Malware Analysis Report

2024-11-16 13:06

Sample ID 240323-2yb8bsgc3t
Target qr.scr.exe
SHA256 41bfb9975a07c647313b8211c9096fd42c379ef1ab8aa55cf8754903636d57cd
Tags: discordrat persistence rat rootkit stealer
Score: 10/10

Analysis Overview

Score: 10/10

SHA256

41bfb9975a07c647313b8211c9096fd42c379ef1ab8aa55cf8754903636d57cd

Threat Level: Known bad

The file qr.scr.exe was found to be: Known bad.

Malicious Activity Summary

discordrat persistence rat rootkit stealer

Discord RAT

Checks computer location settings

Executes dropped EXE

Loads dropped DLL

Enumerates physical storage devices

Unsigned PE

Suspicious use of AdjustPrivilegeToken

Suspicious use of FindShellTrayWindow

Suspicious use of WriteProcessMemory

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-03-23 22:59

Signatures

Unsigned PE

Description | Indicator | Process | Target
N/A | N/A | N/A | N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-03-23 22:58

Reported

2024-03-23 23:01

Platform

win7-20240319-en

Max time kernel

121s

Max time network

124s

Command Line

"C:\Users\Admin\AppData\Local\Temp\qr.scr.exe"

Signatures

Discord RAT

stealer rootkit rat persistence discordrat

Executes dropped EXE

Description | Indicator | Process | Target
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\RarSFX0\qr.exe | N/A

Enumerates physical storage devices

Suspicious use of FindShellTrayWindow

Description | Indicator | Process | Target
N/A | N/A | C:\Windows\SysWOW64\DllHost.exe | N/A
N/A | N/A | C:\Windows\SysWOW64\DllHost.exe | N/A

Processes

C:\Users\Admin\AppData\Local\Temp\qr.scr.exe

"C:\Users\Admin\AppData\Local\Temp\qr.scr.exe"

C:\Windows\SysWOW64\DllHost.exe

C:\Windows\SysWOW64\DllHost.exe /Processid:{76D0CB12-7604-4048-B83C-1005C7DDC503}

C:\Users\Admin\AppData\Local\Temp\RarSFX0\qr.exe

"C:\Users\Admin\AppData\Local\Temp\RarSFX0\qr.exe"

C:\Windows\system32\WerFault.exe

C:\Windows\system32\WerFault.exe -u -p 2560 -s 596

Network

N/A

Files

memory/2168-4-0x0000000002380000-0x0000000002382000-memory.dmp

memory/2136-5-0x00000000000B0000-0x00000000000B2000-memory.dmp

memory/2136-6-0x00000000001C0000-0x00000000001C1000-memory.dmp

\Users\Admin\AppData\Local\Temp\RarSFX0\qr.exe

MD5 f8c5bb2e9929c86865c291de2b71ae6e
SHA1 fdf6e43b696308f60f13e3b96d0482d3634992b6
SHA256 271ed5f4d469576ac832f8b8f6734168a986619f3f0aebb1747efe583381ead2
SHA512 c46dfb27428ac80bec7cd09d82aa65c59e343a73849965149275459fd5ee113c21d3bb744d41c1a93725e8ced8b22270891db055376a00136a59686365393fa4

memory/2560-13-0x000000013F2F0000-0x000000013F340000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\RarSFX0\qr.ico

MD5 f7b79586fa0fd87f757302e947b07550
SHA1 75dc2e743ae79b2ee0350cd8086974eda23b3e17
SHA256 0bc6f95b9438ef6a557beb35cd48d77bde265751db2a06273ae71b3ad008798f
SHA512 ab56dd548d53ee77ccc30ab38e34f3d717ece5953a90334af819a818b573d5a1bfcf58fb661bd2883784ef8be05408edd1e8a1c1cd135d71dd05862f44af3dda

memory/2560-15-0x000007FEF52B0000-0x000007FEF5C9C000-memory.dmp

memory/2560-16-0x0000000000870000-0x00000000008F0000-memory.dmp

memory/2560-22-0x000007FEF52B0000-0x000007FEF5C9C000-memory.dmp

memory/2136-23-0x00000000001C0000-0x00000000001C1000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted

2024-03-23 22:58

Reported

2024-03-23 23:00

Platform

win10v2004-20240226-en

Max time kernel

49s

Max time network

56s

Command Line

"C:\Users\Admin\AppData\Local\Temp\qr.scr.exe"

