discordrat | 9f7154d3786a9f445d249454777da82ebca55681b0fdbe54f1695ce31a30543f

Analysis

max time kernel
569s
max time network
606s
platform
windows10-2004_x64
resource
win10v2004-20240412-en
resource tags

arch:x64arch:x86image:win10v2004-20240412-enlocale:en-usos:windows10-2004-x64system
submitted
16-04-2024 20:16

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

s‮gpj.exe
Size

563KB
MD5

0bbc0a7dc1a58f8a33fbd893ec737bc2
SHA1

6cc449fffcf0111d62ff0475afb30eef7d774089
SHA256

9f7154d3786a9f445d249454777da82ebca55681b0fdbe54f1695ce31a30543f
SHA512

d6a4cb34a70180951925d5414c1a563a37a5a6d5c92b6fc8c741711637ebd1af60a0e375e00334599f322226a084641f099042b524f7152c720f8a2e7ee14445
SSDEEP

12288:oCQjgAtAHM+vetZxF5EWry8AJGy0yfnSWv46NuV9TXH2505/N:o5ZWs+OZVEWry8AFBTjNufH2kV

Score

10^/10

discordrat persistence rat rootkit stealer

Malware Config

Extracted

Family

discordrat

Attributes

discord_token
MTIyOTg4MjMyNDM2ODM2MzcwMA.GrfReS.9yWuSoWr3uhKK0b6qurk33JdihJVamaZgss9Yg
server_id
1229880755757514752

Signatures

Discord RAT
A RAT written in C# using Discord as a C2.
stealer rootkit rat persistence discordrat

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-1132431369-515282257-1998160155-1000\Control Panel\International\Geo\Nation	s‮gpj.exe

Executes dropped EXE 1 IoCs

pid	Process
3240	Client-built.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs 5 IoCs

Web Service

T1102

flow	ioc
30	discord.com
36	discord.com
50	discord.com
52	discord.com
29	discord.com

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	3240	Client-built.exe

Suspicious use of FindShellTrayWindow 1 IoCs

pid	Process
3240	Client-built.exe

Suspicious use of WriteProcessMemory 2 IoCs

description	pid	Process	procid_target
PID 3640 wrote to memory of 3240	3640	s‮gpj.exe	91
PID 3640 wrote to memory of 3240	3640	s‮gpj.exe	91

C:\Users\Admin\AppData\Local\Temp\s‮gpj.exe
"C:\Users\Admin\AppData\Local\Temp\s‮gpj.exe"
1⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:3640
- C:\Users\Admin\AppData\Local\Temp\RarSFX0\Client-built.exe
  "C:\Users\Admin\AppData\Local\Temp\RarSFX0\Client-built.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of FindShellTrayWindow
  PID:3240

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\RarSFX0\Client-built.exe

Filesize
78KB

MD5
9c9b36aa4fbe85b60277dd6ea9caf0e1

SHA1
d037380d780a0165d02bdd51f3eb741519944a64

SHA256
42b7cc111a1773cec2eb5c5e97e9d03cf3d32cbff97dc1f8027ed65955d63c47

SHA512
a7d1d4d1f27407dcd49aaf111f84005534031cd4b705d2bc14a5594787af915410a82f41193072cddceeefd209997a24e379d970d94c8ff07bc5f950183884d6

Download Submit
memory/3240-14-0x000001FDDD090000-0x000001FDDD0A8000-memory.dmp

Filesize
96KB

Download
memory/3240-15-0x000001FDF7650000-0x000001FDF7812000-memory.dmp

Filesize
1.8MB

Download
memory/3240-16-0x00007FFFDAE50000-0x00007FFFDB911000-memory.dmp

Filesize
10.8MB

Download
memory/3240-17-0x000001FDDD490000-0x000001FDDD4A0000-memory.dmp

Filesize
64KB

Download
memory/3240-18-0x000001FDF7E50000-0x000001FDF8378000-memory.dmp

Filesize
5.2MB

Download
memory/3240-19-0x00007FFFDAE50000-0x00007FFFDB911000-memory.dmp

Filesize
10.8MB

Download
memory/3240-20-0x000001FDDD490000-0x000001FDDD4A0000-memory.dmp

Filesize
64KB

Download