discordrat | 7de30319baffb2aa4db6b00d51b9f03ba15d54bcfb7cd58115c533ebb0884b94

General

Target

7de30319baffb2aa4db6b00d51b9f03ba15d54bcfb7cd58115c533ebb0884b94.exe
Size

1.2MB
MD5

6a1e9e5b4d55e423d9b2d3dec10f0fe4
SHA1

b2ce7191de0dad914282a8ba4b27e64bbd21c406
SHA256

7de30319baffb2aa4db6b00d51b9f03ba15d54bcfb7cd58115c533ebb0884b94
SHA512

ed5632a347b6670ae6e6ebce6900962de04942f0d4fa2ad2766835d2eecf24e2661255a9410c5e83d8c99a626b5825b20d11496ec160853ff2484a6619b9cf55
SSDEEP

24576:6JpPYTqwhb7j1anIFR18ojgRCHHG/xZQBw6YEEY5JR2DPzovGJ:6wTbb7jrFRCojmCHgZCw6TEY/R2DP8GJ

Score

10^/10

discordrat discovery persistence rat rootkit stealer

Malware Config

Extracted

Family

discordrat

Attributes

discord_token
MTMwMjI5ODU3ODU3NTY5MTc4Ng.GatRXV.m8vJiqZdltYRXl80ctkuRQLNgaYFq9CIxslvwo
server_id
1302300502150877235

Signatures

Discord RAT
A RAT written in C# using Discord as a C2.
stealer rootkit rat persistence discordrat
Discordrat family
discordrat

Executes dropped EXE 1 IoCs

pid	Process
756	CLIENT-BUILT.EXE

Loads dropped DLL 6 IoCs

pid	Process
2140	7de30319baffb2aa4db6b00d51b9f03ba15d54bcfb7cd58115c533ebb0884b94.exe
2404	WerFault.exe
2404	WerFault.exe
2404	WerFault.exe
2404	WerFault.exe
2404	WerFault.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 2 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	7de30319baffb2aa4db6b00d51b9f03ba15d54bcfb7cd58115c533ebb0884b94.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	AcroRd32.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
2604	AcroRd32.exe

Suspicious use of SetWindowsHookEx 3 IoCs

pid	Process
2604	AcroRd32.exe
2604	AcroRd32.exe
2604	AcroRd32.exe

Suspicious use of WriteProcessMemory 11 IoCs

description	pid	Process	procid_target
PID 2140 wrote to memory of 756	2140	7de30319baffb2aa4db6b00d51b9f03ba15d54bcfb7cd58115c533ebb0884b94.exe	30
PID 2140 wrote to memory of 756	2140	7de30319baffb2aa4db6b00d51b9f03ba15d54bcfb7cd58115c533ebb0884b94.exe	30
PID 2140 wrote to memory of 756	2140	7de30319baffb2aa4db6b00d51b9f03ba15d54bcfb7cd58115c533ebb0884b94.exe	30
PID 2140 wrote to memory of 756	2140	7de30319baffb2aa4db6b00d51b9f03ba15d54bcfb7cd58115c533ebb0884b94.exe	30
PID 2140 wrote to memory of 2604	2140	7de30319baffb2aa4db6b00d51b9f03ba15d54bcfb7cd58115c533ebb0884b94.exe	31
PID 2140 wrote to memory of 2604	2140	7de30319baffb2aa4db6b00d51b9f03ba15d54bcfb7cd58115c533ebb0884b94.exe	31
PID 2140 wrote to memory of 2604	2140	7de30319baffb2aa4db6b00d51b9f03ba15d54bcfb7cd58115c533ebb0884b94.exe	31
PID 2140 wrote to memory of 2604	2140	7de30319baffb2aa4db6b00d51b9f03ba15d54bcfb7cd58115c533ebb0884b94.exe	31
PID 756 wrote to memory of 2404	756	CLIENT-BUILT.EXE	32
PID 756 wrote to memory of 2404	756	CLIENT-BUILT.EXE	32
PID 756 wrote to memory of 2404	756	CLIENT-BUILT.EXE	32

C:\Users\Admin\AppData\Local\Temp\7de30319baffb2aa4db6b00d51b9f03ba15d54bcfb7cd58115c533ebb0884b94.exe
"C:\Users\Admin\AppData\Local\Temp\7de30319baffb2aa4db6b00d51b9f03ba15d54bcfb7cd58115c533ebb0884b94.exe"
1⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2140
- C:\Users\Admin\AppData\Local\Temp\CLIENT-BUILT.EXE
  "C:\Users\Admin\AppData\Local\Temp\CLIENT-BUILT.EXE"
  2⤵
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
  PID:756
- - C:\Windows\system32\WerFault.exe
    C:\Windows\system32\WerFault.exe -u -p 756 -s 596
    3⤵
    - Loads dropped DLL
    PID:2404
- C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe
  "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe" "C:\Users\Admin\AppData\Local\Temp\EYES-OF-DARKNESS-BY-DEAN-R.-KOONTZ-GENIAL.PDF"
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: GetForegroundWindowSpam
  - Suspicious use of SetWindowsHookEx
  PID:2604

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

1

T1082

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\EYES-OF-DARKNESS-BY-DEAN-R.-KOONTZ-GENIAL.PDF

Filesize
1.0MB

MD5
a3f425a6ec64f165846b9ce81cc77cf9

SHA1
66e09885b922b31e3549e098e9a4066edd78e073

SHA256
6c5345d2a4536bc51eea495a9a6bdeb44a5546bb5d39cbc6faba2665a5a404b6

SHA512
11ac5f9b2ce276a29f601824dbaa98a8e87679c83c5bb091d66ad0c3a636836e4d5758fb0ccc167ff2c4dba7d0e313bbe390e72476edaf9b179a3edffd73ea25

Download Submit
C:\Users\Admin\AppData\Roaming\Adobe\Acrobat\9.0\SharedDataEvents

Filesize
3KB

MD5
c36d8a68b1e56d908382cc2c7bebf90f

SHA1
ebad24c0bbe7d80c79f85b0904ec5722e1f66e6f

SHA256
980e371e9362e1d3bce31e1d61f92d431ab283933cc29a34acedf8e23ea14ca6

SHA512
9cbf500322dffbf30b45e6ec2676e61d4be112d3272b3e0634f4710264c5c8d84b215b7778d0e2bec41190753e68873e36cd0708c67f693ed28f5585eb410286

Download Submit
\Users\Admin\AppData\Local\Temp\CLIENT-BUILT.EXE

Filesize
78KB

MD5
36f8a903030df6650bbe42cebfc01510

SHA1
8c2db57d2c303085b0c26d6669e4812d85e3f7ec

SHA256
7bdee0f7f0cfce943c8f79347e2cf099f2384cab9889afe088de6d1da6922bbf

SHA512
e88811a5251fa7c1343a82652bf759b1ca9ce201adc6fe7050e4ff8dd2ed79b3c8b526852f29434837e7e5575a0805759ce2fe391cbcaaa33b0a2fe3698b6034

Download Submit
memory/756-7-0x000007FEF53A3000-0x000007FEF53A4000-memory.dmp

Filesize
4KB

Download
memory/756-8-0x000000013F330000-0x000000013F348000-memory.dmp

Filesize
96KB

Download
memory/756-34-0x000007FEF53A3000-0x000007FEF53A4000-memory.dmp

Filesize
4KB

Download
memory/2604-15-0x0000000002BB0000-0x0000000002C26000-memory.dmp

Filesize
472KB

Download

Analysis

Sharing