discordrat | 4c411c00b0aba3f592a7528c2b2fd66198b0a70ae32a253a7d6d490d68e7f6ac

General

Target

Services.exe
Size

163KB
MD5

c9ecd9d8da218f635e1e3eb17b36c5ee
SHA1

6b14cf165fed4c9162a4eafa318b4fb0c36179ae
SHA256

4c411c00b0aba3f592a7528c2b2fd66198b0a70ae32a253a7d6d490d68e7f6ac
SHA512

3d08906cb93b6fde2ba00b857caba32d5dd6d787fbc9356a310b8bc8688620a0c7f2a39114dbd705f736d5721f6ca613d859ccc3b752f780398146801777be5e
SSDEEP

3072:Ie36qVTppS1GzxfExMNtuHBZYyHm836yDlWH7wUoh4V5RuEm9:I+NVTpUkzpEYtuA8qClWUGD

Score

10^/10

discordrat xworm execution persistence rat rootkit stealer trojan

Malware Config

Extracted

Family

discordrat

Attributes

discord_token
MTI0MzQwMTQ3NzkxNDA5OTc0Mg.GWaL1X.yE8UNSG-cUTQGBUsIKtYnV7nQvqnPmErG-61w8
server_id
1265998097473994865

Extracted

Family

xworm

C2

serveo.net:8545

Attributes

Install_directory
%AppData%
install_file
svbhost.exe

Signatures

Detect Xworm Payload 2 IoCs

resource	yara_rule
behavioral2/files/0x0008000000023444-17.dat	family_xworm
behavioral2/memory/756-26-0x0000000000AD0000-0x0000000000AEA000-memory.dmp	family_xworm

Discord RAT
A RAT written in C# using Discord as a C2.
stealer rootkit rat persistence discordrat
Xworm
Xworm is a remote access trojan written in C#.
trojan rat xworm

Command and Scripting Interpreter: PowerShell 1 TTPs 4 IoCs

Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

execution

PowerShell

T1059.001

pid	Process
3772	powershell.exe
932	powershell.exe
2140	powershell.exe
208	powershell.exe

Checks computer location settings 2 TTPs 2 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-2990742725-2267136959-192470804-1000\Control Panel\International\Geo\Nation	Services.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2990742725-2267136959-192470804-1000\Control Panel\International\Geo\Nation	svbhost.exe

Drops startup file 2 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\svbhost.lnk	svbhost.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\svbhost.lnk	svbhost.exe

Executes dropped EXE 11 IoCs

pid	Process
912	LocalSystem.exe
756	svbhost.exe
3676	svbhost.exe
4148	svbhost.exe
4804	svbhost.exe
1240	svbhost.exe
1212	svbhost.exe
4864	svbhost.exe
3768	svbhost.exe
2056	svbhost.exe
5048	svbhost.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-2990742725-2267136959-192470804-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\svbhost = "C:\\Users\\Admin\\AppData\\Roaming\\svbhost.exe"	svbhost.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs 2 IoCs

Web Service

T1102

flow	ioc
14	discord.com
13	discord.com

Looks up external IP address via web service 1 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

flow	ioc
10	ip-api.com

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Scheduled Task/Job: Scheduled Task 1 TTPs 1 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

pid	Process
4372	schtasks.exe

Suspicious behavior: EnumeratesProcesses 8 IoCs

pid	Process
3772	powershell.exe
3772	powershell.exe
932	powershell.exe
932	powershell.exe
2140	powershell.exe
2140	powershell.exe
208	powershell.exe
208	powershell.exe

Suspicious use of AdjustPrivilegeToken 16 IoCs

description	pid	Process
Token: SeDebugPrivilege	756	svbhost.exe
Token: SeDebugPrivilege	912	LocalSystem.exe
Token: SeDebugPrivilege	3772	powershell.exe
Token: SeDebugPrivilege	932	powershell.exe
Token: SeDebugPrivilege	2140	powershell.exe
Token: SeDebugPrivilege	208	powershell.exe
Token: SeDebugPrivilege	756	svbhost.exe
Token: SeDebugPrivilege	3676	svbhost.exe
Token: SeDebugPrivilege	4148	svbhost.exe
Token: SeDebugPrivilege	4804	svbhost.exe
Token: SeDebugPrivilege	1240	svbhost.exe
Token: SeDebugPrivilege	1212	svbhost.exe
Token: SeDebugPrivilege	4864	svbhost.exe
Token: SeDebugPrivilege	3768	svbhost.exe
Token: SeDebugPrivilege	2056	svbhost.exe
Token: SeDebugPrivilege	5048	svbhost.exe

Suspicious use of WriteProcessMemory 14 IoCs

description	pid	Process	procid_target
PID 4724 wrote to memory of 912	4724	Services.exe	85
PID 4724 wrote to memory of 912	4724	Services.exe	85
PID 4724 wrote to memory of 756	4724	Services.exe	86
PID 4724 wrote to memory of 756	4724	Services.exe	86
PID 756 wrote to memory of 3772	756	svbhost.exe	90
PID 756 wrote to memory of 3772	756	svbhost.exe	90
PID 756 wrote to memory of 932	756	svbhost.exe	92
PID 756 wrote to memory of 932	756	svbhost.exe	92
PID 756 wrote to memory of 2140	756	svbhost.exe	94
PID 756 wrote to memory of 2140	756	svbhost.exe	94
PID 756 wrote to memory of 208	756	svbhost.exe	96
PID 756 wrote to memory of 208	756	svbhost.exe	96
PID 756 wrote to memory of 4372	756	svbhost.exe	98
PID 756 wrote to memory of 4372	756	svbhost.exe	98

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\Services.exe
"C:\Users\Admin\AppData\Local\Temp\Services.exe"
1⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:4724
- C:\Users\Admin\AppData\Roaming\LocalSystem.exe
  "C:\Users\Admin\AppData\Roaming\LocalSystem.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken
  PID:912
- C:\Users\Admin\AppData\Roaming\svbhost.exe
  "C:\Users\Admin\AppData\Roaming\svbhost.exe"
  2⤵
  - Checks computer location settings
  - Drops startup file
  - Executes dropped EXE
  - Adds Run key to start application
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:756
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Roaming\svbhost.exe'
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:3772
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'svbhost.exe'
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:932
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Roaming\svbhost.exe'
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:2140
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'svbhost.exe'
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:208
- - C:\Windows\System32\schtasks.exe
    "C:\Windows\System32\schtasks.exe" /create /f /RL HIGHEST /sc minute /mo 1 /tn "svbhost" /tr "C:\Users\Admin\AppData\Roaming\svbhost.exe"
    3⤵
    - Scheduled Task/Job: Scheduled Task
    PID:4372

C:\Users\Admin\AppData\Roaming\svbhost.exe
C:\Users\Admin\AppData\Roaming\svbhost.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:3676

C:\Users\Admin\AppData\Roaming\svbhost.exe
C:\Users\Admin\AppData\Roaming\svbhost.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:4148

C:\Users\Admin\AppData\Roaming\svbhost.exe
C:\Users\Admin\AppData\Roaming\svbhost.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:4804

C:\Users\Admin\AppData\Roaming\svbhost.exe
C:\Users\Admin\AppData\Roaming\svbhost.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:1240

C:\Users\Admin\AppData\Roaming\svbhost.exe
C:\Users\Admin\AppData\Roaming\svbhost.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:1212

C:\Users\Admin\AppData\Roaming\svbhost.exe
C:\Users\Admin\AppData\Roaming\svbhost.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:4864

C:\Users\Admin\AppData\Roaming\svbhost.exe
C:\Users\Admin\AppData\Roaming\svbhost.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:3768

C:\Users\Admin\AppData\Roaming\svbhost.exe
C:\Users\Admin\AppData\Roaming\svbhost.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:2056

C:\Users\Admin\AppData\Roaming\svbhost.exe
C:\Users\Admin\AppData\Roaming\svbhost.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:5048

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

1

T1059

PowerShell

1

T1059.001

Scheduled Task/Job

1

T1053

Scheduled Task

1

T1053.005

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Scheduled Task/Job

1

T1053

Scheduled Task

1

T1053.005

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Scheduled Task/Job

1

T1053

Scheduled Task

1

T1053.005

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Query Registry

2

T1012

System Information Discovery

2

T1082

Lateral Movement

Collection

Command and Control

Web Service

1

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log

Filesize
2KB

MD5
d85ba6ff808d9e5444a4b369f5bc2730

SHA1
31aa9d96590fff6981b315e0b391b575e4c0804a

SHA256
84739c608a73509419748e4e20e6cc4e1846056c3fe1929a8300d5a1a488202f

SHA512
8c414eb55b45212af385accc16d9d562adba2123583ce70d22b91161fe878683845512a78f04dedd4ea98ed9b174dbfa98cf696370598ad8e6fbd1e714f1f249

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\svbhost.exe.log

Filesize
654B

MD5
2ff39f6c7249774be85fd60a8f9a245e

SHA1
684ff36b31aedc1e587c8496c02722c6698c1c4e

SHA256
e1b91642d85d98124a6a31f710e137ab7fd90dec30e74a05ab7fcf3b7887dced

SHA512
1d7e8b92ef4afd463d62cfa7e8b9d1799db5bf2a263d3cd7840df2e0a1323d24eb595b5f8eb615c6cb15f9e3a7b4fc99f8dd6a3d34479222e966ec708998aed1

