General
-
Target
crazyCore.exe
-
Size
21.8MB
-
Sample
240512-xzqd5afa75
-
MD5
e6f650829d0696bff1fac6d08b4cdf5f
-
SHA1
69e19b885dfc862771e94424a9bf037b484aff67
-
SHA256
bb7d5bba57344040132c5ea0e3f0c503733497d2527bac12d520f24996ba18fb
-
SHA512
77249c6139bcd72a5e018243ebbb3a3c3caeb1a9990b5f7478a425b0ab9d5f56db97a53845c88caff599a136dc8e542e7ef2761cf48a96e3cc1c25871b305d7a
-
SSDEEP
49152:FaMUa/U2bmMjbwsd8CCvpX4AjerBV1RphcNwhIF/7MoxYivZcuLH/vpJBXnv6eSx:P
Malware Config
Extracted
discordrat
-
discord_token
MTIyNzk4ODU3OTk0MzQ0ODY5OA.GEjnSa.rCkhYiVecrt4rcdXOEEhOiD8PNZMRf86EQwBJY
-
server_id
1239256207454109748
Targets
-
-
Target
crazyCore.exe
-
Size
21.8MB
-
MD5
e6f650829d0696bff1fac6d08b4cdf5f
-
SHA1
69e19b885dfc862771e94424a9bf037b484aff67
-
SHA256
bb7d5bba57344040132c5ea0e3f0c503733497d2527bac12d520f24996ba18fb
-
SHA512
77249c6139bcd72a5e018243ebbb3a3c3caeb1a9990b5f7478a425b0ab9d5f56db97a53845c88caff599a136dc8e542e7ef2761cf48a96e3cc1c25871b305d7a
-
SSDEEP
49152:FaMUa/U2bmMjbwsd8CCvpX4AjerBV1RphcNwhIF/7MoxYivZcuLH/vpJBXnv6eSx:P
Score10/10-
Discord RAT
A RAT written in C# using Discord as a C2.
-
Modifies WinLogon for persistence
-
Modifies Windows Defender notification settings
-
Command and Scripting Interpreter: PowerShell
Using powershell.exe command.
-
Sets file to hidden
Modifies file attributes to stop it showing in Explorer etc.
-
Legitimate hosting services abused for malware hosting/C2
-
MITRE ATT&CK Enterprise v15
Persistence
Boot or Logon Autostart Execution
1Winlogon Helper DLL
1Create or Modify System Process
1Windows Service
1Privilege Escalation
Boot or Logon Autostart Execution
1Winlogon Helper DLL
1Create or Modify System Process
1Windows Service
1