discordrat | f2a004514d969a0fd51adc95623168d8ea37c7a7eae79f8418fd369c35a33134

Analysis

max time kernel
343s
max time network
358s
platform
windows10-1703_x64
resource
win10-20240404-en
resource tags

arch:x64arch:x86image:win10-20240404-enlocale:en-usos:windows10-1703-x64system
submitted
19-09-2024 16:46

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

release.zip
Size

445KB
MD5

3d60e67d6e8740d413ee1574374609e1
SHA1

c65e926478a7fcae72d21f22ef3b9b16a61ca55c
SHA256

f2a004514d969a0fd51adc95623168d8ea37c7a7eae79f8418fd369c35a33134
SHA512

e43460aa06355e582c6b10fb1979d0b0d1ff96693912954f8b7fe03eb6839a3af03d1d467268bf76c20a8284b79f9c84590bdf542625e813d1a9cfac04aecde2
SSDEEP

12288:BfJ13+GoLo2d5ifXHE8134QwYOwFSFRiLQt:BKGo8EifSQwYWt

Score

10^/10

discordrat discovery persistence rat rootkit stealer

Malware Config

Extracted

Family

discordrat

Attributes

discord_token
MTI4NDkyOTc4ODgxNzA1MTY5OQ.GwuZFh.iY1N7R4WhPj51m4l9SuMbdoAQpu7KV57AHpfaY
server_id
1286366896802758667

Signatures

Discord RAT
A RAT written in C# using Discord as a C2.
stealer rootkit rat persistence discordrat

Executes dropped EXE 1 IoCs

pid	Process
5072	Client-built.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs 9 IoCs

Web Service

T1102

flow	ioc
26	discord.com
29	discord.com
31	discord.com
20	discord.com
23	discord.com
27	discord.com
28	discord.com
32	discord.com
19	discord.com

System Location Discovery: System Language Discovery 1 TTPs 1 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	builder.exe

Opens file in notepad (likely ransom note) 1 IoCs

ransomware

pid	Process
664	NOTEPAD.EXE

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	5072	Client-built.exe

Suspicious use of FindShellTrayWindow 3 IoCs

pid	Process
664	NOTEPAD.EXE
4636	builder.exe
5072	Client-built.exe

C:\Windows\Explorer.exe
C:\Windows\Explorer.exe /idlist,,C:\Users\Admin\AppData\Local\Temp\release.zip
1⤵
PID:4944

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:1996

C:\Windows\system32\NOTEPAD.EXE
"C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\Desktop\release\token.txt
1⤵
- Opens file in notepad (likely ransom note)
- Suspicious use of FindShellTrayWindow
PID:664

C:\Users\Admin\Desktop\release\builder.exe
"C:\Users\Admin\Desktop\release\builder.exe"
1⤵
- System Location Discovery: System Language Discovery
- Suspicious use of FindShellTrayWindow
PID:4636

C:\Users\Admin\Desktop\release\Client-built.exe
"C:\Users\Admin\Desktop\release\Client-built.exe"
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
PID:5072

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\Desktop\release\Client-built.exe

Filesize
78KB

MD5
8bae102fb9fa9317afb3c0d4737bf0c4

SHA1
9c106d96cbf85cdca731cf9fd1aad6b00e0577cb

SHA256
3523428d1725887634a5f75f9acd95c5e133144103f30090560dcfbc25cd9da4

SHA512
1fabc8462adc6e2686141ebc7fdc631091ae3250711b288906332be86853acfbefd5bc15d2bc5f56b8b95840ccb8dc1a669a946d0537222012d8351899c3750a

Download Submit
memory/4636-0-0x0000000000480000-0x0000000000488000-memory.dmp

Filesize
32KB

Download
memory/4636-1-0x00000000052B0000-0x00000000057AE000-memory.dmp

Filesize
5.0MB

Download
memory/4636-2-0x0000000004CF0000-0x0000000004D82000-memory.dmp

Filesize
584KB

Download
memory/4636-3-0x0000000004CE0000-0x0000000004CEA000-memory.dmp

Filesize
40KB

Download
memory/4636-4-0x0000000007E90000-0x0000000007FB2000-memory.dmp

Filesize
1.1MB

Download
memory/5072-9-0x0000022B927A0000-0x0000022B927B8000-memory.dmp

Filesize
96KB

Download
memory/5072-10-0x0000022BACD00000-0x0000022BACEC2000-memory.dmp

Filesize
1.8MB

Download
memory/5072-11-0x0000022BAD630000-0x0000022BADB56000-memory.dmp

Filesize
5.1MB

Download