discordrat | a0bcb2876aec1eb2173e2f49c3cc1548ce04f38a593ed04d24ff0e3045c0faf6

General

Target

Client-built.exe
Size

78KB
MD5

871ec39c515d1e6f6594696404868c50
SHA1

b93d20a7e926b1396be5ba887ae72cdc28cdc101
SHA256

37f79ef934775e7dbcd006be8c438435ffdd059ef4674cee8b988835f5ad2ae9
SHA512

bec7154db76b64ec6ef02164e6959664299ed54fa85d74d7a010d21f2e43e9bcf3b16f9c9fea4c8798325e5e0978d66803014e64342ffbac0cbc2745f7e399ea
SSDEEP

1536:52WjO8XeEXFh5P7v88wbjNrfxCXhRoKV6+V+M/PIC:5Zv5PDwbjNrmAE+MIC

Score

10^/10

discordrat persistence rat rootkit stealer

Malware Config

Extracted

Family

discordrat

Attributes

discord_token
MTI4MTE5OTI3Mzg3NDI5Njg2Mg.Go_Acr.HUIHPEQaWjoIWxj4Geox9QLBiEggb5zNfnhqSk
server_id
1276135122353131575

Signatures

Discord RAT
A RAT written in C# using Discord as a C2.
stealer rootkit rat persistence discordrat

Checks processor information in registry 2 TTPs 3 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0	EXCEL.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	EXCEL.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	EXCEL.EXE

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\BIOS	EXCEL.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily	EXCEL.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU	EXCEL.EXE

Suspicious behavior: AddClipboardFormatListener 1 IoCs

pid	Process
3784	EXCEL.EXE

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	2552	Client-built.exe

Suspicious use of SetWindowsHookEx 12 IoCs

pid	Process
3784	EXCEL.EXE
3784	EXCEL.EXE
3784	EXCEL.EXE
3784	EXCEL.EXE
3784	EXCEL.EXE
3784	EXCEL.EXE
3784	EXCEL.EXE
3784	EXCEL.EXE
3784	EXCEL.EXE
3784	EXCEL.EXE
3784	EXCEL.EXE
3784	EXCEL.EXE

C:\Users\Admin\AppData\Local\Temp\Client-built.exe
"C:\Users\Admin\AppData\Local\Temp\Client-built.exe"
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:2552

C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE
"C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE" "C:\Users\Admin\Desktop\StartConnect.xlsx"
1⤵
- Checks processor information in registry
- Enumerates system info in registry
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of SetWindowsHookEx
PID:3784

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

2

T1012

System Information Discovery

2

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\Microsoft\Office\Recent\index.dat

Filesize
359B

MD5
0634d72a9ac8bca360bac96972bcae07

SHA1
76cc2d5a20491fb9d0446421600659247838c258

SHA256
f655a088793468499edb1d2f7c416b3d78cf98ff96e539075498ddf004ddef5d

SHA512
203c3acd6029899059b97858c297feb25e763102c2a8d5cfa8fe3582a83b09e6424c6c7906bda6f99dd463e5a3709300edfa1066c79c2de3a27b9b2ccbc8ef84

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\b8ab77100df80ab2.customDestinations-ms

Filesize
1KB

MD5
ed5d2c826ababe5fb0f946470b3b41a1

SHA1
e975d54f6f28a2f206cb36d6d45b271a3bbfef0c

SHA256
8d6150c02c75eb732a28ee801fb7cb9142f2e28833de35eb0f085b18d09d938d

SHA512
2e79d366fff9b5ce92e1effea2319801bed35359a878d589e3c7e57989b3503fbd0a12b76789659395150b795c2983423391826e8fd01e97ca8496bfa78937aa

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\b8ab77100df80ab2.customDestinations-ms

Filesize
1KB

MD5
14f544fef6e9f94d91183638cd8b5947

SHA1
cbe608398f4ab74f119e167edc6a3929858dd4f9

SHA256
7297cd3850d8d8bd4e08d370c491c16dd07c96ee0bc775ff4a3bdda4e6173206

SHA512
0e543a1d9ce724d17f887e1c60327b7f3f283650bbea9e7bcf32e1ab4c34a5f5b9def1310915bc8ba6fb7991822e3434c6359b3190e42e00bcac9fc845b1f2c7

