discordrat | 83ff41f5ac07fcd96bcfe6cea3b585e9d13ad81f35ffac0c2f10a3a891e71ead

Analysis

max time kernel
117s
max time network
118s
platform
windows7_x64
resource
win7-20240221-en
resource tags

arch:x64arch:x86image:win7-20240221-enlocale:en-usos:windows7-x64system
submitted
25-04-2024 11:16

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

83ff41f5ac07fcd96bcfe6cea3b585e9d13ad81f35ffac0c2f10a3a891e71ead.exe
Size

490KB
MD5

4f66d83ac5cd767b5d651fc7303e031d
SHA1

2de6b6dcc979bed6905ea3d9514f6599c2cf2184
SHA256

83ff41f5ac07fcd96bcfe6cea3b585e9d13ad81f35ffac0c2f10a3a891e71ead
SHA512

ee66b6f5024d57965d96a4420e15d7aef133005d4aaca254bc6ab0796174a9114c9180f5eb098486ed940c32306cfbe361af156cfa75f9d9f1145807240617fd
SSDEEP

12288:pToPWBv/cpGrU3yyK2ToKLk7xCh6Wjgnu:pTbBv5rUVjTouk7xQ6Wjgu

Score

10^/10

discordrat persistence rat rootkit stealer

Malware Config

Extracted

Family

discordrat

Attributes

discord_token
MTIyOTQxMzUwMjU5MTE3NjcyNg.G9KrjP.D-XUbbPM5RZnvYvC1sooWa_RQE0mmSjhRciaaA
server_id
1229419379473649684

Signatures

Discord RAT
A RAT written in C# using Discord as a C2.
stealer rootkit rat persistence discordrat

Executes dropped EXE 1 IoCs

pid	Process
2540	merce.exe

Loads dropped DLL 6 IoCs

pid	Process
2024	83ff41f5ac07fcd96bcfe6cea3b585e9d13ad81f35ffac0c2f10a3a891e71ead.exe
2520	WerFault.exe
2520	WerFault.exe
2520	WerFault.exe
2520	WerFault.exe
2520	WerFault.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious use of FindShellTrayWindow 1 IoCs

pid	Process
2480	DllHost.exe

Suspicious use of WriteProcessMemory 7 IoCs

description	pid	Process	procid_target
PID 2024 wrote to memory of 2540	2024	83ff41f5ac07fcd96bcfe6cea3b585e9d13ad81f35ffac0c2f10a3a891e71ead.exe	29
PID 2024 wrote to memory of 2540	2024	83ff41f5ac07fcd96bcfe6cea3b585e9d13ad81f35ffac0c2f10a3a891e71ead.exe	29
PID 2024 wrote to memory of 2540	2024	83ff41f5ac07fcd96bcfe6cea3b585e9d13ad81f35ffac0c2f10a3a891e71ead.exe	29
PID 2024 wrote to memory of 2540	2024	83ff41f5ac07fcd96bcfe6cea3b585e9d13ad81f35ffac0c2f10a3a891e71ead.exe	29
PID 2540 wrote to memory of 2520	2540	merce.exe	30
PID 2540 wrote to memory of 2520	2540	merce.exe	30
PID 2540 wrote to memory of 2520	2540	merce.exe	30

C:\Users\Admin\AppData\Local\Temp\83ff41f5ac07fcd96bcfe6cea3b585e9d13ad81f35ffac0c2f10a3a891e71ead.exe
"C:\Users\Admin\AppData\Local\Temp\83ff41f5ac07fcd96bcfe6cea3b585e9d13ad81f35ffac0c2f10a3a891e71ead.exe"
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2024
- C:\Users\Admin\AppData\Local\Temp\RarSFX0\merce.exe
  "C:\Users\Admin\AppData\Local\Temp\RarSFX0\merce.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
  PID:2540
- - C:\Windows\system32\WerFault.exe
    C:\Windows\system32\WerFault.exe -u -p 2540 -s 596
    3⤵
    - Loads dropped DLL
    PID:2520

C:\Windows\SysWOW64\DllHost.exe
C:\Windows\SysWOW64\DllHost.exe /Processid:{76D0CB12-7604-4048-B83C-1005C7DDC503}
1⤵
- Suspicious use of FindShellTrayWindow
PID:2480

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\RarSFX0\girl.jpg

Filesize
76KB

MD5
5a8b6cdcaabc2a06a18e234431faccd8

SHA1
bd4fe21178ca64c087f945d035c0810fbb88a5f8

SHA256
f3c7486e571ae4d22a8666faed4a6e05e11654a9c46e033182b7e62ebc948ed7

SHA512
3b598c1850a843619af41984af2f98a46ae7249f2a76c523cd3e67c3c13651b4217229f7b45d743c4fb1e559598370cb8214fa3076c34acb190ac8103e54f1ef

Download Submit
\Users\Admin\AppData\Local\Temp\RarSFX0\merce.exe

Filesize
78KB

MD5
f8b727e03011ec307476de3618e710c8

SHA1
cafcdc4c41380e10846c0aa94edae219181498dc

SHA256
6174e2ead9888152eff065d77adabf5418bda3d3de15f2b7232ea96e0bdf5a4d

SHA512
380ae6d6391179b1ebfab6cd357056f4b042c53726a4da5891aa33e431cea6f26fa80d6b2bced10bf1bcaaf39be02302526ad44a4ecc00346b4f3c525bddeebb

Download Submit
memory/2024-4-0x0000000002250000-0x0000000002252000-memory.dmp

Filesize
8KB

Download
memory/2480-5-0x0000000000090000-0x0000000000092000-memory.dmp

Filesize
8KB

Download
memory/2480-6-0x0000000000220000-0x0000000000221000-memory.dmp

Filesize
4KB

Download
memory/2480-22-0x0000000000220000-0x0000000000221000-memory.dmp

Filesize
4KB

Download
memory/2540-13-0x000000013F340000-0x000000013F358000-memory.dmp

Filesize
96KB

Download
memory/2540-14-0x000007FEF5220000-0x000007FEF5C0C000-memory.dmp

Filesize
9.9MB

Download
memory/2540-16-0x000000001B870000-0x000000001B8F0000-memory.dmp

Filesize
512KB

Download
memory/2540-23-0x000007FEF5220000-0x000007FEF5C0C000-memory.dmp

Filesize
9.9MB

Download
memory/2540-24-0x000000001B870000-0x000000001B8F0000-memory.dmp

Filesize
512KB

Download