discordrat | 398c45daf283a0bb0a57696cac3c2f67fff96d5ea5f0f53a6f1dd7a693a0e22a

General

Target

MainMenu.rbxm
Size

14KB
MD5

570b9b9cd36ee573826296c9c1e24dea
SHA1

69bb3c2b05b2043b53fa2fa25f3c227d3b3c7bbc
SHA256

398c45daf283a0bb0a57696cac3c2f67fff96d5ea5f0f53a6f1dd7a693a0e22a
SHA512

6d59a8fed062a7a95ddeab579e21f2eda37c9c9a635be657bd1122fb57498f20a18deb9fa3434c4d9dad62bf85a1a9a1751e5e21a7a0403863039edd51a39a82
SSDEEP

192:WkV5Yqitq3KfkjaGRCNkjWKARcZizO9Bpy/nw8vJemQQJ:pDaiLRCJKocZiy9Py/nLvJeyJ

Score

10^/10

discordrat persistence rat rootkit stealer

Malware Config

Extracted

Family

discordrat

Attributes

discord_token
MTIyMjY1ODg0NzM1NzkyNzQzNQ.G46owp.2JEzFsoF0sNveJ3Ig7Q_yTdVD59ktO7ZBNMdzw
server_id
1211370597838487562

Signatures

Discord RAT
A RAT written in C# using Discord as a C2.
stealer rootkit rat persistence discordrat
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Modifies registry class 1 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000_Classes\Local Settings	rundll32.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
2868	rundll32.exe

Suspicious use of WriteProcessMemory 6 IoCs

description	pid	Process	procid_target
PID 2536 wrote to memory of 2868	2536	cmd.exe	38
PID 2536 wrote to memory of 2868	2536	cmd.exe	38
PID 2536 wrote to memory of 2868	2536	cmd.exe	38
PID 2448 wrote to memory of 1572	2448	FunnyDoxTool.exe	58
PID 2448 wrote to memory of 1572	2448	FunnyDoxTool.exe	58
PID 2448 wrote to memory of 1572	2448	FunnyDoxTool.exe	58

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012
Uses Volume Shadow Copy WMI provider
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Windows\system32\cmd.exe
cmd /c C:\Users\Admin\AppData\Local\Temp\MainMenu.rbxm
1⤵
- Suspicious use of WriteProcessMemory
PID:2536
- C:\Windows\system32\rundll32.exe
  "C:\Windows\system32\rundll32.exe" C:\Windows\system32\shell32.dll,OpenAs_RunDLL C:\Users\Admin\AppData\Local\Temp\MainMenu.rbxm
  2⤵
  - Modifies registry class
  - Suspicious behavior: GetForegroundWindowSpam
  PID:2868

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --use-gl=angle --use-angle=swiftshader-webgl --mojo-platform-channel-handle=1488 --field-trial-handle=1308,i,10197954261567952638,15372716637499062392,131072 /prefetch:2
1⤵
PID:524

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=8 --mojo-platform-channel-handle=1420 --field-trial-handle=1308,i,10197954261567952638,15372716637499062392,131072 /prefetch:1
1⤵
PID:3032

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=3436 --field-trial-handle=1308,i,10197954261567952638,15372716637499062392,131072 /prefetch:8
1⤵
PID:1088

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=3456 --field-trial-handle=1308,i,10197954261567952638,15372716637499062392,131072 /prefetch:8
1⤵
PID:1048

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=3504 --field-trial-handle=1308,i,10197954261567952638,15372716637499062392,131072 /prefetch:8
1⤵
PID:776

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=3668 --field-trial-handle=1308,i,10197954261567952638,15372716637499062392,131072 /prefetch:8
1⤵
PID:768

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=3820 --field-trial-handle=1308,i,10197954261567952638,15372716637499062392,131072 /prefetch:8
1⤵
PID:2952

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=14 --mojo-platform-channel-handle=3904 --field-trial-handle=1308,i,10197954261567952638,15372716637499062392,131072 /prefetch:1
1⤵
PID:1624

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=15 --mojo-platform-channel-handle=3412 --field-trial-handle=1308,i,10197954261567952638,15372716637499062392,131072 /prefetch:1
1⤵
PID:956

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=16 --mojo-platform-channel-handle=2152 --field-trial-handle=1308,i,10197954261567952638,15372716637499062392,131072 /prefetch:1
1⤵
PID:2188

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2536 --field-trial-handle=1308,i,10197954261567952638,15372716637499062392,131072 /prefetch:8
1⤵
PID:2068

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=2640 --field-trial-handle=1308,i,10197954261567952638,15372716637499062392,131072 /prefetch:8
1⤵
PID:1984

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=2740 --field-trial-handle=1308,i,10197954261567952638,15372716637499062392,131072 /prefetch:8
1⤵
PID:2204

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2780 --field-trial-handle=1308,i,10197954261567952638,15372716637499062392,131072 /prefetch:8
1⤵
PID:1584

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=3436 --field-trial-handle=1308,i,10197954261567952638,15372716637499062392,131072 /prefetch:8
1⤵
PID:2464

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=3620 --field-trial-handle=1308,i,10197954261567952638,15372716637499062392,131072 /prefetch:8
1⤵
PID:2488

C:\Users\Admin\Downloads\FunnyDoxTool.exe
"C:\Users\Admin\Downloads\FunnyDoxTool.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:2448
- C:\Windows\system32\WerFault.exe
  C:\Windows\system32\WerFault.exe -u -p 2448 -s 596
  2⤵
  PID:1572

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/2448-24-0x000000013F620000-0x000000013F638000-memory.dmp

Filesize
96KB

Download
memory/2448-25-0x000007FEF2E80000-0x000007FEF386C000-memory.dmp

Filesize
9.9MB

Download
memory/2448-26-0x000000001BD90000-0x000000001BE10000-memory.dmp

Filesize
512KB

Download
memory/2448-27-0x000007FEF2E80000-0x000007FEF386C000-memory.dmp

Filesize
9.9MB

Download
memory/2448-28-0x000007FEF2E80000-0x000007FEF386C000-memory.dmp

Filesize
9.9MB

Download

Resubmissions

Analysis

Sharing