Extracted

• • Target

    Discord rat.exe

  • Size

    79KB

  • MD5

    4a825505953f3f758e1da9bab73df39e

  • SHA1

    ee7226735ea2d358d8628e037f35d38fc799ef50

  • SHA256

    5436af4185d5c05d8ec07213f940cb8a3506fa9a0621b45ebf38583e37165977

  • SHA512

    43120fc749ee67d7b8371aa921ee9a7b3769cbc63db06c0dd5cadfa7a83aeeb51e3a54ac4e8c0738cc58b22bcef0d8c5198b753626955371823d11a54d0d12a9

  • SSDEEP

    1536:UeycDpiiSoH8ovTpPFl+ktd2+6CHpHKcGiNPAeN+cvy1kml4KSYHbC/EuYDbbqik:rycDpiiSoH8ovTpFl+ktd2+6CHpHKcGw

  Score

  10^/10

  discordratpersistenceratrootkitstealerevasionexecutionprivilege_escalationbootkit

  • Discord RAT

    A RAT written in C# using Discord as a C2.

    stealerrootkitratpersistencediscordrat

  • Suspicious use of NtCreateUserProcessOtherParentProcess

  • Command and Scripting Interpreter: PowerShell

    Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

    execution

  • Downloads MZ/PE file

  • Modifies Windows Firewall

    evasion

  • Sets service image path in registry

    persistence

  • Adds Run key to start application

    persistence

  • Enumerates connected drives

    Attempts to read the root path of hard drives other than the default C: drive.

  • Legitimate hosting services abused for malware hosting/C2

  • Writes to the Master Boot Record (MBR)

    Bootkits write to the MBR to gain persistence at a level below the operating system.

    bootkitpersistence

  • Drops file in System32 directory

  • Suspicious use of SetThreadContext

  behavioral1behavioral2behavioral3behavioral4