discordrat | 4c411c00b0aba3f592a7528c2b2fd66198b0a70ae32a253a7d6d490d68e7f6ac | Triage

Sharing

General

Target

Services.exe
Size

163KB
Sample

240727-yhgakaybra
MD5

c9ecd9d8da218f635e1e3eb17b36c5ee
SHA1

6b14cf165fed4c9162a4eafa318b4fb0c36179ae
SHA256

4c411c00b0aba3f592a7528c2b2fd66198b0a70ae32a253a7d6d490d68e7f6ac
SHA512

3d08906cb93b6fde2ba00b857caba32d5dd6d787fbc9356a310b8bc8688620a0c7f2a39114dbd705f736d5721f6ca613d859ccc3b752f780398146801777be5e
SSDEEP

3072:Ie36qVTppS1GzxfExMNtuHBZYyHm836yDlWH7wUoh4V5RuEm9:I+NVTpUkzpEYtuA8qClWUGD

Score

10^/10

discordrat xworm execution persistence rat rootkit stealer trojan

Malware Config

Extracted

Family

discordrat

Attributes

discord_token
MTI0MzQwMTQ3NzkxNDA5OTc0Mg.GWaL1X.yE8UNSG-cUTQGBUsIKtYnV7nQvqnPmErG-61w8
server_id
1265998097473994865

Extracted

Family

xworm

C2

serveo.net:8545

Attributes

Install_directory
%AppData%
install_file
svbhost.exe

Targets

- Target
  
  Services.exe
- Size
  
  163KB
- MD5
  
  c9ecd9d8da218f635e1e3eb17b36c5ee
- SHA1
  
  6b14cf165fed4c9162a4eafa318b4fb0c36179ae
- SHA256
  
  4c411c00b0aba3f592a7528c2b2fd66198b0a70ae32a253a7d6d490d68e7f6ac
- SHA512
  
  3d08906cb93b6fde2ba00b857caba32d5dd6d787fbc9356a310b8bc8688620a0c7f2a39114dbd705f736d5721f6ca613d859ccc3b752f780398146801777be5e
- SSDEEP
  
  3072:Ie36qVTppS1GzxfExMNtuHBZYyHm836yDlWH7wUoh4V5RuEm9:I+NVTpUkzpEYtuA8qClWUGD
Score

10^/10

discordrat xworm execution persistence rat rootkit stealer trojan
- Detect Xworm Payload
- Discord RAT
  A RAT written in C# using Discord as a C2.
  stealer rootkit rat persistence discordrat
- Xworm
  Xworm is a remote access trojan written in C#.
  trojan rat xworm
- Command and Scripting Interpreter: PowerShell
  Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.
  execution
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Drops startup file
- Executes dropped EXE
- Loads dropped DLL
- Adds Run key to start application
  persistence
- Legitimate hosting services abused for malware hosting/C2
- Looks up external IP address via web service
  Uses a legitimate IP lookup service to find the infected system's external IP.
behavioral1 behavioral2

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

PowerShell

Scheduled Task/Job

Scheduled Task

Persistence

Boot or Logon Autostart Execution

Registry Run Keys / Startup Folder

Scheduled Task/Job

Scheduled Task

Privilege Escalation

Boot or Logon Autostart Execution

Registry Run Keys / Startup Folder

Scheduled Task/Job

Scheduled Task

Defense Evasion

Modify Registry

Credential Access

Discovery

Query Registry

System Information Discovery

Lateral Movement

Collection

Command and Control

Web Service

Exfiltration

Impact

Tasks

static1

behavioral1

discordratxwormexecutionpersistenceratrootkitstealertrojan

behavioral2

discordratxwormexecutionpersistenceratrootkitstealertrojan