Signatures

Discord RAT

stealer rootkit rat persistence discordrat

Checks computer location settings

Description | Indicator | Process | Target
Key value queried | \REGISTRY\USER\S-1-5-21-513485977-2495024337-1260977654-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\qr.scr.exe | N/A

Executes dropped EXE

Description | Indicator | Process | Target
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\RarSFX0\qr.exe | N/A

Enumerates physical storage devices

Suspicious use of AdjustPrivilegeToken

Description | Indicator | Process | Target
Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\RarSFX0\qr.exe | N/A

Suspicious use of WriteProcessMemory

Description | Indicator | Process | Target
PID 3100 wrote to memory of 4052 | N/A | C:\Users\Admin\AppData\Local\Temp\qr.scr.exe | C:\Users\Admin\AppData\Local\Temp\RarSFX0\qr.exe
PID 3100 wrote to memory of 4052 | N/A | C:\Users\Admin\AppData\Local\Temp\qr.scr.exe | C:\Users\Admin\AppData\Local\Temp\RarSFX0\qr.exe

Processes

C:\Users\Admin\AppData\Local\Temp\qr.scr.exe

"C:\Users\Admin\AppData\Local\Temp\qr.scr.exe"

C:\Users\Admin\AppData\Local\Temp\RarSFX0\qr.exe

"C:\Users\Admin\AppData\Local\Temp\RarSFX0\qr.exe"

Network

Country | Destination | Domain | Proto
NL | 52.142.223.178:80 | | tcp
US | 8.8.8.8:53 | 0.159.190.20.in-addr.arpa | udp
US | 8.8.8.8:53 | 201.178.17.96.in-addr.arpa | udp
US | 8.8.8.8:53 | 9.228.82.20.in-addr.arpa | udp
US | 8.8.8.8:53 | 209.205.72.20.in-addr.arpa | udp
US | 8.8.8.8:53 | 205.47.74.20.in-addr.arpa | udp
US | 8.8.8.8:53 | 41.110.16.96.in-addr.arpa | udp
US | 8.8.8.8:53 | gateway.discord.gg | udp
US | 162.159.135.234:443 | gateway.discord.gg | tcp
US | 8.8.8.8:53 | 234.135.159.162.in-addr.arpa | udp
US | 8.8.8.8:53 | 154.239.44.20.in-addr.arpa | udp
US | 8.8.8.8:53 | 26.165.165.52.in-addr.arpa | udp
US | 8.8.8.8:53 | 206.23.85.13.in-addr.arpa | udp
US | 8.8.8.8:53 | 134.71.91.104.in-addr.arpa | udp
US | 8.8.8.8:53 | tse1.mm.bing.net | udp
US | 204.79.197.200:443 | tse1.mm.bing.net | tcp
US | 204.79.197.200:443 | tse1.mm.bing.net | tcp
US | 204.79.197.200:443 | tse1.mm.bing.net | tcp
US | 204.79.197.200:443 | tse1.mm.bing.net | tcp
US | 8.8.8.8:53 | 55.36.223.20.in-addr.arpa | udp
US | 8.8.8.8:53 | 200.197.79.204.in-addr.arpa | udp

Files

C:\Users\Admin\AppData\Local\Temp\RarSFX0\qr.exe

MD5 f8c5bb2e9929c86865c291de2b71ae6e
SHA1 fdf6e43b696308f60f13e3b96d0482d3634992b6
SHA256 271ed5f4d469576ac832f8b8f6734168a986619f3f0aebb1747efe583381ead2
SHA512 c46dfb27428ac80bec7cd09d82aa65c59e343a73849965149275459fd5ee113c21d3bb744d41c1a93725e8ced8b22270891db055376a00136a59686365393fa4

memory/4052-14-0x000001FA24A10000-0x000001FA24A60000-memory.dmp

memory/4052-15-0x000001FA3F030000-0x000001FA3F1F2000-memory.dmp

memory/4052-16-0x00007FF86FA10000-0x00007FF8704D1000-memory.dmp

memory/4052-17-0x000001FA3EF40000-0x000001FA3EF50000-memory.dmp

memory/4052-18-0x000001FA3FA80000-0x000001FA3FFA8000-memory.dmp

memory/4052-19-0x000001FA3F200000-0x000001FA3F302000-memory.dmp

memory/4052-20-0x00007FF86FA10000-0x00007FF8704D1000-memory.dmp

memory/4052-22-0x000001FA3EF40000-0x000001FA3EF50000-memory.dmp