discordrat | aa87ea626a27c8bd572ddaf2a60cf2f0bea97a2ba8b6621663b4a3ebfa389455

General

Target

Diavlo Cracked v3.0.sfx.exe
Size

975KB
MD5

64f382968e015e0872cbc6d76f765978
SHA1

3f48e8245d05c5be882febddbb536cf27dc5de53
SHA256

aa87ea626a27c8bd572ddaf2a60cf2f0bea97a2ba8b6621663b4a3ebfa389455
SHA512

0a02603856ef94f251333a055f03bbdc340a57a88f9ba52bf6fb0101bdcc94aa97a6d8f0104fcd222cc22191a14895dc958af272d89d55b5f3b02563cdcf4fdb
SSDEEP

24576:xuDXTIGaPhEYzUzA0/0ecpUpOZhfBoTdIUUYBqLsoP46sJp:kDjlabwz9IAuJqdDUeM46ip

Score

10^/10

discordrat persistence rat rootkit stealer

Malware Config

Extracted

Family

discordrat

Attributes

discord_token
MTMzMDQyNzc0NDMwMzA1ODk4NQ.GwBsnV.DbDqkIByVgiJFZEGnnCEqbRM9oTQOr0FL49leU
server_id
1331769473505689671

Signatures

Discord RAT
A RAT written in C# using Discord as a C2.
stealer rootkit rat persistence discordrat
Discordrat family
discordrat

Executes dropped EXE 5 IoCs

pid	Process
2336	Diavlo Cracked v3.0.exe
1412	Diavlo Cracked v3.0.exe
1364	Installer x64.sfx.exe
1836	Installer x64.exe
948	Installer x64.exe

Loads dropped DLL 38 IoCs

pid	Process
1056	Diavlo Cracked v3.0.sfx.exe
1188	Process not Found
1188	Process not Found
1188	Process not Found
1188	Process not Found
1188	Process not Found
1188	Process not Found
1188	Process not Found
1188	Process not Found
1188	Process not Found
1188	Process not Found
1188	Process not Found
1188	Process not Found
1188	Process not Found
1188	Process not Found
1188	Process not Found
1188	Process not Found
1188	Process not Found
1188	Process not Found
776	WerFault.exe
776	WerFault.exe
776	WerFault.exe
776	WerFault.exe
776	WerFault.exe
1188	Process not Found
1188	Process not Found
1188	Process not Found
1188	Process not Found
1188	Process not Found
1188	Process not Found
1188	Process not Found
1188	Process not Found
1188	Process not Found
1612	WerFault.exe
1612	WerFault.exe
1612	WerFault.exe
1612	WerFault.exe
1612	WerFault.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Modifies Internet Explorer settings 1 TTPs 4 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-2039016743-699959520-214465309-1000\Software\Microsoft\Internet Explorer\Main	Diavlo Cracked v3.0.sfx.exe
Key created	\REGISTRY\USER\S-1-5-21-2039016743-699959520-214465309-1000\Software\Microsoft\Internet Explorer\Main	Diavlo Cracked v3.0.exe
Key created	\REGISTRY\USER\S-1-5-21-2039016743-699959520-214465309-1000\Software\Microsoft\Internet Explorer\Main	Diavlo Cracked v3.0.exe
Key created	\REGISTRY\USER\S-1-5-21-2039016743-699959520-214465309-1000\Software\Microsoft\Internet Explorer\Main	Installer x64.sfx.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
1056	Diavlo Cracked v3.0.sfx.exe

Suspicious use of SetWindowsHookEx 8 IoCs

pid	Process
1056	Diavlo Cracked v3.0.sfx.exe
1056	Diavlo Cracked v3.0.sfx.exe
2336	Diavlo Cracked v3.0.exe
2336	Diavlo Cracked v3.0.exe
1412	Diavlo Cracked v3.0.exe
1412	Diavlo Cracked v3.0.exe
1364	Installer x64.sfx.exe
1364	Installer x64.sfx.exe

Suspicious use of WriteProcessMemory 9 IoCs

description	pid	Process	procid_target
PID 1056 wrote to memory of 2336	1056	Diavlo Cracked v3.0.sfx.exe	31
PID 1056 wrote to memory of 2336	1056	Diavlo Cracked v3.0.sfx.exe	31
PID 1056 wrote to memory of 2336	1056	Diavlo Cracked v3.0.sfx.exe	31
PID 1836 wrote to memory of 776	1836	Installer x64.exe	38
PID 1836 wrote to memory of 776	1836	Installer x64.exe	38
PID 1836 wrote to memory of 776	1836	Installer x64.exe	38
PID 948 wrote to memory of 1612	948	Installer x64.exe	41
PID 948 wrote to memory of 1612	948	Installer x64.exe	41
PID 948 wrote to memory of 1612	948	Installer x64.exe	41

C:\Users\Admin\AppData\Local\Temp\Diavlo Cracked v3.0.sfx.exe
"C:\Users\Admin\AppData\Local\Temp\Diavlo Cracked v3.0.sfx.exe"
1⤵
- Loads dropped DLL
- Modifies Internet Explorer settings
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1056
- C:\Users\Admin\Desktop\Diavlo Cracked v3.0.exe
  "C:\Users\Admin\Desktop\Diavlo Cracked v3.0.exe"
  2⤵
  - Executes dropped EXE
  - Modifies Internet Explorer settings
  - Suspicious use of SetWindowsHookEx
  PID:2336

C:\Users\Admin\Desktop\Diavlo Cracked v3.0.exe
"C:\Users\Admin\Desktop\Diavlo Cracked v3.0.exe"
1⤵
- Executes dropped EXE
- Modifies Internet Explorer settings
- Suspicious use of SetWindowsHookEx
PID:1412

C:\Users\Admin\Desktop\Installer x64.sfx.exe
"C:\Users\Admin\Desktop\Installer x64.sfx.exe"
1⤵
- Executes dropped EXE
- Modifies Internet Explorer settings
- Suspicious use of SetWindowsHookEx
PID:1364

C:\Users\Admin\Desktop\Installer x64.exe
"C:\Users\Admin\Desktop\Installer x64.exe"
1⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1836
- C:\Windows\system32\WerFault.exe
  C:\Windows\system32\WerFault.exe -u -p 1836 -s 596
  2⤵
  - Loads dropped DLL
  PID:776

C:\Users\Admin\Desktop\Installer x64.exe
"C:\Users\Admin\Desktop\Installer x64.exe"
1⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:948
- C:\Windows\system32\WerFault.exe
  C:\Windows\system32\WerFault.exe -u -p 948 -s 600
  2⤵
  - Loads dropped DLL
  PID:1612

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

\Users\Admin\Desktop\Diavlo Cracked v3.0.exe

Filesize
751KB

MD5
d4e3b5fb06cf2577977c45cae287f088

SHA1
8f2006750d3d83f4b56ef3389589b0d1ac111214

SHA256
2469ec096983f7baaf7e4caded30c6daa68b9229e53770df579039b73bbeff94

SHA512
83733d6326d95d28f47b90424f39c2175f8f164216abb5f7aecd2c85ae5cceb1910baadf24fc32b751011bd0691a9eb2ef99447f24b63547de3569427900693e

Download Submit
\Users\Admin\Desktop\Installer x64.exe

Filesize
78KB

MD5
5680fc2ed5ef1a45a9655be2fc2bbd7f

SHA1
52c674d7b062f9b4d99c6f0f6a2dd198fc79b75e

SHA256
42dc804776d2bfddb0a9c5758d657fb5f11952e3feb0418bd803eff8da16fd12

SHA512
cd4683c7517db9ed5acb766ea0d75fbabf14b468ccb3e06a8a7407a2bdbd449d032aff56257f0a1ca6ae8bdfd3d856960ff78d7c3c99a105cab297035f6c5763

Download Submit
\Users\Admin\Desktop\Installer x64.sfx.exe

Filesize
509KB

MD5
e5b03acd6f0cba2e105fde35f561db08

SHA1
05409d60e87319f519c3bca121d04a2ebba5d35f

SHA256
e92793c59ab7f493c8ab90fcf76c3f7a59f5376cd80269d2603dfc8d8fa15f19

SHA512
56361a56f6998b7ca1da5cb538b2cd7f736c8016692893a110f3bff44377b180e136e5a1a78fa224cbde7fab753cb31d2de2ea082b026dc1e1c54621f49f4d20

Download Submit
memory/948-91-0x000000013FCB0000-0x000000013FCC8000-memory.dmp

Filesize
96KB

Download
memory/1836-75-0x000000013F8B0000-0x000000013F8C8000-memory.dmp

Filesize
96KB

Download

Analysis

Sharing