discordrat | c13a0cd7c2c2fd577703bff026b72ed81b51266afa047328c8ff1c4a4d965c97

Resubmissions

03-07-2024 18:28

240703-w4qd9asblp 10

03-07-2024 17:34

240703-v5gcaszfrn 10

03-07-2024 17:28

240703-v1z9lszenm 10

Analysis

max time kernel
88s
max time network
82s
platform
windows10-2004_x64
resource
win10v2004-20240508-en
resource tags

arch:x64arch:x86image:win10v2004-20240508-enlocale:en-usos:windows10-2004-x64system
submitted
03-07-2024 18:28

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

release.zip
Size

445KB
MD5

06a4fcd5eb3a39d7f50a0709de9900db
SHA1

50d089e915f69313a5187569cda4e6dec2d55ca7
SHA256

c13a0cd7c2c2fd577703bff026b72ed81b51266afa047328c8ff1c4a4d965c97
SHA512

75e5f637fd3282d088b1c0c1efd0de8a128f681e4ac66d6303d205471fe68b4fbf0356a21d803aff2cca6def455abad8619fedc8c7d51e574640eda0df561f9b
SSDEEP

12288:BfJ13+GoLo2d5ifXHE8134QwYOwFSFRiLQI:BKGo8EifSQwYWI

Score

10^/10

discordrat persistence rat rootkit stealer

Malware Config

Signatures

Discord RAT
A RAT written in C# using Discord as a C2.
stealer rootkit rat persistence discordrat

Executes dropped EXE 1 IoCs

pid	Process
4332	Client-built.exe

Checks SCSI registry key(s) 3 TTPs 3 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000	taskmgr.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	taskmgr.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName	taskmgr.exe

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	taskmgr.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	taskmgr.exe

Suspicious behavior: EnumeratesProcesses 55 IoCs

pid	Process
3192	taskmgr.exe
3192	taskmgr.exe
3192	taskmgr.exe
3192	taskmgr.exe
3192	taskmgr.exe
3192	taskmgr.exe
3192	taskmgr.exe
3192	taskmgr.exe
3192	taskmgr.exe
3192	taskmgr.exe
3192	taskmgr.exe
3192	taskmgr.exe
3192	taskmgr.exe
3192	taskmgr.exe
3192	taskmgr.exe
3192	taskmgr.exe
3192	taskmgr.exe
3192	taskmgr.exe
3192	taskmgr.exe
3192	taskmgr.exe
3192	taskmgr.exe
3192	taskmgr.exe
3192	taskmgr.exe
3192	taskmgr.exe
3192	taskmgr.exe
3192	taskmgr.exe
3192	taskmgr.exe
3192	taskmgr.exe
3192	taskmgr.exe
3192	taskmgr.exe
3192	taskmgr.exe
3192	taskmgr.exe
3192	taskmgr.exe
3192	taskmgr.exe
3192	taskmgr.exe
3192	taskmgr.exe
3192	taskmgr.exe
3192	taskmgr.exe
3192	taskmgr.exe
3192	taskmgr.exe
3192	taskmgr.exe
3192	taskmgr.exe
3192	taskmgr.exe
3192	taskmgr.exe
3192	taskmgr.exe
3192	taskmgr.exe
3192	taskmgr.exe
3192	taskmgr.exe
3192	taskmgr.exe
3192	taskmgr.exe
3192	taskmgr.exe
3192	taskmgr.exe
3192	taskmgr.exe
3192	taskmgr.exe
3192	taskmgr.exe

Suspicious use of AdjustPrivilegeToken 6 IoCs

description	pid	Process
Token: SeDebugPrivilege	3192	taskmgr.exe
Token: SeSystemProfilePrivilege	3192	taskmgr.exe
Token: SeCreateGlobalPrivilege	3192	taskmgr.exe
Token: SeDebugPrivilege	4472	Discord rat.exe
Token: SeDebugPrivilege	2680	Discord rat.exe
Token: SeDebugPrivilege	4332	Client-built.exe

