discordrat | cc4f3f1d1faf2fd2fa35be966948bde128b96a42383059a5e251c1ddde4d5bfb

Analysis

max time kernel
118s
max time network
126s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
23-02-2025 14:29

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

drawing‮gnp.exe
Size

429KB
MD5

8a8feb1deb767a7257ae83e7c8ba50a1
SHA1

d82dc1c082203bcd140084b3692a7ac90d030f79
SHA256

cc4f3f1d1faf2fd2fa35be966948bde128b96a42383059a5e251c1ddde4d5bfb
SHA512

55c594387b33493880a32e9ae9cfe19b9277d724f84f9a5e21656f57adffd2f8de93ae9838b260481c148014ac069083eacbd8170596fc94e370ca656f38ad9f
SSDEEP

12288:1ToPWBv/cpGrU3yyJeRxwwJM47j5xPJl1jrFaGi7w:1TbBv5rUV7k73PJlprFaGi7w

Score

10^/10

discordrat discovery persistence rat rootkit stealer

Malware Config

Extracted

Family

discordrat

Attributes

discord_token
MTM0MDIxMTU5ODQ0MjM2NDk1OA.GsPs9e.UKIsMiWYnYj__fIwwzy77n3fU9c1uXNxxH_Jhk
server_id
1340212470987620353

Signatures

Discord RAT
A RAT written in C# using Discord as a C2.
stealer rootkit rat persistence discordrat
Discordrat family
discordrat

Executes dropped EXE 1 IoCs

pid	Process
2964	Client-built.exe

Loads dropped DLL 6 IoCs

pid	Process
2728	drawing‮gnp.exe
2668	WerFault.exe
2668	WerFault.exe
2668	WerFault.exe
2668	WerFault.exe
2668	WerFault.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 1 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	drawing‮gnp.exe

Suspicious use of WriteProcessMemory 7 IoCs

description	pid	Process	procid_target
PID 2728 wrote to memory of 2964	2728	drawing‮gnp.exe	30
PID 2728 wrote to memory of 2964	2728	drawing‮gnp.exe	30
PID 2728 wrote to memory of 2964	2728	drawing‮gnp.exe	30
PID 2728 wrote to memory of 2964	2728	drawing‮gnp.exe	30
PID 2964 wrote to memory of 2668	2964	Client-built.exe	31
PID 2964 wrote to memory of 2668	2964	Client-built.exe	31
PID 2964 wrote to memory of 2668	2964	Client-built.exe	31

C:\Users\Admin\AppData\Local\Temp\drawing‮gnp.exe
"C:\Users\Admin\AppData\Local\Temp\drawing‮gnp.exe"
1⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2728
- C:\Users\Admin\AppData\Local\Temp\RarSFX0\Client-built.exe
  "C:\Users\Admin\AppData\Local\Temp\RarSFX0\Client-built.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
  PID:2964
- - C:\Windows\system32\WerFault.exe
    C:\Windows\system32\WerFault.exe -u -p 2964 -s 600
    3⤵
    - Loads dropped DLL
    PID:2668

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

\Users\Admin\AppData\Local\Temp\RarSFX0\Client-built.exe

Filesize
78KB

MD5
ef3ab93f49ae126ffcb0d03dd93b5875

SHA1
4c1e92011e0d9248ed2adae0d1ceb0eb5d76717b

SHA256
93bbf073730ab12ee5b65842552dd96f9f97befde9e2118c5734162fad2676d9

SHA512
3f159629ad62e66f218684f45dc8718615a8aada9f181446630cc12d26db69b1df0d4b431e2d724a32b4f002097db9aea0f921f826db80e786e33fcbe7452da9

Download Submit
memory/2728-2-0x0000000002190000-0x0000000002191000-memory.dmp

Filesize
4KB

Download
memory/2728-17-0x0000000002190000-0x0000000002191000-memory.dmp

Filesize
4KB

Download
memory/2964-9-0x000007FEF5FF3000-0x000007FEF5FF4000-memory.dmp

Filesize
4KB

Download
memory/2964-10-0x000000013F9F0000-0x000000013FA08000-memory.dmp

Filesize
96KB

Download
memory/2964-15-0x000007FEF5FF0000-0x000007FEF69DC000-memory.dmp

Filesize
9.9MB

Download
memory/2964-18-0x000007FEF5FF0000-0x000007FEF69DC000-memory.dmp

Filesize
9.9MB

Download