c12eac430c51a8512b9b8543e38baffe5dd31c9dba9092b51135138522dd0f372d21957d

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI30042\python39.dll

Filesize
1.0MB

MD5
04ff68b8bf5c8d6699f1d35bb644ddcd

SHA1
50b7fec5051459ad9ec904bf5d6013f6b5aeb158

SHA256
144db718aa2bbcefa18825f75a282d7b82c59a89272b96c4234f9dea708851a7

SHA512
8ced9a410f2c3331e785c28f5a9de21adab6767ef1e9cad3e4f7f369542ce597e6b0f8022abcc21f9df61ce896ee0a0de5e491d3334809addfa0fff94b806bd0

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI30042\pywin32_system32\pythoncom39.dll

Filesize
654KB

MD5
8d4cd39cf6b1e5d3743ac1bcdcab4f12

SHA1
2ecfd93164920a60c273b1d000df14351816dbd7

SHA256
0789f9321abfa3a6403a483cb3ba684da5cfc39d26195fce8669a77c6367c413

SHA512
7734d61b7b2c5f829d05488b26d958b85d0cf87776b91e8a63b58debf5d32db42bc2d203cc5a27ab426672c282bf95b41b8429ee3ea1f0e0d9ca55f9f68e77bd

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI30042\pywin32_system32\pywintypes39.dll

Filesize
131KB

MD5
f20fd2e2ac9058a9fd227172f8ff2c12

SHA1
89eba891352be46581b94a17db7c2ede9a39ab01

SHA256
20bde8e50e42f7aabf59106eea238fcc0dece0c6e362c0a7feeb004ab981db8a

SHA512
42a86fa192aea7adb4283dc48a323a4f687dad40060ea3ffddcd8fd7670bb535d31a7764706e5c5473da28399fec048ae714a111ee238bb25e1aad03e12078d4

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI30042\select.pyd

Filesize
27KB

MD5
a2a4cf664570944ccc691acf47076eeb

SHA1
918a953817fff228dbd0bdf784ed6510314f4dd9

SHA256
b26b6631d433af5d63b8e7cda221b578e7236c8b34b3cffcf7630f2e83fc8434

SHA512
d022da9e2606c5c3875c21ba8e1132ad8b830411d6ec9c4ddf8ebd33798c44a7e9fe64793b8efb72f3e220bb5ce1512769a0398ecc109f53f394ea47da7a8767

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI30042\unicodedata.pyd

Filesize
576KB

MD5
65899a5826778282673a7701fba232e9

SHA1
ad0c8f9b36bb751214191e4b1665a46c2231907e

SHA256
f08a4a81c91568cb41c731b93c8e0003f68dd6dd74f512238c2e13b967be648e

SHA512
11ef3c2ecaa0a39355938d2978989d021f45b5a2c03926ab027226cb77c8291d6b483fbb0d2df99474e9e21cc700b89550584ff941a312d2c196aa2a9587f83c

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI30042\win32\win32api.pyd

Filesize
130KB

MD5
05e4b3b876e5fa6a2b8951f764559623

SHA1
4ad50f70eef4feaa9d051c2f161fbac8a862a4bc

SHA256
a52f8bd28b5b9558cde10333ce452a7d6f338ce1005a2b8451755005868e4a98

SHA512
5648306af7c056c9250731b7d5a508664294bbb8ba865f9dc06fd7216adf7b8cc31b1cfbc0175c7f2752680744f6546a1959e7f7d1ec7a8a845f75642ce034d9

Download Submit
memory/1116-79-0x000002D662250000-0x000002D662268000-memory.dmp

Filesize
96KB

Download
memory/1116-80-0x000002D67C970000-0x000002D67CB32000-memory.dmp

Filesize
1.8MB

Download
memory/1116-82-0x00007FFF89050000-0x00007FFF89B12000-memory.dmp

Filesize
10.8MB

Download
memory/1116-83-0x000002D67C830000-0x000002D67C840000-memory.dmp

Filesize
64KB

Download
memory/1812-84-0x0000021E184E0000-0x0000021E184F0000-memory.dmp

Filesize
64KB

Download
memory/1812-85-0x00007FFF89050000-0x00007FFF89B12000-memory.dmp

Filesize
10.8MB

Download
memory/1812-86-0x0000021E32120000-0x0000021E32648000-memory.dmp

Filesize
5.2MB

Download