discordrat | 1a44ce70ba73de7159f78b7775a588f97657e1c991bc98c1394d5c0075994ea9 | Triage

Sharing

General

Target

Client-built.zip
Size

78KB
Sample

240704-e3knyavbjj
MD5

5b13db9234e839e680ab62c81c702870
SHA1

c7d124b74f401b544d852c3abb7a79af37766ac8
SHA256

1a44ce70ba73de7159f78b7775a588f97657e1c991bc98c1394d5c0075994ea9
SHA512

e9dd4bc329c9466ba122238f1ceadf7a4b4fbaca6a638fd2b3eec9b93e9849541778c36ba944f1fedc0fc338bb2ed34fa9c643c0d38a2ea92c1c5e9b3f276072
SSDEEP

1536:9IWOBaZ84c6gEz5De2FzNDnghTAsKFbOZGdndxRKDIZ8Ud0DGMpbDNr1+uexCxo9:9IWOBaZ84c6gEz5De2FzNDnghTdWd7K8

Score

10^/10

discordrat evasion execution persistence privilege_escalation rat rootkit spyware stealer

Malware Config

Extracted

Family

discordrat

Attributes

discord_token
MTI1NjA3MjI4MTE3NjkzMjQwMg.GxD9m_.zzsnEGguqBxqJmCsGwZDpT0jW55Z5MKiEbx3N8
server_id
1256072040117698732

Targets

- Target
  
  Client-built.exe
- Size
  
  78KB
- MD5
  
  debff807992d6ab1c4d7ce874cbe5c76
- SHA1
  
  aa0994bb764049500dd24dc80016712b23fb604b
- SHA256
  
  73cffd144f64cb6db1760979226341a2672a1c423acad623665abc20f2b497fa
- SHA512
  
  2f620659102d4f1fd065cc857fe2ca25c0ba6f3fc3a9834581a3d9c3b4628191e8a18f08c502e42e4dee98e09efc755a5154e96059a6100446a89c66ebb2e5bb
- SSDEEP
  
  1536:WIWOBaZ84c6gEz5De2FzNDnghTAsKFbOZGdndxRKDIZ8Ud0DGMpbDNr1+uexCxoK:WIWOBaZ84c6gEz5De2FzNDnghTdWd7Kf
Score

10^/10

discordrat persistence rat rootkit stealer evasion execution privilege_escalation spyware
- Discord RAT
  A RAT written in C# using Discord as a C2.
  stealer rootkit rat persistence discordrat
- Suspicious use of NtCreateUserProcessOtherParentProcess
- Command and Scripting Interpreter: PowerShell
  Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.
  execution
- Disables Task Manager via registry modification
  evasion
- Downloads MZ/PE file
- Modifies Windows Firewall
  evasion
- Reads user/profile data of web browsers
  Infostealers often target stored browser data, which can include saved credentials etc.
  spyware stealer
- Legitimate hosting services abused for malware hosting/C2
- Drops file in System32 directory
- Suspicious use of SetThreadContext
behavioral1 behavioral2

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

PowerShell

Scheduled Task/Job

Scheduled Task

Persistence

Create or Modify System Process

Windows Service

Event Triggered Execution

Netsh Helper DLL

Scheduled Task/Job

Scheduled Task

Privilege Escalation

Create or Modify System Process

Windows Service

Event Triggered Execution

Netsh Helper DLL

Scheduled Task/Job

Scheduled Task

Defense Evasion

Impair Defenses

Disable or Modify System Firewall

Modify Registry

Credential Access

Unsecured Credentials

Credentials In Files

Discovery

Peripheral Device Discovery

Query Registry

System Information Discovery

Lateral Movement

Collection

Data from Local System

Command and Control

Web Service

Exfiltration

Impact

Tasks

static1

behavioral1

discordratpersistenceratrootkitstealer

behavioral2

discordratevasionexecutionpersistenceprivilege_escalationratrootkitspywarestealer