discordrat | c6347e059cf0a97401735676bb94b9cdc0d00da63b44c59e4164088392c70e52

General

Target

fjTqKmzL.html
Size

17KB
MD5

41e5bd906c34fe02f6f803b944f0e3fd
SHA1

d19842a43159f16bfe12bbaa11f4116ae4ae1f46
SHA256

c6347e059cf0a97401735676bb94b9cdc0d00da63b44c59e4164088392c70e52
SHA512

d4c37e086b9234ea96cfeea5531dd387a58ddf6e2cd4265a082f1337f6a994c95564b03557e36f0e59e45d768be8020b340206ef63cc2284f2fe7cf9e545705c
SSDEEP

384:KFVFD+WIE7kbqkmg9x+DZzzsg2RrgoAOnC0JqsTSpF6:M3DZ37kbqS9YZlsTSpF6

Score

10^/10

discordrat persistence rat rootkit stealer

Malware Config

Extracted

Family

discordrat

Attributes

discord_token
OTM2NzI3NjI5MzcxOTQ0OTcw.GCVcP3.D4dApx2x4azOpAyDrEB1pg1kJu_UOP1ZpW7FgY
server_id
1252722525725659238

Signatures

Discord RAT
A RAT written in C# using Discord as a C2.
stealer rootkit rat persistence discordrat

Legitimate hosting services abused for malware hosting/C2 1 TTPs 16 IoCs

Web Service

T1102

flow	ioc
105	pastebin.com
202	discord.com
204	discord.com
203	discord.com
221	discord.com
104	pastebin.com
108	pastebin.com
201	discord.com
121	pastebin.com
192	discord.com
193	discord.com
198	discord.com
220	discord.com
103	pastebin.com
107	pastebin.com
120	pastebin.com

Suspicious use of AdjustPrivilegeToken 3 IoCs

description	pid	Process
Token: 33	1008	AUDIODG.EXE
Token: SeIncBasePriorityPrivilege	1008	AUDIODG.EXE
Token: SeDebugPrivilege	2808	Client-built.exe

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument C:\Users\Admin\AppData\Local\Temp\fjTqKmzL.html
1⤵
PID:4540

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --enable-dinosaur-easter-egg-alt-images --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=16 --field-trial-handle=1424,i,6041070687820623968,3004230300437737550,262144 --variations-seed-version --mojo-platform-channel-handle=3904 /prefetch:1
1⤵
PID:212

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --enable-dinosaur-easter-egg-alt-images --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=15 --field-trial-handle=3808,i,6041070687820623968,3004230300437737550,262144 --variations-seed-version --mojo-platform-channel-handle=4764 /prefetch:1
1⤵
PID:236

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --enable-dinosaur-easter-egg-alt-images --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=17 --field-trial-handle=5300,i,6041070687820623968,3004230300437737550,262144 --variations-seed-version --mojo-platform-channel-handle=5288 /prefetch:1
1⤵
PID:4344

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --field-trial-handle=5292,i,6041070687820623968,3004230300437737550,262144 --variations-seed-version --mojo-platform-channel-handle=5428 /prefetch:8
1⤵
PID:4604

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=entity_extraction_service.mojom.Extractor --lang=en-US --service-sandbox-type=entity_extraction --onnx-enabled-for-ee --field-trial-handle=5344,i,6041070687820623968,3004230300437737550,262144 --variations-seed-version --mojo-platform-channel-handle=5540 /prefetch:8
1⤵
PID:4988

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --enable-dinosaur-easter-egg-alt-images --disable-gpu-compositing --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=20 --field-trial-handle=6012,i,6041070687820623968,3004230300437737550,262144 --variations-seed-version --mojo-platform-channel-handle=5932 /prefetch:1
1⤵
PID:216

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --enable-dinosaur-easter-egg-alt-images --disable-gpu-compositing --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=21 --field-trial-handle=4504,i,6041070687820623968,3004230300437737550,262144 --variations-seed-version --mojo-platform-channel-handle=6548 /prefetch:1
1⤵
PID:4372

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --enable-dinosaur-easter-egg-alt-images --disable-gpu-compositing --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=22 --field-trial-handle=3876,i,6041070687820623968,3004230300437737550,262144 --variations-seed-version --mojo-platform-channel-handle=6424 /prefetch:1
1⤵
PID:4348

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --enable-dinosaur-easter-egg-alt-images --disable-gpu-compositing --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=23 --field-trial-handle=4952,i,6041070687820623968,3004230300437737550,262144 --variations-seed-version --mojo-platform-channel-handle=6136 /prefetch:1
1⤵
PID:4492

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --enable-dinosaur-easter-egg-alt-images --disable-gpu-compositing --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=24 --field-trial-handle=4572,i,6041070687820623968,3004230300437737550,262144 --variations-seed-version --mojo-platform-channel-handle=5884 /prefetch:1
1⤵
PID:1660

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --enable-dinosaur-easter-egg-alt-images --disable-gpu-compositing --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=25 --field-trial-handle=6508,i,6041070687820623968,3004230300437737550,262144 --variations-seed-version --mojo-platform-channel-handle=6784 /prefetch:1
1⤵
PID:4564

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --field-trial-handle=6596,i,6041070687820623968,3004230300437737550,262144 --variations-seed-version --mojo-platform-channel-handle=6612 /prefetch:8
1⤵
PID:1552

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --instant-process --enable-dinosaur-easter-egg-alt-images --disable-gpu-compositing --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=27 --field-trial-handle=4656,i,6041070687820623968,3004230300437737550,262144 --variations-seed-version --mojo-platform-channel-handle=5832 /prefetch:1
1⤵
PID:3960

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=edge_search_indexer.mojom.SearchIndexerInterfaceBroker --lang=en-US --service-sandbox-type=search_indexer --message-loop-type-ui --field-trial-handle=5500,i,6041070687820623968,3004230300437737550,262144 --variations-seed-version --mojo-platform-channel-handle=5512 /prefetch:8
1⤵
PID:4056

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --enable-dinosaur-easter-egg-alt-images --disable-gpu-compositing --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=29 --field-trial-handle=6380,i,6041070687820623968,3004230300437737550,262144 --variations-seed-version --mojo-platform-channel-handle=3868 /prefetch:1
1⤵
PID:3188

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --instant-process --enable-dinosaur-easter-egg-alt-images --disable-gpu-compositing --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=30 --field-trial-handle=6788,i,6041070687820623968,3004230300437737550,262144 --variations-seed-version --mojo-platform-channel-handle=6424 /prefetch:1
1⤵
PID:2172

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --enable-dinosaur-easter-egg-alt-images --disable-gpu-compositing --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=31 --field-trial-handle=5016,i,6041070687820623968,3004230300437737550,262144 --variations-seed-version --mojo-platform-channel-handle=6576 /prefetch:1
1⤵
PID:1972

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=edge_xpay_wallet.mojom.EdgeXPayWalletService --lang=en-US --service-sandbox-type=utility --field-trial-handle=6660,i,6041070687820623968,3004230300437737550,262144 --variations-seed-version --mojo-platform-channel-handle=6808 /prefetch:8
1⤵
PID:1580

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=audio.mojom.AudioService --lang=en-US --service-sandbox-type=audio --field-trial-handle=5816,i,6041070687820623968,3004230300437737550,262144 --variations-seed-version --mojo-platform-channel-handle=7092 /prefetch:8
1⤵
PID:3596

C:\Windows\system32\AUDIODG.EXE
C:\Windows\system32\AUDIODG.EXE 0x494 0x300
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:1008

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=edge_collections.mojom.CollectionsDataManager --lang=en-US --service-sandbox-type=collections --field-trial-handle=7352,i,6041070687820623968,3004230300437737550,262144 --variations-seed-version --mojo-platform-channel-handle=7432 /prefetch:8
1⤵
PID:4060

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --enable-dinosaur-easter-egg-alt-images --disable-gpu-compositing --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=35 --field-trial-handle=6888,i,6041070687820623968,3004230300437737550,262144 --variations-seed-version --mojo-platform-channel-handle=7480 /prefetch:1
1⤵
PID:2136

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --lang=en-US --service-sandbox-type=none --field-trial-handle=4548,i,6041070687820623968,3004230300437737550,262144 --variations-seed-version --mojo-platform-channel-handle=7768 /prefetch:8
1⤵
PID:2852

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --lang=en-US --service-sandbox-type=icon_reader --field-trial-handle=7852,i,6041070687820623968,3004230300437737550,262144 --variations-seed-version --mojo-platform-channel-handle=7816 /prefetch:8
1⤵
PID:1472

C:\Users\Admin\Downloads\Client-built.exe
"C:\Users\Admin\Downloads\Client-built.exe"
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:2808

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Web Service

1

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/2808-0-0x0000022BA18C0000-0x0000022BA18D8000-memory.dmp

Filesize
96KB

Download
memory/2808-1-0x00007FFD906D3000-0x00007FFD906D5000-memory.dmp

Filesize
8KB

Download
memory/2808-2-0x0000022BBBF40000-0x0000022BBC102000-memory.dmp

Filesize
1.8MB

Download
memory/2808-3-0x00007FFD906D0000-0x00007FFD91191000-memory.dmp

Filesize
10.8MB

Download
memory/2808-4-0x0000022BBD3C0000-0x0000022BBD8E8000-memory.dmp

Filesize
5.2MB

Download
memory/2808-5-0x00007FFD906D3000-0x00007FFD906D5000-memory.dmp

Filesize
8KB

Download
memory/2808-6-0x00007FFD906D0000-0x00007FFD91191000-memory.dmp

Filesize
10.8MB

Download

Analysis

Sharing