discordrat | 06e548f88374459b49acf9269c108040582f602cde52e5f1e1e02ef1b89b4fea

General

Target

release.rar
Size

783KB
MD5

1f4bdbaaf4a9997b0519dfec1116375c
SHA1

5b0d7aca31b38fea1628012eed2d272f452246ee
SHA256

06e548f88374459b49acf9269c108040582f602cde52e5f1e1e02ef1b89b4fea
SHA512

3497bbfbdfa024e8e8672c85ee1217e1adbce506df04a27058bf1b9e3bcd17fc80a73dd4e4fbfabd06ce97572af3b30fb2ac45e706a87a95ab8b08e0fd1997b3
SSDEEP

24576:5opkq75paphGwjhaAFnWt66OncboOILA76Ga1eESXxly3g:ap5WljIAFnWqncboOWGaMgQ

Score

10^/10

discordrat discovery persistence rat rootkit stealer

Malware Config

Extracted

Family

discordrat

Attributes

discord_token
MTI5ODI2NDAyNjg1NzM0NTA1Nw.GUZLej.EaO4IOf1dr7yOFnfuhJGaGXi2EiM1tKWokUH1Q
server_id
1298249568756174859

Signatures

Discord RAT
A RAT written in C# using Discord as a C2.
stealer rootkit rat persistence discordrat
Discordrat family
discordrat

Executes dropped EXE 4 IoCs

pid	Process
1372	builder.exe
2304	builder.exe
5552	builder.exe
3084	builder.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs 5 IoCs

Web Service

T1102

flow	ioc
4	discord.com
5	discord.com
7	discord.com
9	discord.com
11	discord.com

System Location Discovery: System Language Discovery 1 TTPs 2 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	builder.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	builder.exe

Modifies registry class 4 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{4336a54d-038b-4685-ab02-99bb52d3fb8b}\Instance\	7zFM.exe
Key created	\REGISTRY\USER\S-1-5-21-3973800497-2716210218-310192997-1000_Classes\CLSID\{018D5C66-4533-4307-9B53-224DE2ED1FE6}\Instance\	7zFM.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{4336a54d-038b-4685-ab02-99bb52d3fb8b}\Instance\	7zFM.exe
Key created	\REGISTRY\USER\S-1-5-21-3973800497-2716210218-310192997-1000_Classes\CLSID\{018D5C66-4533-4307-9B53-224DE2ED1FE6}\Instance\	7zFM.exe

Suspicious behavior: GetForegroundWindowSpam 2 IoCs

pid	Process
6056	7zFM.exe
4048	7zFM.exe

Suspicious use of AdjustPrivilegeToken 13 IoCs

description	pid	Process
Token: SeRestorePrivilege	6056	7zFM.exe
Token: 35	6056	7zFM.exe
Token: SeSecurityPrivilege	6056	7zFM.exe
Token: SeDebugPrivilege	1372	builder.exe
Token: SeDebugPrivilege	2304	builder.exe
Token: SeBackupPrivilege	5176	svchost.exe
Token: SeRestorePrivilege	5176	svchost.exe
Token: SeSecurityPrivilege	5176	svchost.exe
Token: SeTakeOwnershipPrivilege	5176	svchost.exe
Token: 35	5176	svchost.exe
Token: SeRestorePrivilege	4048	7zFM.exe
Token: 35	4048	7zFM.exe
Token: SeSecurityPrivilege	4048	7zFM.exe

Suspicious use of FindShellTrayWindow 4 IoCs

pid	Process
6056	7zFM.exe
6056	7zFM.exe
4048	7zFM.exe
4048	7zFM.exe

C:\Program Files\7-Zip\7zFM.exe
"C:\Program Files\7-Zip\7zFM.exe" "C:\Users\Admin\AppData\Local\Temp\release.rar"
1⤵
- Modifies registry class
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
PID:6056

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:1492

C:\Users\Admin\Desktop\release\builder.exe
"C:\Users\Admin\Desktop\release\builder.exe"
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:1372

C:\Users\Admin\Desktop\release\builder.exe
"C:\Users\Admin\Desktop\release\builder.exe"
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:2304

C:\Users\Admin\Desktop\release\release\builder.exe
"C:\Users\Admin\Desktop\release\release\builder.exe"
1⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:5552

C:\Users\Admin\Desktop\release\release\builder.exe
"C:\Users\Admin\Desktop\release\release\builder.exe"
1⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:3084

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k SDRSVC
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:5176

C:\Program Files\7-Zip\7zFM.exe
"C:\Program Files\7-Zip\7zFM.exe" "C:\Users\Admin\Desktop\release\release\builder.exe"
1⤵
- Modifies registry class
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
PID:4048

C:\Windows\system32\NOTEPAD.EXE
"C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\Desktop\.rsrc\version.txt
1⤵
PID:5592

