discordrat | feeaaf0a4f055a7f5c5cc3ec02689d23155bbefa8d473f6f29bbc453753350da

Analysis

max time kernel
94s
max time network
144s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
25-12-2024 14:14

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

Lorito.exe
Size

506KB
MD5

5145238a5fe1dedf3a95a6727f46d87d
SHA1

f89ff2e64a37fbacb8bcde27b1433f74ecb62a05
SHA256

feeaaf0a4f055a7f5c5cc3ec02689d23155bbefa8d473f6f29bbc453753350da
SHA512

ca5c1f2d9484f5df193b6de47ca1157949d0700175e25016d2c602ef7cd68381141383c3abec280d015f44409efca3425ec3fd39cf8f2ea7f1135439d71fb6f3
SSDEEP

6144:Cqj9Vbvt0CVAtM9ST08l4oqHU4KpF0gQoIsRHZ/QTGoDMyD5cDfXowzr+pldTuse:Nn0LIyy/LMIsHZo6gM2WX4pvTuJOOJ

Score

10^/10

discordrat persistence rat rootkit stealer

Malware Config

Extracted

Family

discordrat

Attributes

discord_token
MTMxODIyMjc3NTA0MjgzODUzOQ.GlP3Ne.ymlpBd4lypP98gk2QafDxsxkAzy26pPCyBZ7Xg
server_id
1318223874348941362

Signatures

Discord RAT
A RAT written in C# using Discord as a C2.
stealer rootkit rat persistence discordrat
Discordrat family
discordrat

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\Control Panel\International\Geo\Nation	Lorito.exe

Executes dropped EXE 1 IoCs

pid	Process
2176	Backdoor.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	2176	Backdoor.exe

Suspicious use of WriteProcessMemory 2 IoCs

description	pid	Process	procid_target
PID 2488 wrote to memory of 2176	2488	Lorito.exe	82
PID 2488 wrote to memory of 2176	2488	Lorito.exe	82

C:\Users\Admin\AppData\Local\Temp\Lorito.exe
"C:\Users\Admin\AppData\Local\Temp\Lorito.exe"
1⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:2488
- C:\Users\Admin\AppData\Local\Temp\RarSFX0\Backdoor.exe
  "C:\Users\Admin\AppData\Local\Temp\RarSFX0\Backdoor.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken
  PID:2176

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\RarSFX0\Backdoor.exe

Filesize
78KB

MD5
ce711361fc917b5fc43ae31105c6ef0f

SHA1
bdc3c38d0843ccdb19de071b2dc2739a93ce9def

SHA256
7056dae1e807cdd837454a982235a33292e0b8ad96d211aa6e1ae82ef15e87ac

SHA512
6e6395ebc6578eaef02efe1d925d6ea48809b571ae72051d25405cefb1483801932b86dfdfb66607dacdc58e6992a9bde1061ceab1a8d7cfb430c66ae75fd3c2

Download Submit
memory/2176-14-0x00007FFA0A4F3000-0x00007FFA0A4F5000-memory.dmp

Filesize
8KB

Download
memory/2176-15-0x00000228611C0000-0x00000228611D8000-memory.dmp

Filesize
96KB

Download
memory/2176-16-0x000002287B840000-0x000002287BA02000-memory.dmp

Filesize
1.8MB

Download
memory/2176-17-0x00007FFA0A4F0000-0x00007FFA0AFB1000-memory.dmp

Filesize
10.8MB

Download
memory/2176-18-0x000002287C040000-0x000002287C568000-memory.dmp

Filesize
5.2MB

Download
memory/2176-19-0x00007FFA0A4F3000-0x00007FFA0A4F5000-memory.dmp

Filesize
8KB

Download
memory/2176-20-0x00007FFA0A4F0000-0x00007FFA0AFB1000-memory.dmp

Filesize
10.8MB

Download