discordrat | ba6cef0aab977a4f4fc7e91d257205cc99634002b5f4f2a7ad7fcd41a9ec52f9

Analysis

max time kernel
138s
max time network
149s
platform
windows10-2004_x64
resource
win10v2004-20240611-en
resource tags

arch:x64arch:x86image:win10v2004-20240611-enlocale:en-usos:windows10-2004-x64system
submitted
29-06-2024 15:52

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

backdoor.exe
Size

78KB
MD5

e171e60b87329f0d0b505fac4ed4a4b7
SHA1

235df53c9dd99f010d110e94bc8de5a868a208f0
SHA256

cf194b811a46dbd3fd51b4ab88ff7659ef3a13b603e5c244c2cbdc994f80457c
SHA512

c32c1d43318117bb3aff56f1b3d3f9f0d804f621439b386470de25566a09adbc99d8cf3e73e32517317fdfeb4a5b0c961060b4409ae97b42bdf7b9a4b1febd18
SSDEEP

1536:52WjO8XeEXFh5P7v88wbjNrfxCXhRoKV6+V+lPIC:5Zv5PDwbjNrmAE+1IC

Score

10^/10

discordrat persistence rat rootkit stealer

Malware Config

Extracted

Family

discordrat

Attributes

discord_token
MTIzNTY0ODQ4NjI5MzM3Mjk0OA.GawiEy.JlM1vJUWlJwIzz8HRFWqauqv72ly3Fb8B_Rxtc
server_id
1235649426538758245

Signatures

Discord RAT
A RAT written in C# using Discord as a C2.
stealer rootkit rat persistence discordrat
Legitimate hosting services abused for malware hosting/C2 1 TTPs 6 IoCs

Web Service
T1102

Processes:

flow ioc

79 discord.com
6 discord.com
7 discord.com
24 discord.com
55 discord.com
56 discord.com
Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes:

backdoor.exe

description pid process

Token: SeDebugPrivilege 2036 backdoor.exe

flow	ioc
79	discord.com
6	discord.com
7	discord.com
24	discord.com
55	discord.com
56	discord.com

description	pid	process
Token: SeDebugPrivilege	2036	backdoor.exe

C:\Users\Admin\AppData\Local\Temp\backdoor.exe
"C:\Users\Admin\AppData\Local\Temp\backdoor.exe"
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:2036

Network

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Lateral Movement

Collection

Exfiltration

Command and Control

Web Service

T1102

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

memory/2036-1-0x00007FFD795D3000-0x00007FFD795D5000-memory.dmp

Filesize
8KB

Download
memory/2036-0-0x00000225470B0000-0x00000225470C8000-memory.dmp

Filesize
96KB

Download
memory/2036-2-0x00000225617A0000-0x0000022561962000-memory.dmp

Filesize
1.8MB

Download
memory/2036-3-0x00007FFD795D0000-0x00007FFD7A091000-memory.dmp

Filesize
10.8MB

Download
memory/2036-4-0x0000022561FA0000-0x00000225624C8000-memory.dmp

Filesize
5.2MB

Download
memory/2036-5-0x00007FFD795D3000-0x00007FFD795D5000-memory.dmp

Filesize
8KB

Download
memory/2036-6-0x00007FFD795D0000-0x00007FFD7A091000-memory.dmp

Filesize
10.8MB

Download