discordrat | 8cd446387f47cd667943aba6e1e636c36fe07fb2dbc0990201fb3552ca8077e4

Resubmissions

19/03/2024, 16:46

240319-t968vagg74 10

19/03/2024, 16:44

240319-t811fahe2x 10

19/03/2024, 16:41

240319-t68x9sgf77 10

Analysis

max time kernel
53s
max time network
70s
platform
windows7_x64
resource
win7-20240221-en
resource tags

arch:x64arch:x86image:win7-20240221-enlocale:en-usos:windows7-x64system
submitted
19/03/2024, 16:46

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

silence/silence-workspace.exe
Size

1.7MB
MD5

839a13e8b65aab0cb6d061ac82a8e3d4
SHA1

3de9d9d68c94493867bcb081d093bf39d45bf923
SHA256

a8741e78c8b8b86042814e65b5a7ab358f1050757de3738a0d358097db996bd3
SHA512

ea2ded5b24dc88af32673957a7cc85c5b602fec5731c4af4d3cb9859009f0af6d2b9b629253090d23715af3b8030fc5727612f92a5339e08748fad5694eff2bc
SSDEEP

49152:O0xx0GTBlPBAc2AVMlsHbeucMYc5pSoUiGG8:OWTkcH3Hyo

Score

10^/10

discordrat persistence rat rootkit stealer

Malware Config

Extracted

Family

discordrat

Attributes

discord_token
MTIwODA5NTM2NDk2MDM1NDM3NA.GizXN5._a-pu5nHBPQiBTo-MibYQvf7mDtkutfsttwhUo
server_id
1208095629734322196

Signatures

Discord RAT
A RAT written in C# using Discord as a C2.
stealer rootkit rat persistence discordrat

Executes dropped EXE 2 IoCs

pid	Process
2600	CLIENT-BUILT.EXE
2956	SILENCE-WORKSPACE.EXE

Loads dropped DLL 7 IoCs

pid	Process
2472	silence-workspace.exe
2472	silence-workspace.exe
2644	WerFault.exe
2644	WerFault.exe
2644	WerFault.exe
2644	WerFault.exe
2644	WerFault.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious use of WriteProcessMemory 23 IoCs

description	pid	Process	procid_target
PID 2472 wrote to memory of 2600	2472	silence-workspace.exe	27
PID 2472 wrote to memory of 2600	2472	silence-workspace.exe	27
PID 2472 wrote to memory of 2600	2472	silence-workspace.exe	27
PID 2472 wrote to memory of 2600	2472	silence-workspace.exe	27
PID 2472 wrote to memory of 2956	2472	silence-workspace.exe	28
PID 2472 wrote to memory of 2956	2472	silence-workspace.exe	28
PID 2472 wrote to memory of 2956	2472	silence-workspace.exe	28
PID 2472 wrote to memory of 2956	2472	silence-workspace.exe	28
PID 2956 wrote to memory of 2612	2956	SILENCE-WORKSPACE.EXE	30
PID 2956 wrote to memory of 2612	2956	SILENCE-WORKSPACE.EXE	30
PID 2956 wrote to memory of 2612	2956	SILENCE-WORKSPACE.EXE	30
PID 2612 wrote to memory of 2628	2612	cmd.exe	31
PID 2612 wrote to memory of 2628	2612	cmd.exe	31
PID 2612 wrote to memory of 2628	2612	cmd.exe	31
PID 2612 wrote to memory of 2576	2612	cmd.exe	32
PID 2612 wrote to memory of 2576	2612	cmd.exe	32
PID 2612 wrote to memory of 2576	2612	cmd.exe	32
PID 2612 wrote to memory of 2548	2612	cmd.exe	33
PID 2612 wrote to memory of 2548	2612	cmd.exe	33
PID 2612 wrote to memory of 2548	2612	cmd.exe	33
PID 2600 wrote to memory of 2644	2600	CLIENT-BUILT.EXE	34
PID 2600 wrote to memory of 2644	2600	CLIENT-BUILT.EXE	34
PID 2600 wrote to memory of 2644	2600	CLIENT-BUILT.EXE	34

C:\Users\Admin\AppData\Local\Temp\silence\silence-workspace.exe
"C:\Users\Admin\AppData\Local\Temp\silence\silence-workspace.exe"
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2472
- C:\Users\Admin\AppData\Local\Temp\CLIENT-BUILT.EXE
  "C:\Users\Admin\AppData\Local\Temp\CLIENT-BUILT.EXE"
  2⤵
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
  PID:2600
- - C:\Windows\system32\WerFault.exe
    C:\Windows\system32\WerFault.exe -u -p 2600 -s 600
    3⤵
    - Loads dropped DLL
    PID:2644
- C:\Users\Admin\AppData\Local\Temp\SILENCE-WORKSPACE.EXE
  "C:\Users\Admin\AppData\Local\Temp\SILENCE-WORKSPACE.EXE"
  2⤵
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
  PID:2956
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c certutil -hashfile "C:\Users\Admin\AppData\Local\Temp\SILENCE-WORKSPACE.EXE" MD5 | find /i /v "md5" | find /i /v "certutil"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:2612
  - - C:\Windows\system32\certutil.exe
      certutil -hashfile "C:\Users\Admin\AppData\Local\Temp\SILENCE-WORKSPACE.EXE" MD5
      4⤵
      PID:2628
  - - C:\Windows\system32\find.exe
      find /i /v "md5"
      4⤵
      PID:2576
  - - C:\Windows\system32\find.exe
      find /i /v "certutil"
      4⤵
      PID:2548

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\SILENCE-WORKSPACE.EXE

Filesize
933KB

MD5
93c283ea752d04bf8567bf031ad4230e

SHA1
5660e77c6bda05121fc2b235f059ed2a337514bb

SHA256
0474007452bfe2d5f999fd9710b67015202aa15bce6b7ac9a8f9ed155f1d3177

SHA512
4c76cf90cfb2aac6a508e589059a1263fadc3c14176a18d61ec671dac2de9e20a493cb72e416fc45825bfeb32e57faf46592505023145294aa93a239696412d9

Download Submit
C:\Users\Admin\AppData\Local\Temp\SILENCE-WORKSPACE.EXE

Filesize
1.6MB

MD5
8b393057c5c9026495f8efbe7234b1c4

SHA1
21aff93ce1ff29a961ac947cafd75b6994fb5ae8

SHA256
c100648181026be6dbce91beb36b5cd859563c4b0edd8e4a0aa5d60829467b30

SHA512
57504769cff622817a129f4b0d235d2f148a381d588950949f0b0316c71aef46e3d0d17747a50a81a946e73af486962d52f23160fe937c1d6caf8db4b1996952

Download Submit
\Users\Admin\AppData\Local\Temp\CLIENT-BUILT.EXE

Filesize
78KB

MD5
6f9c42f940f854243a2f445c8cb750ec

SHA1
aeed75218753dd1f184cc55ebbe8a1a80e5a59f3

SHA256
15fbe5942c60d92081fa93d5444a7abb355dc917c9ea3a44585d5a4b4219e91a

SHA512
612bfac0a8a079a67e361e87ac6eaf9c9cc5a4940b5dd74ecb6c61e2811707b2e60e60ee70102622c0bb222b01a3aced82853d130d2f07075e8d629e33bb8cb2

Download Submit
\Users\Admin\AppData\Local\Temp\SILENCE-WORKSPACE.EXE

Filesize
960KB

MD5
4415787ce0954600e25353463d43a5ef

SHA1
026bd5e1c5d085cd00c31c011f143687623e956c

SHA256
4adb9d1908673491d9dd2025c74db94ab0973c4fa450dfae06ff1b47e3ae9342

SHA512
beae33ffe9075da8f2317f6d8d204e0b8f2babcbc1309b67e1ec9f969da8513167039ce783b47fca4366da89373cf78945e93833afb95e54fb8694bd1a380044

Download Submit
memory/2600-12-0x000000013F9B0000-0x000000013F9C8000-memory.dmp

Filesize
96KB

Download
memory/2600-13-0x000007FEF5490000-0x000007FEF5E7C000-memory.dmp

Filesize
9.9MB

Download
memory/2600-14-0x00000000005C0000-0x0000000000640000-memory.dmp

Filesize
512KB

Download
memory/2600-20-0x000007FEF5490000-0x000007FEF5E7C000-memory.dmp

Filesize
9.9MB

Download
memory/2600-21-0x00000000005C0000-0x0000000000640000-memory.dmp

Filesize
512KB

Download