Malware Analysis Report

2024-11-16 13:06

Sample ID 240319-vcxhtagh56
Target silence.rar
SHA256 8cd446387f47cd667943aba6e1e636c36fe07fb2dbc0990201fb3552ca8077e4
Tags discordrat persistence rat rootkit stealer
Score 10/10

Table of Contents

Analysis Overview
MITRE ATT&CK
    Enterprise Matrix V15
Analysis: static1
    Detonation Overview
    Signatures
Analysis: behavioral1
    Detonation Overview
    Command Line
    Signatures
    Processes
    Network
    Files

Analysis Overview

Score 10/10

SHA256 8cd446387f47cd667943aba6e1e636c36fe07fb2dbc0990201fb3552ca8077e4

Threat Level: Known bad

The file silence.rar was found to be: Known bad.

Malicious Activity Summary

discordrat persistence rat rootkit stealer

Discordrat family

Discord RAT

Executes dropped EXE

Loads dropped DLL

Unsigned PE

Enumerates physical storage devices

Delays execution with timeout.exe

Suspicious use of WriteProcessMemory

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-03-19 16:51

Signatures

Discordrat family

discordrat

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-03-19 16:51

Reported

2024-03-19 16:53

Platform

win7-20240221-en

Max time kernel

48s

Max time network

49s

Command Line

"C:\Users\Admin\AppData\Local\Temp\silence\silence-workspace.exe"

Signatures

Discord RAT

stealer rootkit rat persistence discordrat

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\CLIENT-BUILT.EXE N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\SILENCE-WORKSPACE.EXE N/A

Enumerates physical storage devices

Delays execution with timeout.exe

evasion
Description Indicator Process Target
N/A N/A C:\Windows\system32\timeout.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2740 wrote to memory of 2028 N/A C:\Users\Admin\AppData\Local\Temp\silence\silence-workspace.exe C:\Users\Admin\AppData\Local\Temp\CLIENT-BUILT.EXE
PID 2740 wrote to memory of 2028 N/A C:\Users\Admin\AppData\Local\Temp\silence\silence-workspace.exe C:\Users\Admin\AppData\Local\Temp\CLIENT-BUILT.EXE
PID 2740 wrote to memory of 2028 N/A C:\Users\Admin\AppData\Local\Temp\silence\silence-workspace.exe C:\Users\Admin\AppData\Local\Temp\CLIENT-BUILT.EXE
PID 2740 wrote to memory of 2028 N/A C:\Users\Admin\AppData\Local\Temp\silence\silence-workspace.exe C:\Users\Admin\AppData\Local\Temp\CLIENT-BUILT.EXE
PID 2740 wrote to memory of 3048 N/A C:\Users\Admin\AppData\Local\Temp\silence\silence-workspace.exe C:\Users\Admin\AppData\Local\Temp\SILENCE-WORKSPACE.EXE
PID 2740 wrote to memory of 3048 N/A C:\Users\Admin\AppData\Local\Temp\silence\silence-workspace.exe C:\Users\Admin\AppData\Local\Temp\SILENCE-WORKSPACE.EXE
PID 2740 wrote to memory of 3048 N/A C:\Users\Admin\AppData\Local\Temp\silence\silence-workspace.exe C:\Users\Admin\AppData\Local\Temp\SILENCE-WORKSPACE.EXE
PID 2740 wrote to memory of 3048 N/A C:\Users\Admin\AppData\Local\Temp\silence\silence-workspace.exe C:\Users\Admin\AppData\Local\Temp\SILENCE-WORKSPACE.EXE
PID 3048 wrote to memory of 1988 N/A C:\Users\Admin\AppData\Local\Temp\SILENCE-WORKSPACE.EXE C:\Windows\system32\cmd.exe
PID 3048 wrote to memory of 1988 N/A C:\Users\Admin\AppData\Local\Temp\SILENCE-WORKSPACE.EXE C:\Windows\system32\cmd.exe
PID 3048 wrote to memory of 1988 N/A C:\Users\Admin\AppData\Local\Temp\SILENCE-WORKSPACE.EXE C:\Windows\system32\cmd.exe
PID 1988 wrote to memory of 2580 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\certutil.exe
PID 1988 wrote to memory of 2580 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\certutil.exe
PID 1988 wrote to memory of 2580 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\certutil.exe
PID 1988 wrote to memory of 2568 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\find.exe
PID 1988 wrote to memory of 2568 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\find.exe
PID 1988 wrote to memory of 2568 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\find.exe
PID 1988 wrote to memory of 2640 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\find.exe
PID 1988 wrote to memory of 2640 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\find.exe
PID 1988 wrote to memory of 2640 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\find.exe
PID 2028 wrote to memory of 2592 N/A C:\Users\Admin\AppData\Local\Temp\CLIENT-BUILT.EXE C:\Windows\system32\WerFault.exe
PID 2028 wrote to memory of 2592 N/A C:\Users\Admin\AppData\Local\Temp\CLIENT-BUILT.EXE C:\Windows\system32\WerFault.exe
PID 2028 wrote to memory of 2592 N/A C:\Users\Admin\AppData\Local\Temp\CLIENT-BUILT.EXE C:\Windows\system32\WerFault.exe
PID 3048 wrote to memory of 2612 N/A C:\Users\Admin\AppData\Local\Temp\SILENCE-WORKSPACE.EXE C:\Windows\system32\cmd.exe
PID 3048 wrote to memory of 2612 N/A C:\Users\Admin\AppData\Local\Temp\SILENCE-WORKSPACE.EXE C:\Windows\system32\cmd.exe
PID 3048 wrote to memory of 2612 N/A C:\Users\Admin\AppData\Local\Temp\SILENCE-WORKSPACE.EXE C:\Windows\system32\cmd.exe
PID 2612 wrote to memory of 2444 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\cmd.exe
PID 2612 wrote to memory of 2444 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\cmd.exe
PID 2612 wrote to memory of 2444 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\cmd.exe
PID 3048 wrote to memory of 2452 N/A C:\Users\Admin\AppData\Local\Temp\SILENCE-WORKSPACE.EXE C:\Windows\system32\WerFault.exe
PID 3048 wrote to memory of 2452 N/A C:\Users\Admin\AppData\Local\Temp\SILENCE-WORKSPACE.EXE C:\Windows\system32\WerFault.exe
PID 3048 wrote to memory of 2452 N/A C:\Users\Admin\AppData\Local\Temp\SILENCE-WORKSPACE.EXE C:\Windows\system32\WerFault.exe
PID 2444 wrote to memory of 2512 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\timeout.exe
PID 2444 wrote to memory of 2512 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\timeout.exe
PID 2444 wrote to memory of 2512 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\timeout.exe

Processes

C:\Users\Admin\AppData\Local\Temp\silence\silence-workspace.exe

"C:\Users\Admin\AppData\Local\Temp\silence\silence-workspace.exe"

C:\Users\Admin\AppData\Local\Temp\CLIENT-BUILT.EXE

"C:\Users\Admin\AppData\Local\Temp\CLIENT-BUILT.EXE"

C:\Users\Admin\AppData\Local\Temp\SILENCE-WORKSPACE.EXE

"C:\Users\Admin\AppData\Local\Temp\SILENCE-WORKSPACE.EXE"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c certutil -hashfile "C:\Users\Admin\AppData\Local\Temp\SILENCE-WORKSPACE.EXE" MD5 | find /i /v "md5" | find /i /v "certutil"

C:\Windows\system32\certutil.exe

certutil -hashfile "C:\Users\Admin\AppData\Local\Temp\SILENCE-WORKSPACE.EXE" MD5

C:\Windows\system32\find.exe

find /i /v "md5"

C:\Windows\system32\find.exe

find /i /v "certutil"

C:\Windows\system32\WerFault.exe

C:\Windows\system32\WerFault.exe -u -p 2028 -s 596

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c start cmd /C "color b && title Error && echo SSL connect error && timeout /t 5"

C:\Windows\system32\cmd.exe

cmd /C "color b && title Error && echo SSL connect error && timeout /t 5"

C:\Windows\system32\WerFault.exe

C:\Windows\system32\WerFault.exe -u -p 3048 -s 272

C:\Windows\system32\timeout.exe

timeout /t 5

Network

Country Destination Domain Proto
US 8.8.8.8:53 keyauth.win udp
US 104.26.0.5:443 keyauth.win tcp
US 8.8.8.8:53 apps.identrust.com udp
GB 96.17.179.184:80 apps.identrust.com tcp
N/A 127.0.0.1:49203 N/A tcp
N/A 127.0.0.1:49205 N/A tcp
US 8.8.8.8:53 x2.c.lencr.org udp
GB 173.222.13.40:80 x2.c.lencr.org tcp

Files

\Users\Admin\AppData\Local\Temp\CLIENT-BUILT.EXE

MD5 6f9c42f940f854243a2f445c8cb750ec
SHA1 aeed75218753dd1f184cc55ebbe8a1a80e5a59f3
SHA256 15fbe5942c60d92081fa93d5444a7abb355dc917c9ea3a44585d5a4b4219e91a
SHA512 612bfac0a8a079a67e361e87ac6eaf9c9cc5a4940b5dd74ecb6c61e2811707b2e60e60ee70102622c0bb222b01a3aced82853d130d2f07075e8d629e33bb8cb2

\Users\Admin\AppData\Local\Temp\SILENCE-WORKSPACE.EXE

MD5 8b393057c5c9026495f8efbe7234b1c4
SHA1 21aff93ce1ff29a961ac947cafd75b6994fb5ae8
SHA256 c100648181026be6dbce91beb36b5cd859563c4b0edd8e4a0aa5d60829467b30
SHA512 57504769cff622817a129f4b0d235d2f148a381d588950949f0b0316c71aef46e3d0d17747a50a81a946e73af486962d52f23160fe937c1d6caf8db4b1996952

memory/2028-11-0x000000013FA90000-0x000000013FAA8000-memory.dmp

memory/2028-13-0x000007FEF5D10000-0x000007FEF66FC000-memory.dmp

memory/2028-14-0x000000001B9F0000-0x000000001BA70000-memory.dmp

memory/2028-20-0x000007FEF5D10000-0x000007FEF66FC000-memory.dmp

memory/2028-21-0x000000001B9F0000-0x000000001BA70000-memory.dmp

memory/2028-22-0x000007FEF5D10000-0x000007FEF66FC000-memory.dmp