discordrat | 363a3e73e2832794741348014d8dc97b3366a937c4439026ea91e9046ff8b6b9

Analysis

max time kernel
131s
max time network
102s
platform
windows10-2004_x64
resource
win10v2004-20240508-en
resource tags

arch:x64arch:x86image:win10v2004-20240508-enlocale:en-usos:windows10-2004-x64system
submitted
31-05-2024 19:28

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

monoware.sfx.exe
Size

775KB
MD5

3c3c25d4381b19bbb2f632c64d3c4e56
SHA1

7b4caba9c26b29241e7eb0741c5f4a9114ccc677
SHA256

363a3e73e2832794741348014d8dc97b3366a937c4439026ea91e9046ff8b6b9
SHA512

cc66c6e21518e5289cf683f574cf9c787152b72e5c51599f35970257372caf5b907d98544fe7b38ed07f71f5be900c3290d8d2b72495ce220856d6f3114053f9
SSDEEP

24576:XuDXTIGaPhEYzUzA0qbRiheyCpN1gbZyAZ:eDjlabwz9WCrONMZ

Score

10^/10

discordrat persistence rat rootkit stealer

Malware Config

Extracted

Family

discordrat

Attributes

discord_token
MTI0NjE3NzQ1MDg3OTA5MDY5OA.GQYQs_.CWWy01exlwJSA5-Ryb8HsR5UWeE5uOF58bPcZs
server_id
1243377281129254984

Signatures

Discord RAT
A RAT written in C# using Discord as a C2.
stealer rootkit rat persistence discordrat

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-3558294865-3673844354-2255444939-1000\Control Panel\International\Geo\Nation	monoware.sfx.exe

Executes dropped EXE 1 IoCs

pid	Process
2884	monoware.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	2884	monoware.exe

Suspicious use of WriteProcessMemory 2 IoCs

description	pid	Process	procid_target
PID 2084 wrote to memory of 2884	2084	monoware.sfx.exe	94
PID 2084 wrote to memory of 2884	2084	monoware.sfx.exe	94

C:\Users\Admin\AppData\Local\Temp\monoware.sfx.exe
"C:\Users\Admin\AppData\Local\Temp\monoware.sfx.exe"
1⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:2084
- C:\Users\Admin\AppData\Local\Temp\RarSFX0\monoware.exe
  "C:\Users\Admin\AppData\Local\Temp\RarSFX0\monoware.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken
  PID:2884

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\RarSFX0\monoware.exe

Filesize
78KB

MD5
8da8b05938831e8e547b60526236ece7

SHA1
c27806eed416f8676548d89aa0207d028f800234

SHA256
aed0081d6aa8fa3b29d155c6bb45e9278b4562102f8d4497a51db56871a74134

SHA512
552e09c36ec48d3117209546e70b1322b929d3f5c59f49af4e66f51c5123230bec766a7315de022027afc0d41920fa7f86f42d82e4f000ac73bab08136221ec6

Download Submit
memory/2884-14-0x000002D6BBA40000-0x000002D6BBA58000-memory.dmp

Filesize
96KB

Download
memory/2884-15-0x00007FFEF7333000-0x00007FFEF7335000-memory.dmp

Filesize
8KB

Download
memory/2884-16-0x000002D6D61B0000-0x000002D6D6372000-memory.dmp

Filesize
1.8MB

Download
memory/2884-17-0x00007FFEF7330000-0x00007FFEF7DF1000-memory.dmp

Filesize
10.8MB

Download
memory/2884-18-0x000002D6D7330000-0x000002D6D7858000-memory.dmp

Filesize
5.2MB

Download
memory/2884-19-0x00007FFEF7330000-0x00007FFEF7DF1000-memory.dmp

Filesize
10.8MB

Download