discordrat | 9f7154d3786a9f445d249454777da82ebca55681b0fdbe54f1695ce31a30543f

Analysis

max time kernel
147s
max time network
152s
platform
windows10-2004_x64
resource
win10v2004-20240412-en
resource tags

arch:x64arch:x86image:win10v2004-20240412-enlocale:en-usos:windows10-2004-x64system
submitted
16-04-2024 20:19

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

s‮gpj.exe
Size

563KB
MD5

0bbc0a7dc1a58f8a33fbd893ec737bc2
SHA1

6cc449fffcf0111d62ff0475afb30eef7d774089
SHA256

9f7154d3786a9f445d249454777da82ebca55681b0fdbe54f1695ce31a30543f
SHA512

d6a4cb34a70180951925d5414c1a563a37a5a6d5c92b6fc8c741711637ebd1af60a0e375e00334599f322226a084641f099042b524f7152c720f8a2e7ee14445
SSDEEP

12288:oCQjgAtAHM+vetZxF5EWry8AJGy0yfnSWv46NuV9TXH2505/N:o5ZWs+OZVEWry8AFBTjNufH2kV

Score

10^/10

discordrat persistence rat rootkit spyware stealer

Malware Config

Extracted

Family

discordrat

Attributes

discord_token
MTIyOTg4MjMyNDM2ODM2MzcwMA.GrfReS.9yWuSoWr3uhKK0b6qurk33JdihJVamaZgss9Yg
server_id
1229880755757514752

Signatures

Discord RAT
A RAT written in C# using Discord as a C2.
stealer rootkit rat persistence discordrat
Downloads MZ/PE file

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-1826666146-2574340311-1877551059-1000\Control Panel\International\Geo\Nation	s‮gpj.exe

Executes dropped EXE 1 IoCs

pid	Process
4952	Client-built.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Legitimate hosting services abused for malware hosting/C2 1 TTPs 9 IoCs

Web Service

T1102

flow	ioc
70	discord.com
67	raw.githubusercontent.com
68	raw.githubusercontent.com
69	discord.com
65	discord.com
66	discord.com
35	discord.com
36	discord.com
39	discord.com

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	4952	Client-built.exe

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 932 wrote to memory of 4952	932	s‮gpj.exe	92
PID 932 wrote to memory of 4952	932	s‮gpj.exe	92
PID 4952 wrote to memory of 4132	4952	Client-built.exe	97
PID 4952 wrote to memory of 4132	4952	Client-built.exe	97

C:\Users\Admin\AppData\Local\Temp\s‮gpj.exe
"C:\Users\Admin\AppData\Local\Temp\s‮gpj.exe"
1⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:932
- C:\Users\Admin\AppData\Local\Temp\RarSFX0\Client-built.exe
  "C:\Users\Admin\AppData\Local\Temp\RarSFX0\Client-built.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:4952
- - C:\Windows\SYSTEM32\cmd.exe
    "cmd.exe" /C kill
    3⤵
    PID:4132

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\RarSFX0\Client-built.exe

Filesize
78KB

MD5
9c9b36aa4fbe85b60277dd6ea9caf0e1

SHA1
d037380d780a0165d02bdd51f3eb741519944a64

SHA256
42b7cc111a1773cec2eb5c5e97e9d03cf3d32cbff97dc1f8027ed65955d63c47

SHA512
a7d1d4d1f27407dcd49aaf111f84005534031cd4b705d2bc14a5594787af915410a82f41193072cddceeefd209997a24e379d970d94c8ff07bc5f950183884d6

Download Submit
memory/4952-14-0x000001E1B4590000-0x000001E1B45A8000-memory.dmp

Filesize
96KB

Download
memory/4952-15-0x000001E1CEC70000-0x000001E1CEE32000-memory.dmp

Filesize
1.8MB

Download
memory/4952-16-0x00007FFABCE70000-0x00007FFABD931000-memory.dmp

Filesize
10.8MB

Download
memory/4952-17-0x000001E1B4A20000-0x000001E1B4A30000-memory.dmp

Filesize
64KB

Download
memory/4952-18-0x000001E1CF470000-0x000001E1CF998000-memory.dmp

Filesize
5.2MB

Download
memory/4952-19-0x00007FFABCE70000-0x00007FFABD931000-memory.dmp

Filesize
10.8MB

Download
memory/4952-20-0x000001E1B4A20000-0x000001E1B4A30000-memory.dmp

Filesize
64KB

Download
memory/4952-21-0x000001E1CEF40000-0x000001E1CEFB6000-memory.dmp

Filesize
472KB

Download
memory/4952-22-0x000001E1B6370000-0x000001E1B6382000-memory.dmp

Filesize
72KB

Download
memory/4952-23-0x000001E1B63A0000-0x000001E1B63BE000-memory.dmp

Filesize
120KB

Download