General

  • Target

    Discord rat.exe

  • Size

    79KB

  • Sample

    240630-wz2lqavgjl

  • MD5

    0e9a169454db4ae7a68279faeb8f0211

  • SHA1

    b092e1194a631e4d86b0228425ec3e02a9772851

  • SHA256

    dfcebfa87fe9fec6b2a2c3232e5df61644f38294c72ce70e501c2de658bb012f

  • SHA512

    9d69e67bcaed24cedc514589bb622473dabbe6962a29ea9436f487c22e9f461558d89a289bfe08b9728197dc7ee4b8d94b4796488a1b4429cf51c805ea7ce982

  • SSDEEP

    1536:GeycDpiiSoH8ovTpPFl+ktd2+6CHpHKcGiNPAeN+cvy1kml4KSYHbC/EuYDbbqi8:xycDpiiSoH8ovTpFl+ktd2+6CHpHKcGY

Malware Config

Extracted

  • Family

    discordrat

  • Attributes

    • discord_token

      MTI1Njk1OTk3MzkyMjA1MDA0OA.GV4pf2.KDy4ZWyHX62uy-6sW0ATodCuXPe8ZmbmDfPa0k

    • server_id

      1256666099580403734

Targets

    • Target

      Discord rat.exe

    • Discord RAT

      A RAT written in C# using Discord as a C2.

    • Suspicious use of NtCreateUserProcessOtherParentProcess

    • Command and Scripting Interpreter: PowerShell

      Runs PowerShell to modify Windows Defender settings, adding exclusions for file extensions, paths, and processes.

    • Downloads MZ/PE file

    • Modifies Windows Firewall

    • Adds Run key to start application

    • Legitimate hosting services abused for malware hosting/C2

    • Suspicious use of SetThreadContext

MITRE ATT&CK Matrix (ATT&CK v13)

  Tactic               | Technique / Sub-technique             | ID        | Count
  ---------------------|---------------------------------------|-----------|------
  Execution            | Command and Scripting Interpreter     | T1059     | 1
                       |   PowerShell                          | T1059.001 | 1
  Persistence          | Create or Modify System Process       | T1543     | 1
                       |   Windows Service                     | T1543.003 | 1
                       | Boot or Logon Autostart Execution     | T1547     | 1
                       |   Registry Run Keys / Startup Folder  | T1547.001 | 1
                       | Event Triggered Execution             | T1546     | 1
                       |   Netsh Helper DLL                    | T1546.007 | 1
  Privilege Escalation | Create or Modify System Process       | T1543     | 1
                       |   Windows Service                     | T1543.003 | 1
                       | Boot or Logon Autostart Execution     | T1547     | 1
                       |   Registry Run Keys / Startup Folder  | T1547.001 | 1
                       | Event Triggered Execution             | T1546     | 1
                       |   Netsh Helper DLL                    | T1546.007 | 1
  Defense Evasion      | Impair Defenses                       | T1562     | 1
                       |   Disable or Modify System Firewall   | T1562.004 | 1
                       | Modify Registry                       | T1112     | 1
  Command and Control  | Web Service                           | T1102     | 1

Tasks