discordrat | d5034f65d36b31997ad2e15cd0e10c72ded654c099ef307984c4da937767e4a9

Analysis

max time kernel
117s
max time network
120s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
01/02/2025, 11:19

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

d5034f65d36b31997ad2e15cd0e10c72ded654c099ef307984c4da937767e4a9N.exe
Size

391KB
MD5

ed019318b08c6ec18086e3d8cc8ed4a0
SHA1

c5b76f566ed8808d74a12766addbbb010fbe3aca
SHA256

d5034f65d36b31997ad2e15cd0e10c72ded654c099ef307984c4da937767e4a9
SHA512

dc05444db94d51bc6a9cd4479e6ffe24fcd5dc6bd551219e67d05641b47da1be0691a3ff5a557f1cd5bc9d1688b3b50fb5fcef1d23ae8def28e61c66a33206ab
SSDEEP

6144:7E+yclwQKjdn+WPtYVJIoBfYo/eyd8/tbrIQ7Oi9Ku:7BdlwHRn+WlYV+RVz/Nr17J

Score

10^/10

discordrat discovery persistence rat rootkit stealer

Malware Config

Extracted

Family

discordrat

Attributes

discord_token
MTMxNzUwNjY0NjkzMDYyMDQ5Ng.GNBK2Y.upogfQP8BcmxvUWnTPh9TiKyGPCxMpHGHpJtR0
server_id
1317507198582128671

Signatures

Discord RAT
A RAT written in C# using Discord as a C2.
stealer rootkit rat persistence discordrat
Discordrat family
discordrat

Executes dropped EXE 1 IoCs

pid	Process
2784	rar.exe

Loads dropped DLL 6 IoCs

pid	Process
2668	d5034f65d36b31997ad2e15cd0e10c72ded654c099ef307984c4da937767e4a9N.exe
2780	WerFault.exe
2780	WerFault.exe
2780	WerFault.exe
2780	WerFault.exe
2780	WerFault.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 2 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	DllHost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	d5034f65d36b31997ad2e15cd0e10c72ded654c099ef307984c4da937767e4a9N.exe

Suspicious use of FindShellTrayWindow 1 IoCs

pid	Process
2680	DllHost.exe

Suspicious use of SetWindowsHookEx 4 IoCs

pid	Process
2680	DllHost.exe
2680	DllHost.exe
2680	DllHost.exe
2680	DllHost.exe

Suspicious use of WriteProcessMemory 7 IoCs

description	pid	Process	procid_target
PID 2668 wrote to memory of 2784	2668	d5034f65d36b31997ad2e15cd0e10c72ded654c099ef307984c4da937767e4a9N.exe	31
PID 2668 wrote to memory of 2784	2668	d5034f65d36b31997ad2e15cd0e10c72ded654c099ef307984c4da937767e4a9N.exe	31
PID 2668 wrote to memory of 2784	2668	d5034f65d36b31997ad2e15cd0e10c72ded654c099ef307984c4da937767e4a9N.exe	31
PID 2668 wrote to memory of 2784	2668	d5034f65d36b31997ad2e15cd0e10c72ded654c099ef307984c4da937767e4a9N.exe	31
PID 2784 wrote to memory of 2780	2784	rar.exe	32
PID 2784 wrote to memory of 2780	2784	rar.exe	32
PID 2784 wrote to memory of 2780	2784	rar.exe	32

C:\Users\Admin\AppData\Local\Temp\d5034f65d36b31997ad2e15cd0e10c72ded654c099ef307984c4da937767e4a9N.exe
"C:\Users\Admin\AppData\Local\Temp\d5034f65d36b31997ad2e15cd0e10c72ded654c099ef307984c4da937767e4a9N.exe"
1⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2668
- C:\Users\Admin\AppData\Local\Temp\RarSFX0\rar.exe
  "C:\Users\Admin\AppData\Local\Temp\RarSFX0\rar.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
  PID:2784
- - C:\Windows\system32\WerFault.exe
    C:\Windows\system32\WerFault.exe -u -p 2784 -s 604
    3⤵
    - Loads dropped DLL
    PID:2780

C:\Windows\SysWOW64\DllHost.exe
C:\Windows\SysWOW64\DllHost.exe /Processid:{76D0CB12-7604-4048-B83C-1005C7DDC503}
1⤵
- System Location Discovery: System Language Discovery
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
PID:2680

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\RarSFX0\screenshot.png

Filesize
16KB

MD5
606613cc1965ecf6ec7b42d94efcb2cd

SHA1
84e848b5958b7352b3c748bc56db99ea07eb23d2

SHA256
b5f36538eb0dde089abec9b880c153d6216b8fdbc3941f3396ef6a68c105cad6

SHA512
f876d6b0b02505fc835a7a048f90bdfd3ff31682a4e84acc58dbb4c4255be030c1bb8fbc7c822f6f6b9c46061fb4716bae9d98cff9217155a5cd841294e6ab7b

Download Submit
\Users\Admin\AppData\Local\Temp\RarSFX0\rar.exe

Filesize
78KB

MD5
928b34327061b09e7e40759d04363eeb

SHA1
a1e5715f0e0d054d654dcc6746b37c9a60f9ccfe

SHA256
ea72c77769e394a017c08af3640c090d4216495d730f2612e8729d933589460c

SHA512
62b8bd581583f872f4df5b2ffd999a31b6d98c6aa16ae522d02e2124995d5d4a4253e459b31af55abaaffd4e0d6bf373b5cc2b4b5269053994629f5ef82c2250

Download Submit
memory/2668-4-0x0000000002380000-0x0000000002382000-memory.dmp

Filesize
8KB

Download
memory/2680-5-0x0000000000110000-0x0000000000112000-memory.dmp

Filesize
8KB

Download
memory/2680-7-0x0000000000420000-0x0000000000421000-memory.dmp

Filesize
4KB

Download
memory/2680-20-0x0000000000420000-0x0000000000421000-memory.dmp

Filesize
4KB

Download
memory/2784-13-0x000000013FA40000-0x000000013FA58000-memory.dmp

Filesize
96KB

Download