discordrat | b1f32da53c09893e50094325682f61d0b6e662ab7d1df628dd5167d25b7a7c67

General

Target

Z1ON Dot Net Obfuscator v2.exe
Size

833KB
MD5

583db42843ecdb4f5ba790beb43572a4
SHA1

a55fc37ba004e327fd9444489ac19789bfe267c5
SHA256

b1f32da53c09893e50094325682f61d0b6e662ab7d1df628dd5167d25b7a7c67
SHA512

98dd5a4b63c6e69d084fbf31a5e48a61050be94f8e8613048fcd056cb1960deeed565c891066d6e9b4114166335a6ecfe5cfdc746955dfa589f89db14df82faa
SSDEEP

12288:HCwqF4Ef4tYimS7hD/4onsU9hCqdTsGyFdfJ:iB4m4tcuD/4osU9hCWsDb

Score

10^/10

discordrat persistence rat rootkit stealer

Malware Config

Extracted

Family

discordrat

Attributes

discord_token
MTIxMzkyOTAxNDQ4MjQzNjE2Nw.G9M0hN.nD-_EEbklL8mO6w0EeRslibB6lcsoMD5XbbFRo
server_id
1209523015184818257

Signatures

Discord RAT
A RAT written in C# using Discord as a C2.
stealer rootkit rat persistence discordrat

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-566096764-1992588923-1249862864-1000\Control Panel\International\Geo\Nation	Z1ON Dot Net Obfuscator v2.exe

Executes dropped EXE 2 IoCs

pid	Process
3744	Client-built.exe
3972	Z1ON Dot Net Obfuscator.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs 3 IoCs

Web Service

T1102

flow	ioc
30	discord.com
32	discord.com
40	discord.com

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Program crash 1 IoCs

pid	pid_target	Process	procid_target
2764	3972	WerFault.exe	93

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	3744	Client-built.exe

Suspicious use of WriteProcessMemory 5 IoCs

description	pid	Process	procid_target
PID 2664 wrote to memory of 3744	2664	Z1ON Dot Net Obfuscator v2.exe	92
PID 2664 wrote to memory of 3744	2664	Z1ON Dot Net Obfuscator v2.exe	92
PID 2664 wrote to memory of 3972	2664	Z1ON Dot Net Obfuscator v2.exe	93
PID 2664 wrote to memory of 3972	2664	Z1ON Dot Net Obfuscator v2.exe	93
PID 2664 wrote to memory of 3972	2664	Z1ON Dot Net Obfuscator v2.exe	93

C:\Users\Admin\AppData\Local\Temp\Z1ON Dot Net Obfuscator v2.exe
"C:\Users\Admin\AppData\Local\Temp\Z1ON Dot Net Obfuscator v2.exe"
1⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:2664
- C:\Users\Admin\AppData\Local\Temp\Client-built.exe
  "C:\Users\Admin\AppData\Local\Temp\Client-built.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken
  PID:3744
- C:\Users\Admin\AppData\Local\Temp\Z1ON Dot Net Obfuscator.exe
  "C:\Users\Admin\AppData\Local\Temp\Z1ON Dot Net Obfuscator.exe"
  2⤵
  - Executes dropped EXE
  PID:3972
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 3972 -s 1060
    3⤵
    - Program crash
    PID:2764

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 416 -p 3972 -ip 3972
1⤵
PID:5052

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

Lateral Movement

Collection

Command and Control

Web Service

1

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\Client-built.exe

Filesize
78KB

MD5
cc9f95bc616eaa9f2e7b6318eac6ef60

SHA1
60f6705dad7f26f6284006f29f7fb64b9075fed1

SHA256
e9157690a3c1cab1d44afaabbdceb26679f5a02202f185ad854f6264a23a7c31

SHA512
abf98ac5e492d56808b10111c9663a59251c0a0c61396b6d49307bce3357e6585c0da7f20f78707846f18af1fa5bccb4d9d91b4778140b583ae64462d770f668

Download Submit
C:\Users\Admin\AppData\Local\Temp\Z1ON Dot Net Obfuscator.exe

Filesize
1023KB

MD5
c7fa9a7d9b0d2cdb6742477158b190f8

SHA1
44258c848294d209c6504640f9c785241485fc28

SHA256
08aa03c784c192aa76acc4da4f79eca7a86e769e405e33c4bff9b0246989af74

SHA512
2f0b2af4400a16abf365fcc122ae92e6a6ebcd0aa5ce77a7601e27f219dd03132eb47ad9a84916028e3dd0eb228000652ad8f3059f6e717fa22c4049c9ec5540

Download Submit
memory/2664-29-0x00007FFD05130000-0x00007FFD05BF1000-memory.dmp

Filesize
10.8MB

Download
memory/2664-1-0x00007FFD05130000-0x00007FFD05BF1000-memory.dmp

Filesize
10.8MB

Download
memory/2664-2-0x000000001B3B0000-0x000000001B3C0000-memory.dmp

Filesize
64KB

Download
memory/2664-0-0x00000000005A0000-0x0000000000676000-memory.dmp

Filesize
856KB

Download
memory/3744-32-0x000002237F920000-0x000002237F930000-memory.dmp

Filesize
64KB

Download
memory/3744-28-0x00007FFD05130000-0x00007FFD05BF1000-memory.dmp

Filesize
10.8MB

Download
memory/3744-26-0x000002237F940000-0x000002237FB02000-memory.dmp

Filesize
1.8MB

Download
memory/3744-40-0x000002237F920000-0x000002237F930000-memory.dmp

Filesize
64KB

Download
memory/3744-17-0x00000223652B0000-0x00000223652C8000-memory.dmp

Filesize
96KB

Download
memory/3744-39-0x00007FFD05130000-0x00007FFD05BF1000-memory.dmp

Filesize
10.8MB

Download
memory/3744-36-0x0000022300530000-0x0000022300A58000-memory.dmp

Filesize
5.2MB

Download
memory/3972-35-0x0000000005B00000-0x0000000005B92000-memory.dmp

Filesize
584KB

Download
memory/3972-34-0x0000000006010000-0x00000000065B4000-memory.dmp

Filesize
5.6MB

Download
memory/3972-33-0x0000000005980000-0x0000000005A5C000-memory.dmp

Filesize
880KB

Download
memory/3972-37-0x0000000005CA0000-0x0000000005CAA000-memory.dmp

Filesize
40KB

Download
memory/3972-38-0x0000000075320000-0x0000000075AD0000-memory.dmp

Filesize
7.7MB

Download
memory/3972-30-0x0000000000F40000-0x0000000001044000-memory.dmp

Filesize
1.0MB

Download
memory/3972-31-0x0000000075320000-0x0000000075AD0000-memory.dmp

Filesize
7.7MB

Download

Analysis

Sharing