discordrat | 6896541fcc9e39d2ac62cc0237e5ae915f2eee398d2f82d09239caae76e27ed7

General

Target

ImageLoggerV4.exe
Size

6.7MB
MD5

39ea95d798b42f23b9d5f925578cc179
SHA1

1a2bbf8bcfd835a1349f3219817710a0d3a2b89b
SHA256

6896541fcc9e39d2ac62cc0237e5ae915f2eee398d2f82d09239caae76e27ed7
SHA512

2646b17dc40c18f5babda4a6e87c7a6cd921d51404f05a2e238e4a9df7fda1367b0a153baffed7c45e157c443ad515c44cecbe405c07c310407779cd3c817ebd
SSDEEP

196608:cC8bSasKeCGdjbWGe8cliOZKLtfHPLOAQzZNgs:LYIdS8RO6fHDJc

Score

10^/10

discordrat persistence rat rootkit stealer upx

Malware Config

Extracted

Family

discordrat

Attributes

discord_token
MTE5MzQ4MTk4Mzc5MjI1NTA1Ng.G4n7Tu.-ruWZdF2N09-odd0zZspsBjCwqwTg6xYcP4MSg
server_id
1193474814220967958

Signatures

Discord RAT
A RAT written in C# using Discord as a C2.
stealer rootkit rat persistence discordrat

Executes dropped EXE 4 IoCs

pid	Process
2668	IMAGELOGGERA.exe
2828	IMAGELOGGERA.exe
1792	IMAGELOGGER.exe
1716	GENERATOR.exe

Loads dropped DLL 12 IoCs

pid	Process
2168	ImageLoggerV4.exe
2668	IMAGELOGGERA.exe
2828	IMAGELOGGERA.exe
1172	Process not Found
1172	Process not Found
2168	ImageLoggerV4.exe
1792	IMAGELOGGER.exe
1876	WerFault.exe
1876	WerFault.exe
1876	WerFault.exe
1876	WerFault.exe
1876	WerFault.exe

UPX packed file 2 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/files/0x000500000001866b-35.dat	upx
behavioral1/memory/2828-37-0x000007FEF5D80000-0x000007FEF61EE000-memory.dmp	upx

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious use of WriteProcessMemory 15 IoCs

description	pid	Process	procid_target
PID 2168 wrote to memory of 2668	2168	ImageLoggerV4.exe	28
PID 2168 wrote to memory of 2668	2168	ImageLoggerV4.exe	28
PID 2168 wrote to memory of 2668	2168	ImageLoggerV4.exe	28
PID 2668 wrote to memory of 2828	2668	IMAGELOGGERA.exe	29
PID 2668 wrote to memory of 2828	2668	IMAGELOGGERA.exe	29
PID 2668 wrote to memory of 2828	2668	IMAGELOGGERA.exe	29
PID 2168 wrote to memory of 1792	2168	ImageLoggerV4.exe	30
PID 2168 wrote to memory of 1792	2168	ImageLoggerV4.exe	30
PID 2168 wrote to memory of 1792	2168	ImageLoggerV4.exe	30
PID 1792 wrote to memory of 1716	1792	IMAGELOGGER.exe	32
PID 1792 wrote to memory of 1716	1792	IMAGELOGGER.exe	32
PID 1792 wrote to memory of 1716	1792	IMAGELOGGER.exe	32
PID 1716 wrote to memory of 1876	1716	GENERATOR.exe	33
PID 1716 wrote to memory of 1876	1716	GENERATOR.exe	33
PID 1716 wrote to memory of 1876	1716	GENERATOR.exe	33

C:\Users\Admin\AppData\Local\Temp\ImageLoggerV4.exe
"C:\Users\Admin\AppData\Local\Temp\ImageLoggerV4.exe"
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2168
- C:\Users\Admin\AppData\Local\Temp\RarSFX0\IMAGELOGGERA.exe
  "C:\Users\Admin\AppData\Local\Temp\RarSFX0\IMAGELOGGERA.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory
  PID:2668
- - C:\Users\Admin\AppData\Local\Temp\RarSFX0\IMAGELOGGERA.exe
    "C:\Users\Admin\AppData\Local\Temp\RarSFX0\IMAGELOGGERA.exe"
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    PID:2828
- C:\Users\Admin\AppData\Local\Temp\RarSFX0\IMAGELOGGER.exe
  "C:\Users\Admin\AppData\Local\Temp\RarSFX0\IMAGELOGGER.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory
  PID:1792
- - C:\Users\Admin\AppData\Local\Temp\RarSFX1\GENERATOR.exe
    "C:\Users\Admin\AppData\Local\Temp\RarSFX1\GENERATOR.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious use of WriteProcessMemory
    PID:1716
  - - C:\Windows\system32\WerFault.exe
      C:\Windows\system32\WerFault.exe -u -p 1716 -s 596
      4⤵
      Loads dropped DLL
      PID:1876

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\RarSFX0\IMAGELOGGER.exe

Filesize
722KB

MD5
e98df65ea22c5abb150fbeb8328c0391

SHA1
422e1a8b62bf62244acce9ee65ff1af7edc4c636

SHA256
389e9fd3dcd87ef0d4b34d4c3732f0e3cee99a1229b8e51c82701e2c328bd0db

SHA512
adfab09f138239c0a5da8f14e4d1e07d7cac1fcc1633946cb7fcb217380124e2e21a842f4e54602bde48d209b16a0391efad0cb549174dd4136a32851570556f

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX0\IMAGELOGGERA.exe

Filesize
5.9MB

MD5
52d0445bc6f03d82acd50722fe1d6ed9

SHA1
fe301c57ed91c78aa18c5c8c96d558a532a5f4d4

SHA256
235c01fb58eb4364e163148d0f2b79bbd8ab6ff99f61b32857cd2c9719e3d861

SHA512
537bc85ab95ece1f5f2f957da6730c29260480c25a93ed4594bb6ae440dce7777de338b3642233b589213704a2b671049c46b20f2f4b2057708673380546974c

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX1\GENERATOR.exe

Filesize
78KB

MD5
3c66eb464c39716b7b6086acfae734ef

SHA1
563a96d902be840dc318fe156218406a82af9e5e

SHA256
498fb5e68b243e0d0fab24bb632ae5f52957f459045a17929dbe7182a722974d

SHA512
5b0a2d2642514af2b1f4bd8f8c5b1a47e7cac426c3ba7e4f5cb9b01597bc0d177747377b8f3a4af31501a4179baba049f0ab4cf6f10462c8495b2409c28eeed9

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI26682\python310.dll

Filesize
1.4MB

MD5
178a0f45fde7db40c238f1340a0c0ec0

SHA1
dcd2d3d14e06da3e8d7dc91a69b5fd785768b5fe

SHA256
9fcb5ad15bd33dd72122a171a5d950e8e47ceda09372f25df828010cde24b8ed

SHA512
4b790046787e57b9414a796838a026b1530f497a75c8e62d62b56f8c16a0cbedbefad3d4be957bc18379f64374d8d3bf62d3c64b53476c7c5005a7355acd2cee

Download Submit
memory/1716-77-0x000000013F990000-0x000000013F9A8000-memory.dmp

Filesize
96KB

Download
memory/1716-78-0x000007FEF5450000-0x000007FEF5E3C000-memory.dmp

Filesize
9.9MB

Download
memory/1716-79-0x000000001AE20000-0x000000001AEA0000-memory.dmp

Filesize
512KB

Download
memory/1716-85-0x000007FEF5450000-0x000007FEF5E3C000-memory.dmp

Filesize
9.9MB

Download
memory/1716-86-0x000007FEF5450000-0x000007FEF5E3C000-memory.dmp

Filesize
9.9MB

Download
memory/1792-70-0x0000000002180000-0x0000000002190000-memory.dmp

Filesize
64KB

Download
memory/2828-37-0x000007FEF5D80000-0x000007FEF61EE000-memory.dmp

Filesize
4.4MB

Download

Analysis

Sharing