discordrat | 939fed83d6381ce90f7e69833204f77be7134c62b0fef6f2d8e82722b1a30e9c

Resubmissions

18-04-2024 16:03

240418-thdr8ahc53 10

17-04-2024 17:38

240417-v7pfpaab9w 10

Analysis

max time kernel
30s
max time network
19s
platform
windows10-2004_x64
resource
win10v2004-20240412-en
resource tags

arch:x64arch:x86image:win10v2004-20240412-enlocale:en-usos:windows10-2004-x64system
submitted
17-04-2024 17:38

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

check_pic.exe
Size

91KB
MD5

2a6bcd471e17bf7e517ed75b3f96dfd9
SHA1

2a1318834be42e05de6c1a466958ce475b1bbb58
SHA256

939fed83d6381ce90f7e69833204f77be7134c62b0fef6f2d8e82722b1a30e9c
SHA512

f10bc9f91b0c3b497bb1aea79022948d56979f04f86d3992066ade731a776246231c93c1045a57c70514ddd1f3e0d87d9ec88f166f180667adac8f7c2619099c
SSDEEP

1536:IJs1RO8f2UsgLCerU8FlgksixIgmRx4QMWHzDb7+xbrBFeh1U+f5RzsrN:71QW2CJfj4iSgmRyQVDXgbNFn+f5psN

Score

10^/10

discordrat persistence rat rootkit stealer

Malware Config

Extracted

Family

discordrat

Attributes

discord_token
MTIwNzQ0Mjc2MTY3MDk4Nzg5Nw.G7QGsq.mV9vPnqHSKpUueDX1U0MR64-D5ZHLEHM-uK5fI
server_id
1228104284198015068

Signatures

Discord RAT
A RAT written in C# using Discord as a C2.
stealer rootkit rat persistence discordrat

Checks computer location settings 2 TTPs 2 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-2288054676-1871194608-3559553667-1000\Control Panel\International\Geo\Nation	check_pic.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2288054676-1871194608-3559553667-1000\Control Panel\International\Geo\Nation	check_pic.exe

Executes dropped EXE 3 IoCs

pid	Process
2796	check_ip.exe
4072	check_ip.exe
3156	check_ip.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious use of AdjustPrivilegeToken 3 IoCs

description	pid	Process
Token: SeDebugPrivilege	2796	check_ip.exe
Token: SeDebugPrivilege	4072	check_ip.exe
Token: SeDebugPrivilege	3156	check_ip.exe

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 4360 wrote to memory of 2796	4360	check_pic.exe	84
PID 4360 wrote to memory of 2796	4360	check_pic.exe	84
PID 2892 wrote to memory of 3156	2892	check_pic.exe	97
PID 2892 wrote to memory of 3156	2892	check_pic.exe	97

C:\Users\Admin\AppData\Local\Temp\check_pic.exe
"C:\Users\Admin\AppData\Local\Temp\check_pic.exe"
1⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:4360
- C:\Users\Admin\AppData\Local\Temp\check_ip.exe
  "C:\Users\Admin\AppData\Local\Temp\check_ip.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken
  PID:2796

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:1788

C:\Users\Admin\AppData\Local\Temp\check_ip.exe
"C:\Users\Admin\AppData\Local\Temp\check_ip.exe"
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:4072

C:\Users\Admin\AppData\Local\Temp\check_pic.exe
"C:\Users\Admin\AppData\Local\Temp\check_pic.exe"
1⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:2892
- C:\Users\Admin\AppData\Local\Temp\check_ip.exe
  "C:\Users\Admin\AppData\Local\Temp\check_ip.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken
  PID:3156

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\check_pic.exe.log

Filesize
654B

MD5
2ff39f6c7249774be85fd60a8f9a245e

SHA1
684ff36b31aedc1e587c8496c02722c6698c1c4e

SHA256
e1b91642d85d98124a6a31f710e137ab7fd90dec30e74a05ab7fcf3b7887dced

SHA512
1d7e8b92ef4afd463d62cfa7e8b9d1799db5bf2a263d3cd7840df2e0a1323d24eb595b5f8eb615c6cb15f9e3a7b4fc99f8dd6a3d34479222e966ec708998aed1

Download Submit
C:\Users\Admin\AppData\Local\Temp\check_ip.exe

Filesize
78KB

MD5
1ffb65a70c60aeb329faa730bf27ec08

SHA1
f0801acbb4d7c22650b6858c1385e4dfe4c8eb5b

SHA256
7633848cbdce6f2415f291f24e3c1773c3523ebeb2548a2dc4fd6c9bd6188ed0

SHA512
c7c5a9f84d6bc93cec18c849fab3e817365aff4540c97c2fc547d9d2c4e4d3b72263bafd46c93c721683fd7e071ddf94054f9a9f3008b26a003db39bb8ce2c60

Download Submit
memory/2796-30-0x000002803B290000-0x000002803B2A0000-memory.dmp

Filesize
64KB

Download
memory/2796-14-0x0000028020DB0000-0x0000028020DC8000-memory.dmp

Filesize
96KB

Download
memory/2796-27-0x00007FFC53CE0000-0x00007FFC547A1000-memory.dmp

Filesize
10.8MB

Download
memory/2796-17-0x000002803B390000-0x000002803B552000-memory.dmp

Filesize
1.8MB

Download
memory/2796-16-0x00007FFC53CE0000-0x00007FFC547A1000-memory.dmp

Filesize
10.8MB

Download
memory/2796-18-0x000002803B290000-0x000002803B2A0000-memory.dmp

Filesize
64KB

Download
memory/2796-19-0x000002803BCD0000-0x000002803C1F8000-memory.dmp

Filesize
5.2MB

Download
memory/2892-24-0x00007FFC53CE0000-0x00007FFC547A1000-memory.dmp

Filesize
10.8MB

Download
memory/2892-26-0x00007FFC53CE0000-0x00007FFC547A1000-memory.dmp

Filesize
10.8MB

Download
memory/3156-28-0x00007FFC53CE0000-0x00007FFC547A1000-memory.dmp

Filesize
10.8MB

Download
memory/3156-29-0x000001F273370000-0x000001F273380000-memory.dmp

Filesize
64KB

Download
memory/4072-22-0x000001924AC30000-0x000001924AC40000-memory.dmp

Filesize
64KB

Download
memory/4072-21-0x00007FFC53CE0000-0x00007FFC547A1000-memory.dmp

Filesize
10.8MB

Download
memory/4072-31-0x00007FFC53CE0000-0x00007FFC547A1000-memory.dmp

Filesize
10.8MB

Download
memory/4360-0-0x0000000000500000-0x000000000051E000-memory.dmp

Filesize
120KB

Download
memory/4360-15-0x00007FFC53CE0000-0x00007FFC547A1000-memory.dmp

Filesize
10.8MB

Download
memory/4360-2-0x00007FFC53CE0000-0x00007FFC547A1000-memory.dmp

Filesize
10.8MB

Download