discordrat | d0edb846b44e046fee8fea55dba1160e988ccfc947cf51fbb2803ded90268d19

General

Target

RobloxPlayer.exe
Size

78KB
MD5

8f3d0d4044ff8cc1d847687568c91e14
SHA1

fd9049e0e5c074603b78a2aea228b75e4ce6c099
SHA256

1c7ffa12df8fc6b0617ddd3e7bf89582154156c803ca2b2df7a6073d43e13dc0
SHA512

afd8aa0948e588de2bb7d44687afccd5da52e613a06a26bbec862945a3cd1a80423b2e1929256bce23e92bac5b09f27e436c1223583d4507c6782da3d46760e4
SSDEEP

1536:52WjO8XeEXFh5P7v88wbjNrfxCXhRoKV6+V+cPIC:5Zv5PDwbjNrmAE+QIC

Score

10^/10

discordrat evasion persistence rat rootkit stealer

Malware Config

Extracted

Family

discordrat

Attributes

discord_token
MTIxNTQyMjc0OTk4ODg4NDU3Mg.G8QiY3.e2k047pCmhPxBH-tdaOfxVTB1BY3dSfZIT_sXY
server_id
1201970766531530822

Signatures

Discord RAT
A RAT written in C# using Discord as a C2.
stealer rootkit rat persistence discordrat
Disables Task Manager via registry modification
evasion
Legitimate hosting services abused for malware hosting/C2 1 TTPs 9 IoCs

Web Service
T1102

Processes:

flow ioc

8 discord.com
10 discord.com
83 discord.com
84 discord.com
31 discord.com
39 discord.com
41 discord.com
45 discord.com
87 discord.com

flow	ioc
8	discord.com
10	discord.com
83	discord.com
84	discord.com
31	discord.com
39	discord.com
41	discord.com
45	discord.com
87	discord.com

Checks processor information in registry 2 TTPs 6 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

firefox.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	firefox.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Signature	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Revision	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier	firefox.exe

Modifies registry class 1 IoCs

Processes:

firefox.exe

description ioc process

Key created \REGISTRY\USER\S-1-5-21-540404634-651139247-2967210625-1000_Classes\Local Settings firefox.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-540404634-651139247-2967210625-1000_Classes\Local Settings	firefox.exe

Suspicious use of AdjustPrivilegeToken 8 IoCs

Processes:

RobloxPlayer.exefirefox.exeAUDIODG.EXE

description	pid	process
Token: SeDebugPrivilege	4400	RobloxPlayer.exe
Token: SeDebugPrivilege	3720	firefox.exe
Token: SeDebugPrivilege	3720	firefox.exe
Token: 33	5736	AUDIODG.EXE
Token: SeIncBasePriorityPrivilege	5736	AUDIODG.EXE
Token: SeDebugPrivilege	3720	firefox.exe
Token: SeDebugPrivilege	3720	firefox.exe
Token: SeDebugPrivilege	3720	firefox.exe

Suspicious use of FindShellTrayWindow 8 IoCs

Processes:

firefox.exe

pid process

3720 firefox.exe
3720 firefox.exe
3720 firefox.exe
3720 firefox.exe
3720 firefox.exe
3720 firefox.exe
3720 firefox.exe
3720 firefox.exe
Suspicious use of SendNotifyMessage 7 IoCs

Processes:

firefox.exe

pid process

3720 firefox.exe
3720 firefox.exe
3720 firefox.exe
3720 firefox.exe
3720 firefox.exe
3720 firefox.exe
3720 firefox.exe
Suspicious use of SetWindowsHookEx 1 IoCs

