Malware Analysis Report

2024-09-11 09:24

Sample ID 240526-nhs91sge5x
Target a3402ffe42ea57750ad44efb32044bcd39c170681bac3ad035ef8d0d31659132
SHA256 a3402ffe42ea57750ad44efb32044bcd39c170681bac3ad035ef8d0d31659132
Tags
discordrat persistence rat rootkit stealer
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK Matrix

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

a3402ffe42ea57750ad44efb32044bcd39c170681bac3ad035ef8d0d31659132

Threat Level: Known bad

The file a3402ffe42ea57750ad44efb32044bcd39c170681bac3ad035ef8d0d31659132 was found to be: Known bad.

Malicious Activity Summary

discordrat persistence rat rootkit stealer

Discord RAT

Checks computer location settings

Executes dropped EXE

Loads dropped DLL

Legitimate hosting services abused for malware hosting/C2

Enumerates physical storage devices

Unsigned PE

Suspicious use of WriteProcessMemory

Suspicious use of AdjustPrivilegeToken

Suspicious use of FindShellTrayWindow

MITRE ATT&CK Matrix V13

Initial Access
TA0001
Execution
TA0002
Persistence
TA0003
Privilege Escalation
TA0004
Defense Evasion
TA0005
Credential Access
TA0006
Discovery
TA0007
Query Registry
T1012
System Information Discovery
T1082
Lateral Movement
TA0008
Collection
TA0009
Exfiltration
TA0010
Command and Control
TA0011
Web Service
T1102
Impact
TA0040
Resource Development
TA0042
Reconnaissance
TA0043

Analysis: static1

Detonation Overview

Reported

2024-05-26 11:24

Signatures

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral2

Detonation Overview

Submitted

2024-05-26 11:24

Reported

2024-05-26 11:26

Platform

win10v2004-20240508-en

Max time kernel

134s

Max time network

133s

Command Line

"C:\Users\Admin\AppData\Local\Temp\a3402ffe42ea57750ad44efb32044bcd39c170681bac3ad035ef8d0d31659132.exe"

Signatures

Discord RAT

stealer rootkit rat persistence discordrat

Checks computer location settings

Description Indicator Process Target
Key value queried \REGISTRY\USER\S-1-5-21-2804150937-2146708401-419095071-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\a3402ffe42ea57750ad44efb32044bcd39c170681bac3ad035ef8d0d31659132.exe N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\RarSFX0\backdoor.exe N/A

Legitimate hosting services abused for malware hosting/C2

Description Indicator Process Target
N/A discord.com N/A N/A
N/A discord.com N/A N/A
N/A discord.com N/A N/A

Enumerates physical storage devices

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\RarSFX0\backdoor.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 1564 wrote to memory of 4228 N/A C:\Users\Admin\AppData\Local\Temp\a3402ffe42ea57750ad44efb32044bcd39c170681bac3ad035ef8d0d31659132.exe C:\Users\Admin\AppData\Local\Temp\RarSFX0\backdoor.exe
PID 1564 wrote to memory of 4228 N/A C:\Users\Admin\AppData\Local\Temp\a3402ffe42ea57750ad44efb32044bcd39c170681bac3ad035ef8d0d31659132.exe C:\Users\Admin\AppData\Local\Temp\RarSFX0\backdoor.exe

Processes

C:\Users\Admin\AppData\Local\Temp\a3402ffe42ea57750ad44efb32044bcd39c170681bac3ad035ef8d0d31659132.exe

"C:\Users\Admin\AppData\Local\Temp\a3402ffe42ea57750ad44efb32044bcd39c170681bac3ad035ef8d0d31659132.exe"

C:\Users\Admin\AppData\Local\Temp\RarSFX0\backdoor.exe

"C:\Users\Admin\AppData\Local\Temp\RarSFX0\backdoor.exe"

Network

Country Destination Domain Proto
US 8.8.8.8:53 58.55.71.13.in-addr.arpa udp
US 8.8.8.8:53 g.bing.com udp
US 204.79.197.237:443 g.bing.com tcp
US 8.8.8.8:53 72.32.126.40.in-addr.arpa udp
US 8.8.8.8:53 91.90.14.23.in-addr.arpa udp
NL 23.62.61.194:443 www.bing.com tcp
US 8.8.8.8:53 194.61.62.23.in-addr.arpa udp
US 8.8.8.8:53 237.197.79.204.in-addr.arpa udp
NL 23.62.61.194:443 www.bing.com tcp
US 8.8.8.8:53 26.35.223.20.in-addr.arpa udp
US 8.8.8.8:53 gateway.discord.gg udp
US 162.159.130.234:443 gateway.discord.gg tcp
US 8.8.8.8:53 234.130.159.162.in-addr.arpa udp
US 8.8.8.8:53 discord.com udp
US 162.159.137.232:443 discord.com tcp
US 8.8.8.8:53 geolocation-db.com udp
DE 159.89.102.253:443 geolocation-db.com tcp
US 162.159.137.232:443 discord.com tcp
US 8.8.8.8:53 232.137.159.162.in-addr.arpa udp
US 8.8.8.8:53 253.102.89.159.in-addr.arpa udp
US 8.8.8.8:53 149.220.183.52.in-addr.arpa udp
US 8.8.8.8:53 26.165.165.52.in-addr.arpa udp
US 8.8.8.8:53 198.187.3.20.in-addr.arpa udp
US 8.8.8.8:53 82.90.14.23.in-addr.arpa udp
US 8.8.8.8:53 88.156.103.20.in-addr.arpa udp
US 8.8.8.8:53 43.229.111.52.in-addr.arpa udp
US 8.8.8.8:53 tse1.mm.bing.net udp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 8.8.8.8:53 55.36.223.20.in-addr.arpa udp

Files

C:\Users\Admin\AppData\Local\Temp\RarSFX0\backdoor.exe

MD5 a7e614f76e323a38fac45a85d5edaa0b
SHA1 90258c164b2da8cc44d0e1a02583c8559f94d57f
SHA256 5900b6bc03b7829150eb05de0053a0aa4d0f1cf1b57f11018eb23848132e8c7a
SHA512 ff7d4810de033e8ab2f75901d8b4306e84814ed73946fe26d50940d04948633367468bdadda80e2eea1465401314f19d2d5f7dabbeeb956a7b2a255567b5e184

memory/4228-14-0x00007FFCA7783000-0x00007FFCA7785000-memory.dmp

memory/4228-15-0x000001479ABE0000-0x000001479ABF8000-memory.dmp

memory/4228-16-0x00000147B53A0000-0x00000147B5562000-memory.dmp

memory/4228-17-0x00007FFCA7780000-0x00007FFCA8241000-memory.dmp

memory/4228-18-0x00000147B5AA0000-0x00000147B5FC8000-memory.dmp

memory/4228-19-0x00007FFCA7783000-0x00007FFCA7785000-memory.dmp

memory/4228-20-0x00007FFCA7780000-0x00007FFCA8241000-memory.dmp

Analysis: behavioral1

Detonation Overview

Submitted

2024-05-26 11:24

Reported

2024-05-26 11:26

Platform

win7-20240508-en

Max time kernel

118s

Max time network

119s

Command Line

"C:\Users\Admin\AppData\Local\Temp\a3402ffe42ea57750ad44efb32044bcd39c170681bac3ad035ef8d0d31659132.exe"

Signatures

Discord RAT

stealer rootkit rat persistence discordrat

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\RarSFX0\backdoor.exe N/A

Loads dropped DLL

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\a3402ffe42ea57750ad44efb32044bcd39c170681bac3ad035ef8d0d31659132.exe N/A
N/A N/A C:\Windows\system32\WerFault.exe N/A
N/A N/A C:\Windows\system32\WerFault.exe N/A
N/A N/A C:\Windows\system32\WerFault.exe N/A
N/A N/A C:\Windows\system32\WerFault.exe N/A
N/A N/A C:\Windows\system32\WerFault.exe N/A

