discordrat | 2c39458bab1183c727a97880d8bba6a8d234929c7b12c8d978271a738d8e2b35

General

Target

2c39458bab1183c727a97880d8bba6a8d234929c7b12c8d978271a738d8e2b35N.exe
Size

5.5MB
MD5

d2059975e7e6214a8586d92f4683a4d0
SHA1

2ea95fcc0451687ba865791b012b222d5f0e4f84
SHA256

2c39458bab1183c727a97880d8bba6a8d234929c7b12c8d978271a738d8e2b35
SHA512

6fdc53a04ac1d231ef5058fd8716d380b73502748c18050e7e2b09c868cb4414d6c01ecde76b139d9a65833361ad801b4b0140a918d9790d87ab545f71d6935e
SSDEEP

98304:VoQDmkhTTmnkN9+6cYwl91bpPuc7q+UGg4tyYdsZdXyv5:VUkhTSnkN9+63YPuR+SdS5

Score

10^/10

discordrat discovery persistence rat rootkit stealer

Malware Config

Extracted

Family

discordrat

Attributes

discord_token
MTI5MzI4OTY2MzUwMjQ4NzY2NA.GyUepa.Dzh8BeXxXLnd2vAlL5vg4HTInJZ7abxOXlOA6Y
server_id
1203358956873977896

Signatures

Discord RAT
A RAT written in C# using Discord as a C2.
stealer rootkit rat persistence discordrat

Executes dropped EXE 2 IoCs

Processes:

CLIENT-BUILT.EXENINJA HEX C++.EXE

pid	Process
1508	CLIENT-BUILT.EXE
2104	NINJA HEX C++.EXE

Loads dropped DLL 7 IoCs

Processes:

2c39458bab1183c727a97880d8bba6a8d234929c7b12c8d978271a738d8e2b35N.exeWerFault.exe

pid	Process
2700	2c39458bab1183c727a97880d8bba6a8d234929c7b12c8d978271a738d8e2b35N.exe
2700	2c39458bab1183c727a97880d8bba6a8d234929c7b12c8d978271a738d8e2b35N.exe
1936	WerFault.exe
1936	WerFault.exe
1936	WerFault.exe
1936	WerFault.exe
1936	WerFault.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 1 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

Processes:

2c39458bab1183c727a97880d8bba6a8d234929c7b12c8d978271a738d8e2b35N.exe

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	2c39458bab1183c727a97880d8bba6a8d234929c7b12c8d978271a738d8e2b35N.exe

Suspicious use of WriteProcessMemory 11 IoCs

Processes:

2c39458bab1183c727a97880d8bba6a8d234929c7b12c8d978271a738d8e2b35N.exeCLIENT-BUILT.EXE

description	pid	Process	procid_target
PID 2700 wrote to memory of 1508	2700	2c39458bab1183c727a97880d8bba6a8d234929c7b12c8d978271a738d8e2b35N.exe	30
PID 2700 wrote to memory of 1508	2700	2c39458bab1183c727a97880d8bba6a8d234929c7b12c8d978271a738d8e2b35N.exe	30
PID 2700 wrote to memory of 1508	2700	2c39458bab1183c727a97880d8bba6a8d234929c7b12c8d978271a738d8e2b35N.exe	30
PID 2700 wrote to memory of 1508	2700	2c39458bab1183c727a97880d8bba6a8d234929c7b12c8d978271a738d8e2b35N.exe	30
PID 2700 wrote to memory of 2104	2700	2c39458bab1183c727a97880d8bba6a8d234929c7b12c8d978271a738d8e2b35N.exe	31
PID 2700 wrote to memory of 2104	2700	2c39458bab1183c727a97880d8bba6a8d234929c7b12c8d978271a738d8e2b35N.exe	31
PID 2700 wrote to memory of 2104	2700	2c39458bab1183c727a97880d8bba6a8d234929c7b12c8d978271a738d8e2b35N.exe	31
PID 2700 wrote to memory of 2104	2700	2c39458bab1183c727a97880d8bba6a8d234929c7b12c8d978271a738d8e2b35N.exe	31
PID 1508 wrote to memory of 1936	1508	CLIENT-BUILT.EXE	32
PID 1508 wrote to memory of 1936	1508	CLIENT-BUILT.EXE	32
PID 1508 wrote to memory of 1936	1508	CLIENT-BUILT.EXE	32

C:\Users\Admin\AppData\Local\Temp\2c39458bab1183c727a97880d8bba6a8d234929c7b12c8d978271a738d8e2b35N.exe
"C:\Users\Admin\AppData\Local\Temp\2c39458bab1183c727a97880d8bba6a8d234929c7b12c8d978271a738d8e2b35N.exe"
1⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2700
- C:\Users\Admin\AppData\Local\Temp\CLIENT-BUILT.EXE
  "C:\Users\Admin\AppData\Local\Temp\CLIENT-BUILT.EXE"
  2⤵
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
  PID:1508
- - C:\Windows\system32\WerFault.exe
    C:\Windows\system32\WerFault.exe -u -p 1508 -s 596
    3⤵
    - Loads dropped DLL
    PID:1936
- C:\Users\Admin\AppData\Local\Temp\NINJA HEX C++.EXE
  "C:\Users\Admin\AppData\Local\Temp\NINJA HEX C++.EXE"
  2⤵
  - Executes dropped EXE
  PID:2104

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

1

T1082

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\NINJA HEX C++.EXE

Filesize
5.4MB

MD5
0cddb6bfe9242d630478c1103f9e23bc

SHA1
ca6854c406551e88ed995905c9b78f10860bb18c

SHA256
efff056b6dcd8269769531209928d8e51e5a9b6f11ecab4019747043d8c9c886

SHA512
94185b375dc71a7284e6419373a0d01e30e4071b0ddfae8c59aa4b0dd719b2a57ac5fb251eb419223413954819fee609572a42d9b8fb201469d5f4dbb2e75a7e

Download Submit
\Users\Admin\AppData\Local\Temp\CLIENT-BUILT.EXE

Filesize
78KB

MD5
ab2b7deb3a2bf36a87da282ab7de3928

SHA1
ce9cc0ea4477c24a81ae2d9a80eb2ad2de36120a

SHA256
322edbd361bf1ff43125c16cbedf4cb0044c54f00d0d88159d09f5a0b29c9a9c

SHA512
fc360fcd9883552eaec66f3b0c5276cb5d2d60544e5b5d4b7d9d8d99f1e1bfe36c7c5558afa7442519b1f97919e563c929f8e17c7fed0523ab8d158c06f196cb

Download Submit
memory/1508-11-0x000007FEF5873000-0x000007FEF5874000-memory.dmp

Filesize
4KB

Download
memory/1508-12-0x000000013F4D0000-0x000000013F4E8000-memory.dmp

Filesize
96KB

Download
memory/1508-17-0x000007FEF5870000-0x000007FEF625C000-memory.dmp

Filesize
9.9MB

Download
memory/1508-19-0x000007FEF5870000-0x000007FEF625C000-memory.dmp

Filesize
9.9MB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads