discordrat | 8b65d7656d0881a2727ea57981a5b851a6f06a3dbad1f44accbcbf9e0d21ba1b

Analysis

max time kernel
590s
max time network
556s
platform
windows10-ltsc_2021_x64
resource
win10ltsc2021-20250314-en
resource tags

arch:x64arch:x86image:win10ltsc2021-20250314-enlocale:en-usos:windows10-ltsc_2021-x64system
submitted
14/03/2025, 16:00

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

Builder.exe
Size

200KB
MD5

ac85ff97508f5d096a0b89251bcd5b33
SHA1

cf09f37eb3ab8ab28fced295b7068a5f97124f23
SHA256

0283982b9ca1259e8f2a9d1e650cf7baa7a7d4d939179d634aef8a4a271b2a9a
SHA512

b22e117ce51a1a21cc5dcfb2e1d408dc8cc538228c0d3fc5773e0808523f93cbbbdeba8be7217ccc281adca80a011151e90f1097a824cd61f6063bcd71aa2c5f
SSDEEP

6144:xV28ou9f4wIPuBDnxPMhU3YnOQO9xPOYC12oS:xo3wvhMrO9xm9AoS

Score

10^/10

discordrat defense_evasion discovery persistence rat rootkit stealer trojan upx

Malware Config

Extracted

Family

discordrat

Attributes

discord_token
MTEwMTIwNjIwODE3NTY3MzUxNA.GxRTwM.GCvslMQeJGlG702rniWyui2HFdhthM9sE98y3E
server_id
1101173030589300938

Signatures

Discord RAT
A RAT written in C# using Discord as a C2.
stealer rootkit rat persistence discordrat
Discordrat family
discordrat

UAC bypass 3 TTPs 2 IoCs

defense_evasion trojan

Bypass User Account Control

T1548.002

Disable or Modify Tools

T1562.001

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	reg.exe

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-2067557190-3677960511-2209622391-1000\Control Panel\International\Geo\Nation	Builder.exe

Executes dropped EXE 1 IoCs

pid	Process
5936	main.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Desployer = "C:\\Users\\Admin\\AppData\\Local\\Temp\\Builder.exe"	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2067557190-3677960511-2209622391-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Desployer = "C:\\Users\\Admin\\AppData\\Local\\Temp\\Builder.exe"	reg.exe

Deobfuscate/Decode Files or Information 1 TTPs 3 IoCs

Payload decoded via CertUtil.

defense_evasion

Deobfuscate/Decode Files or Information

T1140

pid	Process
3824	certutil.exe
3160	certutil.exe
1076	certutil.exe

Enumerates processes with tasklist 1 TTPs 1 IoCs

discovery

Process Discovery

T1057

pid	Process
436	tasklist.exe

UPX packed file 2 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/memory/1136-0-0x0000000000400000-0x0000000000444000-memory.dmp	upx
behavioral1/memory/1136-1881-0x0000000000400000-0x0000000000444000-memory.dmp	upx

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 1 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Builder.exe

Scheduled Task/Job: Scheduled Task 1 TTPs 1 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

pid	Process
5760	schtasks.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	436	tasklist.exe
Token: SeDebugPrivilege	5936	main.exe

Suspicious use of WriteProcessMemory 32 IoCs

description	pid	Process	procid_target
PID 1136 wrote to memory of 5836	1136	Builder.exe	80
PID 1136 wrote to memory of 5836	1136	Builder.exe	80
PID 5836 wrote to memory of 2804	5836	cmd.exe	83
PID 5836 wrote to memory of 2804	5836	cmd.exe	83
PID 5836 wrote to memory of 5788	5836	cmd.exe	84
PID 5836 wrote to memory of 5788	5836	cmd.exe	84
PID 5836 wrote to memory of 5356	5836	cmd.exe	85
PID 5836 wrote to memory of 5356	5836	cmd.exe	85
PID 5836 wrote to memory of 5760	5836	cmd.exe	86
PID 5836 wrote to memory of 5760	5836	cmd.exe	86
PID 5836 wrote to memory of 4428	5836	cmd.exe	87
PID 5836 wrote to memory of 4428	5836	cmd.exe	87
PID 5836 wrote to memory of 2188	5836	cmd.exe	88
PID 5836 wrote to memory of 2188	5836	cmd.exe	88
PID 5836 wrote to memory of 3824	5836	cmd.exe	89
PID 5836 wrote to memory of 3824	5836	cmd.exe	89
PID 5836 wrote to memory of 3160	5836	cmd.exe	90
PID 5836 wrote to memory of 3160	5836	cmd.exe	90
PID 5836 wrote to memory of 1076	5836	cmd.exe	91
PID 5836 wrote to memory of 1076	5836	cmd.exe	91
PID 5836 wrote to memory of 896	5836	cmd.exe	92
PID 5836 wrote to memory of 896	5836	cmd.exe	92
PID 5836 wrote to memory of 436	5836	cmd.exe	94
PID 5836 wrote to memory of 436	5836	cmd.exe	94
PID 5836 wrote to memory of 4360	5836	cmd.exe	95
PID 5836 wrote to memory of 4360	5836	cmd.exe	95
PID 896 wrote to memory of 4912	896	cmd.exe	97
PID 896 wrote to memory of 4912	896	cmd.exe	97
PID 5836 wrote to memory of 5924	5836	cmd.exe	98
PID 5836 wrote to memory of 5924	5836	cmd.exe	98
PID 5836 wrote to memory of 5936	5836	cmd.exe	99
PID 5836 wrote to memory of 5936	5836	cmd.exe	99