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Web Service

1

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\builder.exe.log

Filesize
1KB

MD5
c4915f5546d95ffeec60455267cb8491

SHA1
5ea32fd86aaef190b4ed125d5f956b5b6c2e6e2a

SHA256
77804cbabdc25c2a9574a84e4f4c299754b181b785cd0e49f5169dbda4ea1014

SHA512
24f7ab8e933f2202af3a5d55c5c04465eb151679f5a0bd8b6f23e2423b4d436374bb3207c1d172615f1d966a22da41b88476511e4441fe5c2b915b53f6c624a4

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\builder.exe.log

Filesize
1KB

MD5
ac45cc773216001c355992d869450b47

SHA1
1f19c3839b521e1bf1ec7928f32f45234f38ea40

SHA256
c9c03abe98c496376975747c9b617f5f6e1b50aec09aa8be31aa24e81254901f

SHA512
3d73620a59089bc05d60ae07f0811ddacd1661599eca096cd9927813f86dc9cebac1de221691373601c743250694de43e408a9e607e813fb28260b1509f84574

Download Submit
C:\Users\Admin\Desktop\.rsrc\version.txt

Filesize
1KB

MD5
ed5ab270120e66fdc2275668036b1528

SHA1
bd37258520f318a47e121c2d7ec63043b78a342f

SHA256
7e83e5bf560714709cdd3eac07b363806ab1035dfbbbafe4f4aea650e9ad0d33

SHA512
7f4dfe73d0b4cec3ef6986382e0256935bba7e38d2dd1b52b4e3d4b342be4be6b4882bf2ed1762f3f4030f5529e59659458722fa8e085875b396f0484c1cb88b

Download Submit
C:\Users\Admin\Desktop\release\builder.exe

Filesize
78KB

MD5
c4a7023d35c75b966fbde8d59fed7e17

SHA1
ce7e86b760a2f4163a8330592b7518e5979ce8ee

SHA256
6695c3ee0505eec9a12f4ab8e327e50ae48d9f7217c2588310f3cd6745db8403

SHA512
946e7fba6d932d7f2b88db6ab9b440c96654a9a0faa239eee118036be9e9c41417f7a286b37ef2545902571e049df12a62f0c231a38d60cc56a5e2e7414ce136

Download Submit
C:\Users\Admin\Desktop\release\release\builder.exe

Filesize
10KB

MD5
4f04f0e1ff050abf6f1696be1e8bb039

SHA1
bebf3088fff4595bfb53aea6af11741946bbd9ce

SHA256
ded51c306ee7e59fa15c42798c80f988f6310ea77ab77de3d12dc01233757cfa

SHA512
94713824b81de323e368fde18679ef8b8f2883378bffd2b7bd2b4e4bd5d48b35c6e71c9f8e9b058ba497db1bd0781807e5b7cecfd540dad611da0986c72b9f12

Download Submit
C:\Users\Admin\Desktop\release\release\builder.zip

Filesize
4KB

MD5
9553660c1f0a82fe962396421d6778c1

SHA1
8da1c43f770c9a6aa115b0176a90faed97380ca3

SHA256
bd655f32729cb595889b912c142397e8c19195a90636829d400c6d142bca220e

SHA512
2a4d54fb0bd82eb5ac01b15f770046dbf1a1cc3f173288808f8ea6404b8935d68eca9523e9f4c8195ef200aa4b88cab5721e772e8cbd8e356a8856ce060e1001

Download Submit
memory/1372-19-0x00007FF818060000-0x00007FF818B22000-memory.dmp

Filesize
10.8MB

Download
memory/1372-16-0x00007FF818060000-0x00007FF818B22000-memory.dmp

Filesize
10.8MB

Download
memory/1372-15-0x00007FF818063000-0x00007FF818065000-memory.dmp

Filesize
8KB

Download
memory/1372-14-0x0000022369CA0000-0x000002236A1C8000-memory.dmp

Filesize
5.2MB

Download
memory/1372-13-0x00007FF818060000-0x00007FF818B22000-memory.dmp

Filesize
10.8MB

Download
memory/1372-12-0x00000223694A0000-0x0000022369662000-memory.dmp

Filesize
1.8MB

Download
memory/1372-11-0x0000022366D90000-0x0000022366DA8000-memory.dmp

Filesize
96KB

Download
memory/1372-10-0x00007FF818063000-0x00007FF818065000-memory.dmp

Filesize
8KB

Download
memory/5552-23-0x0000000000DB0000-0x0000000000DB8000-memory.dmp

Filesize
32KB

Download
memory/5552-24-0x0000000005D10000-0x00000000062B6000-memory.dmp

Filesize
5.6MB

Download
memory/5552-25-0x0000000005760000-0x00000000057F2000-memory.dmp

Filesize
584KB

Download
memory/5552-26-0x0000000005720000-0x000000000572A000-memory.dmp

Filesize
40KB

Download

Resubmissions

Analysis

Sharing