discordrat | 3c2964a659a4c597aea369db6c7faddd4b314c699839249ea6392feaa8b479d2

General

Target

SalesAndTales/SalesAndTales/TalesAndSales.exe
Size

4.1MB
MD5

5071e6c3739ca8d176036501ff7b7692
SHA1

0e0ef970dc94a375a28b61baff395043c920484b
SHA256

dc8d4767a1022103802ec64fe86960bea13dd03ff1d0365c2519c7edc07b4841
SHA512

1c9e56a50ac7a3ee175d70b1e456cd69279fe94aac95ea66f4d1f782d2687b33f9c7b0a20d29a49ed06508279dc34f2d4d05ad5fb396a526226e27e93614753f
SSDEEP

98304:iUYt9cvtfCbuDlZM5Arxle1K+O9FbcBvzc8aEB:iUc9cv9EQ7oOx01awV

Score

10^/10

discordrat evasion persistence rat rootkit stealer themida trojan

Malware Config

Extracted

Family

discordrat

Attributes

discord_token
MTI2MDIzODIzNTAxNjM2NDE0Mw.G_GGTS.fEW6l1WLOhjwEn42Roi-bpXTe-ZL_rK7J-jOto
server_id
1260238572166844487

Signatures

Discord RAT
A RAT written in C# using Discord as a C2.
stealer rootkit rat persistence discordrat

Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs 1 IoCs

evasion

Query Registry

T1012

Virtualization/Sandbox Evasion

T1497

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	TalesAndSales.exe

Disables Task Manager via registry modification
evasion

Checks BIOS information in registry 2 TTPs 2 IoCs

BIOS information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	TalesAndSales.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	TalesAndSales.exe

Themida packer 2 IoCs

Detects Themida, an advanced Windows software protection system.

themida

resource	yara_rule
behavioral2/memory/2420-9-0x00007FF70F610000-0x00007FF71014E000-memory.dmp	themida
behavioral2/memory/2420-10-0x00007FF70F610000-0x00007FF71014E000-memory.dmp	themida

Checks whether UAC is enabled 1 TTPs 1 IoCs

evasion trojan

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	TalesAndSales.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs 5 IoCs

Web Service

T1102

flow	ioc
17	discord.com
22	discord.com
27	discord.com
13	discord.com
14	discord.com

Suspicious use of NtSetInformationThreadHideFromDebugger 1 IoCs

pid	Process
2420	TalesAndSales.exe

Scheduled Task/Job: Scheduled Task 1 TTPs 1 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

pid	Process
4948	SCHTASKS.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	2420	TalesAndSales.exe

Suspicious use of WriteProcessMemory 2 IoCs

description	pid	Process	procid_target
PID 2420 wrote to memory of 4948	2420	TalesAndSales.exe	87
PID 2420 wrote to memory of 4948	2420	TalesAndSales.exe	87

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\SalesAndTales\SalesAndTales\TalesAndSales.exe
"C:\Users\Admin\AppData\Local\Temp\SalesAndTales\SalesAndTales\TalesAndSales.exe"
1⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Checks whether UAC is enabled
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2420
- C:\Windows\SYSTEM32\SCHTASKS.exe
  "SCHTASKS.exe" /create /tn "$77TalesAndSales.exe" /tr "'C:\Users\Admin\AppData\Local\Temp\SalesAndTales\SalesAndTales\TalesAndSales.exe'" /sc onlogon /rl HIGHEST
  2⤵
  - Scheduled Task/Job: Scheduled Task
  PID:4948

C:\Windows\system32\taskmgr.exe
"C:\Windows\system32\taskmgr.exe" /0
1⤵
PID:2224

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

1

T1053

Scheduled Task

1

T1053.005

Persistence

Scheduled Task/Job

1

T1053

Scheduled Task

1

T1053.005

Privilege Escalation

Scheduled Task/Job

1

T1053

Scheduled Task

1

T1053.005

Defense Evasion

Virtualization/Sandbox Evasion

1

T1497

Credential Access

Discovery

Query Registry

3

T1012

System Information Discovery

2

T1082

Virtualization/Sandbox Evasion

1

T1497

Lateral Movement

Collection

Command and Control

Web Service

1

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/2420-0-0x00007FF70F610000-0x00007FF71014E000-memory.dmp

Filesize
11.2MB

Download
memory/2420-1-0x00007FFFA2BA4000-0x00007FFFA2BA5000-memory.dmp

Filesize
4KB

Download
memory/2420-3-0x00007FFFA2B40000-0x00007FFFA2E09000-memory.dmp

Filesize
2.8MB

Download
memory/2420-2-0x00007FFFA2B40000-0x00007FFFA2E09000-memory.dmp

Filesize
2.8MB

Download
memory/2420-5-0x00007FFFA2B40000-0x00007FFFA2E09000-memory.dmp

Filesize
2.8MB

Download
memory/2420-4-0x00007FFFA2B40000-0x00007FFFA2E09000-memory.dmp

Filesize
2.8MB

Download
memory/2420-6-0x00007FFFA2B40000-0x00007FFFA2E09000-memory.dmp

Filesize
2.8MB

Download
memory/2420-8-0x00007FFFA2B40000-0x00007FFFA2E09000-memory.dmp

Filesize
2.8MB

Download
memory/2420-9-0x00007FF70F610000-0x00007FF71014E000-memory.dmp

Filesize
11.2MB

Download
memory/2420-10-0x00007FF70F610000-0x00007FF71014E000-memory.dmp

Filesize
11.2MB

Download
memory/2420-11-0x00000208A21E0000-0x00000208A23A2000-memory.dmp

Filesize
1.8MB

Download
memory/2420-12-0x00007FFFA2B40000-0x00007FFFA2E09000-memory.dmp

Filesize
2.8MB

Download
memory/2420-13-0x00000208A2A20000-0x00000208A2F48000-memory.dmp

Filesize
5.2MB

Download
memory/2420-14-0x00007FF70F610000-0x00007FF71014E000-memory.dmp

Filesize
11.2MB

Download
memory/2420-15-0x00007FFFA2B40000-0x00007FFFA2E09000-memory.dmp

Filesize
2.8MB

Download
memory/2420-17-0x00007FFFA2BA4000-0x00007FFFA2BA5000-memory.dmp

Filesize
4KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads