discordrat | 57eed574304d4cfbcc88500b5182c4860d41d304981fb4998ed86d07988a2ca0

General

Target

Easy Installer.exe
Size

78KB
MD5

47eea4e5c2e7a5c324bdbe8dbd92f767
SHA1

0ef6fc9907bfde40c891ac4fb2b6edb7a1309666
SHA256

57eed574304d4cfbcc88500b5182c4860d41d304981fb4998ed86d07988a2ca0
SHA512

28b656ca6eb05da8485851812ab9e4ccc88f2fca2c7824584ffcee3387cc521fc5bf41251c76db45a9a2228ec0d63da9d194bd7af515610d0df54e28c77128df
SSDEEP

1536:52WjO8XeEXFh5P7v88wbjNrfxCXhRoKV6+V+SLPIC:5Zv5PDwbjNrmAE+CIC

Score

10^/10

discordrat persistence rat rootkit stealer

Malware Config

Extracted

Family

discordrat

Attributes

discord_token
MTI1Njg3NTU2Mjg4MzA4ODQ2NQ.Gfaomm.Q8t_H-8TPNfmYeYs7TNEUk7uofM9ZANkiepzfY
server_id
1256875331898577006

Signatures

Discord RAT
A RAT written in C# using Discord as a C2.
stealer rootkit rat persistence discordrat

Checks SCSI registry key(s) 3 TTPs 3 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Processes:

taskmgr.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000	taskmgr.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	taskmgr.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName	taskmgr.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

taskmgr.exe

pid	process
3936	taskmgr.exe
3936	taskmgr.exe
3936	taskmgr.exe
3936	taskmgr.exe
3936	taskmgr.exe
3936	taskmgr.exe
3936	taskmgr.exe
3936	taskmgr.exe
3936	taskmgr.exe
3936	taskmgr.exe
3936	taskmgr.exe
3936	taskmgr.exe
3936	taskmgr.exe
3936	taskmgr.exe
3936	taskmgr.exe
3936	taskmgr.exe
3936	taskmgr.exe
3936	taskmgr.exe
3936	taskmgr.exe
3936	taskmgr.exe
3936	taskmgr.exe
3936	taskmgr.exe
3936	taskmgr.exe
3936	taskmgr.exe
3936	taskmgr.exe
3936	taskmgr.exe
3936	taskmgr.exe
3936	taskmgr.exe
3936	taskmgr.exe
3936	taskmgr.exe
3936	taskmgr.exe
3936	taskmgr.exe
3936	taskmgr.exe
3936	taskmgr.exe
3936	taskmgr.exe
3936	taskmgr.exe
3936	taskmgr.exe
3936	taskmgr.exe
3936	taskmgr.exe
3936	taskmgr.exe
3936	taskmgr.exe
3936	taskmgr.exe
3936	taskmgr.exe
3936	taskmgr.exe
3936	taskmgr.exe
3936	taskmgr.exe
3936	taskmgr.exe
3936	taskmgr.exe
3936	taskmgr.exe
3936	taskmgr.exe
3936	taskmgr.exe
3936	taskmgr.exe
3936	taskmgr.exe
3936	taskmgr.exe
3936	taskmgr.exe
3936	taskmgr.exe
3936	taskmgr.exe
3936	taskmgr.exe
3936	taskmgr.exe
3936	taskmgr.exe
3936	taskmgr.exe
3936	taskmgr.exe
3936	taskmgr.exe
3936	taskmgr.exe

Suspicious use of AdjustPrivilegeToken 6 IoCs

Processes:

Easy Installer.exetaskmgr.exe

description	pid	process
Token: SeDebugPrivilege	3376	Easy Installer.exe
Token: SeDebugPrivilege	3936	taskmgr.exe
Token: SeSystemProfilePrivilege	3936	taskmgr.exe
Token: SeCreateGlobalPrivilege	3936	taskmgr.exe
Token: 33	3936	taskmgr.exe
Token: SeIncBasePriorityPrivilege	3936	taskmgr.exe

Suspicious use of FindShellTrayWindow 64 IoCs

Processes:

taskmgr.exe

pid	process
3936	taskmgr.exe
3936	taskmgr.exe
3936	taskmgr.exe
3936	taskmgr.exe
3936	taskmgr.exe
3936	taskmgr.exe
3936	taskmgr.exe
3936	taskmgr.exe
3936	taskmgr.exe
3936	taskmgr.exe
3936	taskmgr.exe
3936	taskmgr.exe
3936	taskmgr.exe
3936	taskmgr.exe
3936	taskmgr.exe
3936	taskmgr.exe
3936	taskmgr.exe
3936	taskmgr.exe
3936	taskmgr.exe
3936	taskmgr.exe
3936	taskmgr.exe
3936	taskmgr.exe
3936	taskmgr.exe
3936	taskmgr.exe
3936	taskmgr.exe
3936	taskmgr.exe
3936	taskmgr.exe
3936	taskmgr.exe
3936	taskmgr.exe
3936	taskmgr.exe
3936	taskmgr.exe
3936	taskmgr.exe
3936	taskmgr.exe
3936	taskmgr.exe
3936	taskmgr.exe
3936	taskmgr.exe
3936	taskmgr.exe
3936	taskmgr.exe
3936	taskmgr.exe
3936	taskmgr.exe
3936	taskmgr.exe
3936	taskmgr.exe
3936	taskmgr.exe
3936	taskmgr.exe
3936	taskmgr.exe
3936	taskmgr.exe
3936	taskmgr.exe
3936	taskmgr.exe
3936	taskmgr.exe
3936	taskmgr.exe
3936	taskmgr.exe
3936	taskmgr.exe
3936	taskmgr.exe
3936	taskmgr.exe
3936	taskmgr.exe
3936	taskmgr.exe
3936	taskmgr.exe
3936	taskmgr.exe
3936	taskmgr.exe
3936	taskmgr.exe
3936	taskmgr.exe
3936	taskmgr.exe
3936	taskmgr.exe
3936	taskmgr.exe

Suspicious use of SendNotifyMessage 64 IoCs

Processes:

taskmgr.exe

pid	process
3936	taskmgr.exe
3936	taskmgr.exe
3936	taskmgr.exe
3936	taskmgr.exe
3936	taskmgr.exe
3936	taskmgr.exe
3936	taskmgr.exe
3936	taskmgr.exe
3936	taskmgr.exe
3936	taskmgr.exe
3936	taskmgr.exe
3936	taskmgr.exe
3936	taskmgr.exe
3936	taskmgr.exe
3936	taskmgr.exe
3936	taskmgr.exe
3936	taskmgr.exe
3936	taskmgr.exe
3936	taskmgr.exe
3936	taskmgr.exe
3936	taskmgr.exe
3936	taskmgr.exe
3936	taskmgr.exe
3936	taskmgr.exe
3936	taskmgr.exe
3936	taskmgr.exe
3936	taskmgr.exe
3936	taskmgr.exe
3936	taskmgr.exe
3936	taskmgr.exe
3936	taskmgr.exe
3936	taskmgr.exe
3936	taskmgr.exe
3936	taskmgr.exe
3936	taskmgr.exe
3936	taskmgr.exe
3936	taskmgr.exe
3936	taskmgr.exe
3936	taskmgr.exe
3936	taskmgr.exe
3936	taskmgr.exe
3936	taskmgr.exe
3936	taskmgr.exe
3936	taskmgr.exe
3936	taskmgr.exe
3936	taskmgr.exe
3936	taskmgr.exe
3936	taskmgr.exe
3936	taskmgr.exe
3936	taskmgr.exe
3936	taskmgr.exe
3936	taskmgr.exe
3936	taskmgr.exe
3936	taskmgr.exe
3936	taskmgr.exe
3936	taskmgr.exe
3936	taskmgr.exe
3936	taskmgr.exe
3936	taskmgr.exe
3936	taskmgr.exe
3936	taskmgr.exe
3936	taskmgr.exe
3936	taskmgr.exe
3936	taskmgr.exe

C:\Users\Admin\AppData\Local\Temp\Easy Installer.exe
"C:\Users\Admin\AppData\Local\Temp\Easy Installer.exe"
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:3376

C:\Windows\system32\taskmgr.exe
"C:\Windows\system32\taskmgr.exe" /7
1⤵
- Checks SCSI registry key(s)
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:3936

Network

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

1

T1012

Peripheral Device Discovery

1

T1120

System Information Discovery

1

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

memory/3376-1-0x000002759FA20000-0x000002759FA38000-memory.dmp

Filesize
96KB

Download
memory/3376-0-0x00007FFC51413000-0x00007FFC51415000-memory.dmp

Filesize
8KB

Download
memory/3376-2-0x00000275BA140000-0x00000275BA302000-memory.dmp

Filesize
1.8MB

Download
memory/3376-3-0x00007FFC51410000-0x00007FFC51ED1000-memory.dmp

Filesize
10.8MB

Download
memory/3376-4-0x00000275BA940000-0x00000275BAE68000-memory.dmp

Filesize
5.2MB

Download
memory/3376-18-0x00007FFC51410000-0x00007FFC51ED1000-memory.dmp

Filesize
10.8MB

Download
memory/3936-17-0x000001CC35710000-0x000001CC35711000-memory.dmp

Filesize
4KB

Download
memory/3936-6-0x000001CC35710000-0x000001CC35711000-memory.dmp

Filesize
4KB

Download
memory/3936-7-0x000001CC35710000-0x000001CC35711000-memory.dmp

Filesize
4KB

Download
memory/3936-16-0x000001CC35710000-0x000001CC35711000-memory.dmp

Filesize
4KB

Download
memory/3936-15-0x000001CC35710000-0x000001CC35711000-memory.dmp

Filesize
4KB

Download
memory/3936-14-0x000001CC35710000-0x000001CC35711000-memory.dmp

Filesize
4KB

Download
memory/3936-13-0x000001CC35710000-0x000001CC35711000-memory.dmp

Filesize
4KB

Download
memory/3936-12-0x000001CC35710000-0x000001CC35711000-memory.dmp

Filesize
4KB

Download
memory/3936-11-0x000001CC35710000-0x000001CC35711000-memory.dmp

Filesize
4KB

Download
memory/3936-5-0x000001CC35710000-0x000001CC35711000-memory.dmp

Filesize
4KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v13

Replay Monitor

Loading Replay Monitor...

Downloads