discordrat | a6fb6e92dd59821ace2d2d656fcef7d2626549d08d7a9e52128c26ecb0540fce

Resubmissions

04-10-2024 13:00

241004-p8pvysvfrr 10

01-10-2024 02:20

241001-cswx4swcqk 10

Analysis

max time kernel
134s
max time network
119s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
01-10-2024 02:20

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

MONSTERspoofer.exe
Size

1.2MB
MD5

c3a422c8bfcfeb9652be8a313f5282a1
SHA1

67a4ed15aef79cad2fc20a89712bb21c241c7b56
SHA256

a6fb6e92dd59821ace2d2d656fcef7d2626549d08d7a9e52128c26ecb0540fce
SHA512

61a2d5ba690a2641bca6e62726096a38f5d32b7403d7afa0a9d213208eaf3b0c51328f5c34452894db388eafebc80ae3c7ac4ba82e55553db29388c9b8c596d6
SSDEEP

24576:iuDXTIGaPhEYzUzA0qQlsYB/CONxCOZRUvXUaUfWd2ucScKDxP+Ua8:lDjlabwz9DVBKONtRUv85yx73

Score

10^/10

discordrat persistence rat rootkit stealer

Malware Config

Extracted

Family

discordrat

Attributes

discord_token
MTI5MDQwNTk0MjMwNjc5OTY0OA.GPNnkH.G8_UXZHPr4SDr15gYrkcD-QvN2Vo_UWuinxjDQ
server_id
1290406547163316309

Signatures

Discord RAT
A RAT written in C# using Discord as a C2.
stealer rootkit rat persistence discordrat

Executes dropped EXE 1 IoCs

pid	Process
2768	backdoor.exe

Loads dropped DLL 6 IoCs

pid	Process
2980	MONSTERspoofer.exe
2564	WerFault.exe
2564	WerFault.exe
2564	WerFault.exe
2564	WerFault.exe
2564	WerFault.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious use of WriteProcessMemory 6 IoCs

description	pid	Process	procid_target
PID 2980 wrote to memory of 2768	2980	MONSTERspoofer.exe	31
PID 2980 wrote to memory of 2768	2980	MONSTERspoofer.exe	31
PID 2980 wrote to memory of 2768	2980	MONSTERspoofer.exe	31
PID 2768 wrote to memory of 2564	2768	backdoor.exe	32
PID 2768 wrote to memory of 2564	2768	backdoor.exe	32
PID 2768 wrote to memory of 2564	2768	backdoor.exe	32

C:\Users\Admin\AppData\Local\Temp\MONSTERspoofer.exe
"C:\Users\Admin\AppData\Local\Temp\MONSTERspoofer.exe"
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2980
- C:\Users\Admin\AppData\Local\Temp\RarSFX0\backdoor.exe
  "C:\Users\Admin\AppData\Local\Temp\RarSFX0\backdoor.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
  PID:2768
- - C:\Windows\system32\WerFault.exe
    C:\Windows\system32\WerFault.exe -u -p 2768 -s 600
    3⤵
    - Loads dropped DLL
    PID:2564

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

\Users\Admin\AppData\Local\Temp\RarSFX0\backdoor.exe

Filesize
78KB

MD5
91f7ba30e21ff940fdbd4cb6710877fb

SHA1
295eba51d268bd17a2a69417a82d0b8e553b8bd5

SHA256
16034a6012684b81bc3eb6b5c39338eeee1a93c49274e63d0e725be617ee5a68

SHA512
1a1cdcc8ba13983cc86619133aaf162d90e9d5fca3ed4f949c364a2e4a4564a4c9cf9bd1e84305ef92248c99cc8fce92841667f82cdd6a8ad0d20087b847aab4

Download Submit
memory/2768-11-0x000007FEF4D63000-0x000007FEF4D64000-memory.dmp

Filesize
4KB

Download
memory/2768-12-0x000000013F330000-0x000000013F348000-memory.dmp

Filesize
96KB

Download
memory/2768-17-0x000007FEF4D60000-0x000007FEF574C000-memory.dmp

Filesize
9.9MB

Download
memory/2768-19-0x000007FEF4D63000-0x000007FEF4D64000-memory.dmp

Filesize
4KB

Download
memory/2768-20-0x000007FEF4D60000-0x000007FEF574C000-memory.dmp

Filesize
9.9MB

Download
memory/2768-21-0x000007FEF4D60000-0x000007FEF574C000-memory.dmp

Filesize
9.9MB

Download
memory/2980-4-0x0000000002280000-0x0000000002290000-memory.dmp

Filesize
64KB

Download