discordrat | 2c39458bab1183c727a97880d8bba6a8d234929c7b12c8d978271a738d8e2b35

Analysis

max time kernel
148s
max time network
150s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
21-10-2024 12:51

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2c39458bab1183c727a97880d8bba6a8d234929c7b12c8d978271a738d8e2b35N.exe
Size

5.5MB
MD5

d2059975e7e6214a8586d92f4683a4d0
SHA1

2ea95fcc0451687ba865791b012b222d5f0e4f84
SHA256

2c39458bab1183c727a97880d8bba6a8d234929c7b12c8d978271a738d8e2b35
SHA512

6fdc53a04ac1d231ef5058fd8716d380b73502748c18050e7e2b09c868cb4414d6c01ecde76b139d9a65833361ad801b4b0140a918d9790d87ab545f71d6935e
SSDEEP

98304:VoQDmkhTTmnkN9+6cYwl91bpPuc7q+UGg4tyYdsZdXyv5:VUkhTSnkN9+63YPuR+SdS5

Score

10^/10

discordrat discovery persistence rat rootkit stealer

Malware Config

Extracted

Family

discordrat

Attributes

discord_token
MTI5MzI4OTY2MzUwMjQ4NzY2NA.GyUepa.Dzh8BeXxXLnd2vAlL5vg4HTInJZ7abxOXlOA6Y
server_id
1203358956873977896

Signatures

Discord RAT
A RAT written in C# using Discord as a C2.
stealer rootkit rat persistence discordrat

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

2c39458bab1183c727a97880d8bba6a8d234929c7b12c8d978271a738d8e2b35N.exe

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\Control Panel\International\Geo\Nation	2c39458bab1183c727a97880d8bba6a8d234929c7b12c8d978271a738d8e2b35N.exe

Executes dropped EXE 2 IoCs

Processes:

CLIENT-BUILT.EXENINJA HEX C++.EXE

pid	Process
3276	CLIENT-BUILT.EXE
3136	NINJA HEX C++.EXE

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 1 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

Processes:

2c39458bab1183c727a97880d8bba6a8d234929c7b12c8d978271a738d8e2b35N.exe

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	2c39458bab1183c727a97880d8bba6a8d234929c7b12c8d978271a738d8e2b35N.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes:

CLIENT-BUILT.EXE

description	pid	Process
Token: SeDebugPrivilege	3276	CLIENT-BUILT.EXE

Suspicious use of WriteProcessMemory 4 IoCs

Processes:

2c39458bab1183c727a97880d8bba6a8d234929c7b12c8d978271a738d8e2b35N.exe

description	pid	Process	procid_target
PID 4540 wrote to memory of 3276	4540	2c39458bab1183c727a97880d8bba6a8d234929c7b12c8d978271a738d8e2b35N.exe	84
PID 4540 wrote to memory of 3276	4540	2c39458bab1183c727a97880d8bba6a8d234929c7b12c8d978271a738d8e2b35N.exe	84
PID 4540 wrote to memory of 3136	4540	2c39458bab1183c727a97880d8bba6a8d234929c7b12c8d978271a738d8e2b35N.exe	85
PID 4540 wrote to memory of 3136	4540	2c39458bab1183c727a97880d8bba6a8d234929c7b12c8d978271a738d8e2b35N.exe	85

C:\Users\Admin\AppData\Local\Temp\2c39458bab1183c727a97880d8bba6a8d234929c7b12c8d978271a738d8e2b35N.exe
"C:\Users\Admin\AppData\Local\Temp\2c39458bab1183c727a97880d8bba6a8d234929c7b12c8d978271a738d8e2b35N.exe"
1⤵
- Checks computer location settings
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:4540
- C:\Users\Admin\AppData\Local\Temp\CLIENT-BUILT.EXE
  "C:\Users\Admin\AppData\Local\Temp\CLIENT-BUILT.EXE"
  2⤵
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken
  PID:3276
- C:\Users\Admin\AppData\Local\Temp\NINJA HEX C++.EXE
  "C:\Users\Admin\AppData\Local\Temp\NINJA HEX C++.EXE"
  2⤵
  - Executes dropped EXE
  PID:3136

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\CLIENT-BUILT.EXE

Filesize
78KB

MD5
ab2b7deb3a2bf36a87da282ab7de3928

SHA1
ce9cc0ea4477c24a81ae2d9a80eb2ad2de36120a

SHA256
322edbd361bf1ff43125c16cbedf4cb0044c54f00d0d88159d09f5a0b29c9a9c

SHA512
fc360fcd9883552eaec66f3b0c5276cb5d2d60544e5b5d4b7d9d8d99f1e1bfe36c7c5558afa7442519b1f97919e563c929f8e17c7fed0523ab8d158c06f196cb

Download Submit
C:\Users\Admin\AppData\Local\Temp\NINJA HEX C++.EXE

Filesize
5.4MB

MD5
0cddb6bfe9242d630478c1103f9e23bc

SHA1
ca6854c406551e88ed995905c9b78f10860bb18c

SHA256
efff056b6dcd8269769531209928d8e51e5a9b6f11ecab4019747043d8c9c886

SHA512
94185b375dc71a7284e6419373a0d01e30e4071b0ddfae8c59aa4b0dd719b2a57ac5fb251eb419223413954819fee609572a42d9b8fb201469d5f4dbb2e75a7e

Download Submit
memory/3276-17-0x0000026EF1960000-0x0000026EF1978000-memory.dmp

Filesize
96KB

Download
memory/3276-14-0x00007FFE64083000-0x00007FFE64085000-memory.dmp

Filesize
8KB

Download
memory/3276-18-0x0000026EF3FD0000-0x0000026EF4192000-memory.dmp

Filesize
1.8MB

Download
memory/3276-22-0x0000026EF4810000-0x0000026EF4D38000-memory.dmp

Filesize
5.2MB

Download
memory/3276-23-0x00007FFE64080000-0x00007FFE64B41000-memory.dmp

Filesize
10.8MB

Download
memory/3276-24-0x00007FFE64080000-0x00007FFE64B41000-memory.dmp

Filesize
10.8MB

Download