discordrat | 6e97a3afc6580f3ca0f17a61ee98350d3d3be791bd4c9c3428926e3f40e199be

General

Target

rostrap.exe
Size

3.8MB
MD5

3da3fa7ef74e6912844e3b7eea44c475
SHA1

b8078c6b01a37c6b3bce3bd93eb11b8d5b88d37e
SHA256

6e97a3afc6580f3ca0f17a61ee98350d3d3be791bd4c9c3428926e3f40e199be
SHA512

a64cc30dd4f1c44f630bd91ffa6426ddc9af94fc85d40c7c30ec1869748b828362be4efadb6e54fc21f739217d1d587c24d37225f72a0dc4ed09a4a296e99136
SSDEEP

98304:O3GM47lTHdcFcNQBUb4vzWsyQj0jvDeug4WGR/JvY3csQ:O3GTp9ZyS8asyQjaLeugYR/JicsQ

Score

10^/10

discordrat persistence rat rootkit stealer

Malware Config

Extracted

Family

discordrat

Attributes

discord_token
MTI2MTcwMjM0NDQ4ODUyMTgwOQ.GyJxES.iPPznz14IbFotKTZ3KViTwuS9T3PzEb13fnomo
server_id
1261715255004762132

Signatures

Discord RAT
A RAT written in C# using Discord as a C2.
stealer rootkit rat persistence discordrat

Executes dropped EXE 4 IoCs

pid	Process
2644	rostrap_setup.exe
2700	BLOXST~2.EXE
1348	Process not Found
2808	ROSTRA~1.EXE

Loads dropped DLL 8 IoCs

pid	Process
2116	rostrap.exe
2644	rostrap_setup.exe
2644	rostrap_setup.exe
2844	WerFault.exe
2844	WerFault.exe
2844	WerFault.exe
2844	WerFault.exe
2844	WerFault.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	rostrap_setup.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious use of WriteProcessMemory 12 IoCs

description	pid	Process	procid_target
PID 2116 wrote to memory of 2644	2116	rostrap.exe	30
PID 2116 wrote to memory of 2644	2116	rostrap.exe	30
PID 2116 wrote to memory of 2644	2116	rostrap.exe	30
PID 2644 wrote to memory of 2700	2644	rostrap_setup.exe	31
PID 2644 wrote to memory of 2700	2644	rostrap_setup.exe	31
PID 2644 wrote to memory of 2700	2644	rostrap_setup.exe	31
PID 2644 wrote to memory of 2808	2644	rostrap_setup.exe	32
PID 2644 wrote to memory of 2808	2644	rostrap_setup.exe	32
PID 2644 wrote to memory of 2808	2644	rostrap_setup.exe	32
PID 2808 wrote to memory of 2844	2808	ROSTRA~1.EXE	33
PID 2808 wrote to memory of 2844	2808	ROSTRA~1.EXE	33
PID 2808 wrote to memory of 2844	2808	ROSTRA~1.EXE	33

C:\Users\Admin\AppData\Local\Temp\rostrap.exe
"C:\Users\Admin\AppData\Local\Temp\rostrap.exe"
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2116
- C:\Users\Admin\AppData\Local\Temp\RarSFX0\rostrap_setup.exe
  "C:\Users\Admin\AppData\Local\Temp\RarSFX0\rostrap_setup.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Adds Run key to start application
  - Suspicious use of WriteProcessMemory
  PID:2644
- - C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\BLOXST~2.EXE
    C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\BLOXST~2.EXE
    3⤵
    - Executes dropped EXE
    PID:2700
- - C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\ROSTRA~1.EXE
    C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\ROSTRA~1.EXE
    3⤵
    - Executes dropped EXE
    - Suspicious use of WriteProcessMemory
    PID:2808
  - - C:\Windows\system32\WerFault.exe
      C:\Windows\system32\WerFault.exe -u -p 2808 -s 596
      4⤵
      Loads dropped DLL
      PID:2844

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

\Users\Admin\AppData\Local\Temp\IXP000.TMP\BLOXST~2.EXE

Filesize
10.1MB

MD5
2c752edef5b0aa0962a3e01c4c82a2fa

SHA1
9c3afd1c63f2b0dbdc2dc487709471222d2cb81e

SHA256
891846bf656253ca1cdd28584a28681e9604e2a03d74cd6b99313e3bff11daf8

SHA512
04d25fe7d40c8c320ffc545a038ad6ea458df6a8a552b0e0393b369a03b9bf273c72f30169bd54e8eb10757c04bdddf3859c601c1eb9e1a12fe4d15658906dfe

Download Submit
\Users\Admin\AppData\Local\Temp\IXP000.TMP\ROSTRA~1.EXE

Filesize
78KB

MD5
c806f00fa32f343f9849c77003bb4cc1

SHA1
4a80c5b110f93d9dbcc85885bbf231de5ac8ace6

SHA256
9ddd3757585f55bea693a536e7ec6c4de0fd46f7df565f9cf6d10e339af2e845

SHA512
bac500e08913263bcabab7622eb7d00443d3d426cee9000edcd7b6089cf6e42be2a6b8f93fa60ef703b5400016febf8fb4c922ff17f2c80024a39450440deeb4

Download Submit
\Users\Admin\AppData\Local\Temp\RarSFX0\rostrap_setup.EXE

Filesize
3.5MB

MD5
be5d8f72e1a5fdddf6f16de1c71e83a9

SHA1
df4c647b0be4ec82e14e6775bdd1418b24263e68

SHA256
18fc1de44a6e2886e845e94acf0df1c25e73276bfae587fedd8221b9544c89ef

SHA512
b7a1cef87df06a463f060f6e8d84ec7317a526580106e049b4d5b699116c155bc358efb926d2393c764a8dc5c5aa4ca78def8deee93e26bcc260709c9f020528

Download Submit
memory/2808-19-0x000007FEF6203000-0x000007FEF6204000-memory.dmp

Filesize
4KB

Download
memory/2808-20-0x000000013FBA0000-0x000000013FBB8000-memory.dmp

Filesize
96KB

Download
memory/2808-25-0x000007FEF6200000-0x000007FEF6BEC000-memory.dmp

Filesize
9.9MB

Download
memory/2808-27-0x000007FEF6200000-0x000007FEF6BEC000-memory.dmp

Filesize
9.9MB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads