discordrat | 1609f2384b641b754622bc31d4f060d1b228c5483b7c8943d7da9bcc30a20d68

General

Target

MonoSandbox.dll
Size

2.0MB
MD5

c78fb39a7ae6a1f04994f56fd4ef125a
SHA1

de45ca59c702592023e887d8891906588f9ce321
SHA256

1609f2384b641b754622bc31d4f060d1b228c5483b7c8943d7da9bcc30a20d68
SHA512

26e3dff7b56b244b8087a7b37180e4d9576db4adc7ec795f803933ea014da11d6fc98f92a71fe6ce38d112994f4d0bf0ba7a80d9a4c9b8f345bcd79d08869d64
SSDEEP

49152:vLKJDi4VCXFmB7MGR+E3drWg+xXjGOA5JkWcwX:vL+zVuSIpxXjGOA5RH

Score

10^/10

discordrat persistence rat rootkit stealer

Malware Config

Extracted

Family

discordrat

Attributes

discord_token
MTIxNDk2ODAxOTM2NTc4OTcyNg.GvLohy.WZ6PeA9KxhhB7TmZ7Wzs_9IiYzzK2iaEE4ONaU
server_id
1214966744804892762

Signatures

Discord RAT
A RAT written in C# using Discord as a C2.
stealer rootkit rat persistence discordrat
Downloads MZ/PE file

Legitimate hosting services abused for malware hosting/C2 1 TTPs 5 IoCs

Web Service

T1102

flow	ioc
246	discord.com
250	discord.com
272	discord.com
274	discord.com
245	discord.com

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
5904	chrome.exe
5904	chrome.exe

Suspicious behavior: LoadsDriver 6 IoCs

pid	Process
4	Process not Found
4	Process not Found
4	Process not Found
4	Process not Found
4	Process not Found
692	Process not Found

Suspicious use of AdjustPrivilegeToken 4 IoCs

description	pid	Process
Token: 33	5952	AUDIODG.EXE
Token: SeIncBasePriorityPrivilege	5952	AUDIODG.EXE
Token: SeDebugPrivilege	5936	ii's stupid gui menu.exe
Token: SeDebugPrivilege	2460	ii's stupid gui menu.exe

C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\MonoSandbox.dll,#1
1⤵
PID:4676

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=106.0.5249.119 --initial-client-data=0x100,0x104,0x108,0xfc,0x10c,0x7ffc71449758,0x7ffc71449768,0x7ffc71449778
1⤵
PID:1144

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1664 --field-trial-handle=1880,i,9143875669365116606,10459578432526370437,131072 /prefetch:2
1⤵
PID:2792

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2136 --field-trial-handle=1880,i,9143875669365116606,10459578432526370437,131072 /prefetch:8
1⤵
PID:1336

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2240 --field-trial-handle=1880,i,9143875669365116606,10459578432526370437,131072 /prefetch:8
1⤵
PID:3836

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --first-renderer-process --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=6 --mojo-platform-channel-handle=2988 --field-trial-handle=1880,i,9143875669365116606,10459578432526370437,131072 /prefetch:1
1⤵
PID:4552

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=5 --mojo-platform-channel-handle=2996 --field-trial-handle=1880,i,9143875669365116606,10459578432526370437,131072 /prefetch:1
1⤵
PID:860

C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe"
1⤵
PID:3484

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=7 --mojo-platform-channel-handle=4696 --field-trial-handle=1880,i,9143875669365116606,10459578432526370437,131072 /prefetch:1
1⤵
PID:3148

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.ProcessorMetrics --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5112 --field-trial-handle=1880,i,9143875669365116606,10459578432526370437,131072 /prefetch:8
1⤵
PID:4084

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5200 --field-trial-handle=1880,i,9143875669365116606,10459578432526370437,131072 /prefetch:8
1⤵
PID:2504

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=5292 --field-trial-handle=1880,i,9143875669365116606,10459578432526370437,131072 /prefetch:8
1⤵
PID:228

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=11 --mojo-platform-channel-handle=2712 --field-trial-handle=1880,i,9143875669365116606,10459578432526370437,131072 /prefetch:1
1⤵
PID:5688

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5000 --field-trial-handle=1880,i,9143875669365116606,10459578432526370437,131072 /prefetch:8
1⤵
PID:5756

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=13 --mojo-platform-channel-handle=4988 --field-trial-handle=1880,i,9143875669365116606,10459578432526370437,131072 /prefetch:1
1⤵
PID:5928

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=14 --mojo-platform-channel-handle=2796 --field-trial-handle=1880,i,9143875669365116606,10459578432526370437,131072 /prefetch:1
1⤵
PID:6068

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=audio.mojom.AudioService --lang=en-US --service-sandbox-type=audio --mojo-platform-channel-handle=856 --field-trial-handle=1880,i,9143875669365116606,10459578432526370437,131072 /prefetch:8
1⤵
PID:340

C:\Windows\system32\AUDIODG.EXE
C:\Windows\system32\AUDIODG.EXE 0x41c 0x4f8
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:5952

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=16 --mojo-platform-channel-handle=5952 --field-trial-handle=1880,i,9143875669365116606,10459578432526370437,131072 /prefetch:1
1⤵
PID:3564

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=3880 --field-trial-handle=1880,i,9143875669365116606,10459578432526370437,131072 /prefetch:8
1⤵
PID:908

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=1808 --field-trial-handle=1880,i,9143875669365116606,10459578432526370437,131072 /prefetch:8
1⤵
PID:864

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=4744 --field-trial-handle=1880,i,9143875669365116606,10459578432526370437,131072 /prefetch:8
1⤵
PID:2476

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4924 --field-trial-handle=1880,i,9143875669365116606,10459578432526370437,131072 /prefetch:8
1⤵
PID:5064

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=5604 --field-trial-handle=1880,i,9143875669365116606,10459578432526370437,131072 /prefetch:8
1⤵
PID:4680

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=4180 --field-trial-handle=1880,i,9143875669365116606,10459578432526370437,131072 /prefetch:8
1⤵
PID:3988

C:\Users\Admin\Downloads\ii's stupid gui menu.exe
"C:\Users\Admin\Downloads\ii's stupid gui menu.exe"
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:5936

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:6052

C:\Users\Admin\Downloads\ii's stupid gui menu.exe
"C:\Users\Admin\Downloads\ii's stupid gui menu.exe"
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:2460

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --gpu-preferences=UAAAAAAAAADoAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAACQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=5428 --field-trial-handle=1880,i,9143875669365116606,10459578432526370437,131072 /prefetch:2
1⤵
- Suspicious behavior: EnumeratesProcesses
PID:5904

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Web Service

1

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State

Filesize
2KB

MD5
4cd24ba1a7cc20287d9b2f8643499ca5

SHA1
9f08774d2c580939a5021e198e55917eac4b2712

SHA256
810c7b38ea1f381bba05a211095573fcd5ad9cacac512f68eede6e75725b2149

SHA512
77516c5f006d68c789a541587e2b7e99bc63f03c3556af66e9a178d5df65760e54767b7c00d9955748598a8268f9ef54d239d89459e76a803214cd0735f53b0a

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State

Filesize
3KB

MD5
94cac0643bcceef08a7c34fb32fd8102

SHA1
fa265e5457ddac477a07b45677a04db616107e53

SHA256
ecc8690f95d95019dbbe41b2e4f486c4b6f4a842fb3ab9f34399d455066737f9

SHA512
b0c0480b921ab12cdb20752692eebe2788d8e702fa02ab6950a710097d4894b217b2f0415768395ef19187fdc3666e235dc51107feddb6ea529850b6081dbc8b

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
371B

MD5
b7abf27460c56c1d9b86e252feead720

SHA1
8e74466ab4a15b5c635934884d7a9e5f3ef41017

SHA256
b667b42300baa56b3e20d49a27d55631a76aafe32462e8c1670ece60722953af

SHA512
b4bf38b823c904980ea63f2b2f48d7a4ce1d0ce5b0982962620591d94896e2232150a538cfc26b7e3ee6391a3483b5e66991bb1293bbdf030c466d646c9991a2

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
1KB

MD5
468fc6c793c902ee0b106d46b94262c0

SHA1
329f97f7b2c1d0b16bbf95281379e31a6821b78c

SHA256
09b825cfd4232e7a9c5b517896d45d731d39c8cfb54f2f115ee8a7f40b530605

SHA512
e46710dbc6964e2c77b99788264c9b0da92fe8268540ce49b1ba56f25c402e20c38373e60ef489d9be6cd1abee0a7b3d5fdbab449b384476e1d02d439ab64a20

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
1KB

MD5
1397de2cd419d857d1bb6a47098f1c0f

SHA1
2db40e95280fdd62a4707e89586b40b1e38e056a

SHA256
d49917e289f75e1c8363ef01633ac4fdc3e67370c90bf75d2ced273a422d1674

SHA512
eb0f6580836766cd2ec265b90d87e37d752b56061167d9e4f2ed5b6dc854feb24650cf454bc34dcbd5362e05370ebfbb26a6d1022a28397578ce2f8d461db8ef

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
1KB

MD5
a8105c12a65d8c74e48f2ee6cc84ff08

SHA1
d80b1879498ed7aea56b9af7fc1f9d0019e67eac

SHA256
b483cc0f52667d82be1046816a8a8717646949dad3275e8e841c0319eac98b5a

SHA512
55a64ef7b0399237cd4b1a4212c12d3d4253bbcbb8def9040526bb1af78afc84963ecef052329e533b8c8ba4b79c0a3e16eed2ed0ebc9d799011079b268a58a8

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
1KB

MD5
5872bb8b6f4aaa1b3e7f302b693719b9

SHA1
ff13e1272d668890c3c1b671d2022be237b68aac

SHA256
2d645f6e1cef798f31daabf977aa3e039670fe5cdf9fac1a94e12decec618e30

SHA512
07a87a6b0dc23926babf25aede66b5dc4d13049473e836b73cbf4c0509d77c3385aa2014bcffa68e5478a3d308fec26f51ca446ec0792312f52bc572e489a9a4

Download Submit
memory/2460-104-0x00007FFC6AD50000-0x00007FFC6B811000-memory.dmp

Filesize
10.8MB

Download
memory/2460-110-0x000001A2D5E40000-0x000001A2D5E50000-memory.dmp

Filesize
64KB

Download
memory/2460-109-0x00007FFC6AD50000-0x00007FFC6B811000-memory.dmp

Filesize
10.8MB

Download
memory/2460-106-0x000001A2D5E40000-0x000001A2D5E50000-memory.dmp

Filesize
64KB

Download
memory/5936-82-0x0000021DFA760000-0x0000021DFA778000-memory.dmp

Filesize
96KB

Download
memory/5936-105-0x0000021DFD120000-0x0000021DFD130000-memory.dmp

Filesize
64KB

Download
memory/5936-103-0x00007FFC6AD50000-0x00007FFC6B811000-memory.dmp

Filesize
10.8MB

Download
memory/5936-86-0x0000021DFD660000-0x0000021DFDB88000-memory.dmp

Filesize
5.2MB

Download
memory/5936-84-0x00007FFC6AD50000-0x00007FFC6B811000-memory.dmp

Filesize
10.8MB

Download
memory/5936-85-0x0000021DFD120000-0x0000021DFD130000-memory.dmp

Filesize
64KB

Download
memory/5936-83-0x0000021DFCD60000-0x0000021DFCF22000-memory.dmp

Filesize
1.8MB

Download

Analysis

Sharing