discordrat | 783d046079b0d891a7cceee54a03e292efd2eb5941e90a268a0a6331c9805d03

Reason

Machine shutdown

General

Target

Vbuck GEN.exe
Size

78KB
MD5

19bb02eb4df10edd6af6822a847263dc
SHA1

eef31717a1cedf4ad3628092f2cc0074ad9d5b8e
SHA256

783d046079b0d891a7cceee54a03e292efd2eb5941e90a268a0a6331c9805d03
SHA512

4d523d09af36bc0c24e68c9a093cc51ce44aca766ad228cac8706c34b506fcd438efc6a2d4f2dafde0872d78df0c34e64cfc8548742af913d1864c29562486e0
SSDEEP

1536:52WjO8XeEXFh5P7v88wbjNrfxCXhRoKV6+V+5PIC:5Zv5PDwbjNrmAE+JIC

Score

10^/10

discordrat persistence ransomware rat rootkit spyware stealer

Malware Config

Extracted

Family

discordrat

Attributes

discord_token
MTMyNTU1MjM5MjUxNDY5OTM4Ng.GSsXF0.2F-rPvyxUMTADJXbj04XJt8RzF459DH9mdIDiA
server_id
1325554226285379708

Signatures

Discord RAT
A RAT written in C# using Discord as a C2.
stealer rootkit rat persistence discordrat
Discordrat family
discordrat
Downloads MZ/PE file
Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Credentials from Web Browsers
T1555.003

Legitimate hosting services abused for malware hosting/C2 1 TTPs 36 IoCs

Web Service

T1102

flow	ioc
95	discord.com
27	discord.com
30	discord.com
69	discord.com
70	discord.com
81	discord.com
84	discord.com
56	discord.com
85	discord.com
97	discord.com
12	discord.com
65	discord.com
82	discord.com
94	discord.com
96	discord.com
11	discord.com
64	discord.com
73	discord.com
86	discord.com
93	discord.com
63	raw.githubusercontent.com
57	discord.com
59	raw.githubusercontent.com
60	discord.com
72	discord.com
99	discord.com
61	discord.com
71	raw.githubusercontent.com
98	discord.com
88	discord.com
20	discord.com
37	discord.com
38	discord.com
41	discord.com
58	raw.githubusercontent.com
83	discord.com

Sets desktop wallpaper using registry 2 TTPs 2 IoCs

ransomware

Defacement

T1491

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\Control Panel\Desktop\Wallpaper = "C:\\Users\\Admin\\AppData\\Local\\Temp\\tmp5B79.tmp.png"	Vbuck GEN.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\Control Panel\Desktop\Wallpaper = "C:\\Users\\Admin\\AppData\\Local\\Temp\\tmpFFC4.tmp.png"	Vbuck GEN.exe

Modifies data under HKEY_USERS 15 IoCs

description	ioc	Process
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationGlassAttribute = "1"	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Accent\AccentColorMenu = "4292311040"	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\AccentColor = "4292311040"	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationColor = "3288365271"	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationAfterglow = "3288365271"	LogonUI.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Accent	LogonUI.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Accent\AccentPalette = a6d8ff0076b9ed00429ce3000078d700005a9e000042750000264200f7630c00	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Themes\History\AutoColor = "0"	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Accent\StartColorMenu = "4288567808"	LogonUI.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationColorBalance = "89"	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationBlurBalance = "1"	LogonUI.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Themes\History	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationAfterglowBalance = "10"	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\EnableWindowColorization = "64"	LogonUI.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	3868	Vbuck GEN.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
4932	LogonUI.exe

C:\Users\Admin\AppData\Local\Temp\Vbuck GEN.exe
"C:\Users\Admin\AppData\Local\Temp\Vbuck GEN.exe"
1⤵
- Sets desktop wallpaper using registry
- Suspicious use of AdjustPrivilegeToken
PID:3868

C:\Windows\system32\LogonUI.exe
"LogonUI.exe" /flags:0x4 /state0:0xa38e8055 /state1:0x41c64e6d
1⤵
- Modifies data under HKEY_USERS
- Suspicious use of SetWindowsHookEx
PID:4932

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

1

T1112

Credential Access

Credentials from Password Stores

1

T1555

Credentials from Web Browsers

1

T1555.003

Unsecured Credentials

1

T1552

Credentials In Files

1

T1552.001

Discovery

Lateral Movement

Collection

Data from Local System

1

T1005

Command and Control

Web Service

1

T1102

Exfiltration

Impact

Defacement

1

T1491

Replay Monitor

Loading Replay Monitor...

Downloads

memory/3868-0-0x00007FFE64653000-0x00007FFE64655000-memory.dmp

Filesize
8KB

Download
memory/3868-1-0x000001D752C00000-0x000001D752C18000-memory.dmp

Filesize
96KB

Download
memory/3868-2-0x000001D76D2D0000-0x000001D76D492000-memory.dmp

Filesize
1.8MB

Download
memory/3868-3-0x00007FFE64650000-0x00007FFE65111000-memory.dmp

Filesize
10.8MB

Download
memory/3868-4-0x000001D76DAD0000-0x000001D76DFF8000-memory.dmp

Filesize
5.2MB

Download
memory/3868-5-0x00007FFE64653000-0x00007FFE64655000-memory.dmp

Filesize
8KB

Download
memory/3868-6-0x00007FFE64650000-0x00007FFE65111000-memory.dmp

Filesize
10.8MB

Download
memory/3868-9-0x000001D76D6C0000-0x000001D76D736000-memory.dmp

Filesize
472KB

Download
memory/3868-10-0x000001D754870000-0x000001D754882000-memory.dmp

Filesize
72KB

Download
memory/3868-11-0x000001D7548A0000-0x000001D7548BE000-memory.dmp

Filesize
120KB

Download
memory/3868-12-0x000001D754880000-0x000001D75488E000-memory.dmp

Filesize
56KB

Download
memory/3868-13-0x000001D76E000000-0x000001D76E2CA000-memory.dmp

Filesize
2.8MB

Download
memory/3868-16-0x00007FFE64650000-0x00007FFE65111000-memory.dmp

Filesize
10.8MB

Download

Analysis

Sharing

Errors