General

  • Target

    https://cdn.discordapp.com/attachments/1229097803268227114/1229105302264217681/free_robux.exe?ex=662e7883&is=661c0383&hm=e22f9ad8f9b39c1d906eebb9108b395a29786544df365f91714a0fe93dff0c1b&

  • Sample

    240414-vceb8sab34

Malware Config

Extracted

Family

discordrat

Attributes

  • discord_token

    MTA2ODI0MTMyMDk4MTgyNzU5NA.GDi6tE.t2T-c9UBEtvdju9XJt2A5HWfqJ2wasQ2apTfdg

  • server_id

    1068241914974974063

Targets

    • Target

      https://cdn.discordapp.com/attachments/1229097803268227114/1229105302264217681/free_robux.exe?ex=662e7883&is=661c0383&hm=e22f9ad8f9b39c1d906eebb9108b395a29786544df365f91714a0fe93dff0c1b&

    • Discord RAT

      A RAT written in C# using Discord as a C2.

    • Blocklisted process makes network request

    • Downloads MZ/PE file

    • Drops startup file

    • Executes dropped EXE

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials and other sensitive account information.

    • Legitimate hosting services abused for malware hosting/C2

MITRE ATT&CK Enterprise v15

Tasks