discordrat | 058e59d9eb0acb68e14ee666d6bb52d1625c220cc50f5b64c61fdb53b830b4b7

Analysis

max time kernel
16s
max time network
17s
platform
windows7_x64
resource
win7-20240221-en
resource tags

arch:x64arch:x86image:win7-20240221-enlocale:en-usos:windows7-x64system
submitted
12-03-2024 13:33

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

Rohack.exe
Size

444KB
MD5

56b90460dae9476c5e3866167df77461
SHA1

e1d63755763329805db3a94b6c43f7cba7fbf251
SHA256

058e59d9eb0acb68e14ee666d6bb52d1625c220cc50f5b64c61fdb53b830b4b7
SHA512

8efbd604eb75a4e3f1831edcadac912cd2c61b16e996a5556a02e009f6ad459db85b57b29c08fe41865828f2d166d130e8dd36be33994e98ae6d5cb0cefa6ca0
SSDEEP

6144:iTouKrWBEu3/Z2lpGDHU3ykJrS0JjYf3S0JjYfcS5yDUL/h0O4t6K2mJS8I2I:iToPWBv/cpGrU3yAktkbLh0O62WA

Score

10^/10

discordrat persistence rat rootkit stealer

Malware Config

Extracted

Family

discordrat

Attributes

discord_token
MTIxNjIwNjc5NTQzMzk2NzYzNg.GohbVW.iPpB9q0RJ1G0dFKyz8lbDtS0ZkC3QiVtMrd0UE
server_id
1216207348918521936

Signatures

Discord RAT
A RAT written in C# using Discord as a C2.
stealer rootkit rat persistence discordrat

Executes dropped EXE 1 IoCs

pid	Process
2420	Rohack.exe

Loads dropped DLL 6 IoCs

pid	Process
2036	Rohack.exe
2436	WerFault.exe
2436	WerFault.exe
2436	WerFault.exe
2436	WerFault.exe
2436	WerFault.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious use of FindShellTrayWindow 1 IoCs

pid	Process
2544	DllHost.exe

Suspicious use of WriteProcessMemory 7 IoCs

description	pid	Process	procid_target
PID 2036 wrote to memory of 2420	2036	Rohack.exe	29
PID 2036 wrote to memory of 2420	2036	Rohack.exe	29
PID 2036 wrote to memory of 2420	2036	Rohack.exe	29
PID 2036 wrote to memory of 2420	2036	Rohack.exe	29
PID 2420 wrote to memory of 2436	2420	Rohack.exe	30
PID 2420 wrote to memory of 2436	2420	Rohack.exe	30
PID 2420 wrote to memory of 2436	2420	Rohack.exe	30

C:\Users\Admin\AppData\Local\Temp\Rohack.exe
"C:\Users\Admin\AppData\Local\Temp\Rohack.exe"
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2036
- C:\Users\Admin\AppData\Local\Temp\RarSFX0\Rohack.exe
  "C:\Users\Admin\AppData\Local\Temp\RarSFX0\Rohack.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
  PID:2420
- - C:\Windows\system32\WerFault.exe
    C:\Windows\system32\WerFault.exe -u -p 2420 -s 600
    3⤵
    - Loads dropped DLL
    PID:2436

C:\Windows\SysWOW64\DllHost.exe
C:\Windows\SysWOW64\DllHost.exe /Processid:{76D0CB12-7604-4048-B83C-1005C7DDC503}
1⤵
- Suspicious use of FindShellTrayWindow
PID:2544

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\RarSFX0\Rohack.png

Filesize
50KB

MD5
01ac07b3303fd5fa18075c2c19e1857a

SHA1
bbabaad816d675103ae3d7607a25afebf983c328

SHA256
b594c3ddbb7f8eec6e31a0c393e0d9d39802602dc470b06cc5d5f1f4944faf05

SHA512
050a6e6efd42b18f42a44a81fc64ba729701efa6793b2788dfb72cb37ebee38a2fcd7d4eb74859397e510f7b993970e05423a2fc7f166da968f686d4e7745c5d

Download Submit
\Users\Admin\AppData\Local\Temp\RarSFX0\Rohack.exe

Filesize
78KB

MD5
05becbc64dae1288d749fcaeda91a9b9

SHA1
925a9b5b338f90da1fc466b0b2879b0034dc7b22

SHA256
d07479b8ba198500e01386ec2e5c6ef7deabf0b9617ff87a8dc050b1a73c9f21

SHA512
a0e5da64f52ef0becb9af8f65480f71df1b82ca840eff0e81e0e21df57a7a244570a3b81f78b86e69a332542c29048fd70d126807791d315fed777ccb5ef0835

Download Submit
memory/2036-4-0x0000000000F20000-0x0000000000F22000-memory.dmp

Filesize
8KB

Download
memory/2420-13-0x000000013F2B0000-0x000000013F2C8000-memory.dmp

Filesize
96KB

Download
memory/2420-14-0x000007FEF5CB0000-0x000007FEF669C000-memory.dmp

Filesize
9.9MB

Download
memory/2420-16-0x0000000002490000-0x0000000002510000-memory.dmp

Filesize
512KB

Download
memory/2544-5-0x00000000001B0000-0x00000000001B2000-memory.dmp

Filesize
8KB

Download
memory/2544-7-0x0000000000440000-0x0000000000441000-memory.dmp

Filesize
4KB

Download