discordrat | 8cd446387f47cd667943aba6e1e636c36fe07fb2dbc0990201fb3552ca8077e4

Resubmissions

19/03/2024, 16:53

240319-vd25pagh87 10

19/03/2024, 16:51

240319-vcxhtagh56 10

Analysis

max time kernel
48s
max time network
49s
platform
windows7_x64
resource
win7-20240221-en
resource tags

arch:x64arch:x86image:win7-20240221-enlocale:en-usos:windows7-x64system
submitted
19/03/2024, 16:51

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

silence/silence-workspace.exe
Size

1.7MB
MD5

839a13e8b65aab0cb6d061ac82a8e3d4
SHA1

3de9d9d68c94493867bcb081d093bf39d45bf923
SHA256

a8741e78c8b8b86042814e65b5a7ab358f1050757de3738a0d358097db996bd3
SHA512

ea2ded5b24dc88af32673957a7cc85c5b602fec5731c4af4d3cb9859009f0af6d2b9b629253090d23715af3b8030fc5727612f92a5339e08748fad5694eff2bc
SSDEEP

49152:O0xx0GTBlPBAc2AVMlsHbeucMYc5pSoUiGG8:OWTkcH3Hyo

Score

10^/10

discordrat persistence rat rootkit stealer

Malware Config

Extracted

Family

discordrat

Attributes

discord_token
MTIwODA5NTM2NDk2MDM1NDM3NA.GizXN5._a-pu5nHBPQiBTo-MibYQvf7mDtkutfsttwhUo
server_id
1208095629734322196

Signatures

Discord RAT
A RAT written in C# using Discord as a C2.
stealer rootkit rat persistence discordrat

Executes dropped EXE 2 IoCs

pid	Process
2028	CLIENT-BUILT.EXE
3048	SILENCE-WORKSPACE.EXE

Loads dropped DLL 7 IoCs

pid	Process
2740	silence-workspace.exe
2740	silence-workspace.exe
2592	WerFault.exe
2592	WerFault.exe
2592	WerFault.exe
2592	WerFault.exe
2592	WerFault.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Delays execution with timeout.exe 1 IoCs

evasion

pid	Process
2512	timeout.exe

Suspicious use of WriteProcessMemory 35 IoCs

description	pid	Process	procid_target
PID 2740 wrote to memory of 2028	2740	silence-workspace.exe	28
PID 2740 wrote to memory of 2028	2740	silence-workspace.exe	28
PID 2740 wrote to memory of 2028	2740	silence-workspace.exe	28
PID 2740 wrote to memory of 2028	2740	silence-workspace.exe	28
PID 2740 wrote to memory of 3048	2740	silence-workspace.exe	29
PID 2740 wrote to memory of 3048	2740	silence-workspace.exe	29
PID 2740 wrote to memory of 3048	2740	silence-workspace.exe	29
PID 2740 wrote to memory of 3048	2740	silence-workspace.exe	29
PID 3048 wrote to memory of 1988	3048	SILENCE-WORKSPACE.EXE	31
PID 3048 wrote to memory of 1988	3048	SILENCE-WORKSPACE.EXE	31
PID 3048 wrote to memory of 1988	3048	SILENCE-WORKSPACE.EXE	31
PID 1988 wrote to memory of 2580	1988	cmd.exe	32
PID 1988 wrote to memory of 2580	1988	cmd.exe	32
PID 1988 wrote to memory of 2580	1988	cmd.exe	32
PID 1988 wrote to memory of 2568	1988	cmd.exe	33
PID 1988 wrote to memory of 2568	1988	cmd.exe	33
PID 1988 wrote to memory of 2568	1988	cmd.exe	33
PID 1988 wrote to memory of 2640	1988	cmd.exe	34
PID 1988 wrote to memory of 2640	1988	cmd.exe	34
PID 1988 wrote to memory of 2640	1988	cmd.exe	34
PID 2028 wrote to memory of 2592	2028	CLIENT-BUILT.EXE	35
PID 2028 wrote to memory of 2592	2028	CLIENT-BUILT.EXE	35
PID 2028 wrote to memory of 2592	2028	CLIENT-BUILT.EXE	35
PID 3048 wrote to memory of 2612	3048	SILENCE-WORKSPACE.EXE	36
PID 3048 wrote to memory of 2612	3048	SILENCE-WORKSPACE.EXE	36
PID 3048 wrote to memory of 2612	3048	SILENCE-WORKSPACE.EXE	36
PID 2612 wrote to memory of 2444	2612	cmd.exe	37
PID 2612 wrote to memory of 2444	2612	cmd.exe	37
PID 2612 wrote to memory of 2444	2612	cmd.exe	37
PID 3048 wrote to memory of 2452	3048	SILENCE-WORKSPACE.EXE	38
PID 3048 wrote to memory of 2452	3048	SILENCE-WORKSPACE.EXE	38
PID 3048 wrote to memory of 2452	3048	SILENCE-WORKSPACE.EXE	38
PID 2444 wrote to memory of 2512	2444	cmd.exe	40
PID 2444 wrote to memory of 2512	2444	cmd.exe	40
PID 2444 wrote to memory of 2512	2444	cmd.exe	40

