discordrat | 20aa10297a093808affd1bc9bfa3383fc750f578cf1bc3d6d3db83431c5719b5

General

Target

EiRat (3).exe
Size

78KB
MD5

b2852bb92b9e96925f6cdc0d3adeeeb5
SHA1

134148270af48d7c161dbb29ce82a77d4ba363ba
SHA256

20aa10297a093808affd1bc9bfa3383fc750f578cf1bc3d6d3db83431c5719b5
SHA512

ce7bbebe1da7db4562d264e4673f69fa05d7bdb15e7ced807c0315dbf95659f1addfa58305c5f1350464d9f3c516ca5965dc03aaacf6bdcb8052fcf8bde6c883
SSDEEP

1536:52WjO8XeEXFh5P7v88wbjNrfxCXhRoKV6+V+nPIC:5Zv5PDwbjNrmAE+PIC

Score

10^/10

discordrat discovery persistence rat rootkit stealer

Malware Config

Extracted

Family

discordrat

Attributes

discord_token
MTMxMzk5NDc2OTY3MTY1MTQ1OA.Gwe3-x.Ak014vxm5MiwcJraKXHh8jrZfz04R_N_93_0jk
server_id
1313832050054402099

Signatures

Discord RAT
A RAT written in C# using Discord as a C2.
stealer rootkit rat persistence discordrat
Discordrat family
discordrat

Drops file in Windows directory 4 IoCs

description	ioc	Process
File opened for modification	C:\Windows\Panther\UnattendGC\setuperr.log	UserOOBEBroker.exe
File opened for modification	C:\Windows\Panther\UnattendGC\diagerr.xml	UserOOBEBroker.exe
File opened for modification	C:\Windows\Panther\UnattendGC\diagwrn.xml	UserOOBEBroker.exe
File opened for modification	C:\Windows\Panther\UnattendGC\setupact.log	UserOOBEBroker.exe

System Location Discovery: System Language Discovery 1 TTPs 1 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	FileCoAuth.exe

Modifies registry class 5 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-556537508-2730415644-482548075-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoftwindows.client.cbs_cw5n1h2txyewy\Internet Settings\Cache\Cookies\CachePrefix = "Cookie:"	BackgroundTransferHost.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-556537508-2730415644-482548075-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoftwindows.client.cbs_cw5n1h2txyewy\Internet Settings\Cache\History\CachePrefix = "Visited:"	BackgroundTransferHost.exe
Key created	\REGISTRY\USER\S-1-5-21-556537508-2730415644-482548075-1000_Classes\Local Settings\MuiCache	BackgroundTransferHost.exe
Key created	\REGISTRY\USER\S-1-5-21-556537508-2730415644-482548075-1000_Classes\Local Settings\MuiCache	MiniSearchHost.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-556537508-2730415644-482548075-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoftwindows.client.cbs_cw5n1h2txyewy\Internet Settings\Cache\Content\CachePrefix	BackgroundTransferHost.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	4852	EiRat (3).exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
232	MiniSearchHost.exe

C:\Users\Admin\AppData\Local\Temp\EiRat (3).exe
"C:\Users\Admin\AppData\Local\Temp\EiRat (3).exe"
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:4852

C:\Windows\system32\BackgroundTransferHost.exe
"BackgroundTransferHost.exe" -ServerName:BackgroundTransferHost.13
1⤵
- Modifies registry class
PID:1828

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalService -p -s NPSMSvc
1⤵
PID:2856

C:\Windows\System32\oobe\UserOOBEBroker.exe
C:\Windows\System32\oobe\UserOOBEBroker.exe -Embedding
1⤵
- Drops file in Windows directory
PID:2372

C:\Users\Admin\AppData\Local\Microsoft\OneDrive\18.151.0729.0013\FileCoAuth.exe
C:\Users\Admin\AppData\Local\Microsoft\OneDrive\18.151.0729.0013\FileCoAuth.exe -Embedding
1⤵
- System Location Discovery: System Language Discovery
PID:436

C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\MiniSearchHost.exe
"C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\MiniSearchHost.exe" -ServerName:MiniSearchUI.AppXj3y73at8fy1htwztzxs68sxx1v7cksp7.mca
1⤵
- Modifies registry class
- Suspicious use of SetWindowsHookEx
PID:232

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Packages\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\AC\BackgroundTransferApi\80bba72e-1b19-4e6c-82bb-fe945f576ccc.down_data

Filesize
555KB

MD5
5683c0028832cae4ef93ca39c8ac5029

SHA1
248755e4e1db552e0b6f8651b04ca6d1b31a86fb

SHA256
855abd360d8a8d6974eba92b70cbd09ce519bc8773439993f9ab37cb6847309e

SHA512
aba434bd29be191c823b02ea9b639beb10647bbe7759bbffdaa790dfb1ec2c58d74c525ef11aacda209e4effe322d1d3a07b115446c8914b07a3bce4d8a0e2c3

Download Submit
C:\Users\Admin\AppData\Local\Packages\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\TempState\SearchHoverUnifiedTileModelCache.dat

Filesize
10KB

MD5
ad7a569bafd3a938fe348f531b8ef332

SHA1
7fdd2f52d07640047bb62e0f3d3c946ddd85c227

SHA256
f0e06109256d5577e9f62db2c398974c5002bd6d08892f20517760601b705309

SHA512
b762bae338690082d817b3008144926498a1bd2d6d99be33e513c43515808f9a3184bd10254e5c6a1ff90a9211653f066050249030ad9fe0460ec88335b3d423

Download Submit
memory/4852-0-0x00007FFBB1873000-0x00007FFBB1875000-memory.dmp

Filesize
8KB

Download
memory/4852-1-0x000001CE3CA70000-0x000001CE3CA88000-memory.dmp

Filesize
96KB

Download
memory/4852-2-0x000001CE572D0000-0x000001CE57492000-memory.dmp

Filesize
1.8MB

Download
memory/4852-3-0x00007FFBB1870000-0x00007FFBB2332000-memory.dmp

Filesize
10.8MB

Download
memory/4852-4-0x000001CE58550000-0x000001CE58A78000-memory.dmp

Filesize
5.2MB

Download
memory/4852-5-0x00007FFBB1873000-0x00007FFBB1875000-memory.dmp

Filesize
8KB

Download
memory/4852-6-0x00007FFBB1870000-0x00007FFBB2332000-memory.dmp

Filesize
10.8MB

Download

Analysis

Sharing