discordrat | 4d12cef8e56f92b53f548491b58deb9e774c3739301b7d21d87d62cf1256831b

Analysis

max time kernel
39s
max time network
19s
platform
windows7_x64
resource
win7-20240221-en
resource tags

arch:x64arch:x86image:win7-20240221-enlocale:en-usos:windows7-x64system
submitted
25-04-2024 23:45

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

prestigev2.exe
Size

470KB
MD5

ab5ff00162c761144b4d02486b3c0b08
SHA1

102111e6d7cd70274a2b9e5c57d3099ee8f0e79f
SHA256

4d12cef8e56f92b53f548491b58deb9e774c3739301b7d21d87d62cf1256831b
SHA512

18a2fe795c92d00b0523d460c2f460515d9b39979c694a93f4d47f13f429f518b94db0c39c176d32d1e9ecb84eaa7e33e4d53814b31c8d206296ad9543b696ba
SSDEEP

6144:XE+yclwQKjdn+WPtYVJIoBfUuC4jI4eYOywyKQtgKuXQAZKRZS5jMfUoTf:XBdlwHRn+WlYV+934jQYOywjggga2j

Score

10^/10

discordrat persistence rat rootkit stealer

Malware Config

Extracted

Family

discordrat

Attributes

discord_token
MTIyNzQyMzE4MDEwMTEyNDEyNw.GQOmio.DYcpMY415SdKKyjsQySmQRxNjb4DdWgtJzAzRQ
server_id
1233198387088719893

Signatures

Discord RAT
A RAT written in C# using Discord as a C2.
stealer rootkit rat persistence discordrat

Executes dropped EXE 1 IoCs

pid	Process
2148	prestigev2.exe

Loads dropped DLL 6 IoCs

pid	Process
2184	prestigev2.exe
2760	WerFault.exe
2760	WerFault.exe
2760	WerFault.exe
2760	WerFault.exe
2760	WerFault.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious use of WriteProcessMemory 7 IoCs

description	pid	Process	procid_target
PID 2184 wrote to memory of 2148	2184	prestigev2.exe	28
PID 2184 wrote to memory of 2148	2184	prestigev2.exe	28
PID 2184 wrote to memory of 2148	2184	prestigev2.exe	28
PID 2184 wrote to memory of 2148	2184	prestigev2.exe	28
PID 2148 wrote to memory of 2760	2148	prestigev2.exe	29
PID 2148 wrote to memory of 2760	2148	prestigev2.exe	29
PID 2148 wrote to memory of 2760	2148	prestigev2.exe	29

C:\Users\Admin\AppData\Local\Temp\prestigev2.exe
"C:\Users\Admin\AppData\Local\Temp\prestigev2.exe"
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2184
- C:\Users\Admin\AppData\Local\Temp\RarSFX0\prestigev2.exe
  "C:\Users\Admin\AppData\Local\Temp\RarSFX0\prestigev2.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
  PID:2148
- - C:\Windows\system32\WerFault.exe
    C:\Windows\system32\WerFault.exe -u -p 2148 -s 600
    3⤵
    - Loads dropped DLL
    PID:2760

C:\Windows\explorer.exe
"C:\Windows\explorer.exe"
1⤵
PID:1724

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

\Users\Admin\AppData\Local\Temp\RarSFX0\prestigev2.exe

Filesize
78KB

MD5
31ff6dff28087c4fc5063bcf1c8c5fa3

SHA1
23efd0b9c4332fc1cdba826397118f6ed9014b07

SHA256
6532fc3a9276a748d0546613f84e64fed0c5fad50ef27e31914366aec68aa023

SHA512
ceb4f12fb87b90b696229e1ae049aaab1f7adf9d5fc4b1005dcbcb1ea97684d03d2f8a548586dead15c607c0dbdcd6e707ccd1dfb8edf30f3914482e34072807

Download Submit
memory/2148-11-0x000000013FCE0000-0x000000013FCF8000-memory.dmp

Filesize
96KB

Download
memory/2148-12-0x000007FEF5720000-0x000007FEF610C000-memory.dmp

Filesize
9.9MB

Download
memory/2148-13-0x000000001AE40000-0x000000001AEC0000-memory.dmp

Filesize
512KB

Download
memory/2148-19-0x000007FEF5720000-0x000007FEF610C000-memory.dmp

Filesize
9.9MB

Download
memory/2184-4-0x0000000000600000-0x0000000000601000-memory.dmp

Filesize
4KB

Download