discordrat | 820e078ba20a1d71567e03ba9ded74fba3783a332123141333b315c9e5a5a02a

General

Target

Valhacks_1.exe
Size

719KB
MD5

4ec8339947d7cbb008baf517fcab0707
SHA1

6a29ca741ef10473b4b6c5af1caf899bc00ad87d
SHA256

820e078ba20a1d71567e03ba9ded74fba3783a332123141333b315c9e5a5a02a
SHA512

3bba68339f56b1c27987e12ab3052f0b4b18ddd4705ef962224d317d14fc8b0910e6cceb422ea2905b7923b20a289a19fb30d22d2c4904dce4ccaee760a6fc54
SSDEEP

12288:zCQjgAtAHM+vetZxF5EWry8AJGy0yvrVBHUl061yhp0xCkScaddIXEBObLJMjJN:z5ZWs+OZVEWry8AFBDVBHUl06YhpmA9D

Score

10^/10

discordrat persistence rat rootkit stealer

Malware Config

Extracted

Family

discordrat

Attributes

discord_token
MTI0NjU2Mzk3NzA5MDE3MDg5MA.GSGnYD.mZ5A67Z0aJaltBR9NnuG2KEdqkMRU6_UcPS7N4
server_id
1246564755443814531

Signatures

Discord RAT
A RAT written in C# using Discord as a C2.
stealer rootkit rat persistence discordrat
Discordrat family
discordrat

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\Control Panel\International\Geo\Nation	Valhacks_1.exe

Executes dropped EXE 1 IoCs

pid	Process
3832	Client-built.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs 3 IoCs

Web Service

T1102

flow	ioc
27	discord.com
23	discord.com
24	discord.com

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious behavior: AddClipboardFormatListener 1 IoCs

pid	Process
4124	vlc.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
4124	vlc.exe

Suspicious behavior: LoadsDriver 6 IoCs

pid	Process
4	Process not Found
4	Process not Found
4	Process not Found
4	Process not Found
4	Process not Found
660	Process not Found

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	3832	Client-built.exe

Suspicious use of FindShellTrayWindow 21 IoCs

pid	Process
4124	vlc.exe
4124	vlc.exe
4124	vlc.exe
4124	vlc.exe
4124	vlc.exe
4124	vlc.exe
4124	vlc.exe
4124	vlc.exe
4124	vlc.exe
4124	vlc.exe
4124	vlc.exe
4124	vlc.exe
4124	vlc.exe
4124	vlc.exe
4124	vlc.exe
4124	vlc.exe
4124	vlc.exe
4124	vlc.exe
4124	vlc.exe
4124	vlc.exe
4124	vlc.exe

Suspicious use of SendNotifyMessage 20 IoCs

pid	Process
4124	vlc.exe
4124	vlc.exe
4124	vlc.exe
4124	vlc.exe
4124	vlc.exe
4124	vlc.exe
4124	vlc.exe
4124	vlc.exe
4124	vlc.exe
4124	vlc.exe
4124	vlc.exe
4124	vlc.exe
4124	vlc.exe
4124	vlc.exe
4124	vlc.exe
4124	vlc.exe
4124	vlc.exe
4124	vlc.exe
4124	vlc.exe
4124	vlc.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
4124	vlc.exe

Suspicious use of WriteProcessMemory 2 IoCs

description	pid	Process	procid_target
PID 2788 wrote to memory of 3832	2788	Valhacks_1.exe	92
PID 2788 wrote to memory of 3832	2788	Valhacks_1.exe	92

C:\Users\Admin\AppData\Local\Temp\Valhacks_1.exe
"C:\Users\Admin\AppData\Local\Temp\Valhacks_1.exe"
1⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:2788
- C:\Users\Admin\AppData\Local\Temp\Client-built.exe
  "C:\Users\Admin\AppData\Local\Temp\Client-built.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken
  PID:3832

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:2204

C:\Program Files\VideoLAN\VLC\vlc.exe
"C:\Program Files\VideoLAN\VLC\vlc.exe" --started-from-file "C:\Users\Admin\Downloads\BackupStep.mpg"
1⤵
- Suspicious behavior: AddClipboardFormatListener
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of SetWindowsHookEx
PID:4124

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

Lateral Movement

Collection

Command and Control

Web Service

1

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\Client-built.exe

Filesize
78KB

MD5
1351e2f4d8fce5158b1528f9704bd721

SHA1
fab091a2f0f522774c9bb3bb3166e355fdf4826e

SHA256
aeb978fb4447c9a39cba32f48bc7537189ee6d99aed90c16a7323af5830f3bbf

SHA512
5118aa74de9b4e5bf473f424983e11cf5c38e19b8e5bf87b7627d59b8a5f94ea01cf9a73dd791147b6a3564fd5a7cf94b64d1df33c3f3ed63cf00db4b6e751fd

Download Submit
C:\Users\Admin\AppData\Roaming\vlc\vlc-qt-interface.ini

Filesize
77B

MD5
6573f301e23e6fe71a850b0de711fde6

SHA1
55651adfacbe496ed90ab2debb08b470bcd0d132

SHA256
bdd7953ae73791238e02cc26e31bc7c0d71dda15bd6667591dad70d6ed0ebc91

SHA512
69fc7954af07d1c5f7960c881bc5988923f53b526efc6908637cb19e4dd06ac6a91f1f6998365fe1c33ca989236537bbf342e9a459f675b3d01367c677ef1810

Download Submit
memory/3832-14-0x00007FFC4EA53000-0x00007FFC4EA55000-memory.dmp

Filesize
8KB

Download
memory/3832-15-0x000001CADD8B0000-0x000001CADD8C8000-memory.dmp

Filesize
96KB

Download
memory/3832-16-0x000001CAF7EE0000-0x000001CAF80A2000-memory.dmp

Filesize
1.8MB

Download
memory/3832-17-0x00007FFC4EA50000-0x00007FFC4F511000-memory.dmp

Filesize
10.8MB

Download
memory/3832-18-0x000001CAF86E0000-0x000001CAF8C08000-memory.dmp

Filesize
5.2MB

Download
memory/3832-19-0x00007FFC4EA53000-0x00007FFC4EA55000-memory.dmp

Filesize
8KB

Download
memory/3832-20-0x00007FFC4EA50000-0x00007FFC4F511000-memory.dmp

Filesize
10.8MB

Download
memory/4124-28-0x00007FFC49210000-0x00007FFC49221000-memory.dmp

Filesize
68KB

Download
memory/4124-40-0x00007FFC47BF0000-0x00007FFC47C01000-memory.dmp

Filesize
68KB

Download
memory/4124-32-0x00007FFC48E30000-0x00007FFC48E41000-memory.dmp

Filesize
68KB

Download
memory/4124-31-0x00007FFC48E50000-0x00007FFC48E6D000-memory.dmp

Filesize
116KB

Download
memory/4124-30-0x00007FFC48E70000-0x00007FFC48E81000-memory.dmp

Filesize
68KB

Download
memory/4124-33-0x00007FFC46210000-0x00007FFC4641B000-memory.dmp

Filesize
2.0MB

Download
memory/4124-29-0x00007FFC48E90000-0x00007FFC48EA7000-memory.dmp

Filesize
92KB

Download
memory/4124-23-0x00007FF7C72C0000-0x00007FF7C73B8000-memory.dmp

Filesize
992KB

Download
memory/4124-27-0x00007FFC5EF80000-0x00007FFC5EF97000-memory.dmp

Filesize
92KB

Download
memory/4124-25-0x00007FFC47CC0000-0x00007FFC47F76000-memory.dmp

Filesize
2.7MB

Download
memory/4124-41-0x00007FFC475A0000-0x00007FFC475B1000-memory.dmp

Filesize
68KB

Download
memory/4124-26-0x00007FFC5F6C0000-0x00007FFC5F6D8000-memory.dmp

Filesize
96KB

Download
memory/4124-39-0x00007FFC47C10000-0x00007FFC47C21000-memory.dmp

Filesize
68KB

Download
memory/4124-38-0x00007FFC47C30000-0x00007FFC47C41000-memory.dmp

Filesize
68KB

Download
memory/4124-37-0x00007FFC47C50000-0x00007FFC47C68000-memory.dmp

Filesize
96KB

Download
memory/4124-36-0x00007FFC488D0000-0x00007FFC488F1000-memory.dmp

Filesize
132KB

Download
memory/4124-35-0x00007FFC47C70000-0x00007FFC47CB1000-memory.dmp

Filesize
260KB

Download
memory/4124-34-0x00007FFC43B70000-0x00007FFC44C20000-memory.dmp

Filesize
16.7MB

Download
memory/4124-24-0x00007FFC49DB0000-0x00007FFC49DE4000-memory.dmp

Filesize
208KB

Download
memory/4124-67-0x00007FF7C72C0000-0x00007FF7C73B8000-memory.dmp

Filesize
992KB

Download
memory/4124-68-0x00007FFC49DB0000-0x00007FFC49DE4000-memory.dmp

Filesize
208KB

Download
memory/4124-69-0x00007FFC47CC0000-0x00007FFC47F76000-memory.dmp

Filesize
2.7MB

Download
memory/4124-70-0x00007FFC43B70000-0x00007FFC44C20000-memory.dmp

Filesize
16.7MB

Download

Resubmissions

Analysis

Sharing