discordrat | 8cc512bb06d9e61f5f6b35a5d9df7fc185bd03989213097123f2484ce56acf5d

Analysis

max time kernel
117s
max time network
117s
platform
windows7_x64
resource
win7-20240508-en
resource tags

arch:x64arch:x86image:win7-20240508-enlocale:en-usos:windows7-x64system
submitted
26-05-2024 19:34

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

Supra‮gpj.exe
Size

582KB
MD5

bca697f38134aaccd4c12c627a485cd4
SHA1

946ce90fe6191b15bd76d2908a50a3590778ce3f
SHA256

8cc512bb06d9e61f5f6b35a5d9df7fc185bd03989213097123f2484ce56acf5d
SHA512

ee44d0c84d3a377c954f9abd6d1b8047e3bebcf2da0b9f638898e76af1978c9b50cfeea11753a2e1f5358042b995527def12cff2447fafe6f4ebca1b3c554494
SSDEEP

12288:9CQjgAtAHM+vetZxF5EWry8AJGy0yWphU0Km1pmylo3jwE:95ZWs+OZVEWry8AFBB0L+0E

Score

10^/10

discordrat persistence rat rootkit stealer

Malware Config

Extracted

Family

discordrat

Attributes

discord_token
MTI0NDM2Nzk4MjY3OTk0OTMyMg.Gv6eq-.Uq2lfr6CoxdEIxVy6jaTNSsvh2dmcKyuVrJL9k
server_id
1242477718638170204

Signatures

Discord RAT
A RAT written in C# using Discord as a C2.
stealer rootkit rat persistence discordrat

Executes dropped EXE 1 IoCs

pid	Process
2776	Client-built.exe

Loads dropped DLL 6 IoCs

pid	Process
3016	Supra‮gpj.exe
2804	WerFault.exe
2804	WerFault.exe
2804	WerFault.exe
2804	WerFault.exe
2804	WerFault.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious use of WriteProcessMemory 6 IoCs

description	pid	Process	procid_target
PID 3016 wrote to memory of 2776	3016	Supra‮gpj.exe	29
PID 3016 wrote to memory of 2776	3016	Supra‮gpj.exe	29
PID 3016 wrote to memory of 2776	3016	Supra‮gpj.exe	29
PID 2776 wrote to memory of 2804	2776	Client-built.exe	30
PID 2776 wrote to memory of 2804	2776	Client-built.exe	30
PID 2776 wrote to memory of 2804	2776	Client-built.exe	30

C:\Users\Admin\AppData\Local\Temp\Supra‮gpj.exe
"C:\Users\Admin\AppData\Local\Temp\Supra‮gpj.exe"
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:3016
- C:\Users\Admin\AppData\Local\Temp\RarSFX0\Client-built.exe
  "C:\Users\Admin\AppData\Local\Temp\RarSFX0\Client-built.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
  PID:2776
- - C:\Windows\system32\WerFault.exe
    C:\Windows\system32\WerFault.exe -u -p 2776 -s 596
    3⤵
    - Loads dropped DLL
    PID:2804

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

\Users\Admin\AppData\Local\Temp\RarSFX0\Client-built.exe

Filesize
78KB

MD5
c9f6d0a2a978429bff3496d993339f06

SHA1
58cf521791e969f1edecaf0e1e15fe8467e8205d

SHA256
b1017a29cab062a104a5b946fbc23057738e7227289e1cf115cf82d9257e17b1

SHA512
71bbf11f06faaf4fb355e33fd88923f02e7f25a7da667f5d4b620e697c9f072e8a34e3c0c745858d6b17dcb85e01a6c5962e98cbdd7097d0a442141470c02304

Download Submit
memory/2776-11-0x000007FEF5223000-0x000007FEF5224000-memory.dmp

Filesize
4KB

Download
memory/2776-12-0x000000013FD00000-0x000000013FD18000-memory.dmp

Filesize
96KB

Download
memory/2776-17-0x000007FEF5220000-0x000007FEF5C0C000-memory.dmp

Filesize
9.9MB

Download
memory/2776-19-0x000007FEF5223000-0x000007FEF5224000-memory.dmp

Filesize
4KB

Download
memory/2776-20-0x000007FEF5220000-0x000007FEF5C0C000-memory.dmp

Filesize
9.9MB

Download
memory/2776-21-0x000007FEF5220000-0x000007FEF5C0C000-memory.dmp

Filesize
9.9MB

Download
memory/3016-4-0x0000000002460000-0x0000000002470000-memory.dmp

Filesize
64KB

Download