discordrat | 6e25aee49ea9d544165f5d627f53cf0c6983200b2ccb5fa4497d3f32ca99c9dd

General

Target

Install.exe
Size

954KB
MD5

0252126bad05a1ea6ebe3042b1d177c2
SHA1

9d98900389b76456817e149c779326a994538fae
SHA256

6e25aee49ea9d544165f5d627f53cf0c6983200b2ccb5fa4497d3f32ca99c9dd
SHA512

5fec36049fe76dc68ed5647142984512bbd394db2ba66dd326f6805e158e8814801bb5245cf9de46bc1cb916993813df811339ae3d3e7ed3f9f2bc98398446a5
SSDEEP

24576:YU+9XNrenyktDLdYNtcdvQNC9wHAP5c1gfDrhKh:e5OVeyffXhC

Score

10^/10

discordrat discovery execution persistence rat rootkit stealer

Malware Config

Extracted

Family

discordrat

Attributes

discord_token
MTI4OTg4NTE3MDM5MTk3Mzg5OQ.GznnVF.S0i0w8LmWps4VGMVMSSCViuDT3yKu23LSJGZ-c
server_id
1289885435367002112

Signatures

Discord RAT
A RAT written in C# using Discord as a C2.
stealer rootkit rat persistence discordrat

Command and Scripting Interpreter: PowerShell 1 TTPs 2 IoCs

Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

execution

PowerShell

T1059.001

pid	Process
5064	powershell.exe
3244	powershell.exe

Downloads MZ/PE file

Checks computer location settings 2 TTPs 2 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-523280732-2327480845-3730041215-1000\Control Panel\International\Geo\Nation	Install1.exe
Key value queried	\REGISTRY\USER\S-1-5-21-523280732-2327480845-3730041215-1000\Control Panel\International\Geo\Nation	Install2.exe

Executes dropped EXE 3 IoCs

pid	Process
1796	Install1.exe
2268	install.exe
3996	Install2.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 1 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Install.exe

Scheduled Task/Job: Scheduled Task 1 TTPs 1 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

pid	Process
2172	schtasks.exe

Suspicious behavior: EnumeratesProcesses 4 IoCs

pid	Process
5064	powershell.exe
5064	powershell.exe
3244	powershell.exe
3244	powershell.exe

Suspicious use of AdjustPrivilegeToken 3 IoCs

description	pid	Process
Token: SeDebugPrivilege	5064	powershell.exe
Token: SeDebugPrivilege	3244	powershell.exe
Token: SeDebugPrivilege	2268	install.exe

Suspicious use of FindShellTrayWindow 2 IoCs

pid	Process
3720	Install.exe
3720	Install.exe

Suspicious use of SendNotifyMessage 2 IoCs

pid	Process
3720	Install.exe
3720	Install.exe

Suspicious use of WriteProcessMemory 16 IoCs

description	pid	Process	procid_target
PID 3720 wrote to memory of 1796	3720	Install.exe	82
PID 3720 wrote to memory of 1796	3720	Install.exe	82
PID 1796 wrote to memory of 1456	1796	Install1.exe	83
PID 1796 wrote to memory of 1456	1796	Install1.exe	83
PID 1456 wrote to memory of 5064	1456	cmd.exe	85
PID 1456 wrote to memory of 5064	1456	cmd.exe	85
PID 5064 wrote to memory of 3244	5064	powershell.exe	86
PID 5064 wrote to memory of 3244	5064	powershell.exe	86
PID 3720 wrote to memory of 2268	3720	Install.exe	87
PID 3720 wrote to memory of 2268	3720	Install.exe	87
PID 3720 wrote to memory of 3996	3720	Install.exe	88
PID 3720 wrote to memory of 3996	3720	Install.exe	88
PID 3996 wrote to memory of 1376	3996	Install2.exe	89
PID 3996 wrote to memory of 1376	3996	Install2.exe	89
PID 1376 wrote to memory of 2172	1376	cmd.exe	91
PID 1376 wrote to memory of 2172	1376	cmd.exe	91

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\Install.exe
"C:\Users\Admin\AppData\Local\Temp\Install.exe"
1⤵
- System Location Discovery: System Language Discovery
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:3720
- C:\Users\Admin\AppData\Roaming\Microsoft\Install1.exe
  C:\Users\Admin\AppData\Roaming\Microsoft\Install1.exe
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
  PID:1796
- - C:\Windows\system32\cmd.exe
    "C:\Windows\system32\cmd.exe" /c "C:\Users\Admin\AppData\Local\Temp\900B.tmp\900C.tmp\900D.bat C:\Users\Admin\AppData\Roaming\Microsoft\Install1.exe"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:1456
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell -command "powershell -inputformat none -outputformat none -NonInteractive -Command Add-MpPreference -ExclusionPath "C:\Users\Admin\appdata""
      4⤵
      Command and Scripting Interpreter: PowerShell
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:5064
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -inputformat none -outputformat none -NonInteractive -Command Add-MpPreference -ExclusionPath C:\Users\Admin\appdata
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:3244
- C:\Users\Admin\AppData\Roaming\Microsoft\install.exe
  C:\Users\Admin\AppData\Roaming\Microsoft\install.exe
  2⤵
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken
  PID:2268
- C:\Users\Admin\AppData\Roaming\Microsoft\Install2.exe
  C:\Users\Admin\AppData\Roaming\Microsoft\Install2.exe
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
  PID:3996
- - C:\Windows\system32\cmd.exe
    "C:\Windows\system32\cmd.exe" /c "C:\Users\Admin\AppData\Local\Temp\95A8.tmp\95A9.tmp\95AA.bat C:\Users\Admin\AppData\Roaming\Microsoft\Install2.exe"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:1376
  - - C:\Windows\system32\schtasks.exe
      schtasks /create /tn "WindowsSystem32" /tr C:\Users\Admin\AppData\Roaming\Microsoft\install.exe /sc onstart
      4⤵
      Scheduled Task/Job: Scheduled Task
      PID:2172

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

1

T1059

PowerShell

1

T1059.001

Scheduled Task/Job

1

T1053

Scheduled Task

1

T1053.005

Persistence

Scheduled Task/Job

1

T1053

Scheduled Task

1

T1053.005

Privilege Escalation

Scheduled Task/Job

1

T1053

Scheduled Task

1

T1053.005

Defense Evasion

Credential Access

Discovery

Query Registry

2

T1012

System Information Discovery

2

T1082

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log

Filesize
2KB

MD5
d85ba6ff808d9e5444a4b369f5bc2730

SHA1
31aa9d96590fff6981b315e0b391b575e4c0804a

SHA256
84739c608a73509419748e4e20e6cc4e1846056c3fe1929a8300d5a1a488202f

SHA512
8c414eb55b45212af385accc16d9d562adba2123583ce70d22b91161fe878683845512a78f04dedd4ea98ed9b174dbfa98cf696370598ad8e6fbd1e714f1f249

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
64B

MD5
feadc4e1a70c13480ef147aca0c47bc0

SHA1
d7a5084c93842a290b24dacec0cd3904c2266819

SHA256
5b4f1fe7ba74b245b6368dbe4ceffa438f14eef08ba270e9a13c57505c7717ac

SHA512
c9681a19c773891808fefa9445cea598d118c83bba89530a51ab993adbff39bce72b43f8e99d0c68e4a44f7e0f4c8ec128641c45cd557a8e1215721d5d992a23

Download Submit
C:\Users\Admin\AppData\Local\Temp\900B.tmp\900C.tmp\900D.bat

Filesize
172B

MD5
8a256c0fc1a0635b2b02efcbfb61c4f5

SHA1
031642509b162024186142705b1f8552d733c6e1

SHA256
6c2d5c39c697ef3fbeea92bd708680f9c2c3539405a66d7149627b1fb710cc36

SHA512
ac1566dfbe52db372cfecb35d7346937e33d028c366f3ec94f55ee38580c7f3a17350447b5b6c8a1bccfab0327901325ef9f0d8d29a2071715e66cc4db854403

Download Submit
C:\Users\Admin\AppData\Local\Temp\95A8.tmp\95A9.tmp\95AA.bat

Filesize
128B

MD5
dc8f854187f22ffa2fb1b7233fe05c78

SHA1
1ac680c09fb40f005fd6f2bc5320bdf910cbbe35

SHA256
47134ba4d814e10b64f123bd4e4bb6807e41f72a214c25e657f492db4f673cc1

SHA512
3b8348bad8d1ef8421bad057bb2542241f1af79d4eba12a6c26bfccf7fa7f438543859629c8c946bb88146fe7396350ad5b15c2493577a609086c536f1779d3d

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_ry2aoarb.x0u.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Install1.exe

Filesize
119KB

MD5
4e363799831f973a254e3e9cfe102bbd

SHA1
6c78fa37bf90554a78c651837f12121d326478c1

SHA256
f544b2bcffd9ea359e84d54b405ea99dd5568cfd476095e20ba10fbf70a1c3cb

SHA512
66196dc49d3ddd27b585273a441fafaa583f2d146019ffc5480f12acd7116450185c744668fd7b3b0b301063a938cd8d9b5798417a716c3b58f96bf0a867b3b0

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Install2.exe

Filesize
119KB

MD5
374eac988a97adaa4c63c241c532be72

SHA1
8acb363196482e366aac360f683c9c23e85b3b81

SHA256
6b13045a1f24ea7b11e569c9f9b1684ee8f86b130522839147dc0b52c727d12b

SHA512
6161548d45ea7aee5618434eb1199ee64a3323c04bb0e477cb824deb454123061714821b65bf5c9c2cce7a029ccb3e5b553298eef0874708f053f3676bfea0b4

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\install.exe

Filesize
78KB

MD5
62e531fc823331011e05a0e0139a8260

SHA1
159a6ac300d1e8fd8a86e1f51c4fa31fd515d29a

SHA256
e065ddbc2eb6c25079010487d32e517bbeb6caf00c8bfff2b6eee23cbccf1574

SHA512
0d45d3a6d4fd8bd5de0a7a740ab97a720a2e0fbcc153bdaa296596d438dfed70f803d21786c9e654c04718a2d1164ecf4594498086ff1f5beac9dfbb9ee47394

Download Submit
memory/2268-43-0x00000231741B0000-0x00000231741C8000-memory.dmp

Filesize
96KB

Download
memory/2268-44-0x0000023176970000-0x0000023176B32000-memory.dmp

Filesize
1.8MB

Download
memory/2268-50-0x0000023177070000-0x0000023177598000-memory.dmp

Filesize
5.2MB

Download
memory/5064-15-0x0000025F43DC0000-0x0000025F43DE2000-memory.dmp

Filesize
136KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads