discordrat | f58c9b8767ce04b32e3cbe7268c80921dafcbf8c8e5bf9d81a4b3eafc0647cb4

General

Target

f58c9b8767ce04b32e3cbe7268c80921dafcbf8c8e5bf9d81a4b3eafc0647cb4.exe
Size

476KB
MD5

23c3f2c8794f05b832c82f72258ba38a
SHA1

6d26d5bbe68f6908f5f43aa448238fd135d7bd93
SHA256

f58c9b8767ce04b32e3cbe7268c80921dafcbf8c8e5bf9d81a4b3eafc0647cb4
SHA512

87236ab4eeb9dfcabb28fce2708d02ef13550dccf488348907ee8764e47bf527cb8fb825bcf5152db25b621a53be6ef48d9ea11702e53c5bc32e5369edf2aafa
SSDEEP

12288:xCQjgAtAHM+vetZxF5EWry8AJGy0ObZh2IJBx:x5ZWs+OZVEWry8AF5b24

Score

10^/10

discordrat discovery persistence rat rootkit stealer

Malware Config

Extracted

Family

discordrat

Attributes

discord_token
MTI5NjYzNjQ4OTQ0NjE5OTQwOA.GEhciD.QzYUmAgRRkM4btANs6IF2LW4kGU-L42O5YO-Cs
server_id
1296636393107488851

Signatures

Discord RAT
A RAT written in C# using Discord as a C2.
stealer rootkit rat persistence discordrat

Executes dropped EXE 1 IoCs

pid	Process
2452	samp23.exe

Loads dropped DLL 6 IoCs

pid	Process
3016	f58c9b8767ce04b32e3cbe7268c80921dafcbf8c8e5bf9d81a4b3eafc0647cb4.exe
2316	WerFault.exe
2316	WerFault.exe
2316	WerFault.exe
2316	WerFault.exe
2316	WerFault.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 1 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	AcroRd32.exe

Modifies registry class 9 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000_CLASSES\cs_auto_file\shell\Read\command\ = "\"C:\\Program Files (x86)\\Adobe\\Reader 9.0\\Reader\\AcroRd32.exe\" \"%1\""	f58c9b8767ce04b32e3cbe7268c80921dafcbf8c8e5bf9d81a4b3eafc0647cb4.exe
Key created	\REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000_CLASSES\.cs	f58c9b8767ce04b32e3cbe7268c80921dafcbf8c8e5bf9d81a4b3eafc0647cb4.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000_CLASSES\.cs\ = "cs_auto_file"	f58c9b8767ce04b32e3cbe7268c80921dafcbf8c8e5bf9d81a4b3eafc0647cb4.exe
Key created	\REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000_CLASSES\cs_auto_file\shell	f58c9b8767ce04b32e3cbe7268c80921dafcbf8c8e5bf9d81a4b3eafc0647cb4.exe
Key created	\REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000_CLASSES\cs_auto_file\shell\Read\command	f58c9b8767ce04b32e3cbe7268c80921dafcbf8c8e5bf9d81a4b3eafc0647cb4.exe
Key created	\REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000_Classes\Local Settings	f58c9b8767ce04b32e3cbe7268c80921dafcbf8c8e5bf9d81a4b3eafc0647cb4.exe
Key created	\REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000_CLASSES\cs_auto_file	f58c9b8767ce04b32e3cbe7268c80921dafcbf8c8e5bf9d81a4b3eafc0647cb4.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000_CLASSES\cs_auto_file\	f58c9b8767ce04b32e3cbe7268c80921dafcbf8c8e5bf9d81a4b3eafc0647cb4.exe
Key created	\REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000_CLASSES\cs_auto_file\shell\Read	f58c9b8767ce04b32e3cbe7268c80921dafcbf8c8e5bf9d81a4b3eafc0647cb4.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
2780	AcroRd32.exe

Suspicious use of SetWindowsHookEx 2 IoCs

pid	Process
2780	AcroRd32.exe
2780	AcroRd32.exe

Suspicious use of WriteProcessMemory 10 IoCs

description	pid	Process	procid_target
PID 3016 wrote to memory of 2780	3016	f58c9b8767ce04b32e3cbe7268c80921dafcbf8c8e5bf9d81a4b3eafc0647cb4.exe	30
PID 3016 wrote to memory of 2780	3016	f58c9b8767ce04b32e3cbe7268c80921dafcbf8c8e5bf9d81a4b3eafc0647cb4.exe	30
PID 3016 wrote to memory of 2780	3016	f58c9b8767ce04b32e3cbe7268c80921dafcbf8c8e5bf9d81a4b3eafc0647cb4.exe	30
PID 3016 wrote to memory of 2780	3016	f58c9b8767ce04b32e3cbe7268c80921dafcbf8c8e5bf9d81a4b3eafc0647cb4.exe	30
PID 3016 wrote to memory of 2452	3016	f58c9b8767ce04b32e3cbe7268c80921dafcbf8c8e5bf9d81a4b3eafc0647cb4.exe	31
PID 3016 wrote to memory of 2452	3016	f58c9b8767ce04b32e3cbe7268c80921dafcbf8c8e5bf9d81a4b3eafc0647cb4.exe	31
PID 3016 wrote to memory of 2452	3016	f58c9b8767ce04b32e3cbe7268c80921dafcbf8c8e5bf9d81a4b3eafc0647cb4.exe	31
PID 2452 wrote to memory of 2316	2452	samp23.exe	32
PID 2452 wrote to memory of 2316	2452	samp23.exe	32
PID 2452 wrote to memory of 2316	2452	samp23.exe	32

C:\Users\Admin\AppData\Local\Temp\f58c9b8767ce04b32e3cbe7268c80921dafcbf8c8e5bf9d81a4b3eafc0647cb4.exe
"C:\Users\Admin\AppData\Local\Temp\f58c9b8767ce04b32e3cbe7268c80921dafcbf8c8e5bf9d81a4b3eafc0647cb4.exe"
1⤵
- Loads dropped DLL
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:3016
- C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe
  "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe" "C:\Users\Admin\AppData\Local\Temp\RarSFX0\noradio.cs"
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: GetForegroundWindowSpam
  - Suspicious use of SetWindowsHookEx
  PID:2780
- C:\Users\Admin\AppData\Local\Temp\RarSFX0\samp23.exe
  "C:\Users\Admin\AppData\Local\Temp\RarSFX0\samp23.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
  PID:2452
- - C:\Windows\system32\WerFault.exe
    C:\Windows\system32\WerFault.exe -u -p 2452 -s 600
    3⤵
    - Loads dropped DLL
    PID:2316

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

1

T1082

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\RarSFX0\noradio.cs

Filesize
17KB

MD5
2e3e0c90408b4f53deda5e7e2e975224

SHA1
8f2da25b994e7daadf488d2d81c252de1a7d9418

SHA256
f7107f81e1e8815570578fc9b75e6fa75337586288da0126fcc3fa2b8db5acae

SHA512
264f8a8a5a369e313f08aae71ca7a22d6472806efbc7a865dd7d650c2d67fd309dc1870eea3c68a6a730bb42a038b5c3d4ec2fc6f97f20e8e97353b2610fde85

Download Submit
C:\Users\Admin\AppData\Roaming\Adobe\Acrobat\9.0\SharedDataEvents

Filesize
3KB

MD5
6bca49bcef06a88fd646fadd414b2855

SHA1
5789c53c45a6aae663d99cfb2c54f19f14a498f8

SHA256
355215120cabd23f7039fd60f6405c22b458074e95481f6f6db03b9ea7f18e14

SHA512
6c7049e10cff537a26a3896801b5364915ebf457c83f4757b0bd09d43c65503b88752e823f7ff6ba9479ddc1328500c03a11a868ce42f4f117995699a9409db3

Download Submit
\Users\Admin\AppData\Local\Temp\RarSFX0\samp23.exe

Filesize
78KB

MD5
8d5085a3b59652009f453ed350c90315

SHA1
d9faa65484d652e7a4ad41bc8f8208c0a0fb1343

SHA256
fd75a4cb2497043b93f9027cc2116954fbb83865bdb040417da2a651ea88c425

SHA512
ed2df9143d0a15a484e2b6ffa3257d9e17151fede7eb37140a096c28b33b4062d94afa0daf4d926d7bf5b0cfc0d0d72187c60033b7bcb861d93d3e4d3fa6cd3b

Download Submit
memory/2452-10-0x000000013F910000-0x000000013F928000-memory.dmp

Filesize
96KB

Download

Analysis

Sharing