discordrat | 8c4f15ae33c75123ce9911b6787aaf3538949b79ef3eb6f3fd61243c0716cfd5

Analysis

max time kernel
125s
max time network
148s
platform
windows10-2004_x64
resource
win10v2004-20240704-en
resource tags

arch:x64arch:x86image:win10v2004-20240704-enlocale:en-usos:windows10-2004-x64system
submitted
05-07-2024 16:40

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

Client-built.exe
Size

78KB
MD5

9f0afb2a503c0a3c3e138384fa049265
SHA1

df97fd61eef13597044c36c7b3b7f16e81bfe1f2
SHA256

8c4f15ae33c75123ce9911b6787aaf3538949b79ef3eb6f3fd61243c0716cfd5
SHA512

a6e3ee37a85d153a2efe2d433e689f2b08f915eaf1733f15eb9538dd1bc020bd3171eb269bcc057ea365b6178f215bef751fed76e1e0b996164f5e5b3c9d4441
SSDEEP

1536:52WjO8XeEXFh5P7v88wbjNrfxCXhRoKV6+V+5PIC:5Zv5PDwbjNrmAE+JIC

Score

10^/10

discordrat persistence rat rootkit stealer

Malware Config

Extracted

Family

discordrat

Attributes

discord_token
MTI1NjIxMjY2MDMyMDYwMDEyNA.G7DQV9.NLy5ylC0k10-82FUBv6XeDCl21n_ORSWKo_Hy8
server_id
1256190460452405298

Signatures

Discord RAT
A RAT written in C# using Discord as a C2.
stealer rootkit rat persistence discordrat
Legitimate hosting services abused for malware hosting/C2 1 TTPs 3 IoCs

Web Service
T1102

Processes:

flow ioc

4 discord.com
5 discord.com
16 discord.com
Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes:

Client-built.exe

description pid process

Token: SeDebugPrivilege 1780 Client-built.exe

flow	ioc
4	discord.com
5	discord.com
16	discord.com

description	pid	process
Token: SeDebugPrivilege	1780	Client-built.exe

C:\Users\Admin\AppData\Local\Temp\Client-built.exe
"C:\Users\Admin\AppData\Local\Temp\Client-built.exe"
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:1780

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --field-trial-handle=4080,i,5019894817651309870,579021928995875068,262144 --variations-seed-version --mojo-platform-channel-handle=4108 /prefetch:8
1⤵
PID:856

Network

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Lateral Movement

Collection

Exfiltration

Command and Control

Web Service

T1102

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

memory/1780-0-0x00007FF85B7D3000-0x00007FF85B7D5000-memory.dmp

Filesize
8KB

Download
memory/1780-1-0x00000270BB270000-0x00000270BB288000-memory.dmp

Filesize
96KB

Download
memory/1780-2-0x00000270D58F0000-0x00000270D5AB2000-memory.dmp

Filesize
1.8MB

Download
memory/1780-3-0x00007FF85B7D0000-0x00007FF85C291000-memory.dmp

Filesize
10.8MB

Download
memory/1780-4-0x00000270D6130000-0x00000270D6658000-memory.dmp

Filesize
5.2MB

Download
memory/1780-5-0x00007FF85B7D3000-0x00007FF85B7D5000-memory.dmp

Filesize
8KB

Download
memory/1780-6-0x00007FF85B7D0000-0x00007FF85C291000-memory.dmp

Filesize
10.8MB

Download