discordrat | d0edb846b44e046fee8fea55dba1160e988ccfc947cf51fbb2803ded90268d19 | Triage

Submit
Reports

Overview

overview

Static

static

RobloxPlayer.exe

windows7-x64

RobloxPlayer.exe

windows10-2004-x64

Sharing

General

Target

Roblox_Player.exe
Size

26KB
Sample

240526-cf82xaah7t
MD5

c38ca70397b21fb3958b573f0c646e6e
SHA1

908a9a1b75874e84b5bac5db93d3a3e9dc82bd5f
SHA256

d0edb846b44e046fee8fea55dba1160e988ccfc947cf51fbb2803ded90268d19
SHA512

b47c41315f4195c500aa8080b7587696d9d8608a6197d4cdfd9a478519f5884320379f87f9811e4c7c019f4b83de710610c023893b09455cf436618fdabe5b71
SSDEEP

384:v9YI3WhDBAdQ48ydlErkKxJl3PL5NJqdTP/CytG0xe9O8vSYohyCTh0NU8MVn:vq9BA10P9rJqdT/Cyw0xyO8vSXInNNMV

Score

10^/10

discordrat persistence rat rootkit stealer

Static task

static1

2 signatures

Behavioral task

behavioral1

Sample

RobloxPlayer.exe

Resource

win7-20240221-en

discordrat persistence rat rootkit stealer

windows7-x64

2 signatures

150 seconds

Behavioral task

behavioral2

Sample

RobloxPlayer.exe

Resource

win10v2004-20240508-en

discordrat persistence rat rootkit stealer

windows10-2004-x64

21 signatures

150 seconds

Malware Config

Extracted

Family

discordrat

Attributes

discord_token
MTIxNTQyMjc0OTk4ODg4NDU3Mg.G8QiY3.e2k047pCmhPxBH-tdaOfxVTB1BY3dSfZIT_sXY
server_id
1201970766531530822

Targets

- Target
  
  RobloxPlayer.exe.exe
- Size
  
  78KB
- MD5
  
  8f3d0d4044ff8cc1d847687568c91e14
- SHA1
  
  fd9049e0e5c074603b78a2aea228b75e4ce6c099
- SHA256
  
  1c7ffa12df8fc6b0617ddd3e7bf89582154156c803ca2b2df7a6073d43e13dc0
- SHA512
  
  afd8aa0948e588de2bb7d44687afccd5da52e613a06a26bbec862945a3cd1a80423b2e1929256bce23e92bac5b09f27e436c1223583d4507c6782da3d46760e4
- SSDEEP
  
  1536:52WjO8XeEXFh5P7v88wbjNrfxCXhRoKV6+V+cPIC:5Zv5PDwbjNrmAE+QIC
Score

10^/10

discordrat persistence rat rootkit stealer
- Discord RAT
  A RAT written in C# using Discord as a C2.
  stealer rootkit rat persistence discordrat
- Suspicious use of NtCreateUserProcessOtherParentProcess
- Downloads MZ/PE file
- Checks BIOS information in registry
  BIOS information is often read in order to detect sandboxing environments.
- Legitimate hosting services abused for malware hosting/C2
- Drops file in System32 directory
- Suspicious use of SetThreadContext
behavioral1 behavioral2

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

Persistence

Scheduled Task/Job

Privilege Escalation

Scheduled Task/Job

Defense Evasion

Modify Registry

Credential Access

Discovery

Query Registry

System Information Discovery

Lateral Movement

Collection

Command and Control

Web Service

Exfiltration

Impact

Tasks

static1

behavioral1

discordratpersistenceratrootkitstealer

behavioral2

discordratpersistenceratrootkitstealer

© 2018-2024

Terms | Privacy