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
aaaac7c68d2b7997ed502c26fd9f65c2

SHA1
7c5a3731300d672bf53c43e2f9e951c745f7fbdf

SHA256
8724dc2c3c8e8f17aeefae44a23741b1ea3b43c490fbc52fd61575ffe1cd82bb

SHA512
c526febd9430413b48bed976edd9a795793ad1f06c8ff4f6b768b4ad63f4d2f06b9da72d4fcfa7cb9530a64e2dc3554f5ad97fd0ab60129701d175f2724ef1ac

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
120c6c9af4de2accfcff2ed8c3aab1af

SHA1
504f64ae4ac9c4fe308a6a50be24fe464f3dad95

SHA256
461315e4057c3fa4d0031df3f7e6511914f082698b6c41f5c2ada831ceffb222

SHA512
041712168718dff702da8203b4089b2e57db98ce503b8ecf36809dec0cd7a595a0d427caa960bc1bd29cbedc85ad3262773f2077a476b85aca387d48f7b07ba2

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
7e6fb773ca334f5d3ec171e50780b590

SHA1
8c6b533415de54e4b71282f94a3ac40bdb0ce166

SHA256
997512026c7564ea7cea6451277db3b8e70699faae8e6b06a022448f80e8cd0f

SHA512
7e1340bd1ad2574ca34d4f0d92a80d93b31b9e70146911490188c36b4a3b2d7305f05e059fa7571b0b9fb5ed6ec5d98f4ab9532454048ec3fec387654977cc3d

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_5u25r4vo.qhx.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Admin\AppData\Roaming\LocalSystem.exe

Filesize
78KB

MD5
b6765909918ec4af8352f71968a00b18

SHA1
2f522c3d40a8b1c92acc6ec7925a899edc033ec3

SHA256
2fe459a85bdb8417d41200d611c4e85c838dd8215495d21815da2c8d53bf30a4

SHA512
487133b0e085d3d43b4fdda17ebd4a7a58ebf4dd3c4eb0a90b6e0d274cfc6d50357b9a865727c9d68bae9eb27212a87ffa87a3834b76b6594eb558fc720501f4

Download Submit
C:\Users\Admin\AppData\Roaming\svbhost.exe

Filesize
75KB

MD5
7b9e7b25acb76ccdd31184a35521ca30

SHA1
4e4201a3de53645e8c2a5d563a9745a48e08e662

SHA256
4ac2e41ebb4502f4196cf5fe03a3c0189f438dbc9088c665078895853831a709

SHA512
26c05d17e2b604dbcc438d9ce013aec330707c7fa55f1b7ac545991d43dec8d28efe43b5332703b36e2750b9e52075cf8577af2c09aec89511f643a880486361

Download Submit
memory/756-26-0x0000000000AD0000-0x0000000000AEA000-memory.dmp

Filesize
104KB

Download
memory/756-29-0x00007FFAA4880000-0x00007FFAA5341000-memory.dmp

Filesize
10.8MB

Download
memory/756-31-0x00007FFAA4880000-0x00007FFAA5341000-memory.dmp

Filesize
10.8MB

Download
memory/756-83-0x00007FFAA4880000-0x00007FFAA5341000-memory.dmp

Filesize
10.8MB

Download
memory/756-81-0x00007FFAA4880000-0x00007FFAA5341000-memory.dmp

Filesize
10.8MB

Download
memory/912-80-0x00007FFAA4880000-0x00007FFAA5341000-memory.dmp

Filesize
10.8MB

Download
memory/912-28-0x00007FFAA4880000-0x00007FFAA5341000-memory.dmp

Filesize
10.8MB

Download
memory/912-27-0x0000028A55AE0000-0x0000028A55CA2000-memory.dmp

Filesize
1.8MB

Download
memory/912-24-0x0000028A3B540000-0x0000028A3B558000-memory.dmp

Filesize
96KB

Download
memory/912-30-0x00007FFAA4880000-0x00007FFAA5341000-memory.dmp

Filesize
10.8MB

Download
memory/912-82-0x00007FFAA4880000-0x00007FFAA5341000-memory.dmp

Filesize
10.8MB

Download
memory/912-32-0x0000028A563C0000-0x0000028A568E8000-memory.dmp

Filesize
5.2MB

Download
memory/3772-33-0x000001DD62E20000-0x000001DD62E42000-memory.dmp

Filesize
136KB

Download
memory/4724-0-0x00007FFAA4883000-0x00007FFAA4885000-memory.dmp

Filesize
8KB

Download
memory/4724-1-0x00000000008D0000-0x0000000000900000-memory.dmp

Filesize
192KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads