discordrat | fad34259cb3d3755be673a6d68b260410886c8a331d521cce755f5c2b901c266

Resubmissions

13-01-2025 04:06

250113-epekrsxnhj 10

12-01-2025 14:50

250112-r7rdhawqdz 10

Analysis

max time kernel
840s
max time network
842s
platform
windows7_x64
resource
win7-20240729-en
resource tags

arch:x64arch:x86image:win7-20240729-enlocale:en-usos:windows7-x64system
submitted
13-01-2025 04:06

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

Lunacy.exe
Size

65.5MB
MD5

a8604ed6963fbd500f7ddbdc2974087f
SHA1

711ee4517ba5057b3f2b77f353bc5baf8907d3ee
SHA256

fad34259cb3d3755be673a6d68b260410886c8a331d521cce755f5c2b901c266
SHA512

33fe9b16210bdc68d4bc98a66886f9792d089ec71c21a707ae53a62bf558e910022f11d82d5bb72801b67bb3d90179e433bd2734942b5458835f71b4e4deeea3
SSDEEP

1572864:mDrVnCeLskhmYGTltzFsz33Us7MCnp70KGnfHlD86dqyVr:0rAeLnpGTlKd7MCnp70BfHq6dNVr

Score

10^/10

discordrat lumma discovery persistence rat rootkit stealer upx

Malware Config

Extracted

Family

discordrat

Attributes

discord_token
MTMyNjI3MzE5MjI2MzY4NDE1Nw.GqZTXC.3wU7sojPUYgFVOMUMGVxSZ4fuH7Ie5zAU4zEQE
server_id
1325932201975484416

Extracted

Family

lumma

https://sordid-snaked.cyou/api

https://awake-weaves.cyou/api

https://wrathful-jammy.cyou/api

https://debonairnukk.xyz/api

https://diffuculttan.xyz/api

https://effecterectz.xyz/api

https://deafeninggeh.biz/api

https://immureprech.biz/api

Signatures

Discord RAT
A RAT written in C# using Discord as a C2.
stealer rootkit rat persistence discordrat
Discordrat family
discordrat
Lumma Stealer, LummaC
Lumma or LummaC is an infostealer written in C++ first seen in August 2022.
stealer lumma
Lumma family
lumma

Executes dropped EXE 5 IoCs

pid	Process
2620	Loader.exe
800	Loader.exe
1820	client.exe
2060	lclient.exe
1756	lclient.exe

Loads dropped DLL 18 IoCs

pid	Process
2620	Loader.exe
2072	Lunacy.exe
2812	WerFault.exe
2812	WerFault.exe
2812	WerFault.exe
2812	WerFault.exe
2812	WerFault.exe
2072	Lunacy.exe
2060	lclient.exe
1756	lclient.exe
1756	lclient.exe
1756	lclient.exe
1756	lclient.exe
1756	lclient.exe
1756	lclient.exe
1756	lclient.exe
1424	Process not Found
1424	Process not Found

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 2620 set thread context of 800	2620	Loader.exe	32

UPX packed file 3 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/files/0x0003000000020a71-968.dat	upx
behavioral1/memory/1756-970-0x000007FEF5E00000-0x000007FEF63E8000-memory.dmp	upx
behavioral1/memory/1756-973-0x000007FEF5E00000-0x000007FEF63E8000-memory.dmp	upx

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 2 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Loader.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Loader.exe

Suspicious use of WriteProcessMemory 27 IoCs

description	pid	Process	procid_target
PID 2072 wrote to memory of 2620	2072	Lunacy.exe	30
PID 2072 wrote to memory of 2620	2072	Lunacy.exe	30
PID 2072 wrote to memory of 2620	2072	Lunacy.exe	30
PID 2072 wrote to memory of 2620	2072	Lunacy.exe	30
PID 2620 wrote to memory of 800	2620	Loader.exe	32
PID 2620 wrote to memory of 800	2620	Loader.exe	32
PID 2620 wrote to memory of 800	2620	Loader.exe	32
PID 2620 wrote to memory of 800	2620	Loader.exe	32
PID 2620 wrote to memory of 800	2620	Loader.exe	32
PID 2620 wrote to memory of 800	2620	Loader.exe	32
PID 2620 wrote to memory of 800	2620	Loader.exe	32
PID 2620 wrote to memory of 800	2620	Loader.exe	32
PID 2620 wrote to memory of 800	2620	Loader.exe	32
PID 2620 wrote to memory of 800	2620	Loader.exe	32
PID 2620 wrote to memory of 800	2620	Loader.exe	32
PID 2072 wrote to memory of 1820	2072	Lunacy.exe	33
PID 2072 wrote to memory of 1820	2072	Lunacy.exe	33
PID 2072 wrote to memory of 1820	2072	Lunacy.exe	33
PID 1820 wrote to memory of 2812	1820	client.exe	34
PID 1820 wrote to memory of 2812	1820	client.exe	34
PID 1820 wrote to memory of 2812	1820	client.exe	34
PID 2072 wrote to memory of 2060	2072	Lunacy.exe	35
PID 2072 wrote to memory of 2060	2072	Lunacy.exe	35
PID 2072 wrote to memory of 2060	2072	Lunacy.exe	35
PID 2060 wrote to memory of 1756	2060	lclient.exe	36
PID 2060 wrote to memory of 1756	2060	lclient.exe	36
PID 2060 wrote to memory of 1756	2060	lclient.exe	36

C:\Users\Admin\AppData\Local\Temp\Lunacy.exe
C:\Users\Admin\AppData\Local\Temp\Lunacy.exe cmd /c %SIGILL% "SIGTERM|DELETE|SIGKILL"
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2072
- C:\Users\Admin\AppData\Local\Temp\RarSFX0\Loader.exe
  "C:\Users\Admin\AppData\Local\Temp\RarSFX0\Loader.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious use of SetThreadContext
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2620
- - C:\Users\Admin\AppData\Local\Temp\RarSFX0\Loader.exe
    "C:\Users\Admin\AppData\Local\Temp\RarSFX0\Loader.exe"
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    PID:800
- C:\Users\Admin\AppData\Local\Temp\RarSFX0\client.exe
  "C:\Users\Admin\AppData\Local\Temp\RarSFX0\client.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
  PID:1820
- - C:\Windows\system32\WerFault.exe
    C:\Windows\system32\WerFault.exe -u -p 1820 -s 596
    3⤵
    - Loads dropped DLL
    PID:2812
- C:\Users\Admin\AppData\Local\Temp\RarSFX0\lclient.exe
  "C:\Users\Admin\AppData\Local\Temp\RarSFX0\lclient.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory
  PID:2060
- - C:\Users\Admin\AppData\Local\Temp\RarSFX0\lclient.exe
    "C:\Users\Admin\AppData\Local\Temp\RarSFX0\lclient.exe"
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    PID:1756

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\CabC064.tmp

Filesize
70KB

MD5
49aebf8cbd62d92ac215b2923fb1b9f5

SHA1
1723be06719828dda65ad804298d0431f6aff976

SHA256
b33efcb95235b98b48508e019afa4b7655e80cf071defabd8b2123fc8b29307f

SHA512
bf86116b015fb56709516d686e168e7c9c68365136231cc51d0b6542ae95323a71d2c7acec84aad7dcecc2e410843f6d82a0a6d51b9acfc721a9c84fdd877b5b

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX0\Loader.exe

Filesize
393KB

MD5
3c4161be295e9e9d019ce68dae82d60a

SHA1
36447fc6418e209dff1bb8a5e576f4d46e3b3296

SHA256
0f6481dabf7871823f259eb95f3b85c37d1de8a7d1884ac77a97d887cf96f75d

SHA512
cfa2d491a5d28beb8eb908d5af61254ac4c4c88e74c53d5d00ae15ef0731df1654304199996545d1074814c0ea8a032957b28d70774f05347616428e667f70e6

Download Submit
C:\Users\Admin\AppData\Local\Temp\TarC096.tmp

Filesize
181KB

MD5
4ea6026cf93ec6338144661bf1202cd1

SHA1
a1dec9044f750ad887935a01430bf49322fbdcb7

SHA256
8efbc21559ef8b1bcf526800d8070baad42474ce7198e26fa771dbb41a76b1d8

SHA512
6c7e0980e39aacf4c3689802353f464a08cd17753bd210ee997e5f2a455deb4f287a9ef74d84579dbde49bc96213cd2b8b247723919c412ea980aa6e6bfe218b

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI20602\api-ms-win-core-file-l1-2-0.dll

Filesize
21KB

MD5
4a060eec454c222a5381cd359dc00b81

SHA1
21e1bc115d04a74779e955ea16a16bd71454d9bb

SHA256
e6b2b05e14a6c6f5381e8f4c7f4fd28a499246fb4c8eafe1f08014b9273d70df

SHA512
16fb1f4ccdad05d07feb62e0cd078401f4023f9fab0fb15e52b927ca413e65eb32c2932ba59dbfa7f7ee0e8a8053748e27f2757e82e600db812271aa44a9433c

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI20602\api-ms-win-core-file-l2-1-0.dll

Filesize
20KB

MD5
50abf0a7ee67f00f247bada185a7661c

SHA1
0cddac9ac4db3bf10a11d4b79085ef9cb3fb84a1

SHA256
f957a4c261506484b53534a9be8931c02ec1a349b3f431a858f8215cecfec3f7

SHA512
c2694bb5d103baff1264926a04d2f0fe156b8815a23c3748412a81cc307b71a9236a0e974b5549321014065e393d10228a0f0004df9ba677f03b5d244a64b528

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI20602\api-ms-win-core-localization-l1-2-0.dll

Filesize
21KB

MD5
4c26932f8f1f490017add31f5ec0a533

SHA1
0da01a7c89b506fe3fd939344bb51b976efb3207

SHA256
dd3843c2e46b4e926c36150d614efe02ca0ebc1f767f64f471568adc35c2ef23

SHA512
eb2b87d187991fdc8e3a6577f20622d2d4a2a994dd375d8c27e1434ce786596533eacfbde8714db9959d88d6bcb91fdc8079c60c23f0eb920ba45c546a44e523

