discordrat | 720f911303c85d3a7aa374a01d3d926d8db0cf4981971fb80651a3e1b021114f

Analysis

max time kernel
122s
max time network
123s
platform
windows7_x64
resource
win7-20240215-en
resource tags

arch:x64arch:x86image:win7-20240215-enlocale:en-usos:windows7-x64system
submitted
29-05-2024 06:37

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

720f911303c85d3a7aa374a01d3d926d8db0cf4981971fb80651a3e1b021114f.exe
Size

456KB
MD5

b1dd06c7737e0f8d7b2b390aa99e7900
SHA1

02e3374698f22818cb73b6736e197aa041ea2506
SHA256

720f911303c85d3a7aa374a01d3d926d8db0cf4981971fb80651a3e1b021114f
SHA512

2156784311f9f8114d6729dd3433dbd1951d13bdc3a89273686039c7a18d626bb7c267dcd459e2c9d6b44065085ae2faeeceb9efa691b8930b972a81a049211d
SSDEEP

6144:JE+yclwQKjdn+WPtYVJIoBfORi4ImOkMhU1YIG/:JBdlwHRn+WlYV+3RojRU1Y7

Score

10^/10

discordrat persistence rat rootkit stealer

Malware Config

Extracted

Family

discordrat

Attributes

discord_token
MTI0MzA2Nzk5NzQ4NTI3MzE3Mg.G6piH7.kZKxc7d4uXnq1WYJp43XerNKVtE4_zPhSDbgkM
server_id
1243088293344841749

Signatures

Discord RAT
A RAT written in C# using Discord as a C2.
stealer rootkit rat persistence discordrat
Executes dropped EXE 1 IoCs

Processes:

Necurity.exe

pid process

2484 Necurity.exe

pid	process
2484	Necurity.exe

Loads dropped DLL 6 IoCs

Processes:

720f911303c85d3a7aa374a01d3d926d8db0cf4981971fb80651a3e1b021114f.exeWerFault.exe

pid	process
2220	720f911303c85d3a7aa374a01d3d926d8db0cf4981971fb80651a3e1b021114f.exe
2404	WerFault.exe
2404	WerFault.exe
2404	WerFault.exe
2404	WerFault.exe
2404	WerFault.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082
Suspicious use of FindShellTrayWindow 1 IoCs

Processes:

DllHost.exe

pid process

2216 DllHost.exe

pid	process
2216	DllHost.exe

Suspicious use of WriteProcessMemory 7 IoCs

Processes:

720f911303c85d3a7aa374a01d3d926d8db0cf4981971fb80651a3e1b021114f.exeNecurity.exe

description	pid	process	target process
PID 2220 wrote to memory of 2484	2220	720f911303c85d3a7aa374a01d3d926d8db0cf4981971fb80651a3e1b021114f.exe	Necurity.exe
PID 2220 wrote to memory of 2484	2220	720f911303c85d3a7aa374a01d3d926d8db0cf4981971fb80651a3e1b021114f.exe	Necurity.exe
PID 2220 wrote to memory of 2484	2220	720f911303c85d3a7aa374a01d3d926d8db0cf4981971fb80651a3e1b021114f.exe	Necurity.exe
PID 2220 wrote to memory of 2484	2220	720f911303c85d3a7aa374a01d3d926d8db0cf4981971fb80651a3e1b021114f.exe	Necurity.exe
PID 2484 wrote to memory of 2404	2484	Necurity.exe	WerFault.exe
PID 2484 wrote to memory of 2404	2484	Necurity.exe	WerFault.exe
PID 2484 wrote to memory of 2404	2484	Necurity.exe	WerFault.exe

C:\Users\Admin\AppData\Local\Temp\720f911303c85d3a7aa374a01d3d926d8db0cf4981971fb80651a3e1b021114f.exe
"C:\Users\Admin\AppData\Local\Temp\720f911303c85d3a7aa374a01d3d926d8db0cf4981971fb80651a3e1b021114f.exe"
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2220

C:\Users\Admin\AppData\Local\Temp\Necurity.exe
"C:\Users\Admin\AppData\Local\Temp\Necurity.exe"
2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2484

C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -u -p 2484 -s 596
3⤵
- Loads dropped DLL
PID:2404

C:\Windows\SysWOW64\DllHost.exe
C:\Windows\SysWOW64\DllHost.exe /Processid:{76D0CB12-7604-4048-B83C-1005C7DDC503}
1⤵
- Suspicious use of FindShellTrayWindow
PID:2216

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\necurity.png

Filesize
4KB

MD5
5eb37c011ce35222ae21a559968b49ac

SHA1
69b03f51b8cee870d2d8c07eb0564737bb65532b

SHA256
af8a484b863eda12986799261d0edbfdc28edb9fbe72fd25b1ef2bec08c93aac

SHA512
79d09e40e41475d44d3aa690afeaa4fe9b1b951a43eed87f1e074a9524f596fc7b97de06cd6d9cfbb24e0983e4f75433c24965a9d7ebea8736ecc3f776260fb0

Download Submit
\Users\Admin\AppData\Local\Temp\Necurity.exe

Filesize
78KB

MD5
1697f0e2cb9b4ea2c0b061f5f5a09748

SHA1
c52c7bbd38cf30e996650756e0208c9a7e293c9e

SHA256
8788dcec9f8eab91e3b27aec2a8fde1981977e2f78cfa208635639229c78f6cd

SHA512
9abb578800122c2d997fb899f944c89f3e3c811e3cde2a6de125dfaf7ddc359140d42bfce965c4d00c9e3f1a3aea201741a5a9688ca24458b1f865a521e3c65c

Download Submit
memory/2216-5-0x0000000000190000-0x0000000000192000-memory.dmp

Filesize
8KB

Download
memory/2216-6-0x0000000001B60000-0x0000000001B61000-memory.dmp

Filesize
4KB

Download
memory/2216-20-0x0000000001B60000-0x0000000001B61000-memory.dmp

Filesize
4KB

Download
memory/2220-4-0x00000000009B0000-0x00000000009B2000-memory.dmp

Filesize
8KB

Download
memory/2484-13-0x000000013F180000-0x000000013F198000-memory.dmp

Filesize
96KB

Download