Malware Analysis Report

2024-11-16 13:03

Sample ID 240910-3d24pazflp
Target release.zip
SHA256 c13a0cd7c2c2fd577703bff026b72ed81b51266afa047328c8ff1c4a4d965c97
Tags
discordrat persistence rat rootkit stealer discovery
Score
10/10

Table of Contents

Analysis Overview
MITRE ATT&CK
    Enterprise Matrix V15
Analysis: static1
    Detonation Overview
    Signatures
Analysis: behavioral3
    Detonation Overview
    Command Line
    Signatures
    Processes
    Network
    Files
Analysis: behavioral1
    Detonation Overview
    Command Line
    Signatures
    Processes
    Network
    Files
Analysis: behavioral2
    Detonation Overview
    Command Line
    Signatures
    Processes
    Network
    Files

Analysis Overview

Score
10/10

SHA256

c13a0cd7c2c2fd577703bff026b72ed81b51266afa047328c8ff1c4a4d965c97

Threat Level: Known bad

The file release.zip was found to be: Known bad.

Malicious Activity Summary

discordrat persistence rat rootkit stealer discovery

Discord RAT

Discordrat family

System Location Discovery: System Language Discovery

Unsigned PE

Suspicious use of AdjustPrivilegeToken

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-09-10 23:24

Signatures

Discordrat family

discordrat

Unsigned PE

Description   Indicator   Process   Target
N/A           N/A         N/A       N/A
N/A           N/A         N/A       N/A
N/A           N/A         N/A       N/A

Analysis: behavioral3

Detonation Overview

Submitted

2024-09-10 23:24

Reported

2024-09-10 23:27

Platform

win10-20240404-en

Max time kernel

148s

Max time network

151s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\dnlib.dll,#1

Signatures

N/A

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\dnlib.dll,#1

Network

Files

N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-09-10 23:24

Reported

2024-09-10 23:27

Platform

win10-20240404-en

Max time kernel

107s

Max time network

54s

Command Line

"C:\Users\Admin\AppData\Local\Temp\Release\Discord rat.exe"

Signatures

Discord RAT

stealer rootkit rat persistence discordrat

Suspicious use of AdjustPrivilegeToken

Description              Indicator   Process                                                     Target
Token: SeDebugPrivilege  N/A         C:\Users\Admin\AppData\Local\Temp\Release\Discord rat.exe   N/A

Processes

C:\Users\Admin\AppData\Local\Temp\Release\Discord rat.exe

"C:\Users\Admin\AppData\Local\Temp\Release\Discord rat.exe"

C:\Windows\System32\rundll32.exe

C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding

Network

Country   Destination   Domain               Proto
US        8.8.8.8:53    gateway.discord.gg   udp

Files

memory/4472-0-0x00007FFC74E63000-0x00007FFC74E64000-memory.dmp

memory/4472-1-0x000001FD7DC30000-0x000001FD7DC48000-memory.dmp

memory/4472-2-0x000001FD18A90000-0x000001FD18C52000-memory.dmp

memory/4472-3-0x00007FFC74E60000-0x00007FFC7584C000-memory.dmp

memory/4472-4-0x00007FFC74E60000-0x00007FFC7584C000-memory.dmp

memory/4472-5-0x00007FFC74E60000-0x00007FFC7584C000-memory.dmp

C:\vcredist2010_x86.log-MSI_vc_red.msi.txt

MD5 fe01bf0f4915989b05a0ec8202468dd6
SHA1 2200b920702b62c77e7b85fe7140e7783f12f61f
SHA256 c25c9c5f679c128d00d8f30fd980a8210ebf85a0ed793d4c0b27075afa937e91
SHA512 a85d49ee1346408ab0dc7bfd04661dfd10db800106197963e391dd79b9087e5aa2116b3754a79e5516e5c079b3241e768f320b9ed910e6b95aa76f112c9ad740

C:\vcredist2012_x64_0_vcRuntimeMinimum_x64.log

MD5 c4f61c6c6b3a1e3a7c49e60879dfd7db
SHA1 c2ad0ff8ba65e0687a44fc3bdfdd8acb7b706aff
SHA256 cddb55cbd4e020265289d22de8178ca2c6e255b6de3245a69462860d638574db
SHA512 0ffbd3a9606671368c6e299f51427d7aa1aca832c077481991d9cf128f2fd7912a683edbba594e842703d8c1e1d8b713c63957062ab0960623326272da63a451

C:\vcredist2012_x64_1_vcRuntimeAdditional_x64.log

MD5 726c7eb21f1ab8c673155b0dd2dbf430
SHA1 05cccc3cd6e6dad0c39047f133cb74897ccfced2
SHA256 a1537d8eb5380375836c3da7c3c3cb1b258c64bf45d2eed4b60be7b9902ecd7f
SHA512 063f9eeb7b0da6ffb92fd85ee52791c241bb87ff9fcc3a8e518c2f2ef9fed2b11a28ce9121fbbc510a6aa7f4f9c0764ae45be40e59da5f90ebfe0c038240ba8c

C:\vcredist2012_x86_0_vcRuntimeMinimum_x86.log

MD5 2146832e7586e02d844e9c73363e6f26
SHA1 60ad831c9a2c57a5f9983594a5951f0d634bb0ad
SHA256 bb1dd0691f230be09d42caafbb0a26682a2b32cd484ee1f5f5b02afbbccf779c
SHA512 b6a2de026b0a5fbb011f158d6190bc4ed598a26b79f01ea0e449aff3de05aff369a9c403387572368f1cc768b7e5b02177cff903f2996d0de49a008e27c4969b

C:\vcredist2012_x86_1_vcRuntimeAdditional_x86.log

MD5 9c3de548d8241bbe9de108c3abde9e41
SHA1 9f5fced8af54b51dfa63fda3cc5890348dcd3e18
SHA256 ee6345de48b6828a76d15ce8e8bcfd3e9038dd10ebff9b2d09207abb05b2f876
SHA512 df4b42217ffe71e3e486609022c17ee16bd7bc1e26eb7fa3fde95aa1a78920fe0cbfd8751791836d7805b47cb6d675869c77d9e5e7eb5223d4e5e31d428a8740

C:\vcredist2013_x64_000_vcRuntimeMinimum_x64.log

MD5 571b18afce29f72f7495a865793ec59f
SHA1 12edc0ac72e0924b9971ddc0dbf3bf8c0f7cefe5
SHA256 e501d664c46545dcd8b8182fa902ad5b2ad24dbbaea757d73b7bbdeafe899dbc
SHA512 28b1365f7181f886c6ba6099ca1c2297189c143c9adc5fe0bee3afa16f0dcc191cf8fc54cfdc4b59a79f1fd908208b30ad9d1d753f0df7ed0924914e3c271dcf

C:\vcredist2013_x64_001_vcRuntimeAdditional_x64.log

MD5 852455b795c8fccc3982f5f50697bec2
SHA1 6e3bf2d624660e5982158d281c9d0d2503c1eeb5
SHA256 103300e9b370b4e6efbbdc86e102f6b1c4cf0674ccd5a47b1acb29d584e6c12b
SHA512 c54c9c106d98304c4f7475952776d6e54c1828c9141940276906c4fcab49a0e8b7a56cd240f5e63b6793e6678e0d715f617b4ca5dcdefa59560768fb08a63cdb

C:\vcredist2013_x86_001_vcRuntimeAdditional_x86.log

MD5 761e1a3225ae0904e4f81f0636345af4
SHA1 1d89a2cd0bbb681fde97c6c48d948dcf502ae01e
SHA256 bcb558b00f09d5c7fc5f236b3c65407a67893bf08e6017841c514ad55967d59c
SHA512 2dae9882c47070455cd91073625a73b0080b35a647c618b576c96bc6570089f2000cac9c7d1ec8f3c27dabc7a1afaab255a9e039701481ce2aee3d5b65ec4856

C:\vcredist2013_x86_000_vcRuntimeMinimum_x86.log

MD5 5dab99d548d20c94871e85606c6e8aca
SHA1 472f1b09921d5e0596d88a8dceec246a1dc067a3
SHA256 a5710d5dd5804d9aa0012f8317bec7803e4ecf2fe7dd111f05d65f1d170f0e64
SHA512 160261b7ee07ff35f2d4090b6146fd489975087224e413e7d84aa1fbbd50372b2647b16c849501b0ef5df01a81425d508b0123d38a34aca7398c3ab2772aaeaf

C:\vcredist2022_x64_000_vcRuntimeMinimum_x64.log

MD5 b392bd74c25d9d08a28d05eed590bd9d
SHA1 2973c73ef9c67e638066f31dd83f8466673ee574
SHA256 85ae96304021e570e09d49d9a48b8689c4c5150f01a463a74a6550430c6ec1fe
SHA512 fb45bb49cf265a5a7a5b07e026a62701fe5bb4cac394c9bab50c6002661e52306842546c6743fcb14a8e5915223a54671bc4995706a9059634c9d1cc5b29f5c6

C:\vcredist2022_x86_000_vcRuntimeMinimum_x86.log

MD5 77137cfb7777986a8a97bc5e8d98a214
SHA1 629e1c7a51965124134f122ccdaa67d3c8e489c7
SHA256 93563a7c7c1f732d8f698bc7caf070b404f047664c1e6d2ce45d1ba1afea2c1e
SHA512 d0942c455b0f4cd6effb3b4e6fc506ae4b545f452b6c2a3e64343f22a86a23b65059d1505c4827eb26111440e89f404b8dd0d2ba76f5329d4e97084214c55260

C:\vcredist2022_x64_001_vcRuntimeAdditional_x64.log

MD5 a1a9c38034418a0f640cb7973462bfba
SHA1 3f413a838ab38af76e39bc3a8469932bbb84c0c8
SHA256 3881f382428385862ec86b1b6b2b91277c59400de7b438ac4a79b7e2c01f26bc
SHA512 06384b3801df01b80cc10736705ba097cf1c8aa09166b6d339b0c793616a560a01dbf5ebe24e6833160e50a295e40e36b63de91ebc8ce018a4b3fdbd98c9c000

C:\vcredist2022_x86_001_vcRuntimeAdditional_x86.log

MD5 8d748b916f7edd3dd6b6aef91d3c6f6e
SHA1 3ec655c3c929ccbf97054b8ae69d5b5b0aab9500
SHA256 07d074df78ddb8a1ce37176dda33320c433c9b5c87b8a7a44ee4ce79fe2aa336
SHA512 8f6cf15334d440a1f2c9e891f3e322ec69bd6e3e200cfd14660c6e5b9ca985330e2422edb4c4626be2a1eb4b4029d9cde6b2852b91c659e83b935fca6cdd8990

C:\PerfLogs

MD5 d41d8cd98f00b204e9800998ecf8427e
SHA1 da39a3ee5e6b4b0d3255bfef95601890afd80709
SHA256 e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
SHA512 cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Analysis: behavioral2

Detonation Overview

Submitted

2024-09-10 23:24

Reported

2024-09-10 23:27

Platform

win10-20240404-en

Max time kernel

147s

Max time network

151s

Command Line

"C:\Users\Admin\AppData\Local\Temp\builder.exe"

Signatures

System Location Discovery: System Language Discovery

discovery

Description   Indicator                                                    Process                                         Target
Key opened    \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  C:\Users\Admin\AppData\Local\Temp\builder.exe   N/A

Processes

C:\Users\Admin\AppData\Local\Temp\builder.exe

"C:\Users\Admin\AppData\Local\Temp\builder.exe"

Network

Files

memory/164-0-0x000000007321E000-0x000000007321F000-memory.dmp

memory/164-1-0x0000000000A90000-0x0000000000A98000-memory.dmp

memory/164-2-0x0000000005770000-0x0000000005C6E000-memory.dmp

memory/164-3-0x0000000005310000-0x00000000053A2000-memory.dmp

memory/164-4-0x0000000005300000-0x000000000530A000-memory.dmp

memory/164-5-0x0000000073210000-0x00000000738FE000-memory.dmp

memory/164-6-0x000000007321E000-0x000000007321F000-memory.dmp

memory/164-7-0x0000000073210000-0x00000000738FE000-memory.dmp

memory/164-8-0x00000000085F0000-0x0000000008712000-memory.dmp