discordrat | 74b6089379acff9803a37c3b5e8bc86c5877a319c4ced5a714ff9c9c63905188

General

Target

cdumper/compiler.exe
Size

78KB
MD5

cc0c0d53ea855321b892e9d69ce09d1f
SHA1

604de3c919a7768f107e15c12c816ed11ea0146f
SHA256

cd28a30e4e7970b5fe7e2d2ab0244a41ed3fed048904d671ce2db28de1a87529
SHA512

58a7a3e9b374296d8898929a9c1806beb501e45c232efd11db1449583e8227b4a0511fc724d07be030baa640aa285ed7648ed1a328a40e47989b0d7673a4d609
SSDEEP

1536:52WjO8XeEXFh5P7v88wbjNrfxCXhRoKV6+V+SPIC:5Zv5PDwbjNrmAE+eIC

Score

10^/10

discordrat persistence rat rootkit stealer

Malware Config

Extracted

Family

discordrat

Attributes

discord_token
MTI1MzY2NzkzMTcwMzc0MjQ3NA.Gw8dsn.LeG778rjIzDyfb3CK-K3udb1GPBgWlxFwh_VdU
server_id
1250682422434074634

Signatures

Discord RAT
A RAT written in C# using Discord as a C2.
stealer rootkit rat persistence discordrat
Legitimate hosting services abused for malware hosting/C2 1 TTPs 5 IoCs

Web Service
T1102

Processes:

flow ioc

23 discord.com
24 discord.com
8 discord.com
9 discord.com
18 discord.com

flow	ioc
23	discord.com
24	discord.com
8	discord.com
9	discord.com
18	discord.com

Checks processor information in registry 2 TTPs 10 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

firefox.exefirefox.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Signature	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Revision	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier	firefox.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	firefox.exe

Modifies registry class 1 IoCs

Processes:

firefox.exe

description ioc process

Key created \REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000_Classes\Local Settings firefox.exe
Suspicious use of AdjustPrivilegeToken 3 IoCs

Processes:

compiler.exefirefox.exe

description pid process

Token: SeDebugPrivilege 5024 compiler.exe
Token: SeDebugPrivilege 1396 firefox.exe
Token: SeDebugPrivilege 1396 firefox.exe
Suspicious use of FindShellTrayWindow 4 IoCs

Processes:

firefox.exe

pid process

1396 firefox.exe
1396 firefox.exe
1396 firefox.exe
1396 firefox.exe
Suspicious use of SendNotifyMessage 3 IoCs

Processes:

firefox.exe

pid process

1396 firefox.exe
1396 firefox.exe
1396 firefox.exe
Suspicious use of SetWindowsHookEx 1 IoCs

Processes:

firefox.exe

pid process

1396 firefox.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000_Classes\Local Settings	firefox.exe

description	pid	process
Token: SeDebugPrivilege	5024	compiler.exe
Token: SeDebugPrivilege	1396	firefox.exe
Token: SeDebugPrivilege	1396	firefox.exe

pid	process
1396	firefox.exe
1396	firefox.exe
1396	firefox.exe
1396	firefox.exe

pid	process
1396	firefox.exe
1396	firefox.exe
1396	firefox.exe

pid	process
1396	firefox.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

firefox.exefirefox.exe

description	pid	process	target process
PID 1796 wrote to memory of 1396	1796	firefox.exe	firefox.exe
PID 1796 wrote to memory of 1396	1796	firefox.exe	firefox.exe
PID 1796 wrote to memory of 1396	1796	firefox.exe	firefox.exe
PID 1796 wrote to memory of 1396	1796	firefox.exe	firefox.exe
PID 1796 wrote to memory of 1396	1796	firefox.exe	firefox.exe
PID 1796 wrote to memory of 1396	1796	firefox.exe	firefox.exe
PID 1796 wrote to memory of 1396	1796	firefox.exe	firefox.exe
PID 1796 wrote to memory of 1396	1796	firefox.exe	firefox.exe
PID 1796 wrote to memory of 1396	1796	firefox.exe	firefox.exe
PID 1796 wrote to memory of 1396	1796	firefox.exe	firefox.exe
PID 1796 wrote to memory of 1396	1796	firefox.exe	firefox.exe
PID 1396 wrote to memory of 1264	1396	firefox.exe	firefox.exe
PID 1396 wrote to memory of 1264	1396	firefox.exe	firefox.exe
PID 1396 wrote to memory of 1264	1396	firefox.exe	firefox.exe
PID 1396 wrote to memory of 1264	1396	firefox.exe	firefox.exe
PID 1396 wrote to memory of 1264	1396	firefox.exe	firefox.exe
PID 1396 wrote to memory of 1264	1396	firefox.exe	firefox.exe
PID 1396 wrote to memory of 1264	1396	firefox.exe	firefox.exe
PID 1396 wrote to memory of 1264	1396	firefox.exe	firefox.exe
PID 1396 wrote to memory of 1264	1396	firefox.exe	firefox.exe
PID 1396 wrote to memory of 1264	1396	firefox.exe	firefox.exe
PID 1396 wrote to memory of 1264	1396	firefox.exe	firefox.exe
PID 1396 wrote to memory of 1264	1396	firefox.exe	firefox.exe
PID 1396 wrote to memory of 1264	1396	firefox.exe	firefox.exe
PID 1396 wrote to memory of 1264	1396	firefox.exe	firefox.exe
PID 1396 wrote to memory of 1264	1396	firefox.exe	firefox.exe
PID 1396 wrote to memory of 1264	1396	firefox.exe	firefox.exe
PID 1396 wrote to memory of 1264	1396	firefox.exe	firefox.exe
PID 1396 wrote to memory of 1264	1396	firefox.exe	firefox.exe
PID 1396 wrote to memory of 1264	1396	firefox.exe	firefox.exe
PID 1396 wrote to memory of 1264	1396	firefox.exe	firefox.exe
PID 1396 wrote to memory of 1264	1396	firefox.exe	firefox.exe
PID 1396 wrote to memory of 1264	1396	firefox.exe	firefox.exe
PID 1396 wrote to memory of 1264	1396	firefox.exe	firefox.exe
PID 1396 wrote to memory of 1264	1396	firefox.exe	firefox.exe
PID 1396 wrote to memory of 1264	1396	firefox.exe	firefox.exe
PID 1396 wrote to memory of 1264	1396	firefox.exe	firefox.exe
PID 1396 wrote to memory of 1264	1396	firefox.exe	firefox.exe
PID 1396 wrote to memory of 1264	1396	firefox.exe	firefox.exe
PID 1396 wrote to memory of 1264	1396	firefox.exe	firefox.exe
PID 1396 wrote to memory of 1264	1396	firefox.exe	firefox.exe
PID 1396 wrote to memory of 1264	1396	firefox.exe	firefox.exe
PID 1396 wrote to memory of 1264	1396	firefox.exe	firefox.exe
PID 1396 wrote to memory of 1264	1396	firefox.exe	firefox.exe
PID 1396 wrote to memory of 1264	1396	firefox.exe	firefox.exe
PID 1396 wrote to memory of 1264	1396	firefox.exe	firefox.exe
PID 1396 wrote to memory of 1264	1396	firefox.exe	firefox.exe
PID 1396 wrote to memory of 1264	1396	firefox.exe	firefox.exe
PID 1396 wrote to memory of 1264	1396	firefox.exe	firefox.exe
PID 1396 wrote to memory of 1264	1396	firefox.exe	firefox.exe
PID 1396 wrote to memory of 1264	1396	firefox.exe	firefox.exe
PID 1396 wrote to memory of 1264	1396	firefox.exe	firefox.exe
PID 1396 wrote to memory of 1264	1396	firefox.exe	firefox.exe
PID 1396 wrote to memory of 1264	1396	firefox.exe	firefox.exe
PID 1396 wrote to memory of 1960	1396	firefox.exe	firefox.exe
PID 1396 wrote to memory of 1960	1396	firefox.exe	firefox.exe
PID 1396 wrote to memory of 1960	1396	firefox.exe	firefox.exe
PID 1396 wrote to memory of 1960	1396	firefox.exe	firefox.exe
PID 1396 wrote to memory of 1960	1396	firefox.exe	firefox.exe
PID 1396 wrote to memory of 1960	1396	firefox.exe	firefox.exe
PID 1396 wrote to memory of 1960	1396	firefox.exe	firefox.exe
PID 1396 wrote to memory of 1960	1396	firefox.exe	firefox.exe
PID 1396 wrote to memory of 1960	1396	firefox.exe	firefox.exe
PID 1396 wrote to memory of 1960	1396	firefox.exe	firefox.exe

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\cdumper\compiler.exe
"C:\Users\Admin\AppData\Local\Temp\cdumper\compiler.exe"
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:5024

C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:1796

C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe"
2⤵
- Checks processor information in registry
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1396

C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="1396.0.1972049484\1816877333" -parentBuildID 20230214051806 -prefsHandle 1788 -prefMapHandle 1780 -prefsLen 22244 -prefMapSize 235121 -appDir "C:\Program Files\Mozilla Firefox\browser" - {5fb9b10c-0b74-4f36-88d5-a3378b5eea74} 1396 "\\.\pipe\gecko-crash-server-pipe.1396" 1868 249709e7a58 gpu
3⤵
PID:1264

C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="1396.1.1205095530\45787735" -parentBuildID 20230214051806 -prefsHandle 2408 -prefMapHandle 2396 -prefsLen 22280 -prefMapSize 235121 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {646e6e6f-f82a-4102-9bf2-d1393836abfd} 1396 "\\.\pipe\gecko-crash-server-pipe.1396" 2436 24964c89358 socket
3⤵
- Checks processor information in registry
PID:1960

C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="1396.2.724354009\563627700" -childID 1 -isForBrowser -prefsHandle 2976 -prefMapHandle 2972 -prefsLen 22318 -prefMapSize 235121 -jsInitHandle 1316 -jsInitLen 246560 -a11yResourceId 64 -parentBuildID 20230214051806 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {f80dd55f-4a7d-4ff6-9a3f-a520aac2ed2e} 1396 "\\.\pipe\gecko-crash-server-pipe.1396" 2988 249746edd58 tab
3⤵
PID:3804

C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="1396.3.1410662834\155034935" -childID 2 -isForBrowser -prefsHandle 3692 -prefMapHandle 2836 -prefsLen 27692 -prefMapSize 235121 -jsInitHandle 1316 -jsInitLen 246560 -a11yResourceId 64 -parentBuildID 20230214051806 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {98d9b37d-9d63-46af-be6f-d3121ef18378} 1396 "\\.\pipe\gecko-crash-server-pipe.1396" 3704 249764d2458 tab
3⤵
PID:1632

C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="1396.4.1450551812\1616609593" -childID 3 -isForBrowser -prefsHandle 5092 -prefMapHandle 5088 -prefsLen 27616 -prefMapSize 235121 -jsInitHandle 1316 -jsInitLen 246560 -a11yResourceId 64 -parentBuildID 20230214051806 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {7c9dc821-11bc-4e81-8714-5baf4d708d09} 1396 "\\.\pipe\gecko-crash-server-pipe.1396" 5124 249786efc58 tab
3⤵
PID:3136

C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="1396.5.992737942\1310033322" -childID 4 -isForBrowser -prefsHandle 5284 -prefMapHandle 5292 -prefsLen 27616 -prefMapSize 235121 -jsInitHandle 1316 -jsInitLen 246560 -a11yResourceId 64 -parentBuildID 20230214051806 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {f8977024-aa79-461a-ae21-8d8aa61056cb} 1396 "\\.\pipe\gecko-crash-server-pipe.1396" 5276 249786ede58 tab
3⤵
PID:3848

C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="1396.6.1715838597\623193095" -childID 5 -isForBrowser -prefsHandle 5544 -prefMapHandle 5540 -prefsLen 27616 -prefMapSize 235121 -jsInitHandle 1316 -jsInitLen 246560 -a11yResourceId 64 -parentBuildID 20230214051806 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {0d9b307c-2fc7-415e-b429-a17949ecea98} 1396 "\\.\pipe\gecko-crash-server-pipe.1396" 5460 249786ed858 tab
3⤵
PID:4612

C:\Windows\system32\notepad.exe
"C:\Windows\system32\notepad.exe"
1⤵
PID:1976

Network

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

2

T1012

System Information Discovery

1

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Web Service

1

T1102

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\afevplna.default-release\activity-stream.discovery_stream.json.tmp
Filesize
27KB

MD5
296c1b0dfc66f9685cb4e3e21552c40e

SHA1
cc1d6a72603f937ea4e78e94f150e8e45d47309a

SHA256
33864b42fc0a63432a6fc014fceb628a353c4ffe8f18576b5544503ec9edd397

SHA512
584f85219f7b8001b4c569762278285aedc6ad9a243d4e6fcde62693dafaca584dd431d382e0c06581e8e2d5b17abb0b898f7185305db7006d747c972e22ece0

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\afevplna.default-release\prefs.js
Filesize
6KB

MD5
6e99ed372bfb7480364b84c7942ca7e6

SHA1
0b440b19904a36523b0abe200d3d817bb70f631c

SHA256
7f6fa19930900ecc80c0edc4cf0da4afad8245915de187ffc5233ee33e6ae4c0

SHA512
d369055c6d4e4a14dbe559d3d8270c2d91b1e1fc0f3bb5dbfebb9885a0cc9c3c8c6991f6284e0d2f1e39cd17054398a7e8f9f368164fb84577da1bfa8d103eab

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\afevplna.default-release\prefs.js
Filesize
6KB

MD5
0afee1f4786fc408d1210191fbdec628

SHA1
55f0c6946206e137ddf4a5c236f88309aa91837e

SHA256
88789bd4c964a9cd51c508282910cf8585cf76ab9503e724351ec11644a6039a

SHA512
acba7cdf1cd2dfe93768625dd19a53e421e782bef8134ed5606a5a9bb50f9196df7f783754a0c229ae303a79ad23f51664f9e7920af441eb45863605cc779e26

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\afevplna.default-release\sessionstore.jsonlz4
Filesize
901B

MD5
8269c6087ab2af10508019dadca4b177

SHA1
98b08ac1070da11a4547597ecb6a21aeb6f5ecf0

SHA256
0eae41324d11bb512b0ea4dc2f22d79a6de16070d077deb4028868f757e3ae1f

SHA512
7f674d5a8d159ac312df1d84af25a30ceec32fa808bb0ae288c38adffb20841496eba61fd2f3cd931f7e4400070535149fa476019d63c9ded422a848c9eaec3f

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\afevplna.default-release\storage\permanent\chrome\idb\3870112724rsegmnoittet-es.sqlite
Filesize
192KB

MD5
ac00157ac293d8bed87680352dbf820a

SHA1
d0ca3dd3bac5cf7a75c1ff883e6bd0a4783f5995

SHA256
4d5eb90affec601acaf76e6209efd8ddb4cae39bf7461048387d5ebdf53d3c5c

SHA512
331782195fd488207b36bce4329126aeda3cda8d1f483474da65eccad0a3128e629f8ab38906c4087b6554cc3276c0ddc9f42cd4b2a50cefaf9f07f84f50d5ec

Download Submit
memory/5024-0-0x00007FFBF0D83000-0x00007FFBF0D85000-memory.dmp

Filesize
8KB

Download
memory/5024-1-0x000001D3352A0000-0x000001D3352B8000-memory.dmp

Filesize
96KB

Download
memory/5024-2-0x000001D34F8A0000-0x000001D34FA62000-memory.dmp

Filesize
1.8MB

Download
memory/5024-3-0x000001D336E90000-0x000001D336EA0000-memory.dmp

Filesize
64KB

Download
memory/5024-4-0x000001D3500A0000-0x000001D3505C8000-memory.dmp

Filesize
5.2MB

Download
memory/5024-5-0x00007FFBF0D83000-0x00007FFBF0D85000-memory.dmp

Filesize
8KB

Download
memory/5024-6-0x000001D336E90000-0x000001D336EA0000-memory.dmp

Filesize
64KB

Download

Analysis

Sharing