discordrat | 09f62ca9ce707a10e1cc29c4e857ae8e38defa05d0f8cc0cad4f84022d6c5b4b

Analysis

max time kernel
94s
max time network
131s
platform
windows10-2004_x64
resource
win10v2004-20240709-en
resource tags

arch:x64arch:x86image:win10v2004-20240709-enlocale:en-usos:windows10-2004-x64system
submitted
15-07-2024 18:45

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

anton‮gpj.exe
Size

452KB
MD5

bad8e03a0e1cfe746fb77f73ec5042ae
SHA1

4f3bc64ed1e39a3c7e9215a4bd35072052e2a831
SHA256

09f62ca9ce707a10e1cc29c4e857ae8e38defa05d0f8cc0cad4f84022d6c5b4b
SHA512

162e101e05314cb67e855f15fbc4650f909e5df0da8dd13cdb2c1c4d0f7aa1200e705d35fd6f9ab3fb3c7d361994835bdb6cf16f1e3415ccceffe87ca2641ba2
SSDEEP

6144:2E9yzJpeQF2ZcbTzHznY8XHyldgaPGr++7+EK/zJDi3RC4AQNMIoYrmLU8YchJtd:PyveQB/fTHIGaPkKEYzURNAwbAg8YchB

Score

10^/10

discordrat persistence rat rootkit stealer

Malware Config

Extracted

Family

discordrat

Attributes

discord_token
MTI2MjQ3NTk0MjgzMjM3Mzc4MA.Gm3A78.SvvnKqIpnEdUSKBmPvoekRlb-Nq9n0i0njcYUY
server_id
1262476292713087037

Signatures

Discord RAT
A RAT written in C# using Discord as a C2.
stealer rootkit rat persistence discordrat

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-1750093773-264148664-1320403265-1000\Control Panel\International\Geo\Nation	anton‮gpj.exe

Executes dropped EXE 1 IoCs

pid	Process
3728	client-built.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs 5 IoCs

Web Service

T1102

flow	ioc
22	discord.com
27	discord.com
29	discord.com
30	discord.com
21	discord.com

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	3728	client-built.exe

Suspicious use of WriteProcessMemory 2 IoCs

description	pid	Process	procid_target
PID 1444 wrote to memory of 3728	1444	anton‮gpj.exe	87
PID 1444 wrote to memory of 3728	1444	anton‮gpj.exe	87

C:\Users\Admin\AppData\Local\Temp\anton‮gpj.exe
"C:\Users\Admin\AppData\Local\Temp\anton‮gpj.exe"
1⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:1444
- C:\Users\Admin\AppData\Local\Temp\RarSFX0\client-built.exe
  "C:\Users\Admin\AppData\Local\Temp\RarSFX0\client-built.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken
  PID:3728

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\RarSFX0\Client-built.exe

Filesize
78KB

MD5
aaa6d8518ecd261b612b93ca39eba34c

SHA1
0ce021ca4d0586c5279cea4c1e10452d3d45038c

SHA256
b2fcabcfa258a6fc509dba4787305e5b995e81f9180297490be1d5196aeb7756

SHA512
2bf2df7055e67bed39f378601fd4de5bf6af2fe4711e3962ecc6f17348e27dcf6152d02b1253bdb89918586aa09e781cd6aadfc66dc3b9a68dc4603bdb986add

Download Submit
memory/3728-16-0x000001B0C7F10000-0x000001B0C7F28000-memory.dmp

Filesize
96KB

Download
memory/3728-18-0x000001B0E2580000-0x000001B0E2742000-memory.dmp

Filesize
1.8MB

Download
memory/3728-17-0x00007FFAAD900000-0x00007FFAADBC9000-memory.dmp

Filesize
2.8MB

Download
memory/3728-19-0x00007FFAAD900000-0x00007FFAADBC9000-memory.dmp

Filesize
2.8MB

Download
memory/3728-20-0x000001B0E2D80000-0x000001B0E32A8000-memory.dmp

Filesize
5.2MB

Download
memory/3728-21-0x00007FFAAD900000-0x00007FFAADBC9000-memory.dmp

Filesize
2.8MB

Download