discordrat | 728f6ef5853864664539cd562e33b81138f69609ff37cfcf622b901d2d9d81ff

Analysis

max time kernel
120s
max time network
121s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
17-12-2024 20:34

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

sisso.gpj.exe
Size

772KB
MD5

625bbdfe0046fffc786e7a0a27c10bef
SHA1

77795a62395bb6510057682415666f2f1e017031
SHA256

728f6ef5853864664539cd562e33b81138f69609ff37cfcf622b901d2d9d81ff
SHA512

640e062f7fac6cf5d9ce7200f827dd07c0ca9e48210fc35d165143e0ef318de734e818c58d557c077c6e5e270e0341546b8c86a60d37b339a04eb12667e02da6
SSDEEP

6144:ATouKrWBEu3/Z2lpGDHU3ykJy5UMwQ54zUOYwI9CmbkPryNyATXqF0Dp/frNpxb4:AToPWBv/cpGrU3yTiFb3bWXaiRfrJ4

Score

10^/10

discordrat discovery persistence rat rootkit stealer

Malware Config

Extracted

Family

discordrat

Attributes

discord_token
MTMxODY2NzE5MzE0NzE5NTQ3Mg.GqTYsG.EFDdS3JA4JWiUR6BrjCsNy5QiB52-BMhHIV3cs
server_id
1242941368020766730

Signatures

Discord RAT
A RAT written in C# using Discord as a C2.
stealer rootkit rat persistence discordrat
Discordrat family
discordrat

Executes dropped EXE 1 IoCs

pid	Process
2096	Client-built.exe

Loads dropped DLL 6 IoCs

pid	Process
1900	sisso.gpj.exe
2840	WerFault.exe
2840	WerFault.exe
2840	WerFault.exe
2840	WerFault.exe
2840	WerFault.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 2 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	sisso.gpj.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	DllHost.exe

Suspicious use of FindShellTrayWindow 1 IoCs

pid	Process
2432	DllHost.exe

Suspicious use of SetWindowsHookEx 4 IoCs

pid	Process
2432	DllHost.exe
2432	DllHost.exe
2432	DllHost.exe
2432	DllHost.exe

Suspicious use of WriteProcessMemory 7 IoCs

description	pid	Process	procid_target
PID 1900 wrote to memory of 2096	1900	sisso.gpj.exe	31
PID 1900 wrote to memory of 2096	1900	sisso.gpj.exe	31
PID 1900 wrote to memory of 2096	1900	sisso.gpj.exe	31
PID 1900 wrote to memory of 2096	1900	sisso.gpj.exe	31
PID 2096 wrote to memory of 2840	2096	Client-built.exe	32
PID 2096 wrote to memory of 2840	2096	Client-built.exe	32
PID 2096 wrote to memory of 2840	2096	Client-built.exe	32

C:\Users\Admin\AppData\Local\Temp\sisso.gpj.exe
"C:\Users\Admin\AppData\Local\Temp\sisso.gpj.exe"
1⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:1900
- C:\Users\Admin\AppData\Local\Temp\RarSFX0\Client-built.exe
  "C:\Users\Admin\AppData\Local\Temp\RarSFX0\Client-built.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
  PID:2096
- - C:\Windows\system32\WerFault.exe
    C:\Windows\system32\WerFault.exe -u -p 2096 -s 596
    3⤵
    - Loads dropped DLL
    PID:2840

C:\Windows\SysWOW64\DllHost.exe
C:\Windows\SysWOW64\DllHost.exe /Processid:{76D0CB12-7604-4048-B83C-1005C7DDC503}
1⤵
- System Location Discovery: System Language Discovery
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
PID:2432

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\RarSFX0\th-_1_.jpg

Filesize
51KB

MD5
6bc0a2737f32a599a8070932754eacc4

SHA1
a13f0d4ffd262c09b978233873b823ed4b835ffb

SHA256
4f15cb46a6c6a7799e1cfc07482954d009f8bd513126a80d2565842d6b924df1

SHA512
393269cb8e8ebe7b1987a97703ca18bcc2e3eb62f96924683fc59bdfaf348bdb93929408172a1b97ef3108864cd1d1b4f694bb729408874b902c7c7d43f9e6b1

Download Submit
\Users\Admin\AppData\Local\Temp\RarSFX0\Client-built.exe

Filesize
78KB

MD5
46cd65e5ff390ddaa6236f272839cc09

SHA1
18a0fd8cc58b4bf61f3bfc499886956cef8d7bd5

SHA256
3f373b012e2c89289a5c81cc78c3722123a7cb0062a0c00089eab6b84141f758

SHA512
f455f71f1d17b9ced82060af29642dc119b7919db0ca9ef9348d098a6a56d08205389a5cf9a07aa9a9a69b31836513e4cf4ca5c4d154be7ecd7ac0e595905db2

Download Submit
memory/1900-4-0x0000000000820000-0x0000000000822000-memory.dmp

Filesize
8KB

Download
memory/2096-13-0x000000013F920000-0x000000013F938000-memory.dmp

Filesize
96KB

Download
memory/2432-5-0x00000000001F0000-0x00000000001F2000-memory.dmp

Filesize
8KB

Download
memory/2432-7-0x0000000000420000-0x0000000000421000-memory.dmp

Filesize
4KB

Download
memory/2432-20-0x0000000000420000-0x0000000000421000-memory.dmp

Filesize
4KB

Download