discordrat | ee70f30bd8e327e450bf960c2f4b3675cb4bf80d9f26c9a2cd0de2fc01ecb77b

Resubmissions

31-10-2024 00:44

241031-a3vrpatnfw 7

30-10-2024 19:18

241030-x1bx5azdng 10

Analysis

max time kernel
91s
max time network
102s
platform
windows11-21h2_x64
resource
win11-20241023-en
resource tags

arch:x64arch:x86image:win11-20241023-enlocale:en-usos:windows11-21h2-x64system
submitted
30-10-2024 19:18

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

Rezux X.exe
Size

463KB
MD5

dd6348580be74d093f9f92b81e4611e9
SHA1

e5d66547ca83fe4334d12f5de222da02669cfbfb
SHA256

16e95d2e510125f773ecce110772cce7b3626008ec12f58db532b12869c6aca3
SHA512

8a33f3e4671208ee839f1195db1e66530bb2ee19b4c1578897bdbef1d9cc8ce4dc22f13ff63ff362ef7c553f6be69ad2f8a03db63c522f96a1c752639bb089ea
SSDEEP

12288:xyveQB/fTHIGaPkKEYzURNAwbAgB2X+t4poZnUi:xuDXTIGaPhEYzUzA0/0pCUi

Score

10^/10

discordrat persistence rat rootkit stealer

Malware Config

Extracted

Family

discordrat

Attributes

discord_token
MTMwMDQ5MDUyNDU5OTM4NjE0Mg.G-DgaN.IIbGbtJfjszYAmncKl9TLXTTj1Bu5HOBlYTQys
server_id
1300397247476793477

Signatures

Discord RAT
A RAT written in C# using Discord as a C2.
stealer rootkit rat persistence discordrat
Discordrat family
discordrat

Executes dropped EXE 1 IoCs

Processes:

Rezux X.exe

pid	Process
584	Rezux X.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs 5 IoCs

Web Service

T1102

Processes:

flow	ioc
3	discord.com
5	discord.com
6	discord.com
7	discord.com
1	discord.com

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes:

Rezux X.exe

description	pid	Process
Token: SeDebugPrivilege	584	Rezux X.exe

Suspicious use of WriteProcessMemory 2 IoCs

Processes:

Rezux X.exe

description	pid	Process	procid_target
PID 4568 wrote to memory of 584	4568	Rezux X.exe	77
PID 4568 wrote to memory of 584	4568	Rezux X.exe	77

C:\Users\Admin\AppData\Local\Temp\Rezux X.exe
"C:\Users\Admin\AppData\Local\Temp\Rezux X.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:4568
- C:\Users\Admin\AppData\Roaming\Rezux X.exe
  "C:\Users\Admin\AppData\Roaming\Rezux X.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken
  PID:584

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:1536

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\Rezux X.exe

Filesize
78KB

MD5
c40bae2049a59d7f8698938d73bbf8a1

SHA1
2eb5243865c73174c1ec636e34d59808603d6a5c

SHA256
0eea2a2ed697f7a6be9ce25f96a8623c7e6c5ee2efa730355976243951710e6d

SHA512
36a64fbe24ec9337a414353ce6f16225bf916f8f2968daeffae6e62bc89cc6a3d0569f58133c4c93d1fe0c423b6fca143eb4c7f5e05ac3182d96394424ecdc40

Download Submit
memory/584-12-0x00007FFAA6713000-0x00007FFAA6715000-memory.dmp

Filesize
8KB

Download
memory/584-13-0x000001B5ECEF0000-0x000001B5ECF08000-memory.dmp

Filesize
96KB

Download
memory/584-14-0x000001B5EF580000-0x000001B5EF742000-memory.dmp

Filesize
1.8MB

Download
memory/584-15-0x00007FFAA6710000-0x00007FFAA71D2000-memory.dmp

Filesize
10.8MB

Download
memory/584-16-0x000001B5F08E0000-0x000001B5F0E08000-memory.dmp

Filesize
5.2MB

Download
memory/584-17-0x00007FFAA6713000-0x00007FFAA6715000-memory.dmp

Filesize
8KB

Download
memory/584-18-0x00007FFAA6710000-0x00007FFAA71D2000-memory.dmp

Filesize
10.8MB

Download
memory/584-20-0x00007FFAA6710000-0x00007FFAA71D2000-memory.dmp

Filesize
10.8MB

Download