discordrat | 6e97a3afc6580f3ca0f17a61ee98350d3d3be791bd4c9c3428926e3f40e199be

General

Target

rostrap.exe
Size

3.8MB
MD5

3da3fa7ef74e6912844e3b7eea44c475
SHA1

b8078c6b01a37c6b3bce3bd93eb11b8d5b88d37e
SHA256

6e97a3afc6580f3ca0f17a61ee98350d3d3be791bd4c9c3428926e3f40e199be
SHA512

a64cc30dd4f1c44f630bd91ffa6426ddc9af94fc85d40c7c30ec1869748b828362be4efadb6e54fc21f739217d1d587c24d37225f72a0dc4ed09a4a296e99136
SSDEEP

98304:O3GM47lTHdcFcNQBUb4vzWsyQj0jvDeug4WGR/JvY3csQ:O3GTp9ZyS8asyQjaLeugYR/JicsQ

Score

10^/10

discordrat persistence rat rootkit stealer

Malware Config

Extracted

Family

discordrat

Attributes

discord_token
MTI2MTcwMjM0NDQ4ODUyMTgwOQ.GyJxES.iPPznz14IbFotKTZ3KViTwuS9T3PzEb13fnomo
server_id
1261715255004762132

Signatures

Discord RAT
A RAT written in C# using Discord as a C2.
stealer rootkit rat persistence discordrat
Executes dropped EXE 4 IoCs

Processes:

rostrap_setup.exeBLOXST~2.EXEROSTRA~1.EXE

pid process

2644 rostrap_setup.exe
2700 BLOXST~2.EXE
1348
2808 ROSTRA~1.EXE
Loads dropped DLL 8 IoCs

Processes:

rostrap.exerostrap_setup.exeWerFault.exe

pid process

2116 rostrap.exe
2644 rostrap_setup.exe
2644 rostrap_setup.exe
2844 WerFault.exe
2844 WerFault.exe
2844 WerFault.exe
2844 WerFault.exe
2844 WerFault.exe

pid	process
2644	rostrap_setup.exe
2700	BLOXST~2.EXE
1348
2808	ROSTRA~1.EXE

pid	process
2116	rostrap.exe
2644	rostrap_setup.exe
2644	rostrap_setup.exe
2844	WerFault.exe
2844	WerFault.exe
2844	WerFault.exe
2844	WerFault.exe
2844	WerFault.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

rostrap_setup.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	rostrap_setup.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious use of WriteProcessMemory 12 IoCs

Processes:

rostrap.exerostrap_setup.exeROSTRA~1.EXE

description	pid	process	target process
PID 2116 wrote to memory of 2644	2116	rostrap.exe	rostrap_setup.exe
PID 2116 wrote to memory of 2644	2116	rostrap.exe	rostrap_setup.exe
PID 2116 wrote to memory of 2644	2116	rostrap.exe	rostrap_setup.exe
PID 2644 wrote to memory of 2700	2644	rostrap_setup.exe	BLOXST~2.EXE
PID 2644 wrote to memory of 2700	2644	rostrap_setup.exe	BLOXST~2.EXE
PID 2644 wrote to memory of 2700	2644	rostrap_setup.exe	BLOXST~2.EXE
PID 2644 wrote to memory of 2808	2644	rostrap_setup.exe	ROSTRA~1.EXE
PID 2644 wrote to memory of 2808	2644	rostrap_setup.exe	ROSTRA~1.EXE
PID 2644 wrote to memory of 2808	2644	rostrap_setup.exe	ROSTRA~1.EXE
PID 2808 wrote to memory of 2844	2808	ROSTRA~1.EXE	WerFault.exe
PID 2808 wrote to memory of 2844	2808	ROSTRA~1.EXE	WerFault.exe
PID 2808 wrote to memory of 2844	2808	ROSTRA~1.EXE	WerFault.exe

C:\Users\Admin\AppData\Local\Temp\rostrap.exe
"C:\Users\Admin\AppData\Local\Temp\rostrap.exe"
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2116

C:\Users\Admin\AppData\Local\Temp\RarSFX0\rostrap_setup.exe
"C:\Users\Admin\AppData\Local\Temp\RarSFX0\rostrap_setup.exe"
2⤵
- Executes dropped EXE
- Loads dropped DLL
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:2644

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\BLOXST~2.EXE
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\BLOXST~2.EXE
3⤵
- Executes dropped EXE
PID:2700

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\ROSTRA~1.EXE
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\ROSTRA~1.EXE
3⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2808

C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -u -p 2808 -s 596
4⤵
- Loads dropped DLL
PID:2844

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

\Users\Admin\AppData\Local\Temp\IXP000.TMP\BLOXST~2.EXE

Filesize
10.1MB

MD5
2c752edef5b0aa0962a3e01c4c82a2fa

SHA1
9c3afd1c63f2b0dbdc2dc487709471222d2cb81e

SHA256
891846bf656253ca1cdd28584a28681e9604e2a03d74cd6b99313e3bff11daf8

SHA512
04d25fe7d40c8c320ffc545a038ad6ea458df6a8a552b0e0393b369a03b9bf273c72f30169bd54e8eb10757c04bdddf3859c601c1eb9e1a12fe4d15658906dfe

Download Submit
\Users\Admin\AppData\Local\Temp\IXP000.TMP\ROSTRA~1.EXE

Filesize
78KB

MD5
c806f00fa32f343f9849c77003bb4cc1

SHA1
4a80c5b110f93d9dbcc85885bbf231de5ac8ace6

SHA256
9ddd3757585f55bea693a536e7ec6c4de0fd46f7df565f9cf6d10e339af2e845

SHA512
bac500e08913263bcabab7622eb7d00443d3d426cee9000edcd7b6089cf6e42be2a6b8f93fa60ef703b5400016febf8fb4c922ff17f2c80024a39450440deeb4

Download Submit
\Users\Admin\AppData\Local\Temp\RarSFX0\rostrap_setup.EXE

Filesize
3.5MB

MD5
be5d8f72e1a5fdddf6f16de1c71e83a9

SHA1
df4c647b0be4ec82e14e6775bdd1418b24263e68

SHA256
18fc1de44a6e2886e845e94acf0df1c25e73276bfae587fedd8221b9544c89ef

SHA512
b7a1cef87df06a463f060f6e8d84ec7317a526580106e049b4d5b699116c155bc358efb926d2393c764a8dc5c5aa4ca78def8deee93e26bcc260709c9f020528

Download Submit
memory/2808-19-0x000007FEF6203000-0x000007FEF6204000-memory.dmp

Filesize
4KB

Download
memory/2808-20-0x000000013FBA0000-0x000000013FBB8000-memory.dmp

Filesize
96KB

Download
memory/2808-25-0x000007FEF6200000-0x000007FEF6BEC000-memory.dmp

Filesize
9.9MB

Download
memory/2808-27-0x000007FEF6200000-0x000007FEF6BEC000-memory.dmp

Filesize
9.9MB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads