discordrat | 0221bcc32a8271a709de78656db437e596306cddd049585b70376112feb3a486

Resubmissions

29-06-2024 12:07

240629-papsaszfnl 10

29-06-2024 12:00

240629-n6lj3szeqq 10

Analysis

max time kernel
36s
max time network
48s
platform
windows10-2004_x64
resource
win10v2004-20240508-en
resource tags

arch:x64arch:x86image:win10v2004-20240508-enlocale:en-usos:windows10-2004-x64system
submitted
29-06-2024 12:07

Sharing

Copy URL

Twitter E-mail

Reason

Machine shutdown

Report Analysis Logs

General

Target

main.exe
Size

90KB
MD5

9932b9f4ba73846661de9cd3a1773db1
SHA1

3c03d8e1bcc1881a1dfecf4dd48281163fe7f8de
SHA256

0221bcc32a8271a709de78656db437e596306cddd049585b70376112feb3a486
SHA512

b1bec36207843d568d1ffec9457920afaea79c529a22e2e1d23ab38fda6d0fa39f523dfd2d4ec98485e34e5d880eac9beccafe36b2dc0cc45628145c87b1d047
SSDEEP

1536:Msi8yMgTYYVJtD0wNJBNHPP3lLuBZAWsSTN56WsSTN5MwEYLzMkupBCZr:C8uTtownn3lWsSTdsSTqYLzupYr

Score

10^/10

discordrat persistence rat rootkit stealer

Malware Config

Extracted

Family

discordrat

Attributes

discord_token
MTEzNjc5NTQ5MjA0NzY2NzIzMg.Gw46q5.mJzQH6rMBkFiwBs0CyveXqxrxY_QdRW4PfdzkE
server_id
1208115914978107542

Signatures

Discord RAT
A RAT written in C# using Discord as a C2.
stealer rootkit rat persistence discordrat
Downloads MZ/PE file
Checks computer location settings 2 TTPs 1 IoCs
Looks up country code configured in the registry, likely geofence.

Query Registry
T1012

System Information Discovery
T1082

Processes:

main.exe

description ioc process

Key value queried \REGISTRY\USER\S-1-5-21-3558294865-3673844354-2255444939-1000\Control Panel\International\Geo\Nation main.exe
Executes dropped EXE 1 IoCs

Processes:

svchost.exe

pid process

2460 svchost.exe
Legitimate hosting services abused for malware hosting/C2 1 TTPs 9 IoCs

Web Service
T1102

Processes:

flow ioc

26 discord.com
37 discord.com
23 discord.com
24 discord.com
25 discord.com
38 discord.com
14 discord.com
15 discord.com
20 discord.com
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082
Suspicious use of AdjustPrivilegeToken 2 IoCs

Processes:

svchost.exe

description pid process

Token: SeDebugPrivilege 2460 svchost.exe
Token: SeShutdownPrivilege 2460 svchost.exe
Suspicious use of WriteProcessMemory 2 IoCs

Processes:

main.exe

description pid process target process

PID 672 wrote to memory of 2460 672 main.exe svchost.exe
PID 672 wrote to memory of 2460 672 main.exe svchost.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-3558294865-3673844354-2255444939-1000\Control Panel\International\Geo\Nation	main.exe

pid	process
2460	svchost.exe

flow	ioc
26	discord.com
37	discord.com
23	discord.com
24	discord.com
25	discord.com
38	discord.com
14	discord.com
15	discord.com
20	discord.com

description	pid	process
Token: SeDebugPrivilege	2460	svchost.exe
Token: SeShutdownPrivilege	2460	svchost.exe

description	pid	process	target process
PID 672 wrote to memory of 2460	672	main.exe	svchost.exe
PID 672 wrote to memory of 2460	672	main.exe	svchost.exe

C:\Users\Admin\AppData\Local\Temp\main.exe
"C:\Users\Admin\AppData\Local\Temp\main.exe"
1⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:672

C:\Users\Admin\AppData\Local\Temp\svchost.exe
"C:\Users\Admin\AppData\Local\Temp\svchost.exe"
2⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:2460

Network

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Web Service

T1102

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\svchost.exe
Filesize
78KB

MD5
206f64ecbc9b44294b492a9492f272c6

SHA1
cead42b99b1e39cb21eda4f1033006337312f991

SHA256
e1de218212a4f3d2dff3806e5bcd8e24a037648a598455dd1703500a87e1ba12

SHA512
504ff60d659788ee617cf57d12f5991f484319299649e05133f5ae8f1145a78802d20a099e9fd0bc2ed94e9923bf9ac8c3766009b454bbe3f25a8f55b1987da3

Download Submit
memory/672-12-0x0000000000400000-0x000000000041D000-memory.dmp

Filesize
116KB

Download
memory/2460-13-0x0000026518570000-0x0000026518588000-memory.dmp

Filesize
96KB

Download
memory/2460-14-0x00007FF9181B3000-0x00007FF9181B5000-memory.dmp

Filesize
8KB

Download
memory/2460-15-0x0000026532C40000-0x0000026532E02000-memory.dmp

Filesize
1.8MB

Download
memory/2460-16-0x0000026534730000-0x0000026534C58000-memory.dmp

Filesize
5.2MB

Download
memory/2460-17-0x00007FF9181B3000-0x00007FF9181B5000-memory.dmp

Filesize
8KB

Download