discordrat | 8b65d7656d0881a2727ea57981a5b851a6f06a3dbad1f44accbcbf9e0d21ba1b

Analysis

max time kernel
70s
max time network
47s
platform
windows10-ltsc_2021_x64
resource
win10ltsc2021-20250314-en
resource tags

arch:x64arch:x86image:win10ltsc2021-20250314-enlocale:en-usos:windows10-ltsc_2021-x64system
submitted
14/03/2025, 15:59

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

Builder.exe
Size

200KB
MD5

ac85ff97508f5d096a0b89251bcd5b33
SHA1

cf09f37eb3ab8ab28fced295b7068a5f97124f23
SHA256

0283982b9ca1259e8f2a9d1e650cf7baa7a7d4d939179d634aef8a4a271b2a9a
SHA512

b22e117ce51a1a21cc5dcfb2e1d408dc8cc538228c0d3fc5773e0808523f93cbbbdeba8be7217ccc281adca80a011151e90f1097a824cd61f6063bcd71aa2c5f
SSDEEP

6144:xV28ou9f4wIPuBDnxPMhU3YnOQO9xPOYC12oS:xo3wvhMrO9xm9AoS

Score

10^/10

discordrat defense_evasion discovery persistence rat rootkit stealer trojan upx

Malware Config

Extracted

Family

discordrat

Attributes

discord_token
MTEwMTIwNjIwODE3NTY3MzUxNA.GxRTwM.GCvslMQeJGlG702rniWyui2HFdhthM9sE98y3E
server_id
1101173030589300938

Signatures

Discord RAT
A RAT written in C# using Discord as a C2.
stealer rootkit rat persistence discordrat
Discordrat family
discordrat

UAC bypass 3 TTPs 2 IoCs

defense_evasion trojan

Bypass User Account Control

T1548.002

Disable or Modify Tools

T1562.001

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	reg.exe

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-1702774510-645589634-1201277210-1000\Control Panel\International\Geo\Nation	Builder.exe

Executes dropped EXE 1 IoCs

pid	Process
1172	main.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Desployer = "C:\\Users\\Admin\\AppData\\Local\\Temp\\Builder.exe"	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1702774510-645589634-1201277210-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Desployer = "C:\\Users\\Admin\\AppData\\Local\\Temp\\Builder.exe"	reg.exe

Deobfuscate/Decode Files or Information 1 TTPs 3 IoCs

Payload decoded via CertUtil.

defense_evasion

Deobfuscate/Decode Files or Information

T1140

pid	Process
3012	certutil.exe
3496	certutil.exe
1720	certutil.exe

Enumerates processes with tasklist 1 TTPs 1 IoCs

discovery

Process Discovery

T1057

pid	Process
1192	tasklist.exe

UPX packed file 2 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/memory/3232-0-0x0000000000400000-0x0000000000444000-memory.dmp	upx
behavioral1/memory/3232-1881-0x0000000000400000-0x0000000000444000-memory.dmp	upx

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 1 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Builder.exe

Scheduled Task/Job: Scheduled Task 1 TTPs 1 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

pid	Process
4420	schtasks.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	1192	tasklist.exe
Token: SeDebugPrivilege	1172	main.exe

Suspicious use of WriteProcessMemory 32 IoCs

description	pid	Process	procid_target
PID 3232 wrote to memory of 808	3232	Builder.exe	80
PID 3232 wrote to memory of 808	3232	Builder.exe	80
PID 808 wrote to memory of 4440	808	cmd.exe	83
PID 808 wrote to memory of 4440	808	cmd.exe	83
PID 808 wrote to memory of 112	808	cmd.exe	84
PID 808 wrote to memory of 112	808	cmd.exe	84
PID 808 wrote to memory of 3848	808	cmd.exe	85
PID 808 wrote to memory of 3848	808	cmd.exe	85
PID 808 wrote to memory of 4420	808	cmd.exe	86
PID 808 wrote to memory of 4420	808	cmd.exe	86
PID 808 wrote to memory of 5376	808	cmd.exe	87
PID 808 wrote to memory of 5376	808	cmd.exe	87
PID 808 wrote to memory of 5876	808	cmd.exe	88
PID 808 wrote to memory of 5876	808	cmd.exe	88
PID 808 wrote to memory of 3012	808	cmd.exe	89
PID 808 wrote to memory of 3012	808	cmd.exe	89
PID 808 wrote to memory of 3496	808	cmd.exe	90
PID 808 wrote to memory of 3496	808	cmd.exe	90
PID 808 wrote to memory of 1720	808	cmd.exe	91
PID 808 wrote to memory of 1720	808	cmd.exe	91
PID 808 wrote to memory of 3464	808	cmd.exe	92
PID 808 wrote to memory of 3464	808	cmd.exe	92
PID 808 wrote to memory of 1192	808	cmd.exe	94
PID 808 wrote to memory of 1192	808	cmd.exe	94
PID 808 wrote to memory of 3024	808	cmd.exe	95
PID 808 wrote to memory of 3024	808	cmd.exe	95
PID 3464 wrote to memory of 2752	3464	cmd.exe	97
PID 3464 wrote to memory of 2752	3464	cmd.exe	97
PID 808 wrote to memory of 1340	808	cmd.exe	98
PID 808 wrote to memory of 1340	808	cmd.exe	98
PID 808 wrote to memory of 1172	808	cmd.exe	99
PID 808 wrote to memory of 1172	808	cmd.exe	99

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\Builder.exe
"C:\Users\Admin\AppData\Local\Temp\Builder.exe"
1⤵
- Checks computer location settings
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:3232
- C:\Windows\system32\cmd.exe
  "C:\Windows\sysnative\cmd.exe" /c "C:\Users\Admin\AppData\Local\Temp\753F.tmp\7540.tmp\7541.bat C:\Users\Admin\AppData\Local\Temp\Builder.exe"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:808
- - C:\Windows\system32\cacls.exe
    "C:\Windows\system32\cacls.exe" "C:\Windows\system32\config\system"
    3⤵
    PID:4440
- - C:\Windows\system32\reg.exe
    reg add "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v "Desployer" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\Builder.exe" /f
    3⤵
    - Adds Run key to start application
    PID:112
- - C:\Windows\system32\reg.exe
    reg add "HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v "Desployer" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\Builder.exe" /f
    3⤵
    - Adds Run key to start application
    PID:3848
- - C:\Windows\system32\schtasks.exe
    schtasks /create /f /tn "Desployer" /sc onlogon /rl HIGHEST /RU administrator /tr "C:\Users\Admin\AppData\Local\Temp\Builder.exe"
    3⤵
    - Scheduled Task/Job: Scheduled Task
    PID:4420
- - C:\Windows\system32\reg.exe
    reg add "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System" /v "ConsentPromptBehaviorAdmin" /t REG_DWORD /d "0" /f
    3⤵
    - UAC bypass
    PID:5376
- - C:\Windows\system32\reg.exe
    reg add "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System" /v "PromptOnSecureDesktop" /t REG_DWORD /d "0" /f
    3⤵
    - UAC bypass
    PID:5876
- - C:\Windows\system32\certutil.exe
    certutil -decode temp.txt main.exe
    3⤵
    - Deobfuscate/Decode Files or Information
    PID:3012
- - C:\Windows\system32\certutil.exe
    certutil -decode temp.txt builder.py
    3⤵
    - Deobfuscate/Decode Files or Information
    PID:3496
- - C:\Windows\system32\certutil.exe
    certutil -decode temp.txt build.bat
    3⤵
    - Deobfuscate/Decode Files or Information
    PID:1720
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /K build.bat
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:3464
  - - C:\Windows\system32\mode.com
      mode con: cols=100 lines=30
      4⤵
      PID:2752
- - C:\Windows\system32\tasklist.exe
    tasklist /fi "imagename eq Main.exe"
    3⤵
    - Enumerates processes with tasklist
    - Suspicious use of AdjustPrivilegeToken
    PID:1192
- - C:\Windows\system32\findstr.exe
    findstr /i "Main.exe"
    3⤵
    PID:3024
- - C:\Windows\system32\fsutil.exe
    fsutil dirty query C:
    3⤵
    PID:1340
- - C:\Users\Admin\AppData\Local\Temp\main.exe
    Main.exe
    3⤵
    - Executes dropped EXE
    - Suspicious use of AdjustPrivilegeToken
    PID:1172

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Privilege Escalation

Abuse Elevation Control Mechanism

T1548

Bypass User Account Control

T1548.002

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Defense Evasion

Abuse Elevation Control Mechanism

T1548

Bypass User Account Control

T1548.002

Deobfuscate/Decode Files or Information

T1140

Impair Defenses

T1562

Disable or Modify Tools

T1562.001

Modify Registry

T1112

Credential Access

Discovery

Process Discovery

T1057

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\753F.tmp\7540.tmp\7541.bat

Filesize
153KB

MD5
06b1f4c1dc6696dca6f41d1544095dd3

SHA1
a1a573ff8350cf00580e7f80a0c1a3b5eae3dc11

SHA256
8816e39795c3a00fe10ad49ea317b1babb48827e4a374a1a8e3f0d9fb1b5fbfc

SHA512
4d9df7a6e766ef4d9d912d05f1b7bcfc7419472388b47009474acec78a1d22a38cafb9c30e2171b5cca6daa6e54a222559867a99b49739745f77c699003fe4ec

Download Submit
C:\Users\Admin\AppData\Local\Temp\build.bat

Filesize
664B

MD5
85857405eca41f5e898322bf94400313

SHA1
f5d0e3170eea75ca0d19e237a9c9becd6e7988a2

SHA256
d26347df3e03141a940477d79848e5322bbdb2a71dc6c603f2d980c862421ab3

SHA512
16f4c957d1d4c07292e3bb0ed75874b7ecad7716bcb134d29a07bfcc96531c6775869996631eb74910d4e32c9513f54345e79fdb65534b2925ff82fefeca36c5

Download Submit
C:\Users\Admin\AppData\Local\Temp\main.exe

Filesize
78KB

MD5
89b128970f04bdac02e869530cc6ca9d

SHA1
d64ca1bd7b3e37c371083634d734077fc35556eb

SHA256
0b1f297a18e9acc0bc7a610ea59812a2f20299f2b859826c6dfb4395c64e1537

SHA512
72d7ce321a47b6f56e5b210d616aaa319aa7ba9ac30d5ed2aa5de179b1dc49480d5b8c595a549d335757ad366767d2b7be6d7f7acd58222717425536a2798e8e

Download Submit
C:\Users\Admin\AppData\Local\Temp\temp.txt

Filesize
109KB

MD5
846f8f4c504e1c6624df6a4093f4b7e4

SHA1
caf0f4e5e42f5d71dad29564af301543e5f622fd

SHA256
9dc5d600b3ee1863525e4c45af9a192083243068422865a80f9a8b4d54914675

SHA512
f2c3bcac544b77e76719c8d097c002481d71bfbefb8851c72d01489f167a594c0a0cd91554ccbe6c9a70224a5a6fc862c35353b8024f2f35a4da178669b061e8

Download Submit
C:\Users\Admin\AppData\Local\Temp\temp.txt

Filesize
4KB

MD5
a1fb4fb51c6e1f2ded0b20557e9cd39e

SHA1
bff4d82d9b3d1c878390a1fd33f0789d84148193

SHA256
c072be213981e1e335839502e1f56faccebb75c1bbb8b1d5f37729d3deb24593

SHA512
3e245c59dd90fd7ec6e9b1b2e4d4edd105ea7a022d08405805254b936c4def39b21d797807fc8b7586db68117b356ad49fcbcce5a41ae491b4b6a49cfab22138

Download Submit
C:\Users\Admin\AppData\Local\Temp\temp.txt

Filesize
4KB

MD5
dc9bdb1c6d4f66e63e11ab4e6c7b4b78

SHA1
c19b0491c783f9e774964fe18b86fee68a6c0370

SHA256
a6aec085063581c787c3f441d7a90fd433ec021a808d377e396bca0c60e01875

SHA512
b071d948db311cabfcede03c967bbd535d0a6cbbe4ba4242a0b05cd81ca4e7bf5be1f66da5232b338a544af6f432514cc6f28a0c23c855a4c97e71f63c3fc88c

Download Submit
C:\Users\Admin\AppData\Local\Temp\temp.txt

Filesize
11KB

MD5
49d9459efd4f5f224f565e2435838c00

SHA1
ef51f1437a75bf8a4f634fda7a459d70c8614176

SHA256
4b46262bb976d378acdb93c645afdfb13f12d761df9957cc922637fb41695dd5

SHA512
4faaa73e819435ccac1061f2f2634c99f2d5c98e01129a85dbc479ccf39468fb32787fa3ca9a566506c43939dc8017899e278401fe8b64869448f3b2493adac8

Download Submit
C:\Users\Admin\AppData\Local\Temp\temp.txt

Filesize
930B

MD5
d3a281ac54921d6da009f6f606064aad

SHA1
68cc1e926c86f40eff452063b36e06c4e4f253d8

SHA256
c40e41173f74464e05d5d91ccef913b0e869998958e195c0ee3f2edf0888bff8

SHA512
b38c32cda08b4c823e81c621fe6482f3cd65b8fd11202491310993593063f41a9f52399e7fe56c0a9a6f46f78a9448fc4af35a5cac60d5b616e328bb10180723

Download Submit
memory/1172-1878-0x00000199C7CF0000-0x00000199C7D08000-memory.dmp

Filesize
96KB

Download
memory/1172-1879-0x00000199E2410000-0x00000199E25D2000-memory.dmp

Filesize
1.8MB

Download
memory/1172-1880-0x00000199E2B10000-0x00000199E3038000-memory.dmp

Filesize
5.2MB

Download
memory/3232-0-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/3232-1881-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads