discordrat | hxxps://cdn[.]discordapp[.]com/attachments/1255165018316476447/1255511838292971550/3CXLoader_[.]exe?ex=667d6604&is=667c1484&hm=3dfb0e5e516e2709cfc51305ca6edf7d1956e3bcbab56a2d64f29b61a1fd9037&

General

Target

https://cdn.discordapp.com/attachments/1255165018316476447/1255511838292971550/3CXLoader_.exe?ex=667d6604&is=667c1484&hm=3dfb0e5e516e2709cfc51305ca6edf7d1956e3bcbab56a2d64f29b61a1fd9037&

Score

10^/10

discordrat persistence rat rootkit stealer

Malware Config

Extracted

Family

discordrat

Attributes

discord_token
MTI1NTM0ODAzMTI3NzEwOTMyOA.GFA2V2.Xn7ioNW4QOiq2qIR5-q8URTs5_7FhbdVLeLF14
server_id
1255347532347736107

Signatures

Discord RAT
A RAT written in C# using Discord as a C2.
stealer rootkit rat persistence discordrat
Executes dropped EXE 4 IoCs

Processes:

3CXLoader.exe3CXLoader.exe3CXLoader.exe3CXLoader.exe

pid process

4300 3CXLoader.exe
5412 3CXLoader.exe
5488 3CXLoader.exe
3556 3CXLoader.exe
Legitimate hosting services abused for malware hosting/C2 1 TTPs 7 IoCs

Web Service
T1102

Processes:

flow ioc

105 discord.com
107 discord.com
108 discord.com
128 discord.com
130 discord.com
98 discord.com
99 discord.com

pid	process
4300	3CXLoader.exe
5412	3CXLoader.exe
5488	3CXLoader.exe
3556	3CXLoader.exe

flow	ioc
105	discord.com
107	discord.com
108	discord.com
128	discord.com
130	discord.com
98	discord.com
99	discord.com

Suspicious use of AdjustPrivilegeToken 4 IoCs

Processes:

3CXLoader.exe3CXLoader.exe3CXLoader.exe3CXLoader.exe

description	pid	process
Token: SeDebugPrivilege	4300	3CXLoader.exe
Token: SeDebugPrivilege	5412	3CXLoader.exe
Token: SeDebugPrivilege	5488	3CXLoader.exe
Token: SeDebugPrivilege	3556	3CXLoader.exe

Suspicious use of WriteProcessMemory 8 IoCs

Processes:

3CXLoader.exe3CXLoader.exe3CXLoader.exe3CXLoader.exe

description	pid	process	target process
PID 3988 wrote to memory of 4300	3988	3CXLoader.exe	3CXLoader.exe
PID 3988 wrote to memory of 4300	3988	3CXLoader.exe	3CXLoader.exe
PID 5180 wrote to memory of 5412	5180	3CXLoader.exe	3CXLoader.exe
PID 5180 wrote to memory of 5412	5180	3CXLoader.exe	3CXLoader.exe
PID 5200 wrote to memory of 5488	5200	3CXLoader.exe	3CXLoader.exe
PID 5200 wrote to memory of 5488	5200	3CXLoader.exe	3CXLoader.exe
PID 5372 wrote to memory of 3556	5372	3CXLoader.exe	3CXLoader.exe
PID 5372 wrote to memory of 3556	5372	3CXLoader.exe	3CXLoader.exe

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://cdn.discordapp.com/attachments/1255165018316476447/1255511838292971550/3CXLoader_.exe?ex=667d6604&is=667c1484&hm=3dfb0e5e516e2709cfc51305ca6edf7d1956e3bcbab56a2d64f29b61a1fd9037&
1⤵
PID:1484

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --enable-dinosaur-easter-egg-alt-images --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=16 --field-trial-handle=764,i,7869973516895866428,11647313872437892197,262144 --variations-seed-version --mojo-platform-channel-handle=5024 /prefetch:1
1⤵
PID:4948

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --enable-dinosaur-easter-egg-alt-images --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=15 --field-trial-handle=4308,i,7869973516895866428,11647313872437892197,262144 --variations-seed-version --mojo-platform-channel-handle=5040 /prefetch:1
1⤵
PID:4288

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --enable-dinosaur-easter-egg-alt-images --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=17 --field-trial-handle=5072,i,7869973516895866428,11647313872437892197,262144 --variations-seed-version --mojo-platform-channel-handle=5332 /prefetch:1
1⤵
PID:2192

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --field-trial-handle=5472,i,7869973516895866428,11647313872437892197,262144 --variations-seed-version --mojo-platform-channel-handle=5480 /prefetch:8
1⤵
PID:2132

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=entity_extraction_service.mojom.Extractor --lang=en-US --service-sandbox-type=entity_extraction --onnx-enabled-for-ee --field-trial-handle=5488,i,7869973516895866428,11647313872437892197,262144 --variations-seed-version --mojo-platform-channel-handle=5564 /prefetch:8
1⤵
PID:4724

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=edge_collections.mojom.CollectionsDataManager --lang=en-US --service-sandbox-type=collections --field-trial-handle=6308,i,7869973516895866428,11647313872437892197,262144 --variations-seed-version --mojo-platform-channel-handle=6220 /prefetch:8
1⤵
PID:2064

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --enable-dinosaur-easter-egg-alt-images --disable-gpu-compositing --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=21 --field-trial-handle=5108,i,7869973516895866428,11647313872437892197,262144 --variations-seed-version --mojo-platform-channel-handle=6428 /prefetch:1
1⤵
PID:4976

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --enable-dinosaur-easter-egg-alt-images --disable-gpu-compositing --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=22 --field-trial-handle=6300,i,7869973516895866428,11647313872437892197,262144 --variations-seed-version --mojo-platform-channel-handle=6744 /prefetch:1
1⤵
PID:2620

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --lang=en-US --service-sandbox-type=none --field-trial-handle=5024,i,7869973516895866428,11647313872437892197,262144 --variations-seed-version --mojo-platform-channel-handle=5032 /prefetch:8
1⤵
PID:4364

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --lang=en-US --service-sandbox-type=icon_reader --field-trial-handle=6976,i,7869973516895866428,11647313872437892197,262144 --variations-seed-version --mojo-platform-channel-handle=6984 /prefetch:8
1⤵
PID:3496

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --field-trial-handle=7128,i,7869973516895866428,11647313872437892197,262144 --variations-seed-version --mojo-platform-channel-handle=5032 /prefetch:8
1⤵
PID:1156

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=audio.mojom.AudioService --lang=en-US --service-sandbox-type=audio --field-trial-handle=6996,i,7869973516895866428,11647313872437892197,262144 --variations-seed-version --mojo-platform-channel-handle=7096 /prefetch:8
1⤵
PID:1036

C:\Windows\system32\AUDIODG.EXE
C:\Windows\system32\AUDIODG.EXE 0x4f0 0x320
1⤵
PID:2712

C:\Users\Admin\Downloads\3CXLoader.exe
"C:\Users\Admin\Downloads\3CXLoader.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:3988
- C:\Users\Admin\AppData\Local\Temp\RarSFX0\3CXLoader.exe
  "C:\Users\Admin\AppData\Local\Temp\RarSFX0\3CXLoader.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken
  PID:4300

C:\Users\Admin\Downloads\3CXLoader.exe
"C:\Users\Admin\Downloads\3CXLoader.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:5180
- C:\Users\Admin\AppData\Local\Temp\RarSFX1\3CXLoader.exe
  "C:\Users\Admin\AppData\Local\Temp\RarSFX1\3CXLoader.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken
  PID:5412

C:\Users\Admin\Downloads\3CXLoader.exe
"C:\Users\Admin\Downloads\3CXLoader.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:5200
- C:\Users\Admin\AppData\Local\Temp\RarSFX2\3CXLoader.exe
  "C:\Users\Admin\AppData\Local\Temp\RarSFX2\3CXLoader.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken
  PID:5488

C:\Program Files (x86)\Microsoft\Edge\Application\125.0.2535.92\identity_helper.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\125.0.2535.92\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --lang=en-US --service-sandbox-type=none --field-trial-handle=5320,i,7869973516895866428,11647313872437892197,262144 --variations-seed-version --mojo-platform-channel-handle=5392 /prefetch:8
1⤵
PID:5932

C:\Program Files (x86)\Microsoft\Edge\Application\125.0.2535.92\identity_helper.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\125.0.2535.92\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --lang=en-US --service-sandbox-type=none --field-trial-handle=5320,i,7869973516895866428,11647313872437892197,262144 --variations-seed-version --mojo-platform-channel-handle=5392 /prefetch:8
1⤵
PID:5948

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --enable-dinosaur-easter-egg-alt-images --disable-gpu-compositing --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=28 --field-trial-handle=6604,i,7869973516895866428,11647313872437892197,262144 --variations-seed-version --mojo-platform-channel-handle=6560 /prefetch:1
1⤵
PID:6036

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:1484

C:\Users\Admin\Downloads\3CXLoader.exe
"C:\Users\Admin\Downloads\3CXLoader.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:5372
- C:\Users\Admin\AppData\Local\Temp\RarSFX3\3CXLoader.exe
  "C:\Users\Admin\AppData\Local\Temp\RarSFX3\3CXLoader.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken
  PID:3556

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=edge_search_indexer.mojom.SearchIndexerInterfaceBroker --lang=en-US --service-sandbox-type=search_indexer --message-loop-type-ui --field-trial-handle=7172,i,7869973516895866428,11647313872437892197,262144 --variations-seed-version --mojo-platform-channel-handle=7308 /prefetch:8
1⤵
PID:5904

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Web Service

1

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\RarSFX0\3CXLoader.exe

Filesize
78KB

MD5
59c231f52b80f128a8f5ef1216980c82

SHA1
710bfdbca2cc26a856619808121e23160fae874f

SHA256
e8452a2ffae08315c802c2ac4de41ea328de6fed942890e0682d261e89391502

SHA512
93024af146d4586ada9410ba59f49811454fad40bf61349e99c5b4920449d5fcea3c70ba6a7df53b80464d61efcca708c22847f27f02be4ede4b97ce1678c5f1

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX2\3CX.jpg

Filesize
45KB

MD5
a966b0d8ea9adb1b32f8cda40dec4d32

SHA1
98d342253bbe84c20a03742e409e0c3909ae28dd

SHA256
e1e993f2026f740af27642e9b0529a8eee5614829fd89e9e715c0e4f5aeec680

SHA512
6878b1fba8f72e82ab6d3d6821eee7493a0c16c64f46505bf4069314d4550791b6f94e73f15737a95f8f04e4d07f020b6c7ec306b218f84ba6fded0bfb3074bd

Download Submit
memory/4300-14-0x000001C3E4760000-0x000001C3E4778000-memory.dmp

Filesize
96KB

Download
memory/4300-15-0x00007FFA2EF53000-0x00007FFA2EF55000-memory.dmp

Filesize
8KB

Download
memory/4300-16-0x000001C3FEDA0000-0x000001C3FEF62000-memory.dmp

Filesize
1.8MB

Download
memory/4300-17-0x00007FFA2EF50000-0x00007FFA2FA11000-memory.dmp

Filesize
10.8MB

Download
memory/4300-18-0x000001C380530000-0x000001C380A58000-memory.dmp

Filesize
5.2MB

Download
memory/4300-47-0x00007FFA2EF53000-0x00007FFA2EF55000-memory.dmp

Filesize
8KB

Download
memory/4300-48-0x00007FFA2EF50000-0x00007FFA2FA11000-memory.dmp

Filesize
10.8MB

Download

Resubmissions

Analysis

Sharing