discordrat | 134bc640e8cc14d6c30f91407a8c812a63319072343bbf8a6bc2aaf3a902d44b

Analysis

max time kernel
1641s
max time network
1652s
platform
windows10-2004_x64
resource
win10v2004-20240508-en
resource tags

arch:x64arch:x86image:win10v2004-20240508-enlocale:en-usos:windows10-2004-x64system
submitted
23-06-2024 04:11

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

RobloxRule34.exe
Size

505KB
MD5

634012a39686513995ecbbaf04235a0a
SHA1

6204df4370ed114bde2caac305f96b1954e68504
SHA256

134bc640e8cc14d6c30f91407a8c812a63319072343bbf8a6bc2aaf3a902d44b
SHA512

b8881eb85dc001d4c256a60dbc141592f89ffded8f90d2240c80d6af6468a34e1ac52e288170c0296cf1afe735e7ef7da6a4738adcfc253fded53c7c56ebe002
SSDEEP

12288:TyveQB/fTHIGaPkKEYzURNAwbAg8ox4CA9ndmc:TuDXTIGaPhEYzUzA0qV9nkc

Score

10^/10

discordrat persistence rat rootkit stealer

Malware Config

Extracted

Family

discordrat

Attributes

discord_token
MTI1NDI4MDkwNjYzODc1Mzg2Mw.GB5zNE.lgu4CSBwMUVxaeb6e0u9sFYW6gLtr8IglmywhI
server_id
1189676766084735048

Signatures

Discord RAT
A RAT written in C# using Discord as a C2.
stealer rootkit rat persistence discordrat

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\Control Panel\International\Geo\Nation	RobloxRule34.exe

Executes dropped EXE 1 IoCs

pid	Process
1112	Client-built.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	1112	Client-built.exe

Suspicious use of WriteProcessMemory 2 IoCs

description	pid	Process	procid_target
PID 3468 wrote to memory of 1112	3468	RobloxRule34.exe	80
PID 3468 wrote to memory of 1112	3468	RobloxRule34.exe	80

C:\Users\Admin\AppData\Local\Temp\RobloxRule34.exe
"C:\Users\Admin\AppData\Local\Temp\RobloxRule34.exe"
1⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:3468
- C:\Users\Admin\AppData\Local\Temp\RarSFX0\Client-built.exe
  "C:\Users\Admin\AppData\Local\Temp\RarSFX0\Client-built.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken
  PID:1112

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\RarSFX0\Client-built.exe

Filesize
78KB

MD5
c2207566970ad0379a62da59e3c4caff

SHA1
59759d884744c5c025fe800a0b86b63555f7bfe9

SHA256
61247d55a049a1a16833a6be90b50ceef20340db7b31181b07d95cbc345dd1ba

SHA512
2b6a2684c1a5db78fc1080c26b7263bb5c04eb760d142369cd4d987b35ff9fd76092fe3ceae0633f26f98a12b4d1b5b4aca7071a7022d22d264237dbf1a488bc

Download Submit
memory/1112-12-0x0000022853EA0000-0x0000022853EB8000-memory.dmp

Filesize
96KB

Download
memory/1112-13-0x00007FFEFACA3000-0x00007FFEFACA5000-memory.dmp

Filesize
8KB

Download
memory/1112-14-0x000002286E4C0000-0x000002286E682000-memory.dmp

Filesize
1.8MB

Download
memory/1112-15-0x00007FFEFACA0000-0x00007FFEFB761000-memory.dmp

Filesize
10.8MB

Download
memory/1112-16-0x00007FFEFACA0000-0x00007FFEFB761000-memory.dmp

Filesize
10.8MB

Download