discordrat | 4c8e733771f1fa36c2607d319954f2f811b8690861ef556947e78c5540e98021

Analysis

max time kernel
1477s
max time network
1777s
platform
windows11-21h2_x64
resource
win11-20240611-en
resource tags

arch:x64arch:x86image:win11-20240611-enlocale:en-usos:windows11-21h2-x64system
submitted
04-07-2024 08:32

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

Client-built.exe
Size

78KB
MD5

47e27fe6c24d12e2a430ba5954110af8
SHA1

dd2b8be1df875fd0ad4ae8fa0cd154b220744461
SHA256

4c8e733771f1fa36c2607d319954f2f811b8690861ef556947e78c5540e98021
SHA512

655539eb993cb59bff8937b2e21e699ad01fa39f0f605708559afee01a0f6d35c7d99d7d03cc2eb44e691bb4851fa7d140838016fe006f74a20e4569a196de2c
SSDEEP

1536:52WjO8XeEXFh5P7v88wbjNrfxCXhRoKV6+V+4PIC:5Zv5PDwbjNrmAE+cIC

Score

10^/10

discordrat persistence rat rootkit stealer

Malware Config

Extracted

Family

discordrat

Attributes

discord_token
MTI1NTUzNzM1MTgwMzgwMTYwNA.Gaum03.OIWIumUQ6-odVL7pZDOGnAoFrwedhUBhG-Lngk
server_id
1255536373763539074

Signatures

Discord RAT
A RAT written in C# using Discord as a C2.
stealer rootkit rat persistence discordrat
Legitimate hosting services abused for malware hosting/C2 1 TTPs 8 IoCs

Web Service
T1102

Processes:

flow ioc

1 discord.com
3 discord.com
6 discord.com
7 discord.com
8 discord.com
45 discord.com
50 discord.com
51 discord.com

flow	ioc
1	discord.com
3	discord.com
6	discord.com
7	discord.com
8	discord.com
45	discord.com
50	discord.com
51	discord.com

Drops file in Windows directory 4 IoCs

Processes:

UserOOBEBroker.exe

description	ioc	process
File opened for modification	C:\Windows\Panther\UnattendGC\diagerr.xml	UserOOBEBroker.exe
File opened for modification	C:\Windows\Panther\UnattendGC\diagwrn.xml	UserOOBEBroker.exe
File opened for modification	C:\Windows\Panther\UnattendGC\setupact.log	UserOOBEBroker.exe
File opened for modification	C:\Windows\Panther\UnattendGC\setuperr.log	UserOOBEBroker.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes:

Client-built.exe

description pid process

Token: SeDebugPrivilege 2808 Client-built.exe
Suspicious use of SetWindowsHookEx 1 IoCs

Processes:

MiniSearchHost.exe

pid process

2952 MiniSearchHost.exe

description	pid	process
Token: SeDebugPrivilege	2808	Client-built.exe

pid	process
2952	MiniSearchHost.exe

C:\Users\Admin\AppData\Local\Temp\Client-built.exe
"C:\Users\Admin\AppData\Local\Temp\Client-built.exe"
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:2808

C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\MiniSearchHost.exe
"C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\MiniSearchHost.exe" -ServerName:MiniSearchUI.AppXj3y73at8fy1htwztzxs68sxx1v7cksp7.mca
1⤵
- Suspicious use of SetWindowsHookEx
PID:2952

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalService -p -s NPSMSvc
1⤵
PID:4084

C:\Windows\System32\oobe\UserOOBEBroker.exe
C:\Windows\System32\oobe\UserOOBEBroker.exe -Embedding
1⤵
- Drops file in Windows directory
PID:1672

C:\Users\Admin\AppData\Local\Microsoft\OneDrive\18.151.0729.0013\FileCoAuth.exe
C:\Users\Admin\AppData\Local\Microsoft\OneDrive\18.151.0729.0013\FileCoAuth.exe -Embedding
1⤵
PID:1372

Network

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Lateral Movement

Collection

Exfiltration

Command and Control

Web Service

T1102

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

memory/2808-0-0x000001470DEF0000-0x000001470DF08000-memory.dmp

Filesize
96KB

Download
memory/2808-1-0x00007FFB5D213000-0x00007FFB5D215000-memory.dmp

Filesize
8KB

Download
memory/2808-2-0x0000014728630000-0x00000147287F2000-memory.dmp

Filesize
1.8MB

Download
memory/2808-3-0x00007FFB5D210000-0x00007FFB5DCD2000-memory.dmp

Filesize
10.8MB

Download
memory/2808-4-0x0000014728E80000-0x00000147293A8000-memory.dmp

Filesize
5.2MB

Download
memory/2808-5-0x00007FFB5D210000-0x00007FFB5DCD2000-memory.dmp

Filesize
10.8MB

Download