discordrat | 1632d6243bbdace63217bad0951f5cf94eb1b3d11692f5a681f9476248015a8d

Analysis

max time kernel
140s
max time network
138s
platform
windows10-1703_x64
resource
win10-20240404-en
resource tags

arch:x64arch:x86image:win10-20240404-enlocale:en-usos:windows10-1703-x64system
submitted
16-07-2024 13:02

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

YaliMod.exe
Size

503KB
MD5

410fa0138a1dbe162066d3c05f8b7ca3
SHA1

53101738d627e81f95c4c4cf81c6563a307f0226
SHA256

1632d6243bbdace63217bad0951f5cf94eb1b3d11692f5a681f9476248015a8d
SHA512

266bd556ffa3af20e11654cabb1f19d2e6ca0227afb87ef63d2dbe01389a7f3f80b847281229680dc7b44bfa31c691789bcf95ee5b73c31a7f6faadff37d8303
SSDEEP

6144:M9j76xnImFZ1MmF8QTU/urSi38VoXM0qVoXM0n57XGY7wPQRC5uAiIOWO+oYKBIf:0jOtvHMm5xf8VomVoDkYU4RPAKP8J3P

Score

10^/10

discordrat persistence rat rootkit stealer

Malware Config

Extracted

Family

discordrat

Attributes

discord_token
MTI2MDk4NjU1ODQ4ODUxMDUyNQ.GhjU6O.gLCO4YDx_19-HQrbsTjHi1sZ2USHaMsZ0UaAr4
server_id
1260985342689939576

Signatures

Discord RAT
A RAT written in C# using Discord as a C2.
stealer rootkit rat persistence discordrat

Executes dropped EXE 1 IoCs

pid	Process
4236	YaliModlibDFC.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs 7 IoCs

Web Service

T1102

flow	ioc
14	discord.com
15	discord.com
4	discord.com
5	discord.com
8	discord.com
11	discord.com
12	discord.com

Drops file in Program Files directory 6 IoCs

description	ioc	Process
File opened for modification	C:\Program Files (x86)\YaliMod\dssdf.bat	YaliMod.exe
File opened for modification	C:\Program Files (x86)\YaliMod	YaliMod.exe
File created	C:\Program Files (x86)\YaliMod\__tmp_rar_sfx_access_check_240611500	YaliMod.exe
File created	C:\Program Files (x86)\YaliMod\YaliModlibDFC.exe	YaliMod.exe
File opened for modification	C:\Program Files (x86)\YaliMod\YaliModlibDFC.exe	YaliMod.exe
File created	C:\Program Files (x86)\YaliMod\dssdf.bat	YaliMod.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Delays execution with timeout.exe 1 IoCs

evasion

pid	Process
1424	timeout.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	4236	YaliModlibDFC.exe

Suspicious use of WriteProcessMemory 8 IoCs

description	pid	Process	procid_target
PID 5036 wrote to memory of 4236	5036	YaliMod.exe	72
PID 5036 wrote to memory of 4236	5036	YaliMod.exe	72
PID 5036 wrote to memory of 796	5036	YaliMod.exe	74
PID 5036 wrote to memory of 796	5036	YaliMod.exe	74
PID 5036 wrote to memory of 796	5036	YaliMod.exe	74
PID 796 wrote to memory of 1424	796	cmd.exe	76
PID 796 wrote to memory of 1424	796	cmd.exe	76
PID 796 wrote to memory of 1424	796	cmd.exe	76

C:\Users\Admin\AppData\Local\Temp\YaliMod.exe
"C:\Users\Admin\AppData\Local\Temp\YaliMod.exe"
1⤵
- Drops file in Program Files directory
- Suspicious use of WriteProcessMemory
PID:5036
- C:\Program Files (x86)\YaliMod\YaliModlibDFC.exe
  "C:\Program Files (x86)\YaliMod\YaliModlibDFC.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken
  PID:4236
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Program Files (x86)\YaliMod\dssdf.bat" "
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:796
- - C:\Windows\SysWOW64\timeout.exe
    timeout /t 3 /nobreak
    3⤵
    - Delays execution with timeout.exe
    PID:1424

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\YaliMod\YaliModlibDFC.exe

Filesize
78KB

MD5
c4deffb9e57e61387adb0efb6cc983cc

SHA1
a91f213a57ce52ffa73ffad101aa320e8c66b239

SHA256
24c40e456615ffaa57d5166d8afdb3261c82108c0deac098e62de4c03d120aff

SHA512
3097553057c053dc55892ad26990f51738733ca91fabe3d57db0590491e5f1c34b7871cbbc729eb5a85e0f4e25bf4720b80770d5a6d2a10320ec2b0fe20b25e3

Download Submit
C:\Program Files (x86)\YaliMod\dssdf.bat

Filesize
1KB

MD5
d24aa29426c2cfa8ee6fc40eea509dfb

SHA1
a3192cedd051842f97d55e8ff9a7d456c2295b81

SHA256
91e2614a701394019c5e49fe6b38907839535b88b0f6f8c17bbc4c75b2e5e5a0

SHA512
b1b16efe69b80da5270fead6e50f08e4f0cf992b26efa9b33ffddc246d9a127413d89d418a5ef008ae178f90ff5362964cac5fe1a0b5fcb7c4ddbfd45f2a1c97

Download Submit
memory/4236-13-0x00007FFDC0CF3000-0x00007FFDC0CF4000-memory.dmp

Filesize
4KB

Download
memory/4236-12-0x0000016B79080000-0x0000016B79098000-memory.dmp

Filesize
96KB

Download
memory/4236-14-0x0000016B7B7A0000-0x0000016B7B962000-memory.dmp

Filesize
1.8MB

Download
memory/4236-16-0x00007FFDC0CF0000-0x00007FFDC16DC000-memory.dmp

Filesize
9.9MB

Download
memory/4236-17-0x0000016B7BFA0000-0x0000016B7C4C6000-memory.dmp

Filesize
5.1MB

Download
memory/4236-18-0x00007FFDC0CF3000-0x00007FFDC0CF4000-memory.dmp

Filesize
4KB

Download
memory/4236-19-0x00007FFDC0CF0000-0x00007FFDC16DC000-memory.dmp

Filesize
9.9MB

Download