discordrat | c6e3f79e8aaebefaa7904f80ca4b8bfc5855c1271c7641386f6b64dfb05b7edc

Analysis

max time kernel
196s
max time network
201s
platform
windows11-21h2_x64
resource
win11-20240704-en
resource tags

arch:x64arch:x86image:win11-20240704-enlocale:en-usos:windows11-21h2-x64system
submitted
08-07-2024 00:46

Sharing

Copy URL

Twitter E-mail

Reason

Machine shutdown

Report Analysis Logs

General

Target

Hackertool.exe
Size

78KB
MD5

7e2b58c12f20e20e5b989152f7bcf2c6
SHA1

afbd2ec83157c6465c042bc7292085e8eb5fc6e4
SHA256

c6e3f79e8aaebefaa7904f80ca4b8bfc5855c1271c7641386f6b64dfb05b7edc
SHA512

019823d8b5e7fb11c866af92e117f453feb6deb0e81d4ee644ba474d20d5b37eddfced41e4a993be1e836e302598ef6c7787f826d99ebff1f9d76e1f631f5fb5
SSDEEP

1536:52WjO8XeEXFh5P7v88wbjNrfxCXhRoKV6+V+UPIC:5Zv5PDwbjNrmAE+IIC

Score

10^/10

discordrat persistence ransomware rat rootkit stealer

Malware Config

Extracted

Family

discordrat

Attributes

discord_token
MTI1Nzk1NzI4ODU0MzUyMjk0OA.GP2sBR.AIv9_MC9xE50IAJKesBJhvHufgXXZzU9lUzGu8
server_id
1257954812113190942

Signatures

Discord RAT
A RAT written in C# using Discord as a C2.
stealer rootkit rat persistence discordrat
Legitimate hosting services abused for malware hosting/C2 1 TTPs 8 IoCs

Web Service
T1102

Processes:

flow ioc

7 discord.com
8 discord.com
9 discord.com
11 discord.com
15 discord.com
1 discord.com
3 discord.com
5 discord.com

flow	ioc
7	discord.com
8	discord.com
9	discord.com
11	discord.com
15	discord.com
1	discord.com
3	discord.com
5	discord.com

Sets desktop wallpaper using registry 2 TTPs 2 IoCs

ransomware

Defacement

T1491

Modify Registry

T1112

Processes:

Hackertool.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-3637012076-1497690007-2831451688-1000\Control Panel\Desktop\Wallpaper = "C:\\Users\\Admin\\AppData\\Local\\Temp\\tmpA53F.tmp.png"	Hackertool.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3637012076-1497690007-2831451688-1000\Control Panel\Desktop\Wallpaper = "C:\\Users\\Admin\\AppData\\Local\\Temp\\tmpFE2D.tmp.png"	Hackertool.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

Processes:

Hackertool.exe

description pid process

Token: SeDebugPrivilege 2804 Hackertool.exe
Token: SeShutdownPrivilege 2804 Hackertool.exe

description	pid	process
Token: SeDebugPrivilege	2804	Hackertool.exe
Token: SeShutdownPrivilege	2804	Hackertool.exe

C:\Users\Admin\AppData\Local\Temp\Hackertool.exe
"C:\Users\Admin\AppData\Local\Temp\Hackertool.exe"
1⤵
- Sets desktop wallpaper using registry
- Suspicious use of AdjustPrivilegeToken
PID:2804

Network

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Exfiltration

Command and Control

Web Service

T1102

Impact

Defacement

T1491

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\Desktop\CompleteMount.mov
Filesize
145KB

MD5
4038a355bad3246f8cb1393189c69382

SHA1
a13bcb773a252a7ed279381618cb76e61f5c5e50

SHA256
b01c06cc5dd6f1489107c0c0009b765ece3dd8665cbb67625efab64fe6f2a4ad

SHA512
9e0c76fca928fffa94af6755e4ebd5d512442ea6f6da31d26452933f6f0cf1f57a672d65fa5eb10c40ca89bd23d5d30ad283a5c2a5383eb040e68019b41addb7

Download Submit
C:\Users\Admin\Desktop\ConfirmUse.xlsx
Filesize
11KB

MD5
225289418b89a81cff695038badb817c

SHA1
db9a43b378a63614a54c9d1049c27ff6adafb2ba

SHA256
5e1ceaf85c8b50ca2aaeeb8ead4e0963cf262abc5b2010079de36cde31dabf9e

SHA512
2bb41883317d7e62e4c715be79bcdcd87f4d44c2af00ecd0f55a0ddb6e5eff55d3192548fc74cc2344fb2f611161b096daa0c8a0edf73aaa4a44a9968a9786fe

Download Submit
C:\Users\Admin\Desktop\ConvertLimit.cmd
Filesize
296KB

MD5
15d91ea418813346caa1244387b04ddf

SHA1
ba79b45340334eaa44733aaa9067f754bbb5eeb2

SHA256
9daea03e390cd38abbb83eaaf8fee87ef078c1b56c310a40b32f8cfed3d8eb6a

SHA512
e028b746ceb382a5248cd4e4c5f78b57677931013407e00299459371e3a040a0c137b2380087d773230721475286cd342a7f735fce7764babd51e0bc1e77e32d

Download Submit
C:\Users\Admin\Desktop\DisableRestart.dotx
Filesize
226KB

MD5
9493be572ecb7f68244bdd076654f1e5

SHA1
3a8ab4d5dcb90fbea0911103c098dcf028a1030c

SHA256
990915d751473ea4da459f7fdf23c6d16f42ff51081f32594690a6528a9b5ab6

SHA512
166d9ae9768dd896f80f301a0a7631a01fe342927777d9170c71fd2baf092558b4daa652d5f1e05ad97dedad83ba4295a4122829558a5b3848ca2a9635374b32

Download Submit
C:\Users\Admin\Desktop\DisableSave.xlsx
Filesize
12KB

MD5
2f9e6d8a74ce3ebf7d0a9028c31954b9

SHA1
a5e6196b3d9ec2b083cbd64dca672287cd4f0d51

SHA256
73f55fefdd68d226759551d6421278d41f0a847cf233485e1a5a920b5f5397bc

SHA512
6ff666227e19d7f53ab486ffb66d798a3678e0a77b960e609f5feeee2ae2115c871dfefdd9553f746fdd2b574fafbec1db7ba6deafffe5de7d2ad8a8767a02a2

Download Submit
C:\Users\Admin\Desktop\DisableWatch.MTS
Filesize
365KB

MD5
9274fcdd0cdf080e829019b3250b9523

SHA1
2dec82b3de2b03eef6f236b9f1037db285e4cce1

SHA256
67b606c71880ab798dffa243ac67eca5571798542a40433f3df3f93ace28433a

SHA512
161a07fb9ee80807937eced350d26b8689883355e01ece4b67693dc3a084f529435372a211ce9005a8df05ac3629ea9fb4bd3ef1c558e06d88aa8cd6de039bbd

Download Submit
C:\Users\Admin\Desktop\DisconnectSelect.xlsx
Filesize
15KB

MD5
11f14cdf8e0217acf36da51cf7096ded

SHA1
2e506025d047ab1abfed0c41f77d3eab6cdadaa9

SHA256
0e337569fb64342c0a07bc565c0b48a21a39b80ba7a06011aa7aa3a927578afa

SHA512
2231b54b331430d4fffb97b39f4fb9e281341bcc1ebb2305962928a8ac57f107a6b8b1b1243c1885a2af1a8ba5f453ace3d8115e33f55d3fc569e6921ea6833a

Download Submit
C:\Users\Admin\Desktop\FormatCompress.mpa
Filesize
354KB

MD5
499e789df0e343b546a187bf091db2d3

SHA1
671bfe90faa287b33a8875d712e448724ccbc622

SHA256
142da30aaa912d40a1d0a40e53852dd509571473d241fe692aa15bb0b1bfc3ca

SHA512
90e1dc418debb4e2e11c236ea52975925566bdba381fc17e483ce31322adc9fc3b823bab69409482390f955779762a960f0b813d229fc2089c9046424d5ff8f9

Download Submit
C:\Users\Admin\Desktop\GroupInvoke.vb
Filesize
249KB

MD5
43b39062a73e0cf609d8a3275f3363bc

SHA1
33daa2c30374a1596b659665a27a95910982926d

SHA256
6e980c7929ce9cc65f693be791692340cd5dd28badffa2d7d93ff07c590e8296

SHA512
6fd9604fc4fbbdacd01f17bd979aeeba476f40336255f19dc396d7fb6d02b6285657e9d7cbceb0407a6f98b307f4a2bb7e4f335649172b1c09badf043590fa57

Download Submit
C:\Users\Admin\Desktop\HideAdd.wdp
Filesize
331KB

MD5
71d80cb873690bcff4cb7f52537ae9d8

SHA1
44a25b28072879e9d0f547f591065dc6e843293b

SHA256
55e1d3edfa9e5d636ec5d34006e088e121aace8caceb7a5ef24ade2975f3b52b

SHA512
dd90bd98c3c45422c946f39754a49b90137dc2ab0294cc6eda07b11e8edd4881415cd61b0e348af95c2a339bc519e979978fe79eb0e1edc1d8f5e6d5c233846d

Download Submit
C:\Users\Admin\Desktop\InstallDismount.vsdx
Filesize
319KB

MD5
c59a1ef0713a3a4f519a4e46b583c0cc

SHA1
48ea646d35058ef778bbb75959b964e11c0df3bb

SHA256
b7ea89d4b3344b495c135dfaa5b7f6fe941faf881f6856fea4c75e0ea9de46e9

SHA512
380b17da33c263ce1a6ac4d3962bbd4d2ad06926947306df339c3e629535e50e94edcff3dd25e34a8a842d5d1930801a9788ee82c0228ce9425eacd1d075adf2

Download Submit
C:\Users\Admin\Desktop\JoinAssert.aiff
Filesize
238KB

MD5
9c99b903e7bef75d2a764f0c616e8647

SHA1
f64cc584d58d988321c988132560642788c08c82

SHA256
e182395eba31ab720f5aa0c79f275027c8e1ae745da51ea5025a6eaceb9398a9

SHA512
dd47d58e7bb9a3f61ccbe185458b7fb2af4d467f53405db802c901854c3b51fbc7c6ef7dbe901adb67f0b9110adfe850b1e17ac13bcd86deeb05a09df6fec155

Download Submit
C:\Users\Admin\Desktop\MeasureReset.jpg
Filesize
522KB

MD5
8a9694043d483f0aaff29cef932a959c

SHA1
50978832c113e7af12569417ad3df8917866369d

SHA256
9c5e0af1a8448f40fb570cdca7f802e6737fd6eacbd27b7c105032fc48727cfe

SHA512
dabc31ea4d2b27044c3011921dd08cfac7e8495a772de79ed022365a7a7e665309d962d6a638b43bf5b6cb97536f0c7cb02110771b2ee44b50ab2d4c2239ebc6

Download Submit
C:\Users\Admin\Desktop\Microsoft Edge.lnk
Filesize
2KB

MD5
8c808620c21fc4f115b24f5050bb93f8

SHA1
004b52f5f70da84f83130ebad49dcadc1d9fb00e

SHA256
894657123b08e01fbbab91be8b19e0640b32ad80ea1bcd051f1b1e7b6a6c5ae9

SHA512
c45882635459c19975c2a519bbca9bac48721bf5c411d94854284732253a0effbfcdc7a706e8fa380c4dba23254e53e6183609ab5e19c493706bd332568c9cfc

Download Submit
C:\Users\Admin\Desktop\MoveUndo.docx
Filesize
17KB

MD5
ad0b4b3b3f063e8eca33824b547cc11d

SHA1
d1e87eed05af01fa757443a66c07ead03ca0ae4b

SHA256
f4d3622c3fe71e9a5c15c73d44ea355b621e6bd84c00d494a2e4e57d63e39724

SHA512
e8ab86bc86eb749f2f27b7a9b94f488acd0117209cdf9fa05a5c6736d6d580a6588413aa99dcce91e3db7015da3b056852a1fa7d31d4766d3942b12910add52f

Download Submit
C:\Users\Admin\Desktop\OutGrant.midi
Filesize
168KB

MD5
1f018dc61cbdf81364b82c18eb6c74ba

SHA1
97dc1e5282ebe0fa9fba3eb5d7322c60d2bed071

SHA256
ed33abe652ddfb6ab7d18fc5d13ea3bb86d134553f9b9bcd9ea025aa65d8ef3f

SHA512
d9aa63e43b5039fd1e713201e9eb6bc637f7fdee83696fd27b5374c34edf6388d9c2ab902caf48a903f5b17735f152d090938573f5e3715f1178c1af0454a353

Download Submit
C:\Users\Admin\Desktop\PingReceive.xlsx
Filesize
10KB

MD5
f6ecced240f5dc0ec6a72c541a7e3174

SHA1
4d22309081436f08e47c3428dd80a43f5e4f5ba6

SHA256
2d9d18e259a4ca28c52d92bf4e2e79ad876f049554efc0971230a1acd56758f1

SHA512
6cd093f35bab3cbf694b3e30b8bbe5f6ac7ec0de8473581d31acd0aea3c7f19b81d95bd98ec69df8b380b52d743ed3b0d12a8ac3688a9bc78244987aa7d49f05

Download Submit
C:\Users\Admin\Desktop\PopSync.tif
Filesize
133KB

MD5
58fa30d012bf71f03466e9c94f4adadc

SHA1
267331cbc21b4023a69e1701583416d0ec9d183f

SHA256
ecb13b23fc92c82aeb36cdec5004ee33a83d26a2d8f84e88d519762298534e60

SHA512
5483c0c704c28f8e76f4d88f667cdda81465d95918ede42d02fc115d917d75cffee7e3e9afea45cbccbb237ebbf3dddcf0414e6feb1dbbc8133abf270e1cd647

Download Submit
C:\Users\Admin\Desktop\PushTest.dotm
Filesize
203KB

MD5
08b67399055c527479f9910502983689

SHA1
596f6a305b1d714cc8ad9d828f1601ee92c73f31

SHA256
b0227458d9453cdb09d37a72e6322653e47522733217550093fd9f74a5132104

SHA512
2aa39f8272f891c18d57ea70d67f188f4378358464beb40eafc02216ef47298a714e296fddfded9ccf88291b588f44a18201738512a654b180ef7aff19b6329e

Download Submit
C:\Users\Admin\Desktop\RepairMeasure.ico
Filesize
307KB

MD5
518fe0a81b764a069c3ea2d321e8b952

SHA1
8e762ea77cb98c1fb89bf43995f45eed174a359a

SHA256
831121be25cc06bf44ef78c4f5084a0aba92fd6c2cc4ad7f29fc5817bf7718c8

SHA512
360175f270980b8d52e388537392a471d48b333783164d715fe9ff0535d90c907d675e5dfc58b8fc73c3559fcffea2c92dccdc9f55090ffb5f16fa3f2f07e19b

Download Submit
C:\Users\Admin\Desktop\RequestMove.dib
Filesize
180KB

MD5
9cb0eb98bc161a2275889c43e5cb2088

SHA1
f9bc87c46b1912b62db316a0fcab9ace44baa1d3

SHA256
cdadaa1ab1166e1f8d94d67f6f939635d36213103bff053ac8620bcc0bab5eec

SHA512
717376316ffe95ba4063af2709df9ca545491eee6470c7c5d0747a275dc645797e4543847d845543d193fddb92188a1791e5a7ee2d92f2986d523dc3b9a116d4

Download Submit
C:\Users\Admin\Desktop\ResolveTest.edrwx
Filesize
272KB

MD5
7fd6cac49b3ebdb1abf19b0ec0c9a7f8

SHA1
2b76b32d73d9dcefbc52d860b5698966b6db65f1

SHA256
8aaeafaacc9e41daeb278feccd8e88f607ecd78de8bd4f0d725571efadb333ac

SHA512
8b4e7318d2501d63a4fa176cd6eca96921616c839041a94700095af2223056d6f1b3f89b7b9ca7cbc3dabe534fb1f555ae0511e10ed7debd6fd93bf5916ce990