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI20602\api-ms-win-core-processthreads-l1-1-1.dll

Filesize
21KB

MD5
a6776c201baae1dd6f88048d7747d14c

SHA1
646119d2e440e6dad0ffb0fe449ab4fc27f09fbe

SHA256
ee99af71c347ff53c4e15109cb597759e657a3e859d9530680eeea8bb0540112

SHA512
a9137af8529fd96dbba22c5179a16d112ec0bfab9792babe0a9f1cca27408eff73ba89f498cb5f941a5aa44555529ee10484e6ca4a3fbf1627523acfde622b45

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI20602\api-ms-win-core-timezone-l1-1-0.dll

Filesize
21KB

MD5
10d466341e7ece8cf75b5d026105741b

SHA1
31d1e9b9a4511156695b5aa33d65b6a36f8139c2

SHA256
5ce391edb33c7055e724a4c3cecc64d16ba2aa4724cb99cd5aed00b0cecfbc82

SHA512
8778fd10c7360bd87db048a2b2ca6603455fd8cb4d0e18709f106b55db7cc92e7d6dc45385ff9def445b368376462e7d253442728d5e759faa97299b67a59e21

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI20602\python311.dll

Filesize
1.6MB

MD5
4fcf14c7837f8b127156b8a558db0bb2

SHA1
8de2711d00bef7b5f2dcf8a2c6871fa1db67cf1f

SHA256
a67df621a383f4ce5a408e0debe3ebc49ffc766d6a1d6d9a7942120b8ec054dc

SHA512
7a6195495b48f66c35b273a2c9d7ff59e96a4180ea8503f31c8b131167c6cdddd8d6fe77388a34096964a73c85eab504281a14ae3d05350cfee5c51d2491cec8

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI20602\ucrtbase.dll

Filesize
1.1MB

MD5
3b337c2d41069b0a1e43e30f891c3813

SHA1
ebee2827b5cb153cbbb51c9718da1549fa80fc5c

SHA256
c04daeba7e7c4b711d33993ab4c51a2e087f98f4211aea0dcb3a216656ba0ab7

SHA512
fdb3012a71221447b35757ed2bdca6ed1f8833b2f81d03aabebd2cd7780a33a9c3d816535d03c5c3edd5aaf11d91156842b380e2a63135e3c7f87193ad211499

Download Submit
\Users\Admin\AppData\Local\Temp\RarSFX0\client.exe

Filesize
78KB

MD5
38d14abf3ed05168a0f464c97eb3a2fc

SHA1
b0d53153e6680a7e39d02f6005ca34ef19d8a4f9

SHA256
06304fe64d26a1a7591267c6dc509621705e1c246a685f884f0563ab893ff326

SHA512
d67f0e0c01c4352c8d2b90b8c3bc434e2be66cac68f22adeee7a08cf2e8d4ac806904068fbd2ff712a7a67146827fc9251862e7da36d8a9977d5323ce6f0510f

Download Submit
memory/800-110-0x0000000000400000-0x0000000000456000-memory.dmp

Filesize
344KB

Download
memory/800-115-0x0000000000400000-0x0000000000456000-memory.dmp

Filesize
344KB

Download
memory/800-119-0x0000000000400000-0x0000000000456000-memory.dmp

Filesize
344KB

Download
memory/800-125-0x0000000000A40000-0x0000000000AA8000-memory.dmp

Filesize
416KB

Download
memory/800-113-0x00000000FFFDE000-0x00000000FFFDF000-memory.dmp

Filesize
4KB

Download
memory/800-112-0x0000000000400000-0x0000000000456000-memory.dmp

Filesize
344KB

Download
memory/800-107-0x0000000000400000-0x0000000000456000-memory.dmp

Filesize
344KB

Download
memory/800-111-0x0000000000400000-0x0000000000456000-memory.dmp

Filesize
344KB

Download
memory/800-108-0x0000000000400000-0x0000000000456000-memory.dmp

Filesize
344KB

Download
memory/800-109-0x0000000000400000-0x0000000000456000-memory.dmp

Filesize
344KB

Download
memory/1756-970-0x000007FEF5E00000-0x000007FEF63E8000-memory.dmp

Filesize
5.9MB

Download
memory/1756-973-0x000007FEF5E00000-0x000007FEF63E8000-memory.dmp

Filesize
5.9MB

Download
memory/1820-168-0x000007FEF5A00000-0x000007FEF63EC000-memory.dmp

Filesize
9.9MB

Download
memory/1820-132-0x000007FEF5A00000-0x000007FEF63EC000-memory.dmp

Filesize
9.9MB

Download
memory/1820-127-0x000000013F460000-0x000000013F478000-memory.dmp

Filesize
96KB

Download
memory/1820-126-0x000007FEF5A03000-0x000007FEF5A04000-memory.dmp

Filesize
4KB

Download
memory/2620-106-0x0000000000A5A000-0x0000000000A5B000-memory.dmp

Filesize
4KB

Download

Resubmissions

Analysis

Sharing

General

Malware Config

Extracted

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads