discordrat | afc011779e0cbb0f9e2b86054c457f6a0b0a2dcf4a4df09de013c76ed2b552a1

General

Target

afc011779e0cbb0f9e2b86054c457f6a0b0a2dcf4a4df09de013c76ed2b552a1.exe
Size

814KB
MD5

477c02d117bd27ba71ea23c7e43e11f7
SHA1

945283d198fdf56b286b27951ee6af7c6eb155c0
SHA256

afc011779e0cbb0f9e2b86054c457f6a0b0a2dcf4a4df09de013c76ed2b552a1
SHA512

3097a138b7c850eb70d7639893c8157b5c546db6732fb337c88ae7573f03ec8c504dbd627c8e3e62f7f401a09ec4816e811e15bf9e8146b258f32e588d7a930c
SSDEEP

12288:8LJZSYMYiORE18Uibjk7WqX1ouQgqlzj+znTfipwMPlhaySdXYAbdE7znYYz:8VgY5bGvBQgqzj+3fitP/upYAbszYYz

Score

10^/10

discordrat persistence rat rootkit stealer upx

Malware Config

Extracted

Family

discordrat

Attributes

discord_token
MTMyOTY4MDQ1OTUwMzg5ODYyNA.GrobFq.k-NKOsgA447-8Lu7-dZzPZ88u6DfH4v3Whpvok
server_id
1296062254936096800

Signatures

Discord RAT
A RAT written in C# using Discord as a C2.
stealer rootkit rat persistence discordrat
Discordrat family
discordrat

Executes dropped EXE 3 IoCs

pid	Process
2828	Juan.sfx.exe
2656	Juan.exe
2480	backdoor.exe

Loads dropped DLL 8 IoCs

pid	Process
3024	cmd.exe
2828	Juan.sfx.exe
2656	Juan.exe
960	WerFault.exe
960	WerFault.exe
960	WerFault.exe
960	WerFault.exe
960	WerFault.exe

UPX packed file 2 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/memory/1688-0-0x000000013F7C0000-0x000000013F854000-memory.dmp	upx
behavioral1/memory/1688-23-0x000000013F7C0000-0x000000013F854000-memory.dmp	upx

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082
Runs net.exe

Suspicious use of WriteProcessMemory 24 IoCs

description	pid	Process	procid_target
PID 1688 wrote to memory of 2848	1688	afc011779e0cbb0f9e2b86054c457f6a0b0a2dcf4a4df09de013c76ed2b552a1.exe	29
PID 1688 wrote to memory of 2848	1688	afc011779e0cbb0f9e2b86054c457f6a0b0a2dcf4a4df09de013c76ed2b552a1.exe	29
PID 1688 wrote to memory of 2848	1688	afc011779e0cbb0f9e2b86054c457f6a0b0a2dcf4a4df09de013c76ed2b552a1.exe	29
PID 2848 wrote to memory of 3024	2848	cmd.exe	31
PID 2848 wrote to memory of 3024	2848	cmd.exe	31
PID 2848 wrote to memory of 3024	2848	cmd.exe	31
PID 3024 wrote to memory of 2756	3024	cmd.exe	33
PID 3024 wrote to memory of 2756	3024	cmd.exe	33
PID 3024 wrote to memory of 2756	3024	cmd.exe	33
PID 2756 wrote to memory of 2928	2756	net.exe	34
PID 2756 wrote to memory of 2928	2756	net.exe	34
PID 2756 wrote to memory of 2928	2756	net.exe	34
PID 3024 wrote to memory of 2828	3024	cmd.exe	35
PID 3024 wrote to memory of 2828	3024	cmd.exe	35
PID 3024 wrote to memory of 2828	3024	cmd.exe	35
PID 2828 wrote to memory of 2656	2828	Juan.sfx.exe	36
PID 2828 wrote to memory of 2656	2828	Juan.sfx.exe	36
PID 2828 wrote to memory of 2656	2828	Juan.sfx.exe	36
PID 2656 wrote to memory of 2480	2656	Juan.exe	38
PID 2656 wrote to memory of 2480	2656	Juan.exe	38
PID 2656 wrote to memory of 2480	2656	Juan.exe	38
PID 2480 wrote to memory of 960	2480	backdoor.exe	39
PID 2480 wrote to memory of 960	2480	backdoor.exe	39
PID 2480 wrote to memory of 960	2480	backdoor.exe	39

C:\Users\Admin\AppData\Local\Temp\afc011779e0cbb0f9e2b86054c457f6a0b0a2dcf4a4df09de013c76ed2b552a1.exe
"C:\Users\Admin\AppData\Local\Temp\afc011779e0cbb0f9e2b86054c457f6a0b0a2dcf4a4df09de013c76ed2b552a1.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:1688
- C:\Windows\system32\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\batchstart.bat" "
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2848
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /K "C:\Users\Admin\AppData\Local\Temp\batch.bat"
    3⤵
    - Loads dropped DLL
    - Suspicious use of WriteProcessMemory
    PID:3024
  - - C:\Windows\system32\net.exe
      net session
      4⤵
      Suspicious use of WriteProcessMemory
      PID:2756
    - - C:\Windows\system32\net1.exe
        
