discordrat | feeaaf0a4f055a7f5c5cc3ec02689d23155bbefa8d473f6f29bbc453753350da

Analysis

max time kernel
119s
max time network
120s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
25-12-2024 14:14

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

Lorito.exe
Size

506KB
MD5

5145238a5fe1dedf3a95a6727f46d87d
SHA1

f89ff2e64a37fbacb8bcde27b1433f74ecb62a05
SHA256

feeaaf0a4f055a7f5c5cc3ec02689d23155bbefa8d473f6f29bbc453753350da
SHA512

ca5c1f2d9484f5df193b6de47ca1157949d0700175e25016d2c602ef7cd68381141383c3abec280d015f44409efca3425ec3fd39cf8f2ea7f1135439d71fb6f3
SSDEEP

6144:Cqj9Vbvt0CVAtM9ST08l4oqHU4KpF0gQoIsRHZ/QTGoDMyD5cDfXowzr+pldTuse:Nn0LIyy/LMIsHZo6gM2WX4pvTuJOOJ

Score

10^/10

discordrat persistence rat rootkit stealer

Malware Config

Extracted

Family

discordrat

Attributes

discord_token
MTMxODIyMjc3NTA0MjgzODUzOQ.GlP3Ne.ymlpBd4lypP98gk2QafDxsxkAzy26pPCyBZ7Xg
server_id
1318223874348941362

Signatures

Discord RAT
A RAT written in C# using Discord as a C2.
stealer rootkit rat persistence discordrat
Discordrat family
discordrat

Executes dropped EXE 1 IoCs

pid	Process
2580	Backdoor.exe

Loads dropped DLL 6 IoCs

pid	Process
2340	Lorito.exe
2552	WerFault.exe
2552	WerFault.exe
2552	WerFault.exe
2552	WerFault.exe
2552	WerFault.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious use of WriteProcessMemory 6 IoCs

description	pid	Process	procid_target
PID 2340 wrote to memory of 2580	2340	Lorito.exe	31
PID 2340 wrote to memory of 2580	2340	Lorito.exe	31
PID 2340 wrote to memory of 2580	2340	Lorito.exe	31
PID 2580 wrote to memory of 2552	2580	Backdoor.exe	32
PID 2580 wrote to memory of 2552	2580	Backdoor.exe	32
PID 2580 wrote to memory of 2552	2580	Backdoor.exe	32

C:\Users\Admin\AppData\Local\Temp\Lorito.exe
"C:\Users\Admin\AppData\Local\Temp\Lorito.exe"
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2340
- C:\Users\Admin\AppData\Local\Temp\RarSFX0\Backdoor.exe
  "C:\Users\Admin\AppData\Local\Temp\RarSFX0\Backdoor.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
  PID:2580
- - C:\Windows\system32\WerFault.exe
    C:\Windows\system32\WerFault.exe -u -p 2580 -s 596
    3⤵
    - Loads dropped DLL
    PID:2552

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\RarSFX0\Backdoor.exe

Filesize
78KB

MD5
ce711361fc917b5fc43ae31105c6ef0f

SHA1
bdc3c38d0843ccdb19de071b2dc2739a93ce9def

SHA256
7056dae1e807cdd837454a982235a33292e0b8ad96d211aa6e1ae82ef15e87ac

SHA512
6e6395ebc6578eaef02efe1d925d6ea48809b571ae72051d25405cefb1483801932b86dfdfb66607dacdc58e6992a9bde1061ceab1a8d7cfb430c66ae75fd3c2

Download Submit
memory/2340-4-0x0000000003210000-0x0000000003220000-memory.dmp

Filesize
64KB

Download
memory/2580-11-0x000007FEF55C3000-0x000007FEF55C4000-memory.dmp

Filesize
4KB

Download
memory/2580-12-0x000000013F480000-0x000000013F498000-memory.dmp

Filesize
96KB

Download
memory/2580-17-0x000007FEF55C0000-0x000007FEF5FAC000-memory.dmp

Filesize
9.9MB

Download
memory/2580-19-0x000007FEF55C0000-0x000007FEF5FAC000-memory.dmp

Filesize
9.9MB

Download