discordrat | 0254f150e1cdc3d3eaed66f447d504546f373bfcc859bd734318cc591396af3b

Analysis

max time kernel
72s
max time network
80s
platform
windows10-1703_x64
resource
win10-20240404-en
resource tags

arch:x64arch:x86image:win10-20240404-enlocale:en-usos:windows10-1703-x64system
submitted
26-05-2024 12:39

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

AVRgpj.exe
Size

297KB
MD5

dbd179cc8f595d2dcd06ce5f311e1e24
SHA1

479d4a7ad52dc0f6c58af549fcc923597cbc37e0
SHA256

0254f150e1cdc3d3eaed66f447d504546f373bfcc859bd734318cc591396af3b
SHA512

5c9bed345d476d80892a58054cebf814c298bb7a61ad097ece8b75deb9b85004c452c63fca1c0047e00e96650beecf905c513dfeb43ccc0a2ec4261268fb292a
SSDEEP

6144:jIIcrXQ4S33w614mazUBHfSdocWYD24Oa6H8DnJanjrEKBjkX:NcrNS33L10QdrXjR8DnJwjrFaX

Score

10^/10

discordrat persistence rat rootkit stealer

Malware Config

Extracted

Family

discordrat

Attributes

discord_token
MTI0NDI2MjA4MDQ2NzQzOTY4OQ.GEmRlk.y7FwMWQJO6hXjnP2izfKreLqlEjH5raquqQ4R0
server_id
1241111187761004696

Signatures

Discord RAT
A RAT written in C# using Discord as a C2.
stealer rootkit rat persistence discordrat
Executes dropped EXE 1 IoCs

Processes:

av.exe

pid process

4480 av.exe
Legitimate hosting services abused for malware hosting/C2 1 TTPs 3 IoCs

Web Service
T1102

Processes:

flow ioc

9 discord.com
5 discord.com
6 discord.com
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082
Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes:

av.exe

description pid process

Token: SeDebugPrivilege 4480 av.exe
Suspicious use of WriteProcessMemory 2 IoCs

Processes:

AVRgpj.exe

description pid process target process

PID 2988 wrote to memory of 4480 2988 AVRgpj.exe av.exe
PID 2988 wrote to memory of 4480 2988 AVRgpj.exe av.exe

pid	process
4480	av.exe

flow	ioc
9	discord.com
5	discord.com
6	discord.com

description	pid	process
Token: SeDebugPrivilege	4480	av.exe

description	pid	process	target process
PID 2988 wrote to memory of 4480	2988	AVRgpj.exe	av.exe
PID 2988 wrote to memory of 4480	2988	AVRgpj.exe	av.exe

C:\Users\Admin\AppData\Local\Temp\AVRgpj.exe
"C:\Users\Admin\AppData\Local\Temp\AVRgpj.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:2988

C:\Users\Admin\AppData\Local\Temp\RarSFX0\av.exe
"C:\Users\Admin\AppData\Local\Temp\RarSFX0\av.exe"
2⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:4480

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\RarSFX0\av.exe

Filesize
78KB

MD5
b62264f264fac36f1155abb7a2605c48

SHA1
d247059a5cde478128840949e7d7c421730ab56c

SHA256
072dde2a673c6bf2867464fd96894e5c906eebb0e2716cd6538a2066b49df849

SHA512
7259632249fc4776dd619cc75c289417d9d0571c08aa61031b2ebacfde6241d1264ca1fcd96b7eb3d16456e908cd150adda54ded10f3830507fc0e6858e97f75

Download Submit
memory/4480-6-0x00007FFA72F73000-0x00007FFA72F74000-memory.dmp

Filesize
4KB

Download
memory/4480-7-0x0000017919620000-0x0000017919638000-memory.dmp

Filesize
96KB

Download
memory/4480-8-0x0000017933D00000-0x0000017933EC2000-memory.dmp

Filesize
1.8MB

Download
memory/4480-9-0x00007FFA72F70000-0x00007FFA7395C000-memory.dmp

Filesize
9.9MB

Download
memory/4480-10-0x0000017934400000-0x0000017934926000-memory.dmp

Filesize
5.1MB

Download
memory/4480-11-0x00007FFA72F73000-0x00007FFA72F74000-memory.dmp

Filesize
4KB

Download
memory/4480-12-0x00007FFA72F70000-0x00007FFA7395C000-memory.dmp

Filesize
9.9MB

Download