General
- Target: Discord rat.exe
- Size: 79KB
- Sample: 240630-wz2lqavgjl
- MD5: 0e9a169454db4ae7a68279faeb8f0211
- SHA1: b092e1194a631e4d86b0228425ec3e02a9772851
- SHA256: dfcebfa87fe9fec6b2a2c3232e5df61644f38294c72ce70e501c2de658bb012f
- SHA512: 9d69e67bcaed24cedc514589bb622473dabbe6962a29ea9436f487c22e9f461558d89a289bfe08b9728197dc7ee4b8d94b4796488a1b4429cf51c805ea7ce982
- SSDEEP: 1536:GeycDpiiSoH8ovTpPFl+ktd2+6CHpHKcGiNPAeN+cvy1kml4KSYHbC/EuYDbbqi8:xycDpiiSoH8ovTpFl+ktd2+6CHpHKcGY
Behavioral task: behavioral1
- Sample: Discord rat.exe
- Resource: win10v2004-20240226-en
Malware Config
Extracted family: discordrat
- discord_token: MTI1Njk1OTk3MzkyMjA1MDA0OA.GV4pf2.KDy4ZWyHX62uy-6sW0ATodCuXPe8ZmbmDfPa0k
- server_id: 1256666099580403734
Targets
- Target: Discord rat.exe
Signatures
- Suspicious use of NtCreateUserProcessOtherParentProcess
- Command and Scripting Interpreter: PowerShell (runs PowerShell to modify Windows Defender settings, adding exclusions for file extensions, paths, and processes)
- Downloads MZ/PE file
- Modifies Windows Firewall
- Adds Run key to start application
- Legitimate hosting services abused for malware hosting/C2
- Suspicious use of SetThreadContext
MITRE ATT&CK Enterprise v15
Persistence
- Boot or Logon Autostart Execution (1): Registry Run Keys / Startup Folder (1)
- Create or Modify System Process (1): Windows Service (1)
- Event Triggered Execution (1): Netsh Helper DLL (1)
Privilege Escalation
- Boot or Logon Autostart Execution (1): Registry Run Keys / Startup Folder (1)
- Create or Modify System Process (1): Windows Service (1)
- Event Triggered Execution (1): Netsh Helper DLL (1)