discordrat | 8fda268706b18d9918adc6d295cb730008d3ee9d05a097201c1b5c6a4c3e6f11

General

Target

8fda268706b18d9918adc6d295cb730008d3ee9d05a097201c1b5c6a4c3e6f11N.exe
Size

1.2MB
MD5

892c0f1d2d7f8d5a359abfd6e4a41670
SHA1

7fd99452dddb1d955770a2fb8e58f376a239d9bc
SHA256

8fda268706b18d9918adc6d295cb730008d3ee9d05a097201c1b5c6a4c3e6f11
SHA512

4c89b5f8719476565169257eb1e8f3912b04c07f51ba22f952d920bc193164fb05b289229802cd6e5a83463baeab8d0c4a9bad9204401426e3dda701821a45df
SSDEEP

24576:6JpPYTqwhb7j1anIFR18ojgRCHHG/xZQBw6YEEY5JR2DPzovG:6wTbb7jrFRCojmCHgZCw6TEY/R2DP8G

Score

10^/10

discordrat discovery persistence rat rootkit stealer

Malware Config

Extracted

Family

discordrat

Attributes

discord_token
MTMwMjI5ODU3ODU3NTY5MTc4Ng.GatRXV.m8vJiqZdltYRXl80ctkuRQLNgaYFq9CIxslvwo
server_id
1302300502150877235

Signatures

Discord RAT
A RAT written in C# using Discord as a C2.
stealer rootkit rat persistence discordrat
Discordrat family
discordrat

Executes dropped EXE 1 IoCs

pid	Process
2772	CLIENT-BUILT.EXE

Loads dropped DLL 6 IoCs

pid	Process
2084	8fda268706b18d9918adc6d295cb730008d3ee9d05a097201c1b5c6a4c3e6f11N.exe
2844	WerFault.exe
2844	WerFault.exe
2844	WerFault.exe
2844	WerFault.exe
2844	WerFault.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 2 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	8fda268706b18d9918adc6d295cb730008d3ee9d05a097201c1b5c6a4c3e6f11N.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	AcroRd32.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
2812	AcroRd32.exe

Suspicious use of SetWindowsHookEx 3 IoCs

pid	Process
2812	AcroRd32.exe
2812	AcroRd32.exe
2812	AcroRd32.exe

Suspicious use of WriteProcessMemory 11 IoCs

description	pid	Process	procid_target
PID 2084 wrote to memory of 2772	2084	8fda268706b18d9918adc6d295cb730008d3ee9d05a097201c1b5c6a4c3e6f11N.exe	31
PID 2084 wrote to memory of 2772	2084	8fda268706b18d9918adc6d295cb730008d3ee9d05a097201c1b5c6a4c3e6f11N.exe	31
PID 2084 wrote to memory of 2772	2084	8fda268706b18d9918adc6d295cb730008d3ee9d05a097201c1b5c6a4c3e6f11N.exe	31
PID 2084 wrote to memory of 2772	2084	8fda268706b18d9918adc6d295cb730008d3ee9d05a097201c1b5c6a4c3e6f11N.exe	31
PID 2084 wrote to memory of 2812	2084	8fda268706b18d9918adc6d295cb730008d3ee9d05a097201c1b5c6a4c3e6f11N.exe	32
PID 2084 wrote to memory of 2812	2084	8fda268706b18d9918adc6d295cb730008d3ee9d05a097201c1b5c6a4c3e6f11N.exe	32
PID 2084 wrote to memory of 2812	2084	8fda268706b18d9918adc6d295cb730008d3ee9d05a097201c1b5c6a4c3e6f11N.exe	32
PID 2084 wrote to memory of 2812	2084	8fda268706b18d9918adc6d295cb730008d3ee9d05a097201c1b5c6a4c3e6f11N.exe	32
PID 2772 wrote to memory of 2844	2772	CLIENT-BUILT.EXE	33
PID 2772 wrote to memory of 2844	2772	CLIENT-BUILT.EXE	33
PID 2772 wrote to memory of 2844	2772	CLIENT-BUILT.EXE	33

C:\Users\Admin\AppData\Local\Temp\8fda268706b18d9918adc6d295cb730008d3ee9d05a097201c1b5c6a4c3e6f11N.exe
"C:\Users\Admin\AppData\Local\Temp\8fda268706b18d9918adc6d295cb730008d3ee9d05a097201c1b5c6a4c3e6f11N.exe"
1⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2084
- C:\Users\Admin\AppData\Local\Temp\CLIENT-BUILT.EXE
  "C:\Users\Admin\AppData\Local\Temp\CLIENT-BUILT.EXE"
  2⤵
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
  PID:2772
- - C:\Windows\system32\WerFault.exe
    C:\Windows\system32\WerFault.exe -u -p 2772 -s 596
    3⤵
    - Loads dropped DLL
    PID:2844
- C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe
  "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe" "C:\Users\Admin\AppData\Local\Temp\EYES-OF-DARKNESS-BY-DEAN-R.-KOONTZ-GENIAL.PDF"
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: GetForegroundWindowSpam
  - Suspicious use of SetWindowsHookEx
  PID:2812

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

1

T1082

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\EYES-OF-DARKNESS-BY-DEAN-R.-KOONTZ-GENIAL.PDF

Filesize
1.0MB

MD5
a3f425a6ec64f165846b9ce81cc77cf9

SHA1
66e09885b922b31e3549e098e9a4066edd78e073

SHA256
6c5345d2a4536bc51eea495a9a6bdeb44a5546bb5d39cbc6faba2665a5a404b6

SHA512
11ac5f9b2ce276a29f601824dbaa98a8e87679c83c5bb091d66ad0c3a636836e4d5758fb0ccc167ff2c4dba7d0e313bbe390e72476edaf9b179a3edffd73ea25

Download Submit
C:\Users\Admin\AppData\Roaming\Adobe\Acrobat\9.0\SharedDataEvents

Filesize
3KB

MD5
9bb0bdecb57d405304827338e7121274

SHA1
d372598dfe840d329487f74277691cfd4b77bd40

SHA256
b1cd2c5dd2b47cf4696e9cb66cb0958b8027ae3e23fbed255351ef189c055421

SHA512
85268e75e3b50295692ccd86aa9c99944737bdd0868114f4670e0752b3dfd919a16dccf430fd633936d9ddeb6c9c3f9649759ba6334a127e76a9725b0927fb3c

Download Submit
\Users\Admin\AppData\Local\Temp\CLIENT-BUILT.EXE

Filesize
78KB

MD5
36f8a903030df6650bbe42cebfc01510

SHA1
8c2db57d2c303085b0c26d6669e4812d85e3f7ec

SHA256
7bdee0f7f0cfce943c8f79347e2cf099f2384cab9889afe088de6d1da6922bbf

SHA512
e88811a5251fa7c1343a82652bf759b1ca9ce201adc6fe7050e4ff8dd2ed79b3c8b526852f29434837e7e5575a0805759ce2fe391cbcaaa33b0a2fe3698b6034

Download Submit
memory/2772-7-0x000007FEF5DC3000-0x000007FEF5DC4000-memory.dmp

Filesize
4KB

Download
memory/2772-8-0x000000013F780000-0x000000013F798000-memory.dmp

Filesize
96KB

Download
memory/2812-10-0x0000000003FA0000-0x0000000004016000-memory.dmp

Filesize
472KB

Download

Analysis

Sharing