Processes:

firefox.exe

pid process

3720 firefox.exe

pid	process
3720	firefox.exe
3720	firefox.exe
3720	firefox.exe
3720	firefox.exe
3720	firefox.exe
3720	firefox.exe
3720	firefox.exe
3720	firefox.exe

pid	process
3720	firefox.exe
3720	firefox.exe
3720	firefox.exe
3720	firefox.exe
3720	firefox.exe
3720	firefox.exe
3720	firefox.exe

pid	process
3720	firefox.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

firefox.exefirefox.exe

description	pid	process	target process
PID 684 wrote to memory of 3720	684	firefox.exe	firefox.exe
PID 684 wrote to memory of 3720	684	firefox.exe	firefox.exe
PID 684 wrote to memory of 3720	684	firefox.exe	firefox.exe
PID 684 wrote to memory of 3720	684	firefox.exe	firefox.exe
PID 684 wrote to memory of 3720	684	firefox.exe	firefox.exe
PID 684 wrote to memory of 3720	684	firefox.exe	firefox.exe
PID 684 wrote to memory of 3720	684	firefox.exe	firefox.exe
PID 684 wrote to memory of 3720	684	firefox.exe	firefox.exe
PID 684 wrote to memory of 3720	684	firefox.exe	firefox.exe
PID 684 wrote to memory of 3720	684	firefox.exe	firefox.exe
PID 684 wrote to memory of 3720	684	firefox.exe	firefox.exe
PID 3720 wrote to memory of 1220	3720	firefox.exe	firefox.exe
PID 3720 wrote to memory of 1220	3720	firefox.exe	firefox.exe
PID 3720 wrote to memory of 1220	3720	firefox.exe	firefox.exe
PID 3720 wrote to memory of 1220	3720	firefox.exe	firefox.exe
PID 3720 wrote to memory of 1220	3720	firefox.exe	firefox.exe
PID 3720 wrote to memory of 1220	3720	firefox.exe	firefox.exe
PID 3720 wrote to memory of 1220	3720	firefox.exe	firefox.exe
PID 3720 wrote to memory of 1220	3720	firefox.exe	firefox.exe
PID 3720 wrote to memory of 1220	3720	firefox.exe	firefox.exe
PID 3720 wrote to memory of 1220	3720	firefox.exe	firefox.exe
PID 3720 wrote to memory of 1220	3720	firefox.exe	firefox.exe
PID 3720 wrote to memory of 1220	3720	firefox.exe	firefox.exe
PID 3720 wrote to memory of 1220	3720	firefox.exe	firefox.exe
PID 3720 wrote to memory of 1220	3720	firefox.exe	firefox.exe
PID 3720 wrote to memory of 1220	3720	firefox.exe	firefox.exe
PID 3720 wrote to memory of 1220	3720	firefox.exe	firefox.exe
PID 3720 wrote to memory of 1220	3720	firefox.exe	firefox.exe
PID 3720 wrote to memory of 1220	3720	firefox.exe	firefox.exe
PID 3720 wrote to memory of 1220	3720	firefox.exe	firefox.exe
PID 3720 wrote to memory of 1220	3720	firefox.exe	firefox.exe
PID 3720 wrote to memory of 1220	3720	firefox.exe	firefox.exe
PID 3720 wrote to memory of 1220	3720	firefox.exe	firefox.exe
PID 3720 wrote to memory of 1220	3720	firefox.exe	firefox.exe
PID 3720 wrote to memory of 1220	3720	firefox.exe	firefox.exe
PID 3720 wrote to memory of 1220	3720	firefox.exe	firefox.exe
PID 3720 wrote to memory of 1220	3720	firefox.exe	firefox.exe
PID 3720 wrote to memory of 1220	3720	firefox.exe	firefox.exe
PID 3720 wrote to memory of 1220	3720	firefox.exe	firefox.exe
PID 3720 wrote to memory of 1220	3720	firefox.exe	firefox.exe
PID 3720 wrote to memory of 1220	3720	firefox.exe	firefox.exe
PID 3720 wrote to memory of 1220	3720	firefox.exe	firefox.exe
PID 3720 wrote to memory of 1220	3720	firefox.exe	firefox.exe
PID 3720 wrote to memory of 1220	3720	firefox.exe	firefox.exe
PID 3720 wrote to memory of 1220	3720	firefox.exe	firefox.exe
PID 3720 wrote to memory of 1220	3720	firefox.exe	firefox.exe
PID 3720 wrote to memory of 1220	3720	firefox.exe	firefox.exe
PID 3720 wrote to memory of 1220	3720	firefox.exe	firefox.exe
PID 3720 wrote to memory of 1220	3720	firefox.exe	firefox.exe
PID 3720 wrote to memory of 1220	3720	firefox.exe	firefox.exe
PID 3720 wrote to memory of 1220	3720	firefox.exe	firefox.exe
PID 3720 wrote to memory of 1220	3720	firefox.exe	firefox.exe
PID 3720 wrote to memory of 1220	3720	firefox.exe	firefox.exe
PID 3720 wrote to memory of 1220	3720	firefox.exe	firefox.exe
PID 3720 wrote to memory of 4436	3720	firefox.exe	firefox.exe
PID 3720 wrote to memory of 4436	3720	firefox.exe	firefox.exe
PID 3720 wrote to memory of 4436	3720	firefox.exe	firefox.exe
PID 3720 wrote to memory of 4436	3720	firefox.exe	firefox.exe
PID 3720 wrote to memory of 4436	3720	firefox.exe	firefox.exe
PID 3720 wrote to memory of 4436	3720	firefox.exe	firefox.exe
PID 3720 wrote to memory of 4436	3720	firefox.exe	firefox.exe
PID 3720 wrote to memory of 4436	3720	firefox.exe	firefox.exe
PID 3720 wrote to memory of 4436	3720	firefox.exe	firefox.exe
PID 3720 wrote to memory of 4436	3720	firefox.exe	firefox.exe

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\RobloxPlayer.exe
"C:\Users\Admin\AppData\Local\Temp\RobloxPlayer.exe"
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:4400

C:\Windows\system32\taskmgr.exe
"C:\Windows\system32\taskmgr.exe" /7
1⤵
PID:2744

C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:684

C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe"
2⤵
- Checks processor information in registry
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:3720

C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="3720.0.1902406734\552523358" -parentBuildID 20230214051806 -prefsHandle 1808 -prefMapHandle 1800 -prefsLen 22076 -prefMapSize 235121 -appDir "C:\Program Files\Mozilla Firefox\browser" - {c8bf3688-8e82-41d4-9e0c-e58126be478a} 3720 "\\.\pipe\gecko-crash-server-pipe.3720" 1900 140af30e458 gpu
3⤵
PID:1220

C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="3720.1.1820346344\1158174598" -parentBuildID 20230214051806 -prefsHandle 2456 -prefMapHandle 2452 -prefsLen 22112 -prefMapSize 235121 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {cfd167ad-0970-4101-a8c0-893bda83ff9a} 3720 "\\.\pipe\gecko-crash-server-pipe.3720" 2468 140a2588a58 socket
3⤵
PID:4436

C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="3720.2.24290476\2020883107" -childID 1 -isForBrowser -prefsHandle 2792 -prefMapHandle 2712 -prefsLen 22150 -prefMapSize 235121 -jsInitHandle 1316 -jsInitLen 246560 -a11yResourceId 64 -parentBuildID 20230214051806 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {aef17b4d-e472-47a0-a7e8-11d985b197f2} 3720 "\\.\pipe\gecko-crash-server-pipe.3720" 3020 140b2205f58 tab
3⤵
PID:4204

C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="3720.3.969849472\1587648495" -childID 2 -isForBrowser -prefsHandle 3832 -prefMapHandle 3808 -prefsLen 27616 -prefMapSize 235121 -jsInitHandle 1316 -jsInitLen 246560 -a11yResourceId 64 -parentBuildID 20230214051806 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {598d7333-853d-41a0-9f22-60fab064f232} 3720 "\\.\pipe\gecko-crash-server-pipe.3720" 3852 140b41cc858 tab
3⤵
PID:4904

C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="3720.4.626143306\241861432" -childID 3 -isForBrowser -prefsHandle 5000 -prefMapHandle 5096 -prefsLen 27616 -prefMapSize 235121 -jsInitHandle 1316 -jsInitLen 246560 -a11yResourceId 64 -parentBuildID 20230214051806 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {7472ade2-fc24-42f3-9d60-433a7fa1f49d} 3720 "\\.\pipe\gecko-crash-server-pipe.3720" 5032 140b695e858 tab
3⤵
PID:5292

C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="3720.5.6646015\237147315" -childID 4 -isForBrowser -prefsHandle 5236 -prefMapHandle 5240 -prefsLen 27616 -prefMapSize 235121 -jsInitHandle 1316 -jsInitLen 246560 -a11yResourceId 64 -parentBuildID 20230214051806 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {490df5a7-6a7b-4009-9c7a-ffd7776cb915} 3720 "\\.\pipe\gecko-crash-server-pipe.3720" 5228 140b695f758 tab
3⤵
PID:5300

C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="3720.6.1938109870\386266570" -childID 5 -isForBrowser -prefsHandle 5432 -prefMapHandle 5436 -prefsLen 27616 -prefMapSize 235121 -jsInitHandle 1316 -jsInitLen 246560 -a11yResourceId 64 -parentBuildID 20230214051806 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {871c06d0-ac6c-4153-b94d-a92e761fb7c0} 3720 "\\.\pipe\gecko-crash-server-pipe.3720" 5420 140b6961558 tab
3⤵
PID:5308

C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="3720.7.554106513\266357780" -childID 6 -isForBrowser -prefsHandle 1652 -prefMapHandle 1636 -prefsLen 27697 -prefMapSize 235121 -jsInitHandle 1316 -jsInitLen 246560 -a11yResourceId 64 -parentBuildID 20230214051806 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {d7d52fbf-234e-4774-906e-7146b7eda3a1} 3720 "\\.\pipe\gecko-crash-server-pipe.3720" 5768 140b5b05058 tab
3⤵
PID:6040

C:\Windows\system32\AUDIODG.EXE
C:\Windows\system32\AUDIODG.EXE 0x4c8 0x510
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:5736

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

2

T1012

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Web Service

1

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\qzr7kws6.default-release\activity-stream.discovery_stream.json.tmp
Filesize
29KB

MD5
429ee90d372a78b9df0e5a981f76a1ea

SHA1
47e6a7e0240a4087068724ab830806a4e3929b58

SHA256
7b50b4b3a9d9b9640ca549acc3fab4ea7a80c038f9e1e9c2534ba67d4504ad48

SHA512
852ced01282e662067887b3906ea329fcd4d29a71e3a27da9110b96d7455a9a004b181c9f2767a5fb28322893279082e25f0e955acb7b40347bd21952acfad00

Download Submit
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\qzr7kws6.default-release\cache2\entries\1BD06364B17F941101FCC95275213BEB65016BDA
Filesize
60KB

MD5
b0152ce0ec8a69ad0bb001aed5434d5b

SHA1
b416669eaf5dad3164bde8b5052f2c57fd519e38

SHA256
acf5554bd3884d297084b8f8b3e377670e3147ba71b5ba2a1023175860347155

SHA512
33fed50792ef4104cb8cdaef8738fbdfc0a829cc24e9b47e642a08f16f3fa1df8c705f6609ff8ff9ce9f69ece81e6691d3a1349df2aa482713f8e099a121b2f2

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\qzr7kws6.default-release\prefs-1.js
Filesize
7KB

MD5
b9eca33379d3db6c0b93d2649d347e4e

SHA1
396d6edb9a4423d892a5fa0b0e01fca94cd0c02f

SHA256
b5dc99b38bb55fefef4e2da8a871d7986af890ebddfa67ac4f6fbfef8a2c2fc6

SHA512
ad739d454005f45b84a7d70ff29768f505dc111c6782804ecdcf2f64cb0a7e71c58ca4c2a82ec258a388a744c5157a0baf06be1d37bb317ca7a75275ef6f9cb3

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\qzr7kws6.default-release\sessionstore-backups\recovery.jsonlz4
Filesize
3KB

MD5
4a6278b5614af516db34de15c87fdf42

SHA1
737243e7ea33e87be435cafef5dbbd1a7eddba08

SHA256
c9b73ce39d876ddbe81eb028a6e22cc914ecaa8ef06fe96ad4a19f23c69391e6

SHA512
a7e1cbc83815f639f13eab30997433f792326af2006f885103fbd422a510cda6a9cef64b40d409585c27559091503437683c0e1e37960c2815bb3c5538c55b6d

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\qzr7kws6.default-release\sessionstore-backups\recovery.jsonlz4
Filesize
4KB

MD5
0597436ae297afd864bacce31b905784

SHA1
72123ab666fbe9e1c50407312020a84caf8958f6

SHA256
2ffa3c626be3df81004915f833341b4e8480739f0d70ec8a7764dc45a9eea436

SHA512
7160cd9f8adcf167c33ce5d8ebb6c9c1a83acd8465a79fd27672773297076252a4690ccf57144a786eb8fb5b0b7f2c0a2de4943cb4048389b2d8ed2c9abf701c

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\qzr7kws6.default-release\sessionstore-backups\recovery.jsonlz4
Filesize
4KB

MD5
ba88ec472c3d2cbf669dad9b2d74c2cf

SHA1
4c54a957c672e1a4a2dd2f4e6f995d30f8cc2b54

SHA256
131b611c058c183c60ac15b45f5d30f3193e5f7918750ff8652f46f6592ad9ab

SHA512
7f3e94404e45edda429b51919bc327bad8cfb20822a5693eb486678c252326ef2d398a4ac05cbe402a9ade309e6bf3150718a5044070bb4d13767d2ff97163b2

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\qzr7kws6.default-release\sessionstore-backups\recovery.jsonlz4
Filesize
4KB

MD5
8b597a9d01a3e404e2a7afa664089b08

SHA1
16a02abd97c13d1f865f3e6de37d6bb72ebb2ae9

SHA256
37c2172eea797d43fec2bab9e82ff7040d990bce6c9b6030af9f9f510d24bb89

SHA512
70dabeb46b64b6c342d60754c7fea681bd3a022c904422b172dc0310c49477185b1ab298d8f8a14007e726f053ef95113be5ae8d23e2ab96742368d19dffa5c8

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\qzr7kws6.default-release\sessionstore-backups\recovery.jsonlz4
Filesize
4KB

MD5
812a7af6dc0ab08b28ccabf8e068fe1a

SHA1
d79fc8ef77f931de644ff4ee40545a960a26db0d

SHA256
53ef220326a6a8cc4bfbb5d245a6a2abd3174e259b996894295ac0fe9b13453f

SHA512
85fe7718c10fc5568279b85291d5cddfbde34280eefca5dc958e5fb168cbef0f93f958c5be2adf81fd765c0fa698177569bfb4b72a9e8df0095bb59c970bc82f

Download Submit
memory/4400-4-0x000002B2E9C60000-0x000002B2EA188000-memory.dmp

Filesize
5.2MB

Download
memory/4400-56-0x00007FFD4E230000-0x00007FFD4ECF1000-memory.dmp

Filesize
10.8MB

Download
memory/4400-55-0x000002B2EBC10000-0x000002B2EBCBA000-memory.dmp

Filesize
680KB

Download
memory/4400-52-0x00007FFD4E230000-0x00007FFD4ECF1000-memory.dmp

Filesize
10.8MB

Download
memory/4400-51-0x00007FFD4E233000-0x00007FFD4E235000-memory.dmp

Filesize
8KB

Download
memory/4400-141-0x00007FFD4E230000-0x00007FFD4ECF1000-memory.dmp

Filesize
10.8MB

Download
memory/4400-1-0x00007FFD4E233000-0x00007FFD4E235000-memory.dmp

Filesize
8KB

Download
memory/4400-3-0x00007FFD4E230000-0x00007FFD4ECF1000-memory.dmp

Filesize
10.8MB

Download
memory/4400-2-0x000002B2E9460000-0x000002B2E9622000-memory.dmp

Filesize
1.8MB

Download
memory/4400-0-0x000002B2CED60000-0x000002B2CED78000-memory.dmp

Filesize
96KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads