discordrat | b19d42d7c56f6afc2957ef90d84c0d24e70262c01c56e71416eac4b6de9bb51d

Analysis

max time kernel
122s
max time network
127s
platform
windows7_x64
resource
win7-20241010-en
resource tags

arch:x64arch:x86image:win7-20241010-enlocale:en-usos:windows7-x64system
submitted
04-01-2025 21:56

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

clandgpj.exe
Size

359KB
MD5

4271c70a9cc171b2159e2cf06404eae7
SHA1

09e8fea1127994cc8269db868c5283c2f8c372ca
SHA256

b19d42d7c56f6afc2957ef90d84c0d24e70262c01c56e71416eac4b6de9bb51d
SHA512

60deb2318113ef34d1ed6b47ce3cc393b10372cc6a482bc08dd7080d7670a59d5c1c4c2390057e62e21824259416a3ebe2a90464790a71179fb1d28e82c2f489
SSDEEP

6144:1E+yclwQKjdn+WPtYVJIoBfYXUSJSdDQnjrEKBjknH:1BdlwHRn+WlYV+5XEEjrFanH

Score

10^/10

discordrat discovery persistence rat rootkit stealer

Malware Config

Extracted

Family

discordrat

Attributes

discord_token
MTMyNTE5ODU0ODEzMTc3NDQ3Ng.GGRvhn.0qO67JAYST6HRPMc7lzevXCuXAE2Hm6rkUlTQk
server_id
1099685979608068217

Signatures

Discord RAT
A RAT written in C# using Discord as a C2.
stealer rootkit rat persistence discordrat
Discordrat family
discordrat

Executes dropped EXE 1 IoCs

pid	Process
2916	cuenta.exe

Loads dropped DLL 6 IoCs

pid	Process
2092	clandgpj.exe
2372	WerFault.exe
2372	WerFault.exe
2372	WerFault.exe
2372	WerFault.exe
2372	WerFault.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 2 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	clandgpj.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	DllHost.exe

Suspicious use of FindShellTrayWindow 2 IoCs

pid	Process
2776	DllHost.exe
2776	DllHost.exe

Suspicious use of WriteProcessMemory 7 IoCs

description	pid	Process	procid_target
PID 2092 wrote to memory of 2916	2092	clandgpj.exe	31
PID 2092 wrote to memory of 2916	2092	clandgpj.exe	31
PID 2092 wrote to memory of 2916	2092	clandgpj.exe	31
PID 2092 wrote to memory of 2916	2092	clandgpj.exe	31
PID 2916 wrote to memory of 2372	2916	cuenta.exe	32
PID 2916 wrote to memory of 2372	2916	cuenta.exe	32
PID 2916 wrote to memory of 2372	2916	cuenta.exe	32

C:\Users\Admin\AppData\Local\Temp\clandgpj.exe
"C:\Users\Admin\AppData\Local\Temp\clandgpj.exe"
1⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2092
- C:\Users\Admin\AppData\Local\Temp\RarSFX0\cuenta.exe
  "C:\Users\Admin\AppData\Local\Temp\RarSFX0\cuenta.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
  PID:2916
- - C:\Windows\system32\WerFault.exe
    C:\Windows\system32\WerFault.exe -u -p 2916 -s 596
    3⤵
    - Loads dropped DLL
    PID:2372

C:\Windows\SysWOW64\DllHost.exe
C:\Windows\SysWOW64\DllHost.exe /Processid:{76D0CB12-7604-4048-B83C-1005C7DDC503}
1⤵
- System Location Discovery: System Language Discovery
- Suspicious use of FindShellTrayWindow
PID:2776

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\RarSFX0\image.png

Filesize
6KB

MD5
4f7a61f483d43416a7e2f0e6382910c4

SHA1
4a5afea13081e89c42873c0715478a6d96ef5976

SHA256
2a2c97bbb4d2acf58550058fed435a723ed7e024cec28389c3d87547a59c1f8e

SHA512
f64181106ffe9f7cb89aec8eb388952bbcd7c8077f0d0f06277dcfaca9a321b5cbb10f81f01ea04c10e23ffb5dae34ad72e32370799777146cdfa50975ca1c38

Download Submit
\Users\Admin\AppData\Local\Temp\RarSFX0\cuenta.exe

Filesize
78KB

MD5
40f2879fd923232555be54e3d5b05cfc

SHA1
f8cf4079a6e6b34baf4d604d144f25196896cad2

SHA256
22765e34b3a2ed835990b92c25d06f9f85149ac403bc0d8e3d3a85fdfa60be35

SHA512
9d7635867fa8717a52af07065549b57be974fd2a4dbc00003f0fd8736653cbd8566fa8404ad364716634ca43af3a6557e618f590fb14185a1e02a038ca4347bc

Download Submit
memory/2092-4-0x0000000002390000-0x0000000002392000-memory.dmp

Filesize
8KB

Download
memory/2776-5-0x00000000001A0000-0x00000000001A2000-memory.dmp

Filesize
8KB

Download
memory/2776-6-0x00000000002C0000-0x00000000002C1000-memory.dmp

Filesize
4KB

Download
memory/2776-20-0x00000000002C0000-0x00000000002C1000-memory.dmp

Filesize
4KB

Download
memory/2916-13-0x000000013F8C0000-0x000000013F8D8000-memory.dmp

Filesize
96KB

Download