discordrat | 56c4d335ac7734b3fcc93e70dc43216d571cfd52117ebda2dd5dae7d070a5d9c

Analysis

max time kernel
120s
max time network
125s
platform
windows7_x64
resource
win7-20240221-en
resource tags

arch:x64arch:x86image:win7-20240221-enlocale:en-usos:windows7-x64system
submitted
05-06-2024 17:57

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

RobloxAdminPanelNewLeakedgpj.exe
Size

376KB
MD5

211bd65a74765df0e85a8eedbc2e98c2
SHA1

d68318a9a00483d49f34d5a3573cf981308aa31f
SHA256

56c4d335ac7734b3fcc93e70dc43216d571cfd52117ebda2dd5dae7d070a5d9c
SHA512

0ef222608495c1eefb4a786663542c73c9c3a5160e7b73e678a0bdbea9824985ab4bd4d3f64fa0cb8a71b89c7e07f378a45851d79318b6f523f41fa61a58ebc7
SSDEEP

6144:PE+yclwQKjdn+WPtYVJIoBfYrkhFR1ahrG5/+ZErz:PBdlwHRn+WlYV+5rkhFR18rG5H

Score

10^/10

discordrat persistence rat rootkit stealer

Malware Config

Extracted

Family

discordrat

Attributes

discord_token
MTI0NzYwNjA2ODE3NTk2MjEzMw.G3Bv2h.Oi-mmhg6ZK_uTFZKjQiDOwr-wcEm-Hq0xizKtQ
server_id
1247606720864321577

Signatures

Discord RAT
A RAT written in C# using Discord as a C2.
stealer rootkit rat persistence discordrat
Executes dropped EXE 1 IoCs

Processes:

backdoor.exe

pid process

2520 backdoor.exe
Loads dropped DLL 6 IoCs

Processes:

RobloxAdminPanelNewLeakedgpj.exeWerFault.exe

pid process

2660 RobloxAdminPanelNewLeakedgpj.exe
2548 WerFault.exe
2548 WerFault.exe
2548 WerFault.exe
2548 WerFault.exe
2548 WerFault.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082
Suspicious use of FindShellTrayWindow 1 IoCs

Processes:

DllHost.exe

pid process

2632 DllHost.exe

pid	process
2520	backdoor.exe

pid	process
2660	RobloxAdminPanelNewLeakedgpj.exe
2548	WerFault.exe
2548	WerFault.exe
2548	WerFault.exe
2548	WerFault.exe
2548	WerFault.exe

pid	process
2632	DllHost.exe

Suspicious use of WriteProcessMemory 7 IoCs

Processes:

RobloxAdminPanelNewLeakedgpj.exebackdoor.exe

description	pid	process	target process
PID 2660 wrote to memory of 2520	2660	RobloxAdminPanelNewLeakedgpj.exe	backdoor.exe
PID 2660 wrote to memory of 2520	2660	RobloxAdminPanelNewLeakedgpj.exe	backdoor.exe
PID 2660 wrote to memory of 2520	2660	RobloxAdminPanelNewLeakedgpj.exe	backdoor.exe
PID 2660 wrote to memory of 2520	2660	RobloxAdminPanelNewLeakedgpj.exe	backdoor.exe
PID 2520 wrote to memory of 2548	2520	backdoor.exe	WerFault.exe
PID 2520 wrote to memory of 2548	2520	backdoor.exe	WerFault.exe
PID 2520 wrote to memory of 2548	2520	backdoor.exe	WerFault.exe

C:\Users\Admin\AppData\Local\Temp\RobloxAdminPanelNewLeakedgpj.exe
"C:\Users\Admin\AppData\Local\Temp\RobloxAdminPanelNewLeakedgpj.exe"
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2660

C:\Users\Admin\AppData\Local\Temp\RarSFX0\backdoor.exe
"C:\Users\Admin\AppData\Local\Temp\RarSFX0\backdoor.exe"
2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2520

C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -u -p 2520 -s 596
3⤵
- Loads dropped DLL
PID:2548

C:\Windows\SysWOW64\DllHost.exe
C:\Windows\SysWOW64\DllHost.exe /Processid:{76D0CB12-7604-4048-B83C-1005C7DDC503}
1⤵
- Suspicious use of FindShellTrayWindow
PID:2632

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\RarSFX0\Robloxpanel.png

Filesize
25KB

MD5
94175ab0f8189f04b8ceb52470cc68db

SHA1
55b702459060e145274d8da5c5cb21232d6d8539

SHA256
e5516ac4ee47d6945cc32cf093c800737301fe1adba1862cffa9e346b0aa1262

SHA512
2df0ecf011adcdf7ec9a38cff8833cf5064011110bdb65e59c79e5c73aeb54e2de607ec38b453526041c27f898af56b23ea6ea3fdd7f575cc68ab71fe7dc3da2

Download Submit
\Users\Admin\AppData\Local\Temp\RarSFX0\backdoor.exe

Filesize
86KB

MD5
da73d03e7e63df84355ca62baaefae8a

SHA1
4a24296ce0275ab6d5439a155a17d8de80d549d5

SHA256
16cef3c03efe6d11b261709e330058536b7bd186fad81e932f2a9db1cef78610

SHA512
7d8c28fa0ee62228104af1bd25aefe3f18fea9e9983d1cbcfa2f18f9f2832c5471fe4f545e775f6ed775802b3d687d81c1a14292af3406f6ef613c39e0c617e7

Download Submit
memory/2520-13-0x000000013F150000-0x000000013F16A000-memory.dmp

Filesize
104KB

Download
memory/2632-5-0x00000000001B0000-0x00000000001B2000-memory.dmp

Filesize
8KB

Download
memory/2632-6-0x0000000000290000-0x0000000000291000-memory.dmp

Filesize
4KB

Download
memory/2632-20-0x0000000000290000-0x0000000000291000-memory.dmp

Filesize
4KB

Download
memory/2660-4-0x0000000003000000-0x0000000003002000-memory.dmp

Filesize
8KB

Download