discordrat | 02e896adebf162d071bf730e2c5eed52e207efe3d7eeafc094acc5b2cb763b52

Analysis

max time kernel
670s
max time network
679s
platform
windows10-2004_x64
resource
win10v2004-20240508-en
resource tags

arch:x64arch:x86image:win10v2004-20240508-enlocale:en-usos:windows10-2004-x64system
submitted
14-06-2024 19:11

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

Tulpical_V3 lock.exe
Size

736KB
MD5

adb97c2b434b39f7aec3240097430b8a
SHA1

33575f816b3e281aa327e2f07f673bd1fab25a81
SHA256

02e896adebf162d071bf730e2c5eed52e207efe3d7eeafc094acc5b2cb763b52
SHA512

cf85986f9527730964d92af0cc556bbbc4ad6eadca43af7427daf4addace189e9b12bebf146226df74c1882c864991b9a859decf6a1fd6d8b78bbfdd7e83ba66
SSDEEP

12288:aCQjgAtAHM+vetZxF5EWry8AJGy0kWyOV5b+mkSAgjxbH93kZ:a5ZWs+OZVEWry8AFi9Vx+mkSTRH93C

Score

10^/10

discordrat persistence rat rootkit stealer

Malware Config

Extracted

Family

discordrat

Attributes

discord_token
MTIxMTA5OTM2NzcyMTc5NTYzNA.GqkwcX.UOjwiFdGIpv_jY2sOCDo02zExIyfhOxTIiOv6c
server_id
1251241660453752944

Signatures

Discord RAT
A RAT written in C# using Discord as a C2.
stealer rootkit rat persistence discordrat

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

Tulpical_V3 lock.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\Control Panel\International\Geo\Nation	Tulpical_V3 lock.exe

Executes dropped EXE 1 IoCs

Processes:

lock image.exe

pid process

208 lock image.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082
Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes:

lock image.exe

description pid process

Token: SeDebugPrivilege 208 lock image.exe

pid	process
208	lock image.exe

description	pid	process
Token: SeDebugPrivilege	208	lock image.exe

Suspicious use of WriteProcessMemory 2 IoCs

Processes:

Tulpical_V3 lock.exe

description	pid	process	target process
PID 3924 wrote to memory of 208	3924	Tulpical_V3 lock.exe	lock image.exe
PID 3924 wrote to memory of 208	3924	Tulpical_V3 lock.exe	lock image.exe

C:\Users\Admin\AppData\Local\Temp\Tulpical_V3 lock.exe
"C:\Users\Admin\AppData\Local\Temp\Tulpical_V3 lock.exe"
1⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:3924
- C:\Users\Admin\AppData\Local\Temp\lock image.exe
  "C:\Users\Admin\AppData\Local\Temp\lock image.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken
  PID:208

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\lock image.exe

Filesize
78KB

MD5
eb574fb1d907ffd85ce1854f5585d67a

SHA1
6b72bc26e0f282010c1c1e5589e130d250d28bb5

SHA256
1a3072f72b2747d1bbe6f8aec7945d7753c061cd02ab1a1632963d13ba9e61bd

SHA512
0df1476ff05cc2c34e9c84ac4ba7760c233755f8a9f031ac33241aab71cfc1fbba20344b1403620c7f7695360d30ab124cf3557bff4730bd10f8f8b71a580c6f

Download Submit
memory/208-14-0x00007FF8F5683000-0x00007FF8F5685000-memory.dmp

Filesize
8KB

Download
memory/208-15-0x0000015F1D770000-0x0000015F1D788000-memory.dmp

Filesize
96KB

Download
memory/208-16-0x0000015F37D50000-0x0000015F37F12000-memory.dmp

Filesize
1.8MB

Download
memory/208-17-0x00007FF8F5680000-0x00007FF8F6141000-memory.dmp

Filesize
10.8MB

Download
memory/208-18-0x00007FF8F5680000-0x00007FF8F6141000-memory.dmp

Filesize
10.8MB

Download