Download Submit
memory/2552-0-0x00007FFA34AB3000-0x00007FFA34AB5000-memory.dmp

Filesize
8KB

Download
memory/2552-1-0x0000029191840000-0x0000029191858000-memory.dmp

Filesize
96KB

Download
memory/2552-2-0x00000291ABFD0000-0x00000291AC192000-memory.dmp

Filesize
1.8MB

Download
memory/2552-3-0x00007FFA34AB0000-0x00007FFA35572000-memory.dmp

Filesize
10.8MB

Download
memory/2552-4-0x00000291AD250000-0x00000291AD778000-memory.dmp

Filesize
5.2MB

Download
memory/2552-5-0x00007FFA34AB3000-0x00007FFA34AB5000-memory.dmp

Filesize
8KB

Download
memory/2552-6-0x00007FFA34AB0000-0x00007FFA35572000-memory.dmp

Filesize
10.8MB

Download
memory/3784-21-0x00007FFA55900000-0x00007FFA55B09000-memory.dmp

Filesize
2.0MB

Download
memory/3784-23-0x00007FFA55900000-0x00007FFA55B09000-memory.dmp

Filesize
2.0MB

Download
memory/3784-13-0x00007FFA55900000-0x00007FFA55B09000-memory.dmp

Filesize
2.0MB

Download
memory/3784-14-0x00007FFA15990000-0x00007FFA159A0000-memory.dmp

Filesize
64KB

Download
memory/3784-17-0x00007FFA55900000-0x00007FFA55B09000-memory.dmp

Filesize
2.0MB

Download
memory/3784-16-0x00007FFA55900000-0x00007FFA55B09000-memory.dmp

Filesize
2.0MB

Download
memory/3784-15-0x00007FFA55900000-0x00007FFA55B09000-memory.dmp

Filesize
2.0MB

Download
memory/3784-18-0x00007FFA55900000-0x00007FFA55B09000-memory.dmp

Filesize
2.0MB

Download
memory/3784-11-0x00007FFA15990000-0x00007FFA159A0000-memory.dmp

Filesize
64KB

Download
memory/3784-20-0x00007FFA55900000-0x00007FFA55B09000-memory.dmp

Filesize
2.0MB

Download
memory/3784-19-0x00007FFA55900000-0x00007FFA55B09000-memory.dmp

Filesize
2.0MB

Download
memory/3784-12-0x00007FFA55900000-0x00007FFA55B09000-memory.dmp

Filesize
2.0MB

Download
memory/3784-22-0x00007FFA130C0000-0x00007FFA130D0000-memory.dmp

Filesize
64KB

Download
memory/3784-9-0x00007FFA15990000-0x00007FFA159A0000-memory.dmp

Filesize
64KB

Download
memory/3784-24-0x00007FFA55900000-0x00007FFA55B09000-memory.dmp

Filesize
2.0MB

Download
memory/3784-28-0x00007FFA55900000-0x00007FFA55B09000-memory.dmp

Filesize
2.0MB

Download
memory/3784-30-0x00007FFA55900000-0x00007FFA55B09000-memory.dmp

Filesize
2.0MB

Download
memory/3784-29-0x00007FFA55900000-0x00007FFA55B09000-memory.dmp

Filesize
2.0MB

Download
memory/3784-27-0x00007FFA55900000-0x00007FFA55B09000-memory.dmp

Filesize
2.0MB

Download
memory/3784-26-0x00007FFA130C0000-0x00007FFA130D0000-memory.dmp

Filesize
64KB

Download
memory/3784-25-0x00007FFA55900000-0x00007FFA55B09000-memory.dmp

Filesize
2.0MB

Download
memory/3784-10-0x00007FFA559A3000-0x00007FFA559A4000-memory.dmp

Filesize
4KB

Download
memory/3784-45-0x00007FFA55900000-0x00007FFA55B09000-memory.dmp

Filesize
2.0MB

Download
memory/3784-46-0x00007FFA55900000-0x00007FFA55B09000-memory.dmp

Filesize
2.0MB

Download
memory/3784-47-0x00007FFA55900000-0x00007FFA55B09000-memory.dmp

Filesize
2.0MB

Download
memory/3784-8-0x00007FFA15990000-0x00007FFA159A0000-memory.dmp

Filesize
64KB

Download
memory/3784-7-0x00007FFA15990000-0x00007FFA159A0000-memory.dmp

Filesize
64KB

Download

Resubmissions

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads