discordrat | hxxps://github[.]com/NeverLoseAntiRecoil/R6-Undetectable-ESP-Walls/blob/main/R6%20ESP%20and%20Walls%20(Undetectable)[.]exe

General

Target

https://github.com/NeverLoseAntiRecoil/R6-Undetectable-ESP-Walls/blob/main/R6%20ESP%20and%20Walls%20(Undetectable).exe

Score

10^/10

discordrat persistence rat rootkit stealer

Malware Config

Extracted

Family

discordrat

Attributes

discord_token
MTIwOTk2OTg5NTMwMzgwNzAwNg.GsD3Ph.KmEMjav18zYTTxA77m5b-xgWlcbY2cXysoj7zA
server_id
1209970293972664340

Signatures

Discord RAT
A RAT written in C# using Discord as a C2.
stealer rootkit rat persistence discordrat
Downloads MZ/PE file

Legitimate hosting services abused for malware hosting/C2 1 TTPs 19 IoCs

Web Service

T1102

flow	ioc
126	raw.githubusercontent.com
164	discord.com
190	discord.com
192	discord.com
206	raw.githubusercontent.com
219	discord.com
226	raw.githubusercontent.com
162	discord.com
169	discord.com
207	raw.githubusercontent.com
218	discord.com
127	raw.githubusercontent.com
128	raw.githubusercontent.com
208	discord.com
209	discord.com
216	discord.com
221	discord.com
163	discord.com
170	discord.com

Suspicious use of AdjustPrivilegeToken 6 IoCs

description	pid	Process
Token: SeDebugPrivilege	4692	R6 ESP and Walls (Undetectable) (1).exe
Token: SeDebugPrivilege	5128	R6 ESP and Walls (Undetectable) (1).exe
Token: SeDebugPrivilege	5972	R6 ESP and Walls (Undetectable) (1).exe
Token: SeDebugPrivilege	404	R6 ESP and Walls (Undetectable) (1).exe
Token: SeDebugPrivilege	4080	R6 ESP and Walls (Undetectable) (1).exe
Token: SeDebugPrivilege	804	R6 ESP and Walls (Undetectable) (1).exe

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://github.com/NeverLoseAntiRecoil/R6-Undetectable-ESP-Walls/blob/main/R6%20ESP%20and%20Walls%20(Undetectable).exe
1⤵
PID:5108

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --no-appcompat-clear --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=17 --mojo-platform-channel-handle=4204 --field-trial-handle=3084,i,4016110471176367543,14287608422419064331,262144 --variations-seed-version /prefetch:1
1⤵
PID:2352

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --no-appcompat-clear --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=18 --mojo-platform-channel-handle=3600 --field-trial-handle=3084,i,4016110471176367543,14287608422419064331,262144 --variations-seed-version /prefetch:1
1⤵
PID:3796

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=5112 --field-trial-handle=3084,i,4016110471176367543,14287608422419064331,262144 --variations-seed-version /prefetch:8
1⤵
PID:404

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --no-appcompat-clear --disable-gpu-compositing --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=20 --mojo-platform-channel-handle=4824 --field-trial-handle=3084,i,4016110471176367543,14287608422419064331,262144 --variations-seed-version /prefetch:1
1⤵
PID:2544

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --mojo-platform-channel-handle=5332 --field-trial-handle=3084,i,4016110471176367543,14287608422419064331,262144 --variations-seed-version /prefetch:8
1⤵
PID:4392

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=edge_collections.mojom.CollectionsDataManager --lang=en-US --service-sandbox-type=collections --no-appcompat-clear --mojo-platform-channel-handle=5956 --field-trial-handle=3084,i,4016110471176367543,14287608422419064331,262144 --variations-seed-version /prefetch:8
1⤵
PID:3812

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --no-appcompat-clear --disable-gpu-compositing --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=23 --mojo-platform-channel-handle=5332 --field-trial-handle=3084,i,4016110471176367543,14287608422419064331,262144 --variations-seed-version /prefetch:1
1⤵
PID:4604

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --lang=en-US --service-sandbox-type=none --no-appcompat-clear --mojo-platform-channel-handle=6264 --field-trial-handle=3084,i,4016110471176367543,14287608422419064331,262144 --variations-seed-version /prefetch:8
1⤵
PID:3252

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --lang=en-US --service-sandbox-type=icon_reader --no-appcompat-clear --mojo-platform-channel-handle=6660 --field-trial-handle=3084,i,4016110471176367543,14287608422419064331,262144 --variations-seed-version /prefetch:8
1⤵
PID:4496

C:\Users\Admin\Downloads\R6 ESP and Walls (Undetectable) (1).exe
"C:\Users\Admin\Downloads\R6 ESP and Walls (Undetectable) (1).exe"
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:4692

C:\Users\Admin\Downloads\R6 ESP and Walls (Undetectable) (1).exe
"C:\Users\Admin\Downloads\R6 ESP and Walls (Undetectable) (1).exe"
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:5128

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=edge_search_indexer.mojom.SearchIndexerInterfaceBroker --lang=en-US --service-sandbox-type=search_indexer --message-loop-type-ui --no-appcompat-clear --mojo-platform-channel-handle=6728 --field-trial-handle=3084,i,4016110471176367543,14287608422419064331,262144 --variations-seed-version /prefetch:8
1⤵
PID:5376

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=5504 --field-trial-handle=3084,i,4016110471176367543,14287608422419064331,262144 --variations-seed-version /prefetch:8
1⤵
PID:5928

C:\Users\Admin\Downloads\R6 ESP and Walls (Undetectable) (1).exe
"C:\Users\Admin\Downloads\R6 ESP and Walls (Undetectable) (1).exe"
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:5972

C:\Users\Admin\Downloads\R6 ESP and Walls (Undetectable) (1).exe
"C:\Users\Admin\Downloads\R6 ESP and Walls (Undetectable) (1).exe"
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:404

C:\Users\Admin\Downloads\R6 ESP and Walls (Undetectable) (1).exe
"C:\Users\Admin\Downloads\R6 ESP and Walls (Undetectable) (1).exe"
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:4080

C:\Users\Admin\Downloads\R6 ESP and Walls (Undetectable) (1).exe
"C:\Users\Admin\Downloads\R6 ESP and Walls (Undetectable) (1).exe"
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:804

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Web Service

1

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/404-19-0x00000255F0330000-0x00000255F0340000-memory.dmp

Filesize
64KB

Download
memory/404-18-0x00007FF891F20000-0x00007FF8929E1000-memory.dmp

Filesize
10.8MB

Download
memory/404-24-0x00007FF891F20000-0x00007FF8929E1000-memory.dmp

Filesize
10.8MB

Download
memory/804-23-0x0000020FD6FE0000-0x0000020FD6FF0000-memory.dmp

Filesize
64KB

Download
memory/804-22-0x00007FF891F20000-0x00007FF8929E1000-memory.dmp

Filesize
10.8MB

Download
memory/4080-20-0x00007FF891F20000-0x00007FF8929E1000-memory.dmp

Filesize
10.8MB

Download
memory/4080-21-0x0000029BBA050000-0x0000029BBA060000-memory.dmp

Filesize
64KB

Download
memory/4692-3-0x000001FE36E50000-0x000001FE36E60000-memory.dmp

Filesize
64KB

Download
memory/4692-8-0x000001FE36E50000-0x000001FE36E60000-memory.dmp

Filesize
64KB

Download
memory/4692-7-0x00007FF891F20000-0x00007FF8929E1000-memory.dmp

Filesize
10.8MB

Download
memory/4692-0-0x000001FE1C980000-0x000001FE1C998000-memory.dmp

Filesize
96KB

Download
memory/4692-4-0x000001FE38510000-0x000001FE38A38000-memory.dmp

Filesize
5.2MB

Download
memory/4692-2-0x000001FE36F50000-0x000001FE37112000-memory.dmp

Filesize
1.8MB

Download
memory/4692-1-0x00007FF891F20000-0x00007FF8929E1000-memory.dmp

Filesize
10.8MB

Download
memory/5128-6-0x0000022BA8A90000-0x0000022BA8AA0000-memory.dmp

Filesize
64KB

Download
memory/5128-10-0x0000022BA8A90000-0x0000022BA8AA0000-memory.dmp

Filesize
64KB

Download
memory/5128-9-0x00007FF891F20000-0x00007FF8929E1000-memory.dmp

Filesize
10.8MB

Download
memory/5128-5-0x00007FF891F20000-0x00007FF8929E1000-memory.dmp

Filesize
10.8MB

Download
memory/5972-15-0x00000146CBD60000-0x00000146CBD7E000-memory.dmp

Filesize
120KB

Download
memory/5972-16-0x00007FF891F20000-0x00007FF8929E1000-memory.dmp

Filesize
10.8MB

Download
memory/5972-17-0x00000146CBD90000-0x00000146CBDA0000-memory.dmp

Filesize
64KB

Download
memory/5972-14-0x00000146B3450000-0x00000146B3462000-memory.dmp

Filesize
72KB

Download
memory/5972-13-0x00000146CCDC0000-0x00000146CCE36000-memory.dmp

Filesize
472KB

Download
memory/5972-12-0x00000146CBD90000-0x00000146CBDA0000-memory.dmp

Filesize
64KB

Download
memory/5972-11-0x00007FF891F20000-0x00007FF8929E1000-memory.dmp

Filesize
10.8MB

Download

Analysis

Sharing