discordrat | b3f4f9e818ad28ddf5b0da3584e551b8df8e2fb2c1fecaf91fb5595f1693f66e

General

Target

b3f4f9e818ad28ddf5b0da3584e551b8df8e2fb2c1fecaf91fb5595f1693f66eN.exe
Size

814KB
MD5

48ca005cfd24d02863924efc340667e0
SHA1

5360967a58950f6b4fdbac45326878f4097d261a
SHA256

b3f4f9e818ad28ddf5b0da3584e551b8df8e2fb2c1fecaf91fb5595f1693f66e
SHA512

50c1475a7c3985b4712ef7ced0c8385a5c0f0431fe115df9c2f4e2dc10e00b40bce39305ea71d89f5c63b0ad3bfdf69996925a60dc2260c62cd8c540637cf90e
SSDEEP

12288:8LJZSYMYiORE18Uibjk7WqX1ouQgqlzj+znTfipwMPlhaySdXYAbdE7znYYT:8VgY5bGvBQgqzj+3fitP/upYAbszYYT

Score

10^/10

discordrat persistence rat rootkit stealer upx

Malware Config

Extracted

Family

discordrat

Attributes

discord_token
MTMyOTY4MDQ1OTUwMzg5ODYyNA.GrobFq.k-NKOsgA447-8Lu7-dZzPZ88u6DfH4v3Whpvok
server_id
1296062254936096800

Signatures

Discord RAT
A RAT written in C# using Discord as a C2.
stealer rootkit rat persistence discordrat
Discordrat family
discordrat

Checks computer location settings 2 TTPs 3 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\Control Panel\International\Geo\Nation	b3f4f9e818ad28ddf5b0da3584e551b8df8e2fb2c1fecaf91fb5595f1693f66eN.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\Control Panel\International\Geo\Nation	Juan.sfx.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\Control Panel\International\Geo\Nation	Juan.exe

Executes dropped EXE 3 IoCs

pid	Process
4384	Juan.sfx.exe
2496	Juan.exe
4416	backdoor.exe

UPX packed file 2 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/memory/2052-0-0x00007FF76ABC0000-0x00007FF76AC54000-memory.dmp	upx
behavioral2/memory/2052-12-0x00007FF76ABC0000-0x00007FF76AC54000-memory.dmp	upx

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082
Runs net.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	4416	backdoor.exe

Suspicious use of WriteProcessMemory 14 IoCs

description	pid	Process	procid_target
PID 2052 wrote to memory of 3632	2052	b3f4f9e818ad28ddf5b0da3584e551b8df8e2fb2c1fecaf91fb5595f1693f66eN.exe	82
PID 2052 wrote to memory of 3632	2052	b3f4f9e818ad28ddf5b0da3584e551b8df8e2fb2c1fecaf91fb5595f1693f66eN.exe	82
PID 3632 wrote to memory of 2776	3632	cmd.exe	85
PID 3632 wrote to memory of 2776	3632	cmd.exe	85
PID 2776 wrote to memory of 3780	2776	cmd.exe	87
PID 2776 wrote to memory of 3780	2776	cmd.exe	87
PID 3780 wrote to memory of 4228	3780	net.exe	88
PID 3780 wrote to memory of 4228	3780	net.exe	88
PID 2776 wrote to memory of 4384	2776	cmd.exe	89
PID 2776 wrote to memory of 4384	2776	cmd.exe	89
PID 4384 wrote to memory of 2496	4384	Juan.sfx.exe	90
PID 4384 wrote to memory of 2496	4384	Juan.sfx.exe	90
PID 2496 wrote to memory of 4416	2496	Juan.exe	91
PID 2496 wrote to memory of 4416	2496	Juan.exe	91

C:\Users\Admin\AppData\Local\Temp\b3f4f9e818ad28ddf5b0da3584e551b8df8e2fb2c1fecaf91fb5595f1693f66eN.exe
"C:\Users\Admin\AppData\Local\Temp\b3f4f9e818ad28ddf5b0da3584e551b8df8e2fb2c1fecaf91fb5595f1693f66eN.exe"
1⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:2052
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\batchstart.bat" "
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:3632
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /K "C:\Users\Admin\AppData\Local\Temp\batch.bat"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:2776
  - - C:\Windows\system32\net.exe
      net session
      4⤵
      Suspicious use of WriteProcessMemory
      PID:3780
    - - C:\Windows\system32\net1.exe
        
        C:\Windows\system32\net1 session
        5⤵
        
        PID:4228
  - - C:\Users\Admin\AppData\Local\Temp\Juan.sfx.exe
      "C:\Users\Admin\AppData\Local\Temp\Juan.sfx.exe" -p"lLF<4C1GFNn.@6))unp&9s" -d"C:\Users\Admin\AppData\Local\Temp\extraido"
      4⤵
      Checks computer location settings
      Executes dropped EXE
      Suspicious use of WriteProcessMemory
      PID:4384
    - - C:\Users\Admin\AppData\Local\Temp\extraido\Juan.exe
        
        "C:\Users\Admin\AppData\Local\Temp\extraido\Juan.exe"
        5⤵
        Checks computer location settings
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:2496
      - C:\Users\Admin\AppData\Local\Temp\RarSFX0\backdoor.exe
        
        "C:\Users\Admin\AppData\Local\Temp\RarSFX0\backdoor.exe"
        6⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:4416

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\Juan.sfx.exe

Filesize
800KB

MD5
3dcb19c134f29d5531f351d561f1c6d5

SHA1
4e30fcbf39ff4311f954c38f56a6f08548864cac

SHA256
ba214782dda2e3c34c250d9e6a84c44cd0e0964413ce2d4648f45ae4b4567d1e

SHA512
f49aa1c43d80f4dc9b662264335fe17b6470536f3170d25b5a0b60d0f7538279f0c56b29221832a16c57e2d30454b47ec22d4527a0b71b6c4779104b01e753c6

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX0\backdoor.exe

Filesize
78KB

MD5
1f5898e9c73735d1b6a0a09788977975

SHA1
aab57af016e87ae4dcd54133605492c2ee525823

SHA256
331f8480da06b404a1c70d0c33f32c17ea1b8da71818b6950244dc84c9702d77

SHA512
a91df6388f99b50c47788ab67c7bbe595309eb47eb62de7f4d2e1204f7a86ecb52aad984a9a0b3e3229f4bee95b7042bb7827b475d102088b6a1f4958f7fa6e0

Download Submit
C:\Users\Admin\AppData\Local\Temp\batch.bat

Filesize
1KB

MD5
0e5cb5833b17ae3af261b45de3482256

SHA1
6590098040f8b945ced907e9c453f31efcf48827

SHA256
f1b83777c9710c0b9ec00198d9216bbab3847c31555a4edc7e07cbd0073ea6ad

SHA512
96671f3edd3357e282b4919f9cb953c0976d1110ea2abc0aa7c64a15530a4ba83c4a1d6667294e443202ca19b916c0c5fd8cff7dcaba568fdfbe176eb229195c

Download Submit
C:\Users\Admin\AppData\Local\Temp\batchstart.bat

Filesize
63B

MD5
5fd234db36256f8ec5edbd60799292df

SHA1
c48373d0043d29d3b31a5a25ca49a182ed6418cc

SHA256
7fd6bc3d180252f2745a8c4424aae3ae994331d8d549ff516c8bfdcab4ffa3f3

SHA512
cd7e85307f206034411c80ff9b08a128aa39f96ddde1f2be57ac93d6e8869c4db341c63a9594fd8c752b17d4add0561e9be39f19db1d2c44ada1395d9afcc4da

Download Submit
C:\Users\Admin\AppData\Local\Temp\extraido\Juan.exe

Filesize
611KB

MD5
6c73119afddc5e1b38aef2bea18aa249

SHA1
c71b32baa14d7668c96e612753b1020ce1ff6896

SHA256
17f3feaa7296345ca406ba7e242f577db61df568b281d87e158ce15f7623b588

SHA512
eb98d52b4885c5843db6519bcfdf9be8e70b15aa3524d88ed01a0ab216795de04b9fc482c579a931ccb9ba580d9f4bd00523fa7eb445efea9b4208f6ffd07362

Download Submit
memory/2052-0-0x00007FF76ABC0000-0x00007FF76AC54000-memory.dmp

Filesize
592KB

Download
memory/2052-12-0x00007FF76ABC0000-0x00007FF76AC54000-memory.dmp

Filesize
592KB

Download
memory/4416-43-0x00000184DF8D0000-0x00000184DF8E8000-memory.dmp

Filesize
96KB

Download
memory/4416-44-0x00000184F9E80000-0x00000184FA042000-memory.dmp

Filesize
1.8MB

Download
memory/4416-45-0x00000184FA680000-0x00000184FABA8000-memory.dmp

Filesize
5.2MB

Download

Analysis

Sharing