discordrat | c13a0cd7c2c2fd577703bff026b72ed81b51266afa047328c8ff1c4a4d965c97

General

Target

release.zip
Size

445KB
MD5

06a4fcd5eb3a39d7f50a0709de9900db
SHA1

50d089e915f69313a5187569cda4e6dec2d55ca7
SHA256

c13a0cd7c2c2fd577703bff026b72ed81b51266afa047328c8ff1c4a4d965c97
SHA512

75e5f637fd3282d088b1c0c1efd0de8a128f681e4ac66d6303d205471fe68b4fbf0356a21d803aff2cca6def455abad8619fedc8c7d51e574640eda0df561f9b
SSDEEP

12288:BfJ13+GoLo2d5ifXHE8134QwYOwFSFRiLQI:BKGo8EifSQwYWI

Score

10^/10

discordrat discovery persistence rat rootkit stealer

Malware Config

Signatures

Discord RAT
A RAT written in C# using Discord as a C2.
stealer rootkit rat persistence discordrat
Discordrat family
discordrat

Executes dropped EXE 3 IoCs

pid	Process
3148	builder.exe
2712	Discord rat.exe
4184	builder.exe

System Location Discovery: System Language Discovery 1 TTPs 2 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	builder.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	builder.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
72	7zFM.exe
72	7zFM.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
72	7zFM.exe

Suspicious use of AdjustPrivilegeToken 6 IoCs

description	pid	Process
Token: SeRestorePrivilege	72	7zFM.exe
Token: 35	72	7zFM.exe
Token: SeSecurityPrivilege	72	7zFM.exe
Token: SeSecurityPrivilege	72	7zFM.exe
Token: SeDebugPrivilege	2712	Discord rat.exe
Token: SeSecurityPrivilege	72	7zFM.exe

Suspicious use of FindShellTrayWindow 4 IoCs

pid	Process
72	7zFM.exe
72	7zFM.exe
72	7zFM.exe
72	7zFM.exe

Suspicious use of WriteProcessMemory 8 IoCs

description	pid	Process	procid_target
PID 72 wrote to memory of 3148	72	7zFM.exe	77
PID 72 wrote to memory of 3148	72	7zFM.exe	77
PID 72 wrote to memory of 3148	72	7zFM.exe	77
PID 72 wrote to memory of 2712	72	7zFM.exe	80
PID 72 wrote to memory of 2712	72	7zFM.exe	80
PID 72 wrote to memory of 4184	72	7zFM.exe	81
PID 72 wrote to memory of 4184	72	7zFM.exe	81
PID 72 wrote to memory of 4184	72	7zFM.exe	81

C:\Program Files\7-Zip\7zFM.exe
"C:\Program Files\7-Zip\7zFM.exe" "C:\Users\Admin\AppData\Local\Temp\release.zip"
1⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of WriteProcessMemory
PID:72
- C:\Users\Admin\AppData\Local\Temp\7zO840D7D87\builder.exe
  "C:\Users\Admin\AppData\Local\Temp\7zO840D7D87\builder.exe"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:3148
- C:\Users\Admin\AppData\Local\Temp\7zO840F7258\Discord rat.exe
  "C:\Users\Admin\AppData\Local\Temp\7zO840F7258\Discord rat.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken
  PID:2712
- C:\Users\Admin\AppData\Local\Temp\7zO84027659\builder.exe
  "C:\Users\Admin\AppData\Local\Temp\7zO84027659\builder.exe"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:4184

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\builder.exe.log

Filesize
1KB

MD5
ac45cc773216001c355992d869450b47

SHA1
1f19c3839b521e1bf1ec7928f32f45234f38ea40

SHA256
c9c03abe98c496376975747c9b617f5f6e1b50aec09aa8be31aa24e81254901f

SHA512
3d73620a59089bc05d60ae07f0811ddacd1661599eca096cd9927813f86dc9cebac1de221691373601c743250694de43e408a9e607e813fb28260b1509f84574

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zO840D7D87\builder.exe

Filesize
10KB

MD5
4f04f0e1ff050abf6f1696be1e8bb039

SHA1
bebf3088fff4595bfb53aea6af11741946bbd9ce

SHA256
ded51c306ee7e59fa15c42798c80f988f6310ea77ab77de3d12dc01233757cfa

SHA512
94713824b81de323e368fde18679ef8b8f2883378bffd2b7bd2b4e4bd5d48b35c6e71c9f8e9b058ba497db1bd0781807e5b7cecfd540dad611da0986c72b9f12

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zO840F7258\Discord rat.exe

Filesize
79KB

MD5
d13905e018eb965ded2e28ba0ab257b5

SHA1
6d7fe69566fddc69b33d698591c9a2c70d834858

SHA256
2bd631c6665656673a923c13359b0dc211debc05b2885127e26b0dce808e2dec

SHA512
b95bfdebef33ac72b6c21cdf0abb4961222b7efd17267cd7236e731dd0b6105ece28e784a95455f1ffc8a6dd1d580a467b07b3bd8cb2fb19e2111f1a864c97cb

Download Submit
memory/2712-36-0x000001A766C10000-0x000001A767138000-memory.dmp

Filesize
5.2MB

Download
memory/2712-35-0x000001A765990000-0x000001A765B52000-memory.dmp

Filesize
1.8MB

Download
memory/2712-34-0x000001A74B220000-0x000001A74B238000-memory.dmp

Filesize
96KB

Download
memory/3148-17-0x0000000074FE0000-0x0000000075791000-memory.dmp

Filesize
7.7MB

Download
memory/3148-18-0x0000000074FEE000-0x0000000074FEF000-memory.dmp

Filesize
4KB

Download
memory/3148-19-0x0000000074FE0000-0x0000000075791000-memory.dmp

Filesize
7.7MB

Download
memory/3148-21-0x0000000074FE0000-0x0000000075791000-memory.dmp

Filesize
7.7MB

Download
memory/3148-16-0x0000000004E10000-0x0000000004E1A000-memory.dmp

Filesize
40KB

Download
memory/3148-15-0x0000000004E30000-0x0000000004EC2000-memory.dmp

Filesize
584KB

Download
memory/3148-14-0x00000000053E0000-0x0000000005986000-memory.dmp

Filesize
5.6MB

Download
memory/3148-13-0x0000000000360000-0x0000000000368000-memory.dmp

Filesize
32KB

Download
memory/3148-12-0x0000000074FEE000-0x0000000074FEF000-memory.dmp

Filesize
4KB

Download

Analysis

Sharing