discordrat | b3f4f9e818ad28ddf5b0da3584e551b8df8e2fb2c1fecaf91fb5595f1693f66e

General

Target

b3f4f9e818ad28ddf5b0da3584e551b8df8e2fb2c1fecaf91fb5595f1693f66eN.exe
Size

814KB
MD5

48ca005cfd24d02863924efc340667e0
SHA1

5360967a58950f6b4fdbac45326878f4097d261a
SHA256

b3f4f9e818ad28ddf5b0da3584e551b8df8e2fb2c1fecaf91fb5595f1693f66e
SHA512

50c1475a7c3985b4712ef7ced0c8385a5c0f0431fe115df9c2f4e2dc10e00b40bce39305ea71d89f5c63b0ad3bfdf69996925a60dc2260c62cd8c540637cf90e
SSDEEP

12288:8LJZSYMYiORE18Uibjk7WqX1ouQgqlzj+znTfipwMPlhaySdXYAbdE7znYYT:8VgY5bGvBQgqzj+3fitP/upYAbszYYT

Score

10^/10

discordrat persistence rat rootkit stealer upx

Malware Config

Extracted

Family

discordrat

Attributes

discord_token
MTMyOTY4MDQ1OTUwMzg5ODYyNA.GrobFq.k-NKOsgA447-8Lu7-dZzPZ88u6DfH4v3Whpvok
server_id
1296062254936096800

Signatures

Discord RAT
A RAT written in C# using Discord as a C2.
stealer rootkit rat persistence discordrat
Discordrat family
discordrat

Executes dropped EXE 3 IoCs

pid	Process
2368	Juan.sfx.exe
2608	Juan.exe
2468	backdoor.exe

Loads dropped DLL 8 IoCs

pid	Process
1948	cmd.exe
2368	Juan.sfx.exe
2608	Juan.exe
3040	WerFault.exe
3040	WerFault.exe
3040	WerFault.exe
3040	WerFault.exe
3040	WerFault.exe

UPX packed file 2 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/memory/1912-0-0x000000013F490000-0x000000013F524000-memory.dmp	upx
behavioral1/memory/1912-23-0x000000013F490000-0x000000013F524000-memory.dmp	upx

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082
Runs net.exe

Suspicious use of WriteProcessMemory 24 IoCs

description	pid	Process	procid_target
PID 1912 wrote to memory of 2536	1912	b3f4f9e818ad28ddf5b0da3584e551b8df8e2fb2c1fecaf91fb5595f1693f66eN.exe	28
PID 1912 wrote to memory of 2536	1912	b3f4f9e818ad28ddf5b0da3584e551b8df8e2fb2c1fecaf91fb5595f1693f66eN.exe	28
PID 1912 wrote to memory of 2536	1912	b3f4f9e818ad28ddf5b0da3584e551b8df8e2fb2c1fecaf91fb5595f1693f66eN.exe	28
PID 2536 wrote to memory of 1948	2536	cmd.exe	30
PID 2536 wrote to memory of 1948	2536	cmd.exe	30
PID 2536 wrote to memory of 1948	2536	cmd.exe	30
PID 1948 wrote to memory of 2236	1948	cmd.exe	32
PID 1948 wrote to memory of 2236	1948	cmd.exe	32
PID 1948 wrote to memory of 2236	1948	cmd.exe	32
PID 2236 wrote to memory of 2232	2236	net.exe	33
PID 2236 wrote to memory of 2232	2236	net.exe	33
PID 2236 wrote to memory of 2232	2236	net.exe	33
PID 1948 wrote to memory of 2368	1948	cmd.exe	34
PID 1948 wrote to memory of 2368	1948	cmd.exe	34
PID 1948 wrote to memory of 2368	1948	cmd.exe	34
PID 2368 wrote to memory of 2608	2368	Juan.sfx.exe	35
PID 2368 wrote to memory of 2608	2368	Juan.sfx.exe	35
PID 2368 wrote to memory of 2608	2368	Juan.sfx.exe	35
PID 2608 wrote to memory of 2468	2608	Juan.exe	37
PID 2608 wrote to memory of 2468	2608	Juan.exe	37
PID 2608 wrote to memory of 2468	2608	Juan.exe	37
PID 2468 wrote to memory of 3040	2468	backdoor.exe	38
PID 2468 wrote to memory of 3040	2468	backdoor.exe	38
PID 2468 wrote to memory of 3040	2468	backdoor.exe	38

C:\Users\Admin\AppData\Local\Temp\b3f4f9e818ad28ddf5b0da3584e551b8df8e2fb2c1fecaf91fb5595f1693f66eN.exe
"C:\Users\Admin\AppData\Local\Temp\b3f4f9e818ad28ddf5b0da3584e551b8df8e2fb2c1fecaf91fb5595f1693f66eN.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:1912
- C:\Windows\system32\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\batchstart.bat" "
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2536
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /K "C:\Users\Admin\AppData\Local\Temp\batch.bat"
    3⤵
    - Loads dropped DLL
    - Suspicious use of WriteProcessMemory
    PID:1948
  - - C:\Windows\system32\net.exe
      net session
      4⤵
      Suspicious use of WriteProcessMemory
      PID:2236
    - - C:\Windows\system32\net1.exe
        