Suspicious use of FindShellTrayWindow 64 IoCs

pid	Process
3192	taskmgr.exe
3192	taskmgr.exe
3192	taskmgr.exe
3192	taskmgr.exe
3192	taskmgr.exe
3192	taskmgr.exe
3192	taskmgr.exe
3192	taskmgr.exe
3192	taskmgr.exe
3192	taskmgr.exe
3192	taskmgr.exe
3192	taskmgr.exe
3192	taskmgr.exe
3192	taskmgr.exe
3192	taskmgr.exe
3192	taskmgr.exe
3192	taskmgr.exe
3192	taskmgr.exe
3192	taskmgr.exe
3192	taskmgr.exe
3192	taskmgr.exe
3192	taskmgr.exe
3192	taskmgr.exe
3192	taskmgr.exe
3192	taskmgr.exe
3192	taskmgr.exe
3192	taskmgr.exe
3192	taskmgr.exe
3192	taskmgr.exe
3192	taskmgr.exe
3192	taskmgr.exe
3192	taskmgr.exe
3192	taskmgr.exe
3192	taskmgr.exe
3192	taskmgr.exe
3192	taskmgr.exe
3192	taskmgr.exe
3192	taskmgr.exe
3192	taskmgr.exe
3192	taskmgr.exe
3192	taskmgr.exe
3192	taskmgr.exe
3192	taskmgr.exe
3192	taskmgr.exe
3192	taskmgr.exe
3192	taskmgr.exe
3192	taskmgr.exe
3192	taskmgr.exe
3192	taskmgr.exe
3192	taskmgr.exe
3192	taskmgr.exe
3192	taskmgr.exe
3192	taskmgr.exe
3192	taskmgr.exe
3192	taskmgr.exe
3192	taskmgr.exe
3192	taskmgr.exe
3192	taskmgr.exe
3192	taskmgr.exe
3192	taskmgr.exe
3192	taskmgr.exe
3192	taskmgr.exe
3192	taskmgr.exe
3192	taskmgr.exe

Suspicious use of SendNotifyMessage 64 IoCs

pid	Process
3192	taskmgr.exe
3192	taskmgr.exe
3192	taskmgr.exe
3192	taskmgr.exe
3192	taskmgr.exe
3192	taskmgr.exe
3192	taskmgr.exe
3192	taskmgr.exe
3192	taskmgr.exe
3192	taskmgr.exe
3192	taskmgr.exe
3192	taskmgr.exe
3192	taskmgr.exe
3192	taskmgr.exe
3192	taskmgr.exe
3192	taskmgr.exe
3192	taskmgr.exe
3192	taskmgr.exe
3192	taskmgr.exe
3192	taskmgr.exe
3192	taskmgr.exe
3192	taskmgr.exe
3192	taskmgr.exe
3192	taskmgr.exe
3192	taskmgr.exe
3192	taskmgr.exe
3192	taskmgr.exe
3192	taskmgr.exe
3192	taskmgr.exe
3192	taskmgr.exe
3192	taskmgr.exe
3192	taskmgr.exe
3192	taskmgr.exe
3192	taskmgr.exe
3192	taskmgr.exe
3192	taskmgr.exe
3192	taskmgr.exe
3192	taskmgr.exe
3192	taskmgr.exe
3192	taskmgr.exe
3192	taskmgr.exe
3192	taskmgr.exe
3192	taskmgr.exe
3192	taskmgr.exe
3192	taskmgr.exe
3192	taskmgr.exe
3192	taskmgr.exe
3192	taskmgr.exe
3192	taskmgr.exe
3192	taskmgr.exe
3192	taskmgr.exe
3192	taskmgr.exe
3192	taskmgr.exe
3192	taskmgr.exe
3192	taskmgr.exe
3192	taskmgr.exe
3192	taskmgr.exe
3192	taskmgr.exe
3192	taskmgr.exe
3192	taskmgr.exe
3192	taskmgr.exe
3192	taskmgr.exe
3192	taskmgr.exe
3192	taskmgr.exe

C:\Windows\Explorer.exe
C:\Windows\Explorer.exe /idlist,,C:\Users\Admin\AppData\Local\Temp\release.zip
1⤵
PID:4424

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:3124

C:\Users\Admin\Desktop\release\builder.exe
"C:\Users\Admin\Desktop\release\builder.exe"
1⤵
PID:3872

C:\Windows\system32\taskmgr.exe
"C:\Windows\system32\taskmgr.exe" /7
1⤵
- Checks SCSI registry key(s)
- Checks processor information in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:3192

C:\Users\Admin\Desktop\release\Release\Discord rat.exe
"C:\Users\Admin\Desktop\release\Release\Discord rat.exe"
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:4472

C:\Users\Admin\Desktop\release\Release\Discord rat.exe
"C:\Users\Admin\Desktop\release\Release\Discord rat.exe"
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:2680

C:\Users\Admin\Desktop\release\Client-built.exe
"C:\Users\Admin\Desktop\release\Client-built.exe"
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:4332

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\Desktop\release\Client-built.exe

Filesize
78KB

MD5
3cb5e3e667e59e47c079ae2e68a18712

SHA1
1355a321705c340532e0689c89399c2fd279fe33

SHA256
7e73c5bafa376c3aa28fb922519ba798112717197e2e54ba1dc19e4617867d1d

SHA512
cf6620155a74ec4e2dcdd111fd71fb8277c626f26f1ffe9f200a54d0a55c9ebf321eee6de14d9cebb5317ecaed367ddc6f1aff5bbdec52a737e4c22dfd5406ce

Download Submit
memory/3192-12-0x000001BECD110000-0x000001BECD111000-memory.dmp

Filesize
4KB

Download
memory/3192-18-0x000001BECD110000-0x000001BECD111000-memory.dmp

Filesize
4KB

Download
memory/3192-15-0x000001BECD110000-0x000001BECD111000-memory.dmp

Filesize
4KB

Download
memory/3192-16-0x000001BECD110000-0x000001BECD111000-memory.dmp

Filesize
4KB

Download
memory/3192-13-0x000001BECD110000-0x000001BECD111000-memory.dmp

Filesize
4KB

Download
memory/3192-8-0x000001BECD110000-0x000001BECD111000-memory.dmp

Filesize
4KB

Download
memory/3192-7-0x000001BECD110000-0x000001BECD111000-memory.dmp

Filesize
4KB

Download
memory/3192-6-0x000001BECD110000-0x000001BECD111000-memory.dmp

Filesize
4KB

Download
memory/3192-14-0x000001BECD110000-0x000001BECD111000-memory.dmp

Filesize
4KB

Download
memory/3192-17-0x000001BECD110000-0x000001BECD111000-memory.dmp

Filesize
4KB

Download
memory/3872-3-0x0000000004C80000-0x0000000004D12000-memory.dmp

Filesize
584KB

Download
memory/3872-2-0x0000000005230000-0x00000000057D4000-memory.dmp

Filesize
5.6MB

Download
memory/3872-5-0x0000000075380000-0x0000000075B30000-memory.dmp

Filesize
7.7MB

Download
memory/3872-0-0x000000007538E000-0x000000007538F000-memory.dmp

Filesize
4KB

Download
memory/3872-22-0x0000000075380000-0x0000000075B30000-memory.dmp

Filesize
7.7MB

Download
memory/3872-23-0x0000000007FF0000-0x0000000008112000-memory.dmp

Filesize
1.1MB

Download
memory/3872-1-0x0000000000360000-0x0000000000368000-memory.dmp

Filesize
32KB

Download
memory/3872-4-0x0000000004C30000-0x0000000004C3A000-memory.dmp

Filesize
40KB

Download
memory/4332-27-0x000001F378D70000-0x000001F378D88000-memory.dmp

Filesize
96KB

Download
memory/4472-19-0x00000173A3380000-0x00000173A3398000-memory.dmp

Filesize
96KB

Download
memory/4472-20-0x00000173BD980000-0x00000173BDB42000-memory.dmp

Filesize
1.8MB

Download
memory/4472-21-0x00000173BE260000-0x00000173BE788000-memory.dmp

Filesize
5.2MB

Download