discordrat | e9cbd277fa5fd638db41d08e9ee3ee57b485b03f9510c67b468b18144aa3b73b

Analysis

max time kernel
14s
max time network
19s
platform
windows7_x64
resource
win7-20241010-en
resource tags

arch:x64arch:x86image:win7-20241010-enlocale:en-usos:windows7-x64system
submitted
30-10-2024 18:59

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

wise logo.‮gnp.exe
Size

231KB
MD5

1c896967e6be98ae74b73609217b6114
SHA1

fa667922c64647c9a7c750e22b9073ab85f84e6e
SHA256

96ffcd21b01c69b09029c9e4e70a2d6471ebbc4a2ed81478a5846083a4228aae
SHA512

08bfc53c47fe6574290b86633632c1efcd42cda7eba6378b3882786d54bd89d3794939fc03b87b8d315c6a55b19d5af6471331f5019a5f42d287d930ee09cd74
SSDEEP

6144:ea4InuJg58BkgqPoDH49n8Bb/cTOUXt8Wa:eat0EAH49n8BlUXyP

Score

10^/10

discordrat discovery persistence rat rootkit stealer

Malware Config

Extracted

Family

discordrat

Attributes

discord_token
MTMwMTA3ODQ3NjIyNDIwMDcwNQ.GG4U5v.q6f5p3v4QsFIwJGxfFjOIPRWeaaZORXwdiclGc
server_id
1300782121828356126

Signatures

Discord RAT
A RAT written in C# using Discord as a C2.
stealer rootkit rat persistence discordrat
Discordrat family
discordrat
Executes dropped EXE 1 IoCs

Processes:

RANDOM.exe

pid process

2544 RANDOM.exe
Loads dropped DLL 6 IoCs

Processes:

wise logo.‮gnp.exeWerFault.exe

pid process

2548 wise logo.‮gnp.exe
860 WerFault.exe
860 WerFault.exe
860 WerFault.exe
860 WerFault.exe
860 WerFault.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

pid	process
2544	RANDOM.exe

pid	process
2548	wise logo.‮gnp.exe
860	WerFault.exe
860	WerFault.exe
860	WerFault.exe
860	WerFault.exe
860	WerFault.exe

System Location Discovery: System Language Discovery 1 TTPs 2 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

Processes:

wise logo.‮gnp.exeDllHost.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	wise logo.‮gnp.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	DllHost.exe

Suspicious use of FindShellTrayWindow 1 IoCs

Processes:

DllHost.exe

pid process

2812 DllHost.exe
Suspicious use of SetWindowsHookEx 4 IoCs

Processes:

DllHost.exe

pid process

2812 DllHost.exe
2812 DllHost.exe
2812 DllHost.exe
2812 DllHost.exe

pid	process
2812	DllHost.exe

pid	process
2812	DllHost.exe
2812	DllHost.exe
2812	DllHost.exe
2812	DllHost.exe

Suspicious use of WriteProcessMemory 7 IoCs

Processes:

wise logo.‮gnp.exeRANDOM.exe

description	pid	process	target process
PID 2548 wrote to memory of 2544	2548	wise logo.‮gnp.exe	RANDOM.exe
PID 2548 wrote to memory of 2544	2548	wise logo.‮gnp.exe	RANDOM.exe
PID 2548 wrote to memory of 2544	2548	wise logo.‮gnp.exe	RANDOM.exe
PID 2548 wrote to memory of 2544	2548	wise logo.‮gnp.exe	RANDOM.exe
PID 2544 wrote to memory of 860	2544	RANDOM.exe	WerFault.exe
PID 2544 wrote to memory of 860	2544	RANDOM.exe	WerFault.exe
PID 2544 wrote to memory of 860	2544	RANDOM.exe	WerFault.exe

C:\Users\Admin\AppData\Local\Temp\wise logo.‮gnp.exe
"C:\Users\Admin\AppData\Local\Temp\wise logo.‮gnp.exe"
1⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2548
- C:\Users\Admin\AppData\Local\Temp\RarSFX0\RANDOM.exe
  "C:\Users\Admin\AppData\Local\Temp\RarSFX0\RANDOM.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
  PID:2544
- - C:\Windows\system32\WerFault.exe
    C:\Windows\system32\WerFault.exe -u -p 2544 -s 596
    3⤵
    - Loads dropped DLL
    PID:860

C:\Windows\SysWOW64\DllHost.exe
C:\Windows\SysWOW64\DllHost.exe /Processid:{76D0CB12-7604-4048-B83C-1005C7DDC503}
1⤵
- System Location Discovery: System Language Discovery
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
PID:2812

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\RarSFX0\RANDOM.png

Filesize
3KB

MD5
ef3f7488ad48935ffdad376477bc03e0

SHA1
3e0245eabeb7677bca5fb4de9b357c8b34810d4f

SHA256
bce8a97e4a6ca3053e37c6b95a1a9ea038f898cf99fdea58d64052b9b84f5e9b

SHA512
4aa01b013975b68d229517b88329029f6b48ef7624f16efcc5b92f6d78f2da4128d5de8ddbe4f24f4489180d4cf6dd3baf0e9a63b3b61fbaa24b7210341ddc8b

Download Submit
\Users\Admin\AppData\Local\Temp\RarSFX0\RANDOM.exe

Filesize
78KB

MD5
f5d0229427aaf6e148f74d7d5e922d5d

SHA1
271b53ad7137098e78241e283e794203bb3e314a

SHA256
c813931a3b3fab6421a6530dfb601fca767753ed20c3a6c91f1f1da128c9363d

SHA512
55be1dc60537077e150c3f5745c297d62896df224ead5f80c8059b6e48ffca604f61a9e26e5d674e50bd0355c2a667b9a8471563f3d4051f6b679da47f14e3fa

Download Submit
memory/2544-12-0x000000013F600000-0x000000013F618000-memory.dmp

Filesize
96KB

Download
memory/2548-4-0x0000000000700000-0x0000000000702000-memory.dmp

Filesize
8KB

Download
memory/2812-5-0x0000000000170000-0x0000000000172000-memory.dmp

Filesize
8KB

Download