discordrat | 4d456bc174e4726c8da7186cf48de99f2604544af91d8b5aeaa3fbcafdeb6c26

General

Target

leokadia film/leosia s‮4pm.exe
Size

1.1MB
MD5

3d988d51bb78c7f05d1d9d621704bd8b
SHA1

63d9eb61ef9c3a8c06e551651b8ad191f5cbe5a6
SHA256

f9c95d44186d306f43e7c7b0be319d9feaba04226ce016b56949916c5185c007
SHA512

c6ccf1423ab8bb6821521810b1247b288bb27dd00047a9deb5dc81be215a9a70f41bc44efce93638056e3a20b9f6efa2b552dae0b2483b613d5302bbcad25a62
SSDEEP

24576:9uDXTIGaPhEYzUzA0x4w0LzbUNfGL4w0LzbUNHFMkcY4VV+XqyPJcOtk3MrS6y:gDjlabwz9Wvb8vbgFxcYZXfX+kS6y

Score

10^/10

discordrat persistence rat rootkit stealer

Malware Config

Extracted

Family

discordrat

Attributes

discord_token
MTI0MzY3MDczMTU5MDcyOTc5OQ.G25Fr1.zUYZMU8iXioqif_5Uws8Eat0XjMaXMVbm9OT_0
server_id
1243671022599802944

Signatures

Discord RAT
A RAT written in C# using Discord as a C2.
stealer rootkit rat persistence discordrat

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-3571316656-3665257725-2415531812-1000\Control Panel\International\Geo\Nation	leosia s‮4pm.exe

Executes dropped EXE 1 IoCs

pid	Process
3284	Client-built.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs 5 IoCs

Web Service

T1102

flow	ioc
43	discord.com
13	discord.com
16	discord.com
21	discord.com
42	discord.com

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Modifies registry class 1 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-3571316656-3665257725-2415531812-1000_Classes\Local Settings	leosia s‮4pm.exe

Suspicious behavior: AddClipboardFormatListener 1 IoCs

pid	Process
3060	vlc.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
3060	vlc.exe

Suspicious use of AdjustPrivilegeToken 5 IoCs

description	pid	Process
Token: SeDebugPrivilege	3284	Client-built.exe
Token: 33	2740	AUDIODG.EXE
Token: SeIncBasePriorityPrivilege	2740	AUDIODG.EXE
Token: 33	3060	vlc.exe
Token: SeIncBasePriorityPrivilege	3060	vlc.exe

Suspicious use of FindShellTrayWindow 27 IoCs

pid	Process
3060	vlc.exe
3060	vlc.exe
3060	vlc.exe
3060	vlc.exe
3060	vlc.exe
3060	vlc.exe
3060	vlc.exe
3060	vlc.exe
3060	vlc.exe
3060	vlc.exe
3060	vlc.exe
3060	vlc.exe
3060	vlc.exe
3060	vlc.exe
3060	vlc.exe
3060	vlc.exe
3060	vlc.exe
3060	vlc.exe
3060	vlc.exe
3060	vlc.exe
3060	vlc.exe
3060	vlc.exe
3060	vlc.exe
3060	vlc.exe
3060	vlc.exe
3060	vlc.exe
3060	vlc.exe

Suspicious use of SendNotifyMessage 8 IoCs

pid	Process
3060	vlc.exe
3060	vlc.exe
3060	vlc.exe
3060	vlc.exe
3060	vlc.exe
3060	vlc.exe
3060	vlc.exe
3060	vlc.exe

Suspicious use of SetWindowsHookEx 4 IoCs

pid	Process
3060	vlc.exe
3060	vlc.exe
3060	vlc.exe
3060	vlc.exe

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 1248 wrote to memory of 3284	1248	leosia s‮4pm.exe	82
PID 1248 wrote to memory of 3284	1248	leosia s‮4pm.exe	82
PID 1248 wrote to memory of 3060	1248	leosia s‮4pm.exe	84
PID 1248 wrote to memory of 3060	1248	leosia s‮4pm.exe	84

C:\Users\Admin\AppData\Local\Temp\leokadia film\leosia s‮4pm.exe
"C:\Users\Admin\AppData\Local\Temp\leokadia film\leosia s‮4pm.exe"
1⤵
- Checks computer location settings
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:1248
- C:\Users\Admin\AppData\Local\Temp\leokadia film\Client-built.exe
  "C:\Users\Admin\AppData\Local\Temp\leokadia film\Client-built.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken
  PID:3284
- C:\Program Files\VideoLAN\VLC\vlc.exe
  "C:\Program Files\VideoLAN\VLC\vlc.exe" --started-from-file "C:\Users\Admin\AppData\Local\Temp\leokadia film\leokadia.mp4"
  2⤵
  - Suspicious behavior: AddClipboardFormatListener
  - Suspicious behavior: GetForegroundWindowSpam
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  - Suspicious use of SetWindowsHookEx
  PID:3060

C:\Windows\system32\AUDIODG.EXE
C:\Windows\system32\AUDIODG.EXE 0x514 0x2fc
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:2740

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

Lateral Movement

Collection

Command and Control

Web Service

1

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\leokadia film\Client-built.exe

Filesize
78KB

MD5
2a562de28a4a276c5fd1496b298bf78c

SHA1
fa9be444f9dd748c9e244f9590e210322d619127

SHA256
cf49718a7221223c4ac270b07f1775f82424a2edda1788fa47a743249c9ebe1b

SHA512
28aede7a8c9572a5f1d68ff32b7fe4a47c8382f958f71df6cf5425e5e4ecc015c321b697334790b5f0615455761ace07854213dff0d1c3536c3ebeea5a851d59

Download Submit
C:\Users\Admin\AppData\Local\Temp\leokadia film\leokadia.mp4

Filesize
470KB

MD5
1e98d436a0b9f09aa3944e545ec8764d

SHA1
f9c1aa370097c6849349d2453419e19be2e48eac

SHA256
04d524c0b369b29199bb956576c18be7933ad25db9a836e205d48850fb664fdb

SHA512
387fa769d3f8c78efc36a76eb464dd548e4c7acd0e46eeacc2c324f343773e976d7aca18cb0b16379f5cb2a06def9f09fbe80d038a001d688b2d4321999b95d2

Download Submit
memory/3060-47-0x00007FFF35510000-0x00007FFF35521000-memory.dmp

Filesize
68KB

Download
memory/3060-89-0x0000018866CE0000-0x0000018867D90000-memory.dmp

Filesize
16.7MB

Download
memory/3060-46-0x00007FFF36840000-0x00007FFF36851000-memory.dmp

Filesize
68KB

Download
memory/3060-49-0x0000018866CE0000-0x0000018867D90000-memory.dmp

Filesize
16.7MB

Download
memory/3060-34-0x00007FFF370F0000-0x00007FFF37108000-memory.dmp

Filesize
96KB

Download
memory/3060-32-0x00007FFF36A40000-0x00007FFF36A74000-memory.dmp

Filesize
208KB

Download
memory/3060-31-0x00007FF6137A0000-0x00007FF613898000-memory.dmp

Filesize
992KB

Download
memory/3060-40-0x00007FFF37420000-0x00007FFF37431000-memory.dmp

Filesize
68KB

Download
memory/3060-39-0x00007FFF3D410000-0x00007FFF3D42D000-memory.dmp

Filesize
116KB

Download
memory/3060-38-0x00007FFF3D530000-0x00007FFF3D541000-memory.dmp

Filesize
68KB

Download
memory/3060-37-0x00007FFF37090000-0x00007FFF370A7000-memory.dmp

Filesize
92KB

Download
memory/3060-48-0x00007FFF2DF40000-0x00007FFF2DF5B000-memory.dmp

Filesize
108KB

Download
memory/3060-45-0x00007FFF36900000-0x00007FFF36911000-memory.dmp

Filesize
68KB

Download
memory/3060-36-0x00007FFF370B0000-0x00007FFF370C1000-memory.dmp

Filesize
68KB

Download
memory/3060-35-0x00007FFF370D0000-0x00007FFF370E7000-memory.dmp

Filesize
92KB

Download
memory/3060-33-0x00007FFF23A10000-0x00007FFF23CC6000-memory.dmp

Filesize
2.7MB

Download
memory/3060-44-0x00007FFF36FD0000-0x00007FFF36FE8000-memory.dmp

Filesize
96KB

Download
memory/3060-43-0x00007FFF373F0000-0x00007FFF37411000-memory.dmp

Filesize
132KB

Download
memory/3060-42-0x00007FFF2E5D0000-0x00007FFF2E611000-memory.dmp

Filesize
260KB

Download
memory/3060-41-0x00007FFF25ED0000-0x00007FFF260DB000-memory.dmp

Filesize
2.0MB

Download
memory/3284-19-0x000002734E070000-0x000002734E232000-memory.dmp

Filesize
1.8MB

Download
memory/3284-20-0x00007FFF45CB0000-0x00007FFF45EA5000-memory.dmp

Filesize
2.0MB

Download
memory/3284-25-0x000002734E870000-0x000002734ED98000-memory.dmp

Filesize
5.2MB

Download
memory/3284-23-0x00007FFF45CB0000-0x00007FFF45EA5000-memory.dmp

Filesize
2.0MB

Download
memory/3284-69-0x00007FFF45CB0000-0x00007FFF45EA5000-memory.dmp

Filesize
2.0MB

Download
memory/3284-70-0x00007FFF45CB0000-0x00007FFF45EA5000-memory.dmp

Filesize
2.0MB

Download
memory/3284-16-0x00000273339D0000-0x00000273339E8000-memory.dmp

Filesize
96KB

Download

Analysis

Sharing