Download Submit
C:\Users\Admin\Desktop\ShowConvert.txt
Filesize
156KB

MD5
673bfbb4236d3f2a14aae8129ba8374a

SHA1
c3575fa02444acea63abb1e829fb04bd58e818ec

SHA256
e19953e0dc73ea0076a9e8a9a631e180fe309b07419d2862e72b424f62ab03bb

SHA512
92045d575f9001f001defdba8a84159969d8d948c3873176f8c037e1c86430d70b0234ec0d7c6580503b749de967f104ab3a36e03761087c4e8abb5c476213f1

Download Submit
C:\Users\Admin\Desktop\StepResume.wvx
Filesize
214KB

MD5
b8b654f10b748ac3cec94ffa7fe0cb78

SHA1
657a471a3f1f10a5cf60064443907ca29c6b353e

SHA256
0289cf573d3b216f00a9f6df58480767fcb37913c385a1d7273f6254d145bab7

SHA512
70fe85da3f2c0d2c5e7f9976ffe87c7cf246450d89bdf1991f6525e813d8cc657eab58e254b877640e7b3cf80d1e8e78e05b73b6ceb1b10e428b2ec667cb8cae

Download Submit
C:\Users\Admin\Desktop\StopMount.m1v
Filesize
377KB

MD5
131604dd81bbddeaf2d5962f6bf89440

SHA1
345951a8cc3cffd42669036ec353b906256e44d9

SHA256
e2873cde9b4c9a0067a8834588cc6820caccabe27286ed8005d2129656b6eb36

SHA512
c74a6138696e40eda14ad46192deec1accaa2b6639612c6f46614012164495ca14028ad4956a58eddc5932454967491c3808c1f8838b61f34da4c8952f4da415

Download Submit
C:\Users\Admin\Desktop\TestAdd.xls
Filesize
191KB

MD5
c9535080ed25045c82dc724102663689

SHA1
30f950c62e2ffd43163e3fa7705d99b1b841890e

SHA256
b8d3b1e86a054422a5ac4f3ebe2f4e46c7a81287d373a783366d31e76add52ea

SHA512
68473cc26998290e6ce8db09f23fb06e69e6dde7a819be09b70263c1caec869f59d8892f43b53f4e994c991d7466f2eb50c2f766e3dbf0f42331a4db0a18bb2a

Download Submit
C:\Users\Admin\Desktop\TraceUnpublish.xlsx
Filesize
11KB

MD5
49d6442eaedc5ae9fbde75ea3b3f13f9

SHA1
5b4aa215e15e9f430a739966a4996368209ea763

SHA256
897478ca75ac840a2b84ca872f3ce9e31f19d5ac056415bc6e40c734fb983ca8

SHA512
ca157d6d345271bde4c25566055d5cac5b24248f26b1f55b7c937ffbd04da9dcba3177df3d2a9adff05ef8670b08e9061c429700c11a2ea4705fd429eeec2834

Download Submit
C:\Users\Admin\Desktop\UnregisterInvoke.3g2
Filesize
342KB

MD5
fcf2a6f1666f258013aaf2269b5041de

SHA1
7280b89aefe423728a1b84bd08d300a52781fbaf

SHA256
a577ad03a9c64dec1350623a5b0892a6e54033a75b15c87d28e1996cd12cba3e

SHA512
d01485b52774fa204bd3c28510c403a89d1a09a7cc2a8f61f5cbd2ff0231947a664a96a5e419f0698011f3cf7e5e9f1dc73c9e00a42a98fde3dbe3bdd6d6f843

Download Submit
C:\Users\Admin\Desktop\UseSearch.wav
Filesize
261KB

MD5
4b343494d924cfcb6b89625c850d153d

SHA1
e0daf28e29e2d5d66c595dbdeef7a887c3f2e5aa

SHA256
7f0ed8bfb7e44f4813e857fcb243ffd3e46e9d6eb041ee7e0881f8897440df27

SHA512
8ec9e0d4806fa4c501b1e789e5beb743c562370a46abdb6d5957c851279499ffad46fa9c3fe8b751544db4e8a35884d69a9eff787dd4f404d570a2dc8e7b5e48

Download Submit
C:\Users\Admin\Desktop\UseUnblock.fon
Filesize
284KB

MD5
4408eade8c90a6efe713a95d539fbaff

SHA1
1f471839fbce42b885c267481b6abdeb9aa3f397

SHA256
3f26ccdd284b15d4b89c7545cbe03cd38d2c475d24b6dbf9ec6a851c07e17416

SHA512
7bb2b0bda3a79c956fedbc1c24add81c8763a0b4ea65b81ee9c7c9355039349aa70fd2937c056ea183b1824b35e5b2fa2b6fb7fa5484655f6fcd87df5d4c78c7

Download Submit
C:\Users\Admin\Desktop\WriteRevoke.xlsx
Filesize
11KB

MD5
3bb8e451ac21b9ef91d88b66acbf1cec

SHA1
d76dd4257506fe751f12bb8ff5f5ecff420a4560

SHA256
25f9f7d2ed670361b3faca49ef3486073ab088ceee1deed7185a86ce39164f2e

SHA512
e6c2dd75e394f8d3251a40165a95f4bdf1dcce195077d9f04cbb63d1017400f3b366adccdf98e2822b2c5043b0e8df495d97c0c072196a7f914d68317b480efd

Download Submit
C:\Users\Public\Desktop\Acrobat Reader DC.lnk
Filesize
2KB

MD5
ae5a6fbc933b9d3930de8d2ffcc88d4e

SHA1
ff8e7b2eb4a05ba4434ca1e28436a1a078d8550e

SHA256
b55d7d1df66ce31b0f8ac7e538142504590f39e35ba0cfb94170df2cad58163e

SHA512
f0bbc6f826cb5cf359e51f6b8d365cc8f0e0f38af13f4fc3d5e34bb31c75bb34e0a793af04cd51fc8773e25f822e54083b196440d4d9809b316b201862f9f276

Download Submit
C:\Users\Public\Desktop\Firefox.lnk
Filesize
1000B

MD5
97caeb17b7f19e3d0545d04334e12835

SHA1
f7fe19f8ba2fd173322423ed4c2feddfb100c7a6

SHA256
bd6bce6029ec5003e3406cec249ee534a15c031d1064bc7f4ed1e2a5a173c368

SHA512
d7e033223dbdaa7fcaa88f1ce77d49b6e4c824bfdf09193dfcb4a938e072e2fd74d2bdbea667ca9ec6bc457e23441a0b59c7c749ddb97013fc9c858136ec2986

Download Submit
C:\Users\Public\Desktop\Google Chrome.lnk
Filesize
2KB

MD5
c25d7b16bd8dd052597cf8a9b9f4f9fe

SHA1
9d03df501b47ae4bc4117b40d1835f2b06aacb75

SHA256
9a11a98e4703963e957563895b87f129097d568b4609284b055df4f5f601d446

SHA512
44b98df173448d4e43642423dd330b9d21c8d60ecd31cbcc06e9a74ae358a54677b85169009c88c279c68c6ce7c180769a52381efb43a6ea98fa5f9f5f90ae74

Download Submit
C:\Users\Public\Desktop\VLC media player.lnk
Filesize
923B

MD5
3580b9f62c425569ae195f7485146247

SHA1
117c785108c43094c1c1eba546e24866dff149ef

SHA256
c32e486cadf5921a9211223e05d23f2e80ecd9e123972d22ccdd7e33961c4fc0

SHA512
eb17d7804a1763b820378085001cbbb4c26f81ce5069af357b2bf3c826cff2e59e4fcc967c04fc5eb3cbfe1efd09e18c7ee6974739dcb56e8e7676e054c466cc

Download Submit
memory/2804-5-0x00007FF8927A0000-0x00007FF893262000-memory.dmp

Filesize
10.8MB

Download
memory/2804-4-0x00000294644B0000-0x00000294649D8000-memory.dmp

Filesize
5.2MB

Download
memory/2804-3-0x00007FF8927A0000-0x00007FF893262000-memory.dmp

Filesize
10.8MB

Download
memory/2804-2-0x0000029463400000-0x00000294635C2000-memory.dmp

Filesize
1.8MB

Download
memory/2804-1-0x0000029448C20000-0x0000029448C38000-memory.dmp

Filesize
96KB

Download
memory/2804-0-0x00007FF8927A3000-0x00007FF8927A5000-memory.dmp

Filesize
8KB

Download