Enumerates physical storage devices

Suspicious use of FindShellTrayWindow

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\DllHost.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 3068 wrote to memory of 2272 N/A C:\Users\Admin\AppData\Local\Temp\a3402ffe42ea57750ad44efb32044bcd39c170681bac3ad035ef8d0d31659132.exe C:\Users\Admin\AppData\Local\Temp\RarSFX0\backdoor.exe
PID 3068 wrote to memory of 2272 N/A C:\Users\Admin\AppData\Local\Temp\a3402ffe42ea57750ad44efb32044bcd39c170681bac3ad035ef8d0d31659132.exe C:\Users\Admin\AppData\Local\Temp\RarSFX0\backdoor.exe
PID 3068 wrote to memory of 2272 N/A C:\Users\Admin\AppData\Local\Temp\a3402ffe42ea57750ad44efb32044bcd39c170681bac3ad035ef8d0d31659132.exe C:\Users\Admin\AppData\Local\Temp\RarSFX0\backdoor.exe
PID 3068 wrote to memory of 2272 N/A C:\Users\Admin\AppData\Local\Temp\a3402ffe42ea57750ad44efb32044bcd39c170681bac3ad035ef8d0d31659132.exe C:\Users\Admin\AppData\Local\Temp\RarSFX0\backdoor.exe
PID 2272 wrote to memory of 2904 N/A C:\Users\Admin\AppData\Local\Temp\RarSFX0\backdoor.exe C:\Windows\system32\WerFault.exe
PID 2272 wrote to memory of 2904 N/A C:\Users\Admin\AppData\Local\Temp\RarSFX0\backdoor.exe C:\Windows\system32\WerFault.exe
PID 2272 wrote to memory of 2904 N/A C:\Users\Admin\AppData\Local\Temp\RarSFX0\backdoor.exe C:\Windows\system32\WerFault.exe

Processes

C:\Users\Admin\AppData\Local\Temp\a3402ffe42ea57750ad44efb32044bcd39c170681bac3ad035ef8d0d31659132.exe

"C:\Users\Admin\AppData\Local\Temp\a3402ffe42ea57750ad44efb32044bcd39c170681bac3ad035ef8d0d31659132.exe"

C:\Windows\SysWOW64\DllHost.exe

C:\Windows\SysWOW64\DllHost.exe /Processid:{76D0CB12-7604-4048-B83C-1005C7DDC503}

C:\Users\Admin\AppData\Local\Temp\RarSFX0\backdoor.exe

"C:\Users\Admin\AppData\Local\Temp\RarSFX0\backdoor.exe"

C:\Windows\system32\WerFault.exe

C:\Windows\system32\WerFault.exe -u -p 2272 -s 596

Network

N/A

Files

memory/3068-4-0x0000000000950000-0x0000000000952000-memory.dmp

memory/2460-5-0x0000000000100000-0x0000000000102000-memory.dmp

memory/2460-6-0x00000000002D0000-0x00000000002D1000-memory.dmp

\Users\Admin\AppData\Local\Temp\RarSFX0\backdoor.exe

MD5 a7e614f76e323a38fac45a85d5edaa0b
SHA1 90258c164b2da8cc44d0e1a02583c8559f94d57f
SHA256 5900b6bc03b7829150eb05de0053a0aa4d0f1cf1b57f11018eb23848132e8c7a
SHA512 ff7d4810de033e8ab2f75901d8b4306e84814ed73946fe26d50940d04948633367468bdadda80e2eea1465401314f19d2d5f7dabbeeb956a7b2a255567b5e184

memory/2272-13-0x000000013F980000-0x000000013F998000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\RarSFX0\art.jpg

MD5 ac31fc8c103f1266ee1a3edf69fa87f5
SHA1 20e2b74440d590e10b5073e0f010c0077086d912
SHA256 3bd843dae0143aee1c796499a3bfc50711a7f61e5f9fbfa5d0fe656e9b973332
SHA512 fc8a8e783e2cf4b7a8ddab5e16471a79e1750f4701364f94e5d0884ceb651b02a56ed69b59a0c182b8d494d0af26c4d15b9b64bec353969c40810bf43fbe005b

memory/2460-20-0x00000000002D0000-0x00000000002D1000-memory.dmp