discordrat | cbeb080ac0d3c78fe7ee2d56249f46f3ff74e3c114337f6bc5557951e4c46bd0

Analysis

max time kernel
122s
max time network
124s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
17-12-2024 08:50

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

cbeb080ac0d3c78fe7ee2d56249f46f3ff74e3c114337f6bc5557951e4c46bd0.exe
Size

588KB
MD5

1cc6d8b0062bd2cba1276ed67bf35c06
SHA1

f5fe59b1380d6d2b96d6abd92b27db0d19b92d17
SHA256

cbeb080ac0d3c78fe7ee2d56249f46f3ff74e3c114337f6bc5557951e4c46bd0
SHA512

22da4edd15adb6c73abcc15afe732b7423521cfb1dff1980258bcd7a11a9343a9dce248222d3fa280ae521f5e72beb13f2c19be91c9b54cc86124b006550ae6d
SSDEEP

12288:ayveQB/fTHIGaPkKEYzURNAwbAg8gGQL0mSCcjTIVWdHr7:auDXTIGaPhEYzUzA0qv40mU0VYHr7

Score

10^/10

discordrat persistence rat rootkit stealer

Malware Config

Extracted

Family

discordrat

Attributes

discord_token
MTMxODE4MTE0OTg3NjQyNDc3Nw.GQG8E9.nJeLLo161XgHRqOZobXXNSZwDQZ2I4osCosf_4
server_id
1318182170891911208

Signatures

Discord RAT
A RAT written in C# using Discord as a C2.
stealer rootkit rat persistence discordrat
Discordrat family
discordrat

Executes dropped EXE 1 IoCs

pid	Process
2692	uno.exe

Loads dropped DLL 6 IoCs

pid	Process
2764	cbeb080ac0d3c78fe7ee2d56249f46f3ff74e3c114337f6bc5557951e4c46bd0.exe
2744	WerFault.exe
2744	WerFault.exe
2744	WerFault.exe
2744	WerFault.exe
2744	WerFault.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious use of WriteProcessMemory 6 IoCs

description	pid	Process	procid_target
PID 2764 wrote to memory of 2692	2764	cbeb080ac0d3c78fe7ee2d56249f46f3ff74e3c114337f6bc5557951e4c46bd0.exe	32
PID 2764 wrote to memory of 2692	2764	cbeb080ac0d3c78fe7ee2d56249f46f3ff74e3c114337f6bc5557951e4c46bd0.exe	32
PID 2764 wrote to memory of 2692	2764	cbeb080ac0d3c78fe7ee2d56249f46f3ff74e3c114337f6bc5557951e4c46bd0.exe	32
PID 2692 wrote to memory of 2744	2692	uno.exe	33
PID 2692 wrote to memory of 2744	2692	uno.exe	33
PID 2692 wrote to memory of 2744	2692	uno.exe	33

C:\Users\Admin\AppData\Local\Temp\cbeb080ac0d3c78fe7ee2d56249f46f3ff74e3c114337f6bc5557951e4c46bd0.exe
"C:\Users\Admin\AppData\Local\Temp\cbeb080ac0d3c78fe7ee2d56249f46f3ff74e3c114337f6bc5557951e4c46bd0.exe"
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2764
- C:\Users\Admin\AppData\Local\Temp\RarSFX0\uno.exe
  "C:\Users\Admin\AppData\Local\Temp\RarSFX0\uno.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
  PID:2692
- - C:\Windows\system32\WerFault.exe
    C:\Windows\system32\WerFault.exe -u -p 2692 -s 596
    3⤵
    - Loads dropped DLL
    PID:2744

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\RarSFX0\uno.exe

Filesize
78KB

MD5
450ecba1d1abd697740b513f1675d9b2

SHA1
985044a625d50042ca4d5829d93e2a3115278fd4

SHA256
665953beb4bf982b9f83d0f08953ade12a59504053b1c11b3672400cd26963ad

SHA512
47e20e979b1732ade07917126cd099ae538abf63d8bfada181705572d1e2dc492d99206aaacbddb31186da1cf5f306547a41bed205eeb1c6df6f0d53bb2db198

Download Submit
memory/2692-11-0x000007FEF5AC3000-0x000007FEF5AC4000-memory.dmp

Filesize
4KB

Download
memory/2692-12-0x000000013F410000-0x000000013F428000-memory.dmp

Filesize
96KB

Download
memory/2692-17-0x000007FEF5AC0000-0x000007FEF64AC000-memory.dmp

Filesize
9.9MB

Download
memory/2692-19-0x000007FEF5AC0000-0x000007FEF64AC000-memory.dmp

Filesize
9.9MB

Download
memory/2764-4-0x0000000002430000-0x0000000002440000-memory.dmp

Filesize
64KB

Download