        C:\Windows\system32\net1 session
        5⤵
        
        PID:2928
  - - C:\Users\Admin\AppData\Local\Temp\Juan.sfx.exe
      "C:\Users\Admin\AppData\Local\Temp\Juan.sfx.exe" -p"lLF<4C1GFNn.@6))unp&9s" -d"C:\Users\Admin\AppData\Local\Temp\extraido"
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      Suspicious use of WriteProcessMemory
      PID:2828
    - - C:\Users\Admin\AppData\Local\Temp\extraido\Juan.exe
        
        "C:\Users\Admin\AppData\Local\Temp\extraido\Juan.exe"
        5⤵
        Executes dropped EXE
        Loads dropped DLL
        Suspicious use of WriteProcessMemory
        
        PID:2656
      - C:\Users\Admin\AppData\Local\Temp\RarSFX0\backdoor.exe
        
        "C:\Users\Admin\AppData\Local\Temp\RarSFX0\backdoor.exe"
        6⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:2480
        
        C:\Windows\system32\WerFault.exe
        
        C:\Windows\system32\WerFault.exe -u -p 2480 -s 596
        7⤵
        Loads dropped DLL
        
        PID:960

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\batch.bat

Filesize
1KB

MD5
0e5cb5833b17ae3af261b45de3482256

SHA1
6590098040f8b945ced907e9c453f31efcf48827

SHA256
f1b83777c9710c0b9ec00198d9216bbab3847c31555a4edc7e07cbd0073ea6ad

SHA512
96671f3edd3357e282b4919f9cb953c0976d1110ea2abc0aa7c64a15530a4ba83c4a1d6667294e443202ca19b916c0c5fd8cff7dcaba568fdfbe176eb229195c

Download Submit
C:\Users\Admin\AppData\Local\Temp\batchstart.bat

Filesize
63B

MD5
5fd234db36256f8ec5edbd60799292df

SHA1
c48373d0043d29d3b31a5a25ca49a182ed6418cc

SHA256
7fd6bc3d180252f2745a8c4424aae3ae994331d8d549ff516c8bfdcab4ffa3f3

SHA512
cd7e85307f206034411c80ff9b08a128aa39f96ddde1f2be57ac93d6e8869c4db341c63a9594fd8c752b17d4add0561e9be39f19db1d2c44ada1395d9afcc4da

Download Submit
\Users\Admin\AppData\Local\Temp\Juan.sfx.exe

Filesize
800KB

MD5
3dcb19c134f29d5531f351d561f1c6d5

SHA1
4e30fcbf39ff4311f954c38f56a6f08548864cac

SHA256
ba214782dda2e3c34c250d9e6a84c44cd0e0964413ce2d4648f45ae4b4567d1e

SHA512
f49aa1c43d80f4dc9b662264335fe17b6470536f3170d25b5a0b60d0f7538279f0c56b29221832a16c57e2d30454b47ec22d4527a0b71b6c4779104b01e753c6

Download Submit
\Users\Admin\AppData\Local\Temp\RarSFX0\backdoor.exe

Filesize
78KB

MD5
1f5898e9c73735d1b6a0a09788977975

SHA1
aab57af016e87ae4dcd54133605492c2ee525823

SHA256
331f8480da06b404a1c70d0c33f32c17ea1b8da71818b6950244dc84c9702d77

SHA512
a91df6388f99b50c47788ab67c7bbe595309eb47eb62de7f4d2e1204f7a86ecb52aad984a9a0b3e3229f4bee95b7042bb7827b475d102088b6a1f4958f7fa6e0

Download Submit
\Users\Admin\AppData\Local\Temp\extraido\Juan.exe

Filesize
611KB

MD5
6c73119afddc5e1b38aef2bea18aa249

SHA1
c71b32baa14d7668c96e612753b1020ce1ff6896

SHA256
17f3feaa7296345ca406ba7e242f577db61df568b281d87e158ce15f7623b588

SHA512
eb98d52b4885c5843db6519bcfdf9be8e70b15aa3524d88ed01a0ab216795de04b9fc482c579a931ccb9ba580d9f4bd00523fa7eb445efea9b4208f6ffd07362

Download Submit
memory/1688-0-0x000000013F7C0000-0x000000013F854000-memory.dmp

Filesize
592KB

Download
memory/1688-23-0x000000013F7C0000-0x000000013F854000-memory.dmp

Filesize
592KB

Download
memory/2480-51-0x000000013FA50000-0x000000013FA68000-memory.dmp

Filesize
96KB

Download
memory/2656-44-0x0000000002490000-0x00000000024A0000-memory.dmp

Filesize
64KB

Download

Analysis

Sharing