discordrat | a132f3f4803744fb7d1278192f8e2a3563490fa16ba0e60b92e18f301e24ff9a

Analysis

max time kernel
120s
max time network
121s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
03-12-2024 01:24

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

Moon cheats/Moon Cheats.exe
Size

78KB
MD5

23121ec5aa860121c4b03e246d919c4b
SHA1

750802101b7936c1f3f9140a8a5c8871d0c1d52f
SHA256

5068c095fe2dc0ea113802f0cfe1b2c733b9af3d26b56fe4640b84182dad3b00
SHA512

3dced9e61805d07e388d378f8fd6b8d0d099c878e05910dadf896440e5b79ca4d7f5404b8af734398678654aa8b55d0829b74e61b0771e9d9a5e1107d846425c
SSDEEP

1536:52WjO8XeEXFh5P7v88wbjNrfxCXhRoKV6+V+ePIC:5Zv5PDwbjNrmAE+aIC

Score

10^/10

discordrat discovery persistence rat rootkit stealer

Malware Config

Extracted

Family

discordrat

Attributes

discord_token
MTMxMTU0ODcwMzk2NTg0MzUxNg.GIKoSl.hpLTnBEEtO8tJ-575ifZ73sv0H1AL_hR73OJxA
server_id
1311541606738038905

Signatures

Discord RAT
A RAT written in C# using Discord as a C2.
stealer rootkit rat persistence discordrat
Discordrat family
discordrat

System Location Discovery: System Language Discovery 1 TTPs 1 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

Processes:

EXCEL.EXE

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	EXCEL.EXE

Enumerates system info in registry 2 TTPs 1 IoCs

Query Registry

T1012

System Information Discovery

T1082

Processes:

EXCEL.EXE

description	ioc	Process
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\FloatingPointProcessor	EXCEL.EXE

Suspicious behavior: AddClipboardFormatListener 1 IoCs

Processes:

EXCEL.EXE

pid	Process
2944	EXCEL.EXE

Suspicious use of SetWindowsHookEx 3 IoCs

Processes:

EXCEL.EXE

pid	Process
2944	EXCEL.EXE
2944	EXCEL.EXE
2944	EXCEL.EXE

Suspicious use of WriteProcessMemory 3 IoCs

Processes:

Moon Cheats.exe

description	pid	Process	procid_target
PID 2640 wrote to memory of 2796	2640	Moon Cheats.exe	30
PID 2640 wrote to memory of 2796	2640	Moon Cheats.exe	30
PID 2640 wrote to memory of 2796	2640	Moon Cheats.exe	30

C:\Users\Admin\AppData\Local\Temp\Moon cheats\Moon Cheats.exe
"C:\Users\Admin\AppData\Local\Temp\Moon cheats\Moon Cheats.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:2640
- C:\Windows\system32\WerFault.exe
  C:\Windows\system32\WerFault.exe -u -p 2640 -s 596
  2⤵
  PID:2796

C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE
"C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE" /dde
1⤵
- System Location Discovery: System Language Discovery
- Enumerates system info in registry
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of SetWindowsHookEx
PID:2944

C:\Windows\system32\NOTEPAD.EXE
"C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\Desktop\New Text Document.txt
1⤵
PID:1552

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/2640-0-0x000007FEF5DF3000-0x000007FEF5DF4000-memory.dmp

Filesize
4KB

Download
memory/2640-1-0x000000013FB20000-0x000000013FB38000-memory.dmp

Filesize
96KB

Download
memory/2640-2-0x000007FEF5DF0000-0x000007FEF67DC000-memory.dmp

Filesize
9.9MB

Download
memory/2640-3-0x000007FEF5DF0000-0x000007FEF67DC000-memory.dmp

Filesize
9.9MB

Download
memory/2944-4-0x000000005FFF0000-0x0000000060000000-memory.dmp

Filesize
64KB

Download
memory/2944-5-0x000000007367D000-0x0000000073688000-memory.dmp

Filesize
44KB

Download
memory/2944-16-0x000000005FFF0000-0x0000000060000000-memory.dmp

Filesize
64KB

Download
memory/2944-17-0x000000007367D000-0x0000000073688000-memory.dmp

Filesize
44KB

Download