discordrat | 540611034c0489b1b4e2822b692bff7167369ceaea4bfd334aeaa33e0ae6ae6e | Triage

Sharing

General

Target

540611034c0489b1b4e2822b692bff7167369ceaea4bfd334aeaa33e0ae6ae6e
Size

78KB
Sample

240603-he5kzsgb98
MD5

a2da8356ef064960ab8dd09372627a58
SHA1

2edb364315b7f1a5ee652e015a1316c6640d2d2b
SHA256

540611034c0489b1b4e2822b692bff7167369ceaea4bfd334aeaa33e0ae6ae6e
SHA512

9e4770e0d3a9404ea78d532b08e4b70c1be77fcd5797601fb17c18e45b991c10407c595a52ca361affd6bffeb476cdbcba184dd07142f10d74f23c4f357b6ace
SSDEEP

1536:52WjO8XeEXFh5P7v88wbjNrfxCXhRoKV6+V+KPIC:5Zv5PDwbjNrmAE+WIC

Score

10^/10

discordrat evasion execution persistence rat rootkit spyware stealer

Malware Config

Extracted

Family

discordrat

Attributes

discord_token
MTI0NjMwMTQ1MjQwNjc1MTI0Mg.GoEe4D.Ukxxcg2g6oiBh3IEoYa6C5FTUz1iU45J3sp1bU
server_id
1246300545325727776

Targets

- Target
  
  540611034c0489b1b4e2822b692bff7167369ceaea4bfd334aeaa33e0ae6ae6e
- Size
  
  78KB
- MD5
  
  a2da8356ef064960ab8dd09372627a58
- SHA1
  
  2edb364315b7f1a5ee652e015a1316c6640d2d2b
- SHA256
  
  540611034c0489b1b4e2822b692bff7167369ceaea4bfd334aeaa33e0ae6ae6e
- SHA512
  
  9e4770e0d3a9404ea78d532b08e4b70c1be77fcd5797601fb17c18e45b991c10407c595a52ca361affd6bffeb476cdbcba184dd07142f10d74f23c4f357b6ace
- SSDEEP
  
  1536:52WjO8XeEXFh5P7v88wbjNrfxCXhRoKV6+V+KPIC:5Zv5PDwbjNrmAE+WIC
Score

10^/10

discordrat persistence rat rootkit stealer evasion execution spyware
- Discord RAT
  A RAT written in C# using Discord as a C2.
  stealer rootkit rat persistence discordrat
- Suspicious use of NtCreateUserProcessOtherParentProcess
- Command and Scripting Interpreter: PowerShell
  Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.
  execution
- Disables Task Manager via registry modification
  evasion
- Downloads MZ/PE file
- Modifies Windows Firewall
  evasion
- Checks BIOS information in registry
  BIOS information is often read in order to detect sandboxing environments.
- Reads user/profile data of web browsers
  Infostealers often target stored browser data, which can include saved credentials etc.
  spyware stealer
- Legitimate hosting services abused for malware hosting/C2
- Drops file in System32 directory
- Suspicious use of SetThreadContext
behavioral1 behavioral2

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

PowerShell

Scheduled Task/Job

Persistence

Create or Modify System Process

Windows Service

Scheduled Task/Job

Privilege Escalation

Create or Modify System Process

Windows Service

Scheduled Task/Job

Defense Evasion

Impair Defenses

Disable or Modify System Firewall

Credential Access

Unsecured Credentials

Credentials In Files

Discovery

Query Registry

System Information Discovery

Lateral Movement

Collection

Data from Local System

Command and Control

Web Service

Exfiltration

Impact

Tasks

static1

behavioral1

discordratpersistenceratrootkitstealer

behavioral2

discordratevasionexecutionpersistenceratrootkitspywarestealer