C:\Users\Admin\AppData\Local\Temp\silence\silence-workspace.exe
"C:\Users\Admin\AppData\Local\Temp\silence\silence-workspace.exe"
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2740
- C:\Users\Admin\AppData\Local\Temp\CLIENT-BUILT.EXE
  "C:\Users\Admin\AppData\Local\Temp\CLIENT-BUILT.EXE"
  2⤵
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
  PID:2028
- - C:\Windows\system32\WerFault.exe
    C:\Windows\system32\WerFault.exe -u -p 2028 -s 596
    3⤵
    - Loads dropped DLL
    PID:2592
- C:\Users\Admin\AppData\Local\Temp\SILENCE-WORKSPACE.EXE
  "C:\Users\Admin\AppData\Local\Temp\SILENCE-WORKSPACE.EXE"
  2⤵
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
  PID:3048
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c certutil -hashfile "C:\Users\Admin\AppData\Local\Temp\SILENCE-WORKSPACE.EXE" MD5 | find /i /v "md5" | find /i /v "certutil"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:1988
  - - C:\Windows\system32\certutil.exe
      certutil -hashfile "C:\Users\Admin\AppData\Local\Temp\SILENCE-WORKSPACE.EXE" MD5
      4⤵
      PID:2580
  - - C:\Windows\system32\find.exe
      find /i /v "md5"
      4⤵
      PID:2568
  - - C:\Windows\system32\find.exe
      find /i /v "certutil"
      4⤵
      PID:2640
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c start cmd /C "color b && title Error && echo SSL connect error && timeout /t 5"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:2612
  - - C:\Windows\system32\cmd.exe
      cmd /C "color b && title Error && echo SSL connect error && timeout /t 5"
      4⤵
      Suspicious use of WriteProcessMemory
      PID:2444
    - - C:\Windows\system32\timeout.exe
        
        timeout /t 5
        5⤵
        Delays execution with timeout.exe
        
        PID:2512
- - C:\Windows\system32\WerFault.exe
    C:\Windows\system32\WerFault.exe -u -p 3048 -s 272
    3⤵
    PID:2452

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

\Users\Admin\AppData\Local\Temp\CLIENT-BUILT.EXE

Filesize
78KB

MD5
6f9c42f940f854243a2f445c8cb750ec

SHA1
aeed75218753dd1f184cc55ebbe8a1a80e5a59f3

SHA256
15fbe5942c60d92081fa93d5444a7abb355dc917c9ea3a44585d5a4b4219e91a

SHA512
612bfac0a8a079a67e361e87ac6eaf9c9cc5a4940b5dd74ecb6c61e2811707b2e60e60ee70102622c0bb222b01a3aced82853d130d2f07075e8d629e33bb8cb2

Download Submit
\Users\Admin\AppData\Local\Temp\SILENCE-WORKSPACE.EXE

Filesize
1.6MB

MD5
8b393057c5c9026495f8efbe7234b1c4

SHA1
21aff93ce1ff29a961ac947cafd75b6994fb5ae8

SHA256
c100648181026be6dbce91beb36b5cd859563c4b0edd8e4a0aa5d60829467b30

SHA512
57504769cff622817a129f4b0d235d2f148a381d588950949f0b0316c71aef46e3d0d17747a50a81a946e73af486962d52f23160fe937c1d6caf8db4b1996952

Download Submit
memory/2028-11-0x000000013FA90000-0x000000013FAA8000-memory.dmp

Filesize
96KB

Download
memory/2028-13-0x000007FEF5D10000-0x000007FEF66FC000-memory.dmp

Filesize
9.9MB

Download
memory/2028-14-0x000000001B9F0000-0x000000001BA70000-memory.dmp

Filesize
512KB

Download
memory/2028-20-0x000007FEF5D10000-0x000007FEF66FC000-memory.dmp

Filesize
9.9MB

Download
memory/2028-21-0x000000001B9F0000-0x000000001BA70000-memory.dmp

Filesize
512KB

Download
memory/2028-22-0x000007FEF5D10000-0x000007FEF66FC000-memory.dmp

Filesize
9.9MB

Download