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\Builder.exe
"C:\Users\Admin\AppData\Local\Temp\Builder.exe"
1⤵
- Checks computer location settings
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:1136
- C:\Windows\system32\cmd.exe
  "C:\Windows\sysnative\cmd.exe" /c "C:\Users\Admin\AppData\Local\Temp\8126.tmp\8127.tmp\8128.bat C:\Users\Admin\AppData\Local\Temp\Builder.exe"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:5836
- - C:\Windows\system32\cacls.exe
    "C:\Windows\system32\cacls.exe" "C:\Windows\system32\config\system"
    3⤵
    PID:2804
- - C:\Windows\system32\reg.exe
    reg add "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v "Desployer" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\Builder.exe" /f
    3⤵
    - Adds Run key to start application
    PID:5788
- - C:\Windows\system32\reg.exe
    reg add "HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v "Desployer" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\Builder.exe" /f
    3⤵
    - Adds Run key to start application
    PID:5356
- - C:\Windows\system32\schtasks.exe
    schtasks /create /f /tn "Desployer" /sc onlogon /rl HIGHEST /RU administrator /tr "C:\Users\Admin\AppData\Local\Temp\Builder.exe"
    3⤵
    - Scheduled Task/Job: Scheduled Task
    PID:5760
- - C:\Windows\system32\reg.exe
    reg add "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System" /v "ConsentPromptBehaviorAdmin" /t REG_DWORD /d "0" /f
    3⤵
    - UAC bypass
    PID:4428
- - C:\Windows\system32\reg.exe
    reg add "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System" /v "PromptOnSecureDesktop" /t REG_DWORD /d "0" /f
    3⤵
    - UAC bypass
    PID:2188
- - C:\Windows\system32\certutil.exe
    certutil -decode temp.txt main.exe
    3⤵
    - Deobfuscate/Decode Files or Information
    PID:3824
- - C:\Windows\system32\certutil.exe
    certutil -decode temp.txt builder.py
    3⤵
    - Deobfuscate/Decode Files or Information
    PID:3160
- - C:\Windows\system32\certutil.exe
    certutil -decode temp.txt build.bat
    3⤵
    - Deobfuscate/Decode Files or Information
    PID:1076
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /K build.bat
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:896
  - - C:\Windows\system32\mode.com
      mode con: cols=100 lines=30
      4⤵
      PID:4912
- - C:\Windows\system32\tasklist.exe
    tasklist /fi "imagename eq Main.exe"
    3⤵
    - Enumerates processes with tasklist
    - Suspicious use of AdjustPrivilegeToken
    PID:436
- - C:\Windows\system32\findstr.exe
    findstr /i "Main.exe"
    3⤵
    PID:4360
- - C:\Windows\system32\fsutil.exe
    fsutil dirty query C:
    3⤵
    PID:5924
- - C:\Users\Admin\AppData\Local\Temp\main.exe
    Main.exe
    3⤵
    - Executes dropped EXE
    - Suspicious use of AdjustPrivilegeToken
    PID:5936

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Privilege Escalation

Abuse Elevation Control Mechanism

T1548

Bypass User Account Control

T1548.002

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Defense Evasion

Abuse Elevation Control Mechanism

T1548

Bypass User Account Control

T1548.002

Deobfuscate/Decode Files or Information

T1140

Impair Defenses

T1562

Disable or Modify Tools

T1562.001

Modify Registry

T1112

Credential Access

Discovery

Process Discovery

T1057

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\8126.tmp\8127.tmp\8128.bat

Filesize
153KB

MD5
06b1f4c1dc6696dca6f41d1544095dd3

SHA1
a1a573ff8350cf00580e7f80a0c1a3b5eae3dc11

SHA256
8816e39795c3a00fe10ad49ea317b1babb48827e4a374a1a8e3f0d9fb1b5fbfc

SHA512
4d9df7a6e766ef4d9d912d05f1b7bcfc7419472388b47009474acec78a1d22a38cafb9c30e2171b5cca6daa6e54a222559867a99b49739745f77c699003fe4ec

Download Submit
C:\Users\Admin\AppData\Local\Temp\build.bat

Filesize
664B

MD5
85857405eca41f5e898322bf94400313

SHA1
f5d0e3170eea75ca0d19e237a9c9becd6e7988a2

SHA256
d26347df3e03141a940477d79848e5322bbdb2a71dc6c603f2d980c862421ab3

SHA512
16f4c957d1d4c07292e3bb0ed75874b7ecad7716bcb134d29a07bfcc96531c6775869996631eb74910d4e32c9513f54345e79fdb65534b2925ff82fefeca36c5

Download Submit
C:\Users\Admin\AppData\Local\Temp\main.exe

Filesize
78KB

MD5
89b128970f04bdac02e869530cc6ca9d

SHA1
d64ca1bd7b3e37c371083634d734077fc35556eb

SHA256
0b1f297a18e9acc0bc7a610ea59812a2f20299f2b859826c6dfb4395c64e1537

SHA512
72d7ce321a47b6f56e5b210d616aaa319aa7ba9ac30d5ed2aa5de179b1dc49480d5b8c595a549d335757ad366767d2b7be6d7f7acd58222717425536a2798e8e

Download Submit
C:\Users\Admin\AppData\Local\Temp\temp.txt

Filesize
109KB

MD5
846f8f4c504e1c6624df6a4093f4b7e4

SHA1
caf0f4e5e42f5d71dad29564af301543e5f622fd

SHA256
9dc5d600b3ee1863525e4c45af9a192083243068422865a80f9a8b4d54914675

SHA512
f2c3bcac544b77e76719c8d097c002481d71bfbefb8851c72d01489f167a594c0a0cd91554ccbe6c9a70224a5a6fc862c35353b8024f2f35a4da178669b061e8

Download Submit
C:\Users\Admin\AppData\Local\Temp\temp.txt

Filesize
4KB

MD5
51fbd5e6e7d9ddcd658aa3b21028ca6c

SHA1
0cd7b082811d58cd7b5ffed7cfd2585a40dd3b9b

SHA256
147d888e354f6b35da674f7b84875a38a809b6f02d3f0e08be4cd48d8e1b690c

SHA512
ec255d8bad7eec514a91297092ccc97ab576f3d991a84a4f157d7f280a3d402167e32ea8c80ec0d3e0a170824af01db3a6f1d900844619b244b964c6a2593c4b

Download Submit
C:\Users\Admin\AppData\Local\Temp\temp.txt

Filesize
7KB

MD5
baeea7e4d407bc89a8da1f9c3932f2e2

SHA1
039b4c1c22d6dd2a068d1d32f7db13be4b9ecf2c

SHA256
b6686625ef88ad5b50edd156de2e0c06726f7b0b0639277405a761954cdd70bf

SHA512
259b529b55c02255a195897830cbcdd3159117835b46fe7742a269d0ad7b20145e94edab7d48b0b7b9091dd9e0a2cfd710540c3ebdd64c223aa8c91e008c891b

Download Submit
C:\Users\Admin\AppData\Local\Temp\temp.txt

Filesize
10KB

MD5
297a79e543b74e098e50e67fa3d50971

SHA1
d97f66f336e27e761abfdc6e2eb25156d13ebda6

SHA256
ea3e3add5e9c36393c148fa5033f2d08b16b395e64411204ff70c4347a5b62a5

SHA512
0d123a87a32e5da0d9fc005f190205000b868b844d5f58b36ab1412952d59cd42055cb48b8997c3d4fae951e707f589585e5f40012be0eeb4ec86ea2ba533771

Download Submit
C:\Users\Admin\AppData\Local\Temp\temp.txt

Filesize
10KB

MD5
aafc2ac3e09e7b84486dc597bcd94fbe

SHA1
6819e5e5be614378b7223d35bd45981de72a599f

SHA256
af6301966916fbb9807e4f696be222a6131a435923307396c0bf08a9795d057e

SHA512
cc0ed5aa317ed4d53c6791d5d9c120ca3d91018097541df021629edb85f2abd9cf9ca90e473d32267258fa2f2b317fa66c41691029f90f03d88cbdedeb1a164d

Download Submit
C:\Users\Admin\AppData\Local\Temp\temp.txt

Filesize
11KB

MD5
49d9459efd4f5f224f565e2435838c00

SHA1
ef51f1437a75bf8a4f634fda7a459d70c8614176

SHA256
4b46262bb976d378acdb93c645afdfb13f12d761df9957cc922637fb41695dd5

SHA512
4faaa73e819435ccac1061f2f2634c99f2d5c98e01129a85dbc479ccf39468fb32787fa3ca9a566506c43939dc8017899e278401fe8b64869448f3b2493adac8

Download Submit
C:\Users\Admin\AppData\Local\Temp\temp.txt

Filesize
930B

MD5
d3a281ac54921d6da009f6f606064aad

SHA1
68cc1e926c86f40eff452063b36e06c4e4f253d8

SHA256
c40e41173f74464e05d5d91ccef913b0e869998958e195c0ee3f2edf0888bff8

SHA512
b38c32cda08b4c823e81c621fe6482f3cd65b8fd11202491310993593063f41a9f52399e7fe56c0a9a6f46f78a9448fc4af35a5cac60d5b616e328bb10180723

Download Submit
memory/1136-0-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/1136-1881-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/5936-1878-0x000002176AC80000-0x000002176AC98000-memory.dmp

Filesize
96KB

Download
memory/5936-1879-0x000002176D330000-0x000002176D4F2000-memory.dmp

Filesize
1.8MB

Download
memory/5936-1880-0x000002176DB70000-0x000002176E098000-memory.dmp

Filesize
5.2MB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads