discordrat | 76629cc6ae5d1de771cf074cee28eb1b7e5ce236061a19f76fee039ac8f4d81d

Analysis

max time kernel
122s
max time network
123s
platform
windows7_x64
resource
win7-20240508-en
resource tags

arch:x64arch:x86image:win7-20240508-enlocale:en-usos:windows7-x64system
submitted
21-05-2024 11:26

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

Kinito_horror.exe
Size

536KB
MD5

ad96c8a2754e9842815afb1cfdb13581
SHA1

422d8a2a47975ca27ae9824a99e438d4e28ece68
SHA256

76629cc6ae5d1de771cf074cee28eb1b7e5ce236061a19f76fee039ac8f4d81d
SHA512

f4250022659705cb7e75530af1ec64f732942bc3db305d5e3e716eda61cfd8308ee2ca0d89b499696b8e7e2bdf8edae7b1e87387dfdc8dcd210eb9485efb70a8
SSDEEP

12288:fyveQB/fTHIGaPkKEYzURNA/bAg81p46UKXZlyyijD:fuDXTIGaPhEYzUzATqnxXRijD

Score

10^/10

discordrat persistence rat rootkit stealer

Malware Config

Extracted

Family

discordrat

Attributes

discord_token
MTI0MDA4ODk5MTQwODE5MzYyOA.GRW5NI.uFPBjoMjH0IQ-FgxpiJSv246Xes3LsI1_5H1Y8
server_id
1239434854953648229

Signatures

Discord RAT
A RAT written in C# using Discord as a C2.
stealer rootkit rat persistence discordrat
Executes dropped EXE 1 IoCs

Processes:

test.exe

pid process

2736 test.exe
Loads dropped DLL 6 IoCs

Processes:

Kinito_horror.exeWerFault.exe

pid process

1936 Kinito_horror.exe
2872 WerFault.exe
2872 WerFault.exe
2872 WerFault.exe
2872 WerFault.exe
2872 WerFault.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

pid	process
2736	test.exe

pid	process
1936	Kinito_horror.exe
2872	WerFault.exe
2872	WerFault.exe
2872	WerFault.exe
2872	WerFault.exe
2872	WerFault.exe

Suspicious use of WriteProcessMemory 9 IoCs

Processes:

Kinito_horror.exetest.exe

description	pid	process	target process
PID 1936 wrote to memory of 2736	1936	Kinito_horror.exe	test.exe
PID 1936 wrote to memory of 2736	1936	Kinito_horror.exe	test.exe
PID 1936 wrote to memory of 2736	1936	Kinito_horror.exe	test.exe
PID 2736 wrote to memory of 2872	2736	test.exe	WerFault.exe
PID 2736 wrote to memory of 2872	2736	test.exe	WerFault.exe
PID 2736 wrote to memory of 2872	2736	test.exe	WerFault.exe
PID 1936 wrote to memory of 3008	1936	Kinito_horror.exe	WScript.exe
PID 1936 wrote to memory of 3008	1936	Kinito_horror.exe	WScript.exe
PID 1936 wrote to memory of 3008	1936	Kinito_horror.exe	WScript.exe

C:\Users\Admin\AppData\Local\Temp\Kinito_horror.exe
"C:\Users\Admin\AppData\Local\Temp\Kinito_horror.exe"
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1936

C:\Users\Admin\AppData\Local\Temp\RarSFX0\test.exe
"C:\Users\Admin\AppData\Local\Temp\RarSFX0\test.exe"
2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2736

C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -u -p 2736 -s 596
3⤵
- Loads dropped DLL
PID:2872

C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\RarSFX0\message.vbs"
2⤵
PID:3008

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\RarSFX0\message.vbs

Filesize
85B

MD5
0a1ad62f6ca61c35292fbb6a6ba92012

SHA1
a197804ef65d506aae02ee680ac0efa24b40b93d

SHA256
872a5050ddab629a34445e745086a43ab4d293a8ca5d1062b6a066352c678cc4

SHA512
e55cfcb712a564053cd3d831a6b5c1105411cee1f0986c02badd73ecb603fdd2c5bd46aae5d601145c08c41e05f9da7250aecbe4574c5a505511a87e56ce6d34

Download Submit
\Users\Admin\AppData\Local\Temp\RarSFX0\test.exe

Filesize
78KB

MD5
ae9c47b621a083a0b0681b7aa9530946

SHA1
6cdd316cb5b2869927b42597b25cf7d495d5f9a4

SHA256
aa3727520be4bc19a78da7f575a9dcc93c0b5c2743725300f942e7dee2eaa3b1

SHA512
ae6330429bb9bc21709162296de375a79f5b8b89b3f4b58a5da12737b2fe0b44570e5eaab8fbb92ce190600fb1fc2a5f91fa425a719d8363a481d99f173bb109

Download Submit
memory/2736-10-0x000007FEF52E3000-0x000007FEF52E4000-memory.dmp

Filesize
4KB

Download
memory/2736-11-0x000000013F7C0000-0x000000013F7D8000-memory.dmp

Filesize
96KB

Download
memory/2736-16-0x000007FEF52E0000-0x000007FEF5CCC000-memory.dmp

Filesize
9.9MB

Download
memory/2736-18-0x000007FEF52E3000-0x000007FEF52E4000-memory.dmp

Filesize
4KB

Download
memory/2736-19-0x000007FEF52E0000-0x000007FEF5CCC000-memory.dmp

Filesize
9.9MB

Download