discordrat | 0a6a0baaf4774255ad58385d3e99c2978ab2bf1429071212a52345c5171555da

General

Target

wow.zip
Size

28KB
MD5

a98c71bc37633b0339b7df3e131020a3
SHA1

a2db16bdbb7a8e061778762757379b9f0046ed50
SHA256

0a6a0baaf4774255ad58385d3e99c2978ab2bf1429071212a52345c5171555da
SHA512

fbe4d01746848b5d1c7d3d38f6645153f580a6b19675eea55d1bc64d096a98df216bf0271823a1fafc7f14e65f81bb148c3bdeeb4f35c7a12f3deffd21105a49
SSDEEP

768:Rhj5hbiKvyvHg3ibJtZfJZZ8xgJdbvb9cL4sDL2kAm:R9LmK6/g3i9tPhJdTe1Z

Score

10^/10

discordrat persistence rat rootkit stealer

Malware Config

Extracted

Family

discordrat

Attributes

discord_token
MTI1MDY4MDAwOTA1NjcxODg1OA.Gsgb1p.yKrTtjnMzEfZMtnNe8EGmYm3XDkNU2c5sOLJ5Y
server_id
1250638699088187392

Signatures

Discord RAT
A RAT written in C# using Discord as a C2.
stealer rootkit rat persistence discordrat

Executes dropped EXE 4 IoCs

pid	Process
1776	discord nitro generator.exe
280	discord nitro generator.exe
1688	discord nitro generator.exe
1676	discord nitro generator.exe

Loads dropped DLL 45 IoCs

pid	Process
1172	Process not Found
1172	Process not Found
1172	Process not Found
1172	Process not Found
1172	Process not Found
1172	Process not Found
1172	Process not Found
1172	Process not Found
1172	Process not Found
1172	Process not Found
320	WerFault.exe
320	WerFault.exe
320	WerFault.exe
320	WerFault.exe
320	WerFault.exe
1172	Process not Found
1172	Process not Found
1172	Process not Found
1172	Process not Found
1172	Process not Found
2704	WerFault.exe
2704	WerFault.exe
2704	WerFault.exe
2704	WerFault.exe
2704	WerFault.exe
1172	Process not Found
1172	Process not Found
1172	Process not Found
1172	Process not Found
1172	Process not Found
1700	WerFault.exe
1700	WerFault.exe
1700	WerFault.exe
1700	WerFault.exe
1700	WerFault.exe
1172	Process not Found
1172	Process not Found
1172	Process not Found
1172	Process not Found
1172	Process not Found
324	WerFault.exe
324	WerFault.exe
324	WerFault.exe
324	WerFault.exe
324	WerFault.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
2896	7zFM.exe

Suspicious use of AdjustPrivilegeToken 6 IoCs

description	pid	Process
Token: SeRestorePrivilege	2896	7zFM.exe
Token: 35	2896	7zFM.exe
Token: SeRestorePrivilege	2280	7zG.exe
Token: 35	2280	7zG.exe
Token: SeSecurityPrivilege	2280	7zG.exe
Token: SeSecurityPrivilege	2280	7zG.exe

Suspicious use of FindShellTrayWindow 2 IoCs

pid	Process
2896	7zFM.exe
2280	7zG.exe

Suspicious use of WriteProcessMemory 12 IoCs

description	pid	Process	procid_target
PID 1776 wrote to memory of 320	1776	discord nitro generator.exe	34
PID 1776 wrote to memory of 320	1776	discord nitro generator.exe	34
PID 1776 wrote to memory of 320	1776	discord nitro generator.exe	34
PID 280 wrote to memory of 2704	280	discord nitro generator.exe	36
PID 280 wrote to memory of 2704	280	discord nitro generator.exe	36
PID 280 wrote to memory of 2704	280	discord nitro generator.exe	36
PID 1688 wrote to memory of 1700	1688	discord nitro generator.exe	38
PID 1688 wrote to memory of 1700	1688	discord nitro generator.exe	38
PID 1688 wrote to memory of 1700	1688	discord nitro generator.exe	38
PID 1676 wrote to memory of 324	1676	discord nitro generator.exe	40
PID 1676 wrote to memory of 324	1676	discord nitro generator.exe	40
PID 1676 wrote to memory of 324	1676	discord nitro generator.exe	40

C:\Windows\Explorer.exe
C:\Windows\Explorer.exe /idlist,,C:\Users\Admin\AppData\Local\Temp\wow.zip
1⤵
PID:112

C:\Windows\system32\verclsid.exe
"C:\Windows\system32\verclsid.exe" /S /C {0B2C9183-C9FA-4C53-AE21-C900B0C39965} /I {0C733A8A-2A1C-11CE-ADE5-00AA0044773D} /X 0x401
1⤵
PID:1168

C:\Program Files\7-Zip\7zFM.exe
"C:\Program Files\7-Zip\7zFM.exe" "C:\Users\Admin\AppData\Local\Temp\wow.zip"
1⤵
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
PID:2896

C:\Program Files\7-Zip\7zG.exe
"C:\Program Files\7-Zip\7zG.exe" x -o"C:\Users\Admin\AppData\Local\Temp\wow\" -ad -an -ai#7zMap8063:86:7zEvent12807
1⤵
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
PID:2280

C:\Users\Admin\AppData\Local\Temp\wow\wow\discord nitro generator.exe
"C:\Users\Admin\AppData\Local\Temp\wow\wow\discord nitro generator.exe"
1⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1776
- C:\Windows\system32\WerFault.exe
  C:\Windows\system32\WerFault.exe -u -p 1776 -s 596
  2⤵
  - Loads dropped DLL
  PID:320

C:\Users\Admin\AppData\Local\Temp\wow\wow\discord nitro generator.exe
"C:\Users\Admin\AppData\Local\Temp\wow\wow\discord nitro generator.exe"
1⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:280
- C:\Windows\system32\WerFault.exe
  C:\Windows\system32\WerFault.exe -u -p 280 -s 596
  2⤵
  - Loads dropped DLL
  PID:2704

C:\Users\Admin\AppData\Local\Temp\wow\wow\discord nitro generator.exe
"C:\Users\Admin\AppData\Local\Temp\wow\wow\discord nitro generator.exe"
1⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1688
- C:\Windows\system32\WerFault.exe
  C:\Windows\system32\WerFault.exe -u -p 1688 -s 596
  2⤵
  - Loads dropped DLL
  PID:1700

C:\Users\Admin\AppData\Local\Temp\wow\wow\discord nitro generator.exe
"C:\Users\Admin\AppData\Local\Temp\wow\wow\discord nitro generator.exe"
1⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1676
- C:\Windows\system32\WerFault.exe
  C:\Windows\system32\WerFault.exe -u -p 1676 -s 596
  2⤵
  - Loads dropped DLL
  PID:324

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

\Users\Admin\AppData\Local\Temp\wow\wow\discord nitro generator.exe

Filesize
78KB

MD5
58152cdf93eed1f705ed64ba2f36ed60

SHA1
fac451bb4b4733c855479a0143306d0cf027da80

SHA256
0272a484c96171641cccca7b0315bd5e112c8cb7bf54ce05ad801d31d1c9296f

SHA512
4c3b670625b1ab15b16bf118ac32e13b7548a73f02eefdc0c6c415d09a2998ba2bd20b1ad59397abc788c8cb41633a0d37623c679a85f3996737a44b4f4aadb2

Download Submit
memory/280-26-0x000000013F480000-0x000000013F498000-memory.dmp

Filesize
96KB

Download
memory/1676-50-0x000000013F4F0000-0x000000013F508000-memory.dmp

Filesize
96KB

Download
memory/1688-38-0x000000013F8E0000-0x000000013F8F8000-memory.dmp

Filesize
96KB

Download
memory/1776-14-0x000000013FC90000-0x000000013FCA8000-memory.dmp

Filesize
96KB

Download

Analysis

Sharing