discordrat | efe5790a81067b8b95ad69af4968849c791b01a1a0f19f3d3020095f00888b6e

Analysis

max time kernel
91s
max time network
126s
platform
windows11-21h2_x64
resource
win11-20240611-en
resource tags

arch:x64arch:x86image:win11-20240611-enlocale:en-usos:windows11-21h2-x64system
submitted
01-07-2024 06:32

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

Terror.exe
Size

78KB
MD5

9f518ee6480156a921f6bd99c8378c62
SHA1

4c9abca52fc4ded0a3a0d472b080ddf65833f0f5
SHA256

efe5790a81067b8b95ad69af4968849c791b01a1a0f19f3d3020095f00888b6e
SHA512

652d15a5dbdcac35ab28747778512d5fb5e53768b58cdaa0eecf9f7beb392ee23700ab9f59c861455740363c9189555f5b02d5e0c2f9a4bf3c2fedb0642e7bca
SSDEEP

1536:52WjO8XeEXFh5P7v88wbjNrfxCXhRoKV6+V+SPIC:5Zv5PDwbjNrmAE+eIC

Score

10^/10

discordrat persistence rat rootkit stealer

Malware Config

Extracted

Family

discordrat

Attributes

discord_token
MTE3ODk2MTk2ODE2NjYwODk0Ng.GWdouc.4wVIpzQHPLktLaKdKYTuprn3lAPEaFf0XdTsNg
server_id
1256966724407001190

Signatures

Discord RAT
A RAT written in C# using Discord as a C2.
stealer rootkit rat persistence discordrat
Legitimate hosting services abused for malware hosting/C2 1 TTPs 3 IoCs

Web Service
T1102

Processes:

flow ioc

6 discord.com
3 discord.com
4 discord.com
Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes:

Terror.exe

description pid process

Token: SeDebugPrivilege 3684 Terror.exe

flow	ioc
6	discord.com
3	discord.com
4	discord.com

description	pid	process
Token: SeDebugPrivilege	3684	Terror.exe

C:\Users\Admin\AppData\Local\Temp\Terror.exe
"C:\Users\Admin\AppData\Local\Temp\Terror.exe"
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:3684

Network

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Lateral Movement

Collection

Exfiltration

Command and Control

Web Service

T1102

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

memory/3684-0-0x000001FE09F70000-0x000001FE09F88000-memory.dmp

Filesize
96KB

Download
memory/3684-1-0x00007FFD88A13000-0x00007FFD88A15000-memory.dmp

Filesize
8KB

Download
memory/3684-2-0x000001FE24610000-0x000001FE247D2000-memory.dmp

Filesize
1.8MB

Download
memory/3684-3-0x00007FFD88A10000-0x00007FFD894D2000-memory.dmp

Filesize
10.8MB

Download
memory/3684-4-0x000001FE25890000-0x000001FE25DB8000-memory.dmp

Filesize
5.2MB

Download
memory/3684-5-0x00007FFD88A10000-0x00007FFD894D2000-memory.dmp

Filesize
10.8MB

Download