discordrat | 14ab1780c89dd769a95c964cc6bf152514034a2ffc55a4305ff5e71719b75c27

General

Target

14ab1780c89dd769a95c964cc6bf152514034a2ffc55a4305ff5e71719b75c27.exe
Size

761KB
MD5

71f5e9237f4f6d09e58095147d2bfeb8
SHA1

82059dd096fd1626fdd3dcd154e7cf3c0afffb52
SHA256

14ab1780c89dd769a95c964cc6bf152514034a2ffc55a4305ff5e71719b75c27
SHA512

03bda8b5316460c1c273719935968cd57a20a25ba7b80767da16210625fba656451bfc35c58908af5b48c7abbb49a97315a5e64c17b69002d34a0ef3f58c93a3
SSDEEP

12288:fzxzTDWikLSb4NS7H+7HX/OQvz/ZTKCbgA0IyuXX:dDWHSb4Nn7POsz/ZT5gFIycX

Score

10^/10

discordrat discovery persistence rat rootkit stealer

Malware Config

Extracted

Family

discordrat

Attributes

discord_token
MTIwNDYyNDM2OTY0OTg1MjUxOA.Gyboi1.3R0hC9ZYxTw5CzGRoFtSRbIV3eEcPNOM7wQf0E
server_id
1204622844772753458

Signatures

Discord RAT
A RAT written in C# using Discord as a C2.
stealer rootkit rat persistence discordrat

Executes dropped EXE 1 IoCs

Processes:

screenshot.exe

pid	Process
2552	screenshot.exe

Loads dropped DLL 6 IoCs

Processes:

14ab1780c89dd769a95c964cc6bf152514034a2ffc55a4305ff5e71719b75c27.exeWerFault.exe

pid	Process
2672	14ab1780c89dd769a95c964cc6bf152514034a2ffc55a4305ff5e71719b75c27.exe
2532	WerFault.exe
2532	WerFault.exe
2532	WerFault.exe
2532	WerFault.exe
2532	WerFault.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 2 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

Processes:

DllHost.exe14ab1780c89dd769a95c964cc6bf152514034a2ffc55a4305ff5e71719b75c27.exe

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	DllHost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	14ab1780c89dd769a95c964cc6bf152514034a2ffc55a4305ff5e71719b75c27.exe

Suspicious use of FindShellTrayWindow 1 IoCs

Processes:

DllHost.exe

pid	Process
2656	DllHost.exe

Suspicious use of SetWindowsHookEx 4 IoCs

Processes:

DllHost.exe

pid	Process
2656	DllHost.exe
2656	DllHost.exe
2656	DllHost.exe
2656	DllHost.exe

Suspicious use of WriteProcessMemory 7 IoCs

Processes:

14ab1780c89dd769a95c964cc6bf152514034a2ffc55a4305ff5e71719b75c27.exescreenshot.exe

description	pid	Process	procid_target
PID 2672 wrote to memory of 2552	2672	14ab1780c89dd769a95c964cc6bf152514034a2ffc55a4305ff5e71719b75c27.exe	32
PID 2672 wrote to memory of 2552	2672	14ab1780c89dd769a95c964cc6bf152514034a2ffc55a4305ff5e71719b75c27.exe	32
PID 2672 wrote to memory of 2552	2672	14ab1780c89dd769a95c964cc6bf152514034a2ffc55a4305ff5e71719b75c27.exe	32
PID 2672 wrote to memory of 2552	2672	14ab1780c89dd769a95c964cc6bf152514034a2ffc55a4305ff5e71719b75c27.exe	32
PID 2552 wrote to memory of 2532	2552	screenshot.exe	33
PID 2552 wrote to memory of 2532	2552	screenshot.exe	33
PID 2552 wrote to memory of 2532	2552	screenshot.exe	33

C:\Users\Admin\AppData\Local\Temp\14ab1780c89dd769a95c964cc6bf152514034a2ffc55a4305ff5e71719b75c27.exe
"C:\Users\Admin\AppData\Local\Temp\14ab1780c89dd769a95c964cc6bf152514034a2ffc55a4305ff5e71719b75c27.exe"
1⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2672
- C:\Users\Admin\AppData\Local\Temp\RarSFX0\screenshot.exe
  "C:\Users\Admin\AppData\Local\Temp\RarSFX0\screenshot.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
  PID:2552
- - C:\Windows\system32\WerFault.exe
    C:\Windows\system32\WerFault.exe -u -p 2552 -s 596
    3⤵
    - Loads dropped DLL
    PID:2532

C:\Windows\SysWOW64\DllHost.exe
C:\Windows\SysWOW64\DllHost.exe /Processid:{76D0CB12-7604-4048-B83C-1005C7DDC503}
1⤵
- System Location Discovery: System Language Discovery
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
PID:2656

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

1

T1082

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\RarSFX0\eggos.jpg

Filesize
239KB

MD5
ba4a7fdf6765ee3b5db416cf299b6232

SHA1
73554c9408e5a05aa2304e9bf6ea3019cb6515d4

SHA256
87552dfcdf29e0348ff57b6d5b6680916c04350f804a7d46fcb37f352164d7e8

SHA512
fadd8a61b9df4049df1b680906607deda07a3e59ddbb4aa4cc8b31ef8b6898ab3ee1da0a7ec224be8f4d0c012ae8abf0b3ca99a82d05fc30640e43a13f224b91

Download Submit
\Users\Admin\AppData\Local\Temp\RarSFX0\screenshot.exe

Filesize
283KB

MD5
61a83f0d9735ef5c3e791b6276f2af88

SHA1
1ad8a991831c6e54cd3c0559a260cdb8a00080e9

SHA256
63beccc8ba651113097146ad326e516d30e117bbd41162c304ed0165f239091c

SHA512
e17565ff6c0ddb1f697d02b51e4cab19956a933ddf8ee458ced8a0f083ae16cb3b520c35a29daf81ac8817b624f95a652009011921806a52bf503370e704500f

Download Submit
memory/2552-13-0x000000013FC10000-0x000000013FC5A000-memory.dmp

Filesize
296KB

Download
memory/2656-5-0x0000000000100000-0x0000000000102000-memory.dmp

Filesize
8KB

Download
memory/2656-6-0x0000000000310000-0x0000000000311000-memory.dmp

Filesize
4KB

Download
memory/2656-20-0x0000000000310000-0x0000000000311000-memory.dmp

Filesize
4KB

Download
memory/2672-4-0x0000000000E30000-0x0000000000E32000-memory.dmp

Filesize
8KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads