discordrat | dc303bf4fc27ed283589c456d5a5b40e9a0bc97ad9e3fcf9c603998491743248 | Triage

Submit
Reports

Overview

overview

Static

static

spoofer/spoofer.exe

windows10-1703-x64

Sharing

General

Target

spoofer.rar
Size

26KB
Sample

240517-ned1xsfb4s
MD5

fc2a2ef98fc4876c0ff4df059d4eefc6
SHA1

48085f379a0601eb521dc7648f58de1b515bbb0a
SHA256

dc303bf4fc27ed283589c456d5a5b40e9a0bc97ad9e3fcf9c603998491743248
SHA512

a7a0008a1f27a9bc11b666cfb2c079fbdadf7f587c3b76f3e41179e4fd4c5ba19c556ec81bcff8df56ebca7dc986bf477b9e392a48d1101bce15fd7a05f3cbf3
SSDEEP

384:5sYejZmEmE7KXX6cQyztVXgrYINy9HpxDpNYyHkgs+2tjPsQOYkb/TErqO085Qmn:5sxl/66Wub6b1s+SzsQkIqUQnW

Score

10^/10

discordrat evasion execution persistence rat rootkit spyware stealer

Static task

static1

2 signatures

Behavioral task

behavioral1

Sample

spoofer/spoofer.exe

Resource

win10-20240404-de

discordrat evasion execution persistence rat rootkit spyware stealer

windows10-1703-x64

28 signatures

1800 seconds

Malware Config

Extracted

Family

discordrat

Attributes

discord_token
MTI0MDcyOTAxNzg4ODUzODY1NA.Grdfmd.TkiEwQyP2bUA1RIGNTE-wkWpyVRP_iGf-NHIsI
server_id
1240883770677264404

Targets

- Target
  
  spoofer/spoofer.exe
- Size
  
  78KB
- MD5
  
  a588fc073017f17b9538be0d7950fe8b
- SHA1
  
  db71c1ad51e13f38c5342fa2c84fa45221176839
- SHA256
  
  5b25158dadc5ac21c99c100eb9c49f86898dc19959e045f131414ee1e52fe2f1
- SHA512
  
  08bdf70710d8e5330f824f971a5585e0b2b3a6516c0a59f5c00fe175b681ecbf25a354c64e1bcb9cb1d5fd0c6401e765355c416e0b860e8da0a4ff72e32ca1f5
- SSDEEP
  
  1536:52WjO8XeEXFh5P7v88wbjNrfxCXhRoKV6+V+LPIC:5Zv5PDwbjNrmAE+jIC
Score

10^/10

discordrat evasion execution persistence rat rootkit spyware stealer
- Discord RAT
  A RAT written in C# using Discord as a C2.
  stealer rootkit rat persistence discordrat
- Suspicious use of NtCreateProcessExOtherParentProcess
- Suspicious use of NtCreateUserProcessOtherParentProcess
- Command and Scripting Interpreter: PowerShell
  Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.
  execution
- Disables Task Manager via registry modification
  evasion
- Downloads MZ/PE file
- Modifies Windows Firewall
  evasion
- Reads user/profile data of web browsers
  Infostealers often target stored browser data, which can include saved credentials etc.
  spyware stealer
- Legitimate hosting services abused for malware hosting/C2
- Drops file in System32 directory
- Suspicious use of SetThreadContext
behavioral1

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

PowerShell

Persistence

Create or Modify System Process

Windows Service

Privilege Escalation

Create or Modify System Process

Windows Service

Defense Evasion

Impair Defenses

Disable or Modify System Firewall

Modify Registry

Credential Access

Unsecured Credentials

Credentials In Files

Discovery

Peripheral Device Discovery

Query Registry

System Information Discovery

Lateral Movement

Collection

Data from Local System

Command and Control

Web Service

Exfiltration

Impact

Tasks

static1

behavioral1

discordratevasionexecutionpersistenceratrootkitspywarestealer

© 2018-2024

Terms | Privacy