discordrat | 2e68a2674cf79b2b4d75c2b5a39693049585ba6cf96524b04b0a587548065087

Analysis

max time kernel
12s
max time network
13s
platform
windows11-21h2_x64
resource
win11-20241007-en
resource tags

arch:x64arch:x86image:win11-20241007-enlocale:en-usos:windows11-21h2-x64system
submitted
05-01-2025 20:04

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

Bilder.exe
Size

818KB
MD5

9beac5bdc9fba2ae277deac42593bb40
SHA1

7c51f60ff893dae014e0f9b128300f3802aa20c7
SHA256

2e68a2674cf79b2b4d75c2b5a39693049585ba6cf96524b04b0a587548065087
SHA512

0f0dac74a2db1e8a1c3efb70278fc2639094539c64b6a4ebc56161dd67fce6930c10970845ac748bd6b96434f378564b9646b0eee50e9a78746c54858c2e6092
SSDEEP

24576:TuDXTIGaPhEYzUzA0q/Zzn8k71UuC6hzOgBMoe:6Djlabwz9o51zOgeoe

Score

10^/10

discordrat persistence rat rootkit stealer

Malware Config

Extracted

Family

discordrat

Attributes

discord_token
MTMyMTk5NDk0MzgwMzQyODk3Nw.G7hRt0.tsvaJSgO9QCXFDWq0chKEu6Jsm3XDWEWHH41wA
server_id
1321995666821484655

Signatures

Discord RAT
A RAT written in C# using Discord as a C2.
stealer rootkit rat persistence discordrat
Discordrat family
discordrat

Executes dropped EXE 2 IoCs

pid	Process
3656	BM4Refl‮gpj.exe
4572	Piercing-3.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Modifies registry class 2 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-2253712635-4068079004-3870069674-1000_Classes\Local Settings	Bilder.exe
Key created	\REGISTRY\USER\S-1-5-21-2253712635-4068079004-3870069674-1000_Classes\Local Settings	OpenWith.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	4572	Piercing-3.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
1408	OpenWith.exe

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 3788 wrote to memory of 3656	3788	Bilder.exe	78
PID 3788 wrote to memory of 3656	3788	Bilder.exe	78
PID 3656 wrote to memory of 4572	3656	BM4Refl‮gpj.exe	81
PID 3656 wrote to memory of 4572	3656	BM4Refl‮gpj.exe	81

C:\Users\Admin\AppData\Local\Temp\Bilder.exe
"C:\Users\Admin\AppData\Local\Temp\Bilder.exe"
1⤵
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:3788
- C:\Users\Admin\AppData\Local\Temp\RarSFX0\BM4Refl‮gpj.exe
  "C:\Users\Admin\AppData\Local\Temp\RarSFX0\BM4Refl‮gpj.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
  PID:3656
- - C:\Users\Admin\AppData\Local\Temp\RarSFX1\Piercing-3.exe
    "C:\Users\Admin\AppData\Local\Temp\RarSFX1\Piercing-3.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious use of AdjustPrivilegeToken
    PID:4572

C:\Windows\system32\OpenWith.exe
C:\Windows\system32\OpenWith.exe -Embedding
1⤵
- Modifies registry class
- Suspicious use of SetWindowsHookEx
PID:1408

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\RarSFX0\BM4Refl‮gpj.exe

Filesize
529KB

MD5
d7746b44fff33140ee35be0cf8635098

SHA1
93d8359ebee5849abddec1d66f13f867dcbab214

SHA256
ab1f5565ec87d83344a85ea76310b4cd9f82877a9d39ff55977ca5f96f5324f4

SHA512
befdb09a8f1b66c30c2f9eee5d75f0547f40f6d66e12e484aaaaebea6d5f09629e00b16afdd0e3f54bdada3a371f88dd24a54befdf5497a0c0cfe42128de5522

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX1\AV_Bypass.py

Filesize
6KB

MD5
a152b166fa53ed1efbac71133670f48c

SHA1
dc65a442414440ee7e23a0519335574d8b053f74

SHA256
bbef61d27046a8322ab9625ee0fe71c4ddfb298f8743248290ec6bbe1bf65025

SHA512
e3fc957510a6a1888d9547bf5d3205209e8c62a06cafe103d98d7eb2104151fdc0f982fff7dc38bdf7ad21ad39d49eec81722d75684c46b2e44c86883fe78fef

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX1\Piercing-3.exe

Filesize
78KB

MD5
b7ccf7b812bb770c597725179857962f

SHA1
67ea478ef8c7f502576620821d85521197a5e533

SHA256
8438e6e9643604ca36f6d5196cbe4c417f61c69adf43ae2e8a991ce9ecacc005

SHA512
48b22d57758511e38b26e2404b4be03f2bc4050e4906a8f4f73bc2fd91efb4bfd9069effae2e7dc91843ed3c28751020db2e62335163f4e770400b94f40a0721

Download Submit
memory/4572-28-0x000001F24C5B0000-0x000001F24C5C8000-memory.dmp

Filesize
96KB

Download
memory/4572-29-0x000001F266D20000-0x000001F266EE2000-memory.dmp

Filesize
1.8MB

Download
memory/4572-30-0x000001F267FA0000-0x000001F2684C8000-memory.dmp

Filesize
5.2MB

Download