discordrat | 595c782002f8bbe8fda1355c083d09fce66cc9a31b88e9e7716bb1813f722c46

Analysis

max time kernel
99s
max time network
136s
platform
windows10-ltsc 2021_x64
resource
win10ltsc2021-20241023-en
resource tags

arch:x64arch:x86image:win10ltsc2021-20241023-enlocale:en-usos:windows10-ltsc 2021-x64system
submitted
05/12/2024, 01:41

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

Prueba.exe
Size

734KB
MD5

ead9eecb8544f43316a2b9858c490ceb
SHA1

3b6cb5c897b50b0d62f10db989675c7ea2604a40
SHA256

595c782002f8bbe8fda1355c083d09fce66cc9a31b88e9e7716bb1813f722c46
SHA512

ada72914c385c704a4c4ac02801a829cf4598a904d38832c1c08ed01b9caa05646e3c11eaa4d0e51ab6caf27b5acc4a19e745547f2fda0ec1090a6a8c2c472d7
SSDEEP

12288:eCQjgAtAHM+vetZxF5EWry8AJGy0yHCWUepOgAL34UYkCesk/tI2M2:e5ZWs+OZVEWry8AFBBUguYMM2

Score

10^/10

discordrat persistence rat rootkit stealer

Malware Config

Extracted

Family

discordrat

Attributes

discord_token
MTIyMDE2MzY5NjExMDczNTUwMg.GWK3b8.OVQi1yFkuDO7tIvLreocpCuzyJku7czce0poHo
server_id
1145666332986191892

Signatures

Discord RAT
A RAT written in C# using Discord as a C2.
stealer rootkit rat persistence discordrat
Discordrat family
discordrat

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-2319007114-3335580451-2147236418-1000\Control Panel\International\Geo\Nation	Prueba.exe

Executes dropped EXE 1 IoCs

pid	Process
4416	backdoor.exe

Drops file in Windows directory 1 IoCs

description	ioc	Process
File opened for modification	C:\Windows\Debug\WIA\wiatrace.log	mspaint.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Modifies registry class 1 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-2319007114-3335580451-2147236418-1000_Classes\Local Settings	Prueba.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
4392	mspaint.exe
4392	mspaint.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	4416	backdoor.exe

Suspicious use of SetWindowsHookEx 4 IoCs

pid	Process
4392	mspaint.exe
4392	mspaint.exe
4392	mspaint.exe
4392	mspaint.exe

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 1276 wrote to memory of 4392	1276	Prueba.exe	80
PID 1276 wrote to memory of 4392	1276	Prueba.exe	80
PID 1276 wrote to memory of 4416	1276	Prueba.exe	81
PID 1276 wrote to memory of 4416	1276	Prueba.exe	81

C:\Users\Admin\AppData\Local\Temp\Prueba.exe
"C:\Users\Admin\AppData\Local\Temp\Prueba.exe"
1⤵
- Checks computer location settings
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:1276
- C:\Windows\system32\mspaint.exe
  "C:\Windows\system32\mspaint.exe" "C:\Users\Admin\AppData\Local\Temp\asd.jpg"
  2⤵
  - Drops file in Windows directory
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of SetWindowsHookEx
  PID:4392
- C:\Users\Admin\AppData\Local\Temp\backdoor.exe
  "C:\Users\Admin\AppData\Local\Temp\backdoor.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken
  PID:4416

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -p -s DeviceAssociationService
1⤵
PID:3300

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\asd.jpg

Filesize
230KB

MD5
3e5bdbef820927bf20d92f8d51c0a43b

SHA1
39c44bf7fc1fe7c60cc9f172d02db8e0e5f0ee00

SHA256
bccea60d596723b438dc67e830b299e188a3010ca4fd997c6f7ceb4b174fb3c6

SHA512
21d37c68c9ce4b079b55907fba0fbaff74ff6292d41c2b229b9b27190d81affb16bcc6d0883fd827c5b0580bf3a363d66932eac5d7ccf1e5e6e9e245559436d3

Download Submit
C:\Users\Admin\AppData\Local\Temp\backdoor.exe

Filesize
78KB

MD5
96649fd5fa34ad616f3eebcc34d174eb

SHA1
1f704cc7b405f2c1d5ec40d90ae048638f6ae0cd

SHA256
55496b107dd4944ab8346c5bf7c822a4263fb9e70236bd3cc29b4e45239c4f61

SHA512
bf32a5fc8024e721eef415ba96585b02eeebe2a9e0b3a07741f92c23998724243384420c240c927c20fcdc55934fcd536c1cd1459bf781fef2db05440fcdc06d

Download Submit
memory/4416-24-0x000002B0289B0000-0x000002B0289C8000-memory.dmp

Filesize
96KB

Download
memory/4416-25-0x000002B042FD0000-0x000002B043192000-memory.dmp

Filesize
1.8MB

Download
memory/4416-27-0x000002B0437D0000-0x000002B043CF8000-memory.dmp

Filesize
5.2MB

Download