        C:\Windows\system32\net1 session
        5⤵
        
        PID:2232
  - - C:\Users\Admin\AppData\Local\Temp\Juan.sfx.exe
      "C:\Users\Admin\AppData\Local\Temp\Juan.sfx.exe" -p"lLF<4C1GFNn.@6))unp&9s" -d"C:\Users\Admin\AppData\Local\Temp\extraido"
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      Suspicious use of WriteProcessMemory
      PID:2368
    - - C:\Users\Admin\AppData\Local\Temp\extraido\Juan.exe
        
        "C:\Users\Admin\AppData\Local\Temp\extraido\Juan.exe"
        5⤵
        Executes dropped EXE
        Loads dropped DLL
        Suspicious use of WriteProcessMemory
        
        PID:2608
      - C:\Users\Admin\AppData\Local\Temp\RarSFX0\backdoor.exe
        
        "C:\Users\Admin\AppData\Local\Temp\RarSFX0\backdoor.exe"
        6⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:2468
        
        C:\Windows\system32\WerFault.exe
        
        C:\Windows\system32\WerFault.exe -u -p 2468 -s 596
        7⤵
        Loads dropped DLL
        
        PID:3040

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\RarSFX0\backdoor.exe

Filesize
78KB

MD5
1f5898e9c73735d1b6a0a09788977975

SHA1
aab57af016e87ae4dcd54133605492c2ee525823

SHA256
331f8480da06b404a1c70d0c33f32c17ea1b8da71818b6950244dc84c9702d77

SHA512
a91df6388f99b50c47788ab67c7bbe595309eb47eb62de7f4d2e1204f7a86ecb52aad984a9a0b3e3229f4bee95b7042bb7827b475d102088b6a1f4958f7fa6e0

Download Submit
C:\Users\Admin\AppData\Local\Temp\batch.bat

Filesize
1KB

MD5
0e5cb5833b17ae3af261b45de3482256

SHA1
6590098040f8b945ced907e9c453f31efcf48827

SHA256
f1b83777c9710c0b9ec00198d9216bbab3847c31555a4edc7e07cbd0073ea6ad

SHA512
96671f3edd3357e282b4919f9cb953c0976d1110ea2abc0aa7c64a15530a4ba83c4a1d6667294e443202ca19b916c0c5fd8cff7dcaba568fdfbe176eb229195c

Download Submit
C:\Users\Admin\AppData\Local\Temp\batchstart.bat

Filesize
63B

MD5
5fd234db36256f8ec5edbd60799292df

SHA1
c48373d0043d29d3b31a5a25ca49a182ed6418cc

SHA256
7fd6bc3d180252f2745a8c4424aae3ae994331d8d549ff516c8bfdcab4ffa3f3

SHA512
cd7e85307f206034411c80ff9b08a128aa39f96ddde1f2be57ac93d6e8869c4db341c63a9594fd8c752b17d4add0561e9be39f19db1d2c44ada1395d9afcc4da

Download Submit
\Users\Admin\AppData\Local\Temp\Juan.sfx.exe

Filesize
800KB

MD5
3dcb19c134f29d5531f351d561f1c6d5

SHA1
4e30fcbf39ff4311f954c38f56a6f08548864cac

SHA256
ba214782dda2e3c34c250d9e6a84c44cd0e0964413ce2d4648f45ae4b4567d1e

SHA512
f49aa1c43d80f4dc9b662264335fe17b6470536f3170d25b5a0b60d0f7538279f0c56b29221832a16c57e2d30454b47ec22d4527a0b71b6c4779104b01e753c6

Download Submit
\Users\Admin\AppData\Local\Temp\extraido\Juan.exe

Filesize
611KB

MD5
6c73119afddc5e1b38aef2bea18aa249

SHA1
c71b32baa14d7668c96e612753b1020ce1ff6896

SHA256
17f3feaa7296345ca406ba7e242f577db61df568b281d87e158ce15f7623b588

SHA512
eb98d52b4885c5843db6519bcfdf9be8e70b15aa3524d88ed01a0ab216795de04b9fc482c579a931ccb9ba580d9f4bd00523fa7eb445efea9b4208f6ffd07362

Download Submit
memory/1912-0-0x000000013F490000-0x000000013F524000-memory.dmp

Filesize
592KB

Download
memory/1912-23-0x000000013F490000-0x000000013F524000-memory.dmp

Filesize
592KB

Download
memory/2468-51-0x000000013F0D0000-0x000000013F0E8000-memory.dmp

Filesize
96KB

Download
memory/2608-44-0x0000000002230000-0x0000000002240000-memory.dmp

Filesize
64KB

Download

Analysis

Sharing