discordrat | 8eee8d645eff54587594bdf22b4bfd9e6939a453328980397c907e91c2970afc

Analysis

max time kernel
440s
max time network
442s
platform
windows11-21h2_x64
resource
win11-20241007-en
resource tags

arch:x64arch:x86image:win11-20241007-enlocale:en-usos:windows11-21h2-x64system
submitted
19-12-2024 00:43

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

release (1).zip
Size

445KB
MD5

492b0707929b94ef877ba06215b36a68
SHA1

d9ba69c8193cb27436849e10faed002aada2794a
SHA256

8eee8d645eff54587594bdf22b4bfd9e6939a453328980397c907e91c2970afc
SHA512

dc60d785eee5158cef3f05656fb6d91ed87a0d155b6acb2664e9a145a2a8434ec456e19d612604d35edcff6af49337d8d26897da33a9909c6ab5f98089e57946
SSDEEP

12288:BfJ13+GoLo2d5ifXHE8134QwYOwFSFRiLQ+:BKGo8EifSQwYW+

Score

10^/10

discordrat discovery persistence rat rootkit stealer

Malware Config

Signatures

Discord RAT
A RAT written in C# using Discord as a C2.
stealer rootkit rat persistence discordrat
Discordrat family
discordrat

Executes dropped EXE 2 IoCs

pid	Process
1092	builder.exe
4288	Client-built.exe

Loads dropped DLL 2 IoCs

pid	Process
1092	builder.exe
1092	builder.exe

System Location Discovery: System Language Discovery 1 TTPs 1 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	builder.exe

Suspicious use of AdjustPrivilegeToken 4 IoCs

description	pid	Process
Token: SeRestorePrivilege	4016	7zFM.exe
Token: 35	4016	7zFM.exe
Token: SeSecurityPrivilege	4016	7zFM.exe
Token: SeDebugPrivilege	4288	Client-built.exe

Suspicious use of FindShellTrayWindow 2 IoCs

pid	Process
4016	7zFM.exe
4016	7zFM.exe

C:\Program Files\7-Zip\7zFM.exe
"C:\Program Files\7-Zip\7zFM.exe" "C:\Users\Admin\AppData\Local\Temp\release (1).zip"
1⤵
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
PID:4016

C:\Windows\system32\NOTEPAD.EXE
"C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\Desktop\Nuevo documento de texto.txt
1⤵
PID:4636

C:\Users\Admin\Desktop\builder.exe
"C:\Users\Admin\Desktop\builder.exe"
1⤵
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
PID:1092

C:\Users\Admin\Desktop\Client-built.exe
"C:\Users\Admin\Desktop\Client-built.exe"
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:4288

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\Desktop\Client-built.exe

Filesize
78KB

MD5
df6f9fd91082c2f8199b3a9e01e06895

SHA1
e6ce8d2aa2ccb7f67c16210228b362ec9a7855aa

SHA256
24e2747f2bd5d079277ae09034f539a1e34ce3d9f3016353a1ca226817b93872

SHA512
4247e50e0faaea4b7436770be073ddd2c901fc55695c6d5dc8618be8c95d6666c71e8be8f29484ea070dea11ecf7ffdcf0de997984d3424828d59e2018820462

Download Submit
C:\Users\Admin\Desktop\Nuevo documento de texto.txt

Filesize
92B

MD5
867e035497fd38df02003a4c1d97d332

SHA1
4727f3e9ffd3a17f0438695c35839b237d63a086

SHA256
370e9917862c50202284442514959a1bc3efaa5ca9ed282a1ff9aba250a16401

SHA512
216d50e23dc742a90bbba67ff7b4932838903e014b9806746242311b51619e1c8935a5888e037323082a4dbe77a7d284996f342d47dec2e9dc3ca43de23bfae9

Download Submit
C:\Users\Admin\Desktop\Release\Discord rat.exe

Filesize
79KB

MD5
d13905e018eb965ded2e28ba0ab257b5

SHA1
6d7fe69566fddc69b33d698591c9a2c70d834858

SHA256
2bd631c6665656673a923c13359b0dc211debc05b2885127e26b0dce808e2dec

SHA512
b95bfdebef33ac72b6c21cdf0abb4961222b7efd17267cd7236e731dd0b6105ece28e784a95455f1ffc8a6dd1d580a467b07b3bd8cb2fb19e2111f1a864c97cb

Download Submit
C:\Users\Admin\Desktop\builder.exe

Filesize
10KB

MD5
4f04f0e1ff050abf6f1696be1e8bb039

SHA1
bebf3088fff4595bfb53aea6af11741946bbd9ce

SHA256
ded51c306ee7e59fa15c42798c80f988f6310ea77ab77de3d12dc01233757cfa

SHA512
94713824b81de323e368fde18679ef8b8f2883378bffd2b7bd2b4e4bd5d48b35c6e71c9f8e9b058ba497db1bd0781807e5b7cecfd540dad611da0986c72b9f12

Download Submit
C:\Users\Admin\Desktop\dnlib.dll

Filesize
1.1MB

MD5
508ccde8bc7003696f32af7054ca3d97

SHA1
1f6a0303c5ae5dc95853ec92fd8b979683c3f356

SHA256
4758c7c39522e17bf93b3993ada4a1f7dd42bb63331bac0dcd729885e1ba062a

SHA512
92a59a2e1f6bf0ce512d21cf4148fe027b3a98ed6da46925169a4d0d9835a7a4b1374ba0be84e576d9a8d4e45cb9c2336e1f5bd1ea53e39f0d8553db264e746d

Download Submit
memory/1092-16-0x0000000005190000-0x000000000519A000-memory.dmp

Filesize
40KB

Download
memory/1092-15-0x0000000004FE0000-0x0000000005072000-memory.dmp

Filesize
584KB

Download
memory/1092-20-0x0000000007B20000-0x0000000007C42000-memory.dmp

Filesize
1.1MB

Download
memory/1092-14-0x0000000005490000-0x0000000005A36000-memory.dmp

Filesize
5.6MB

Download
memory/1092-13-0x0000000000530000-0x0000000000538000-memory.dmp

Filesize
32KB

Download
memory/4288-25-0x000002D49CD40000-0x000002D49CD58000-memory.dmp

Filesize
96KB

Download
memory/4288-26-0x000002D4B7430000-0x000002D4B75F2000-memory.dmp

Filesize
1.8MB

Download
memory/4288-27-0x000002D4B87B0000-0x000002D4B8CD8000-memory.dmp

Filesize
5.2MB

Download