discordrat | 658f91835d7daa63b43d3c618ade30f2444171fdd5c1dbfeefc287b2c5582921

Resubmissions

08-07-2024 14:42

240708-r28qlawfpe 10

18-06-2024 22:36

240618-2jdslsselj 10

18-06-2024 22:35

240618-2hrm3ssejm 10

Analysis

max time kernel
193s
max time network
197s
platform
windows10-2004_x64
resource
win10v2004-20240704-en
resource tags

arch:x64arch:x86image:win10v2004-20240704-enlocale:en-usos:windows10-2004-x64system
submitted
08-07-2024 14:42

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

release/Release/Discord rat.exe
Size

79KB
MD5

d13905e018eb965ded2e28ba0ab257b5
SHA1

6d7fe69566fddc69b33d698591c9a2c70d834858
SHA256

2bd631c6665656673a923c13359b0dc211debc05b2885127e26b0dce808e2dec
SHA512

b95bfdebef33ac72b6c21cdf0abb4961222b7efd17267cd7236e731dd0b6105ece28e784a95455f1ffc8a6dd1d580a467b07b3bd8cb2fb19e2111f1a864c97cb
SSDEEP

1536:YCH0jBD2BKkwbPNrfxCXhRoKV6+V+y9viwp:VUjBD2BPwbPNrmAE+MqU

Score

10^/10

discordrat persistence rat rootkit stealer

Malware Config

Signatures

Discord RAT
A RAT written in C# using Discord as a C2.
stealer rootkit rat persistence discordrat

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
2932	powershell.exe
2932	powershell.exe

Suspicious behavior: RenamesItself 1 IoCs

pid	Process
2932	powershell.exe

Suspicious use of AdjustPrivilegeToken 9 IoCs

description	pid	Process
Token: SeDebugPrivilege	3784	Discord rat.exe
Token: SeDebugPrivilege	4828	Discord rat.exe
Token: SeDebugPrivilege	3856	Discord rat.exe
Token: SeDebugPrivilege	2932	powershell.exe
Token: SeDebugPrivilege	212	Discord rat.exe
Token: SeDebugPrivilege	3588	dr.exe
Token: SeDebugPrivilege	772	dr.exe
Token: SeDebugPrivilege	2192	dr.exe
Token: SeDebugPrivilege	3824	dr.exe

Suspicious use of WriteProcessMemory 10 IoCs

description	pid	Process	procid_target
PID 2932 wrote to memory of 212	2932	powershell.exe	98
PID 2932 wrote to memory of 212	2932	powershell.exe	98
PID 2932 wrote to memory of 3588	2932	powershell.exe	100
PID 2932 wrote to memory of 3588	2932	powershell.exe	100
PID 2932 wrote to memory of 772	2932	powershell.exe	101
PID 2932 wrote to memory of 772	2932	powershell.exe	101
PID 2932 wrote to memory of 2192	2932	powershell.exe	102
PID 2932 wrote to memory of 2192	2932	powershell.exe	102
PID 2932 wrote to memory of 3824	2932	powershell.exe	103
PID 2932 wrote to memory of 3824	2932	powershell.exe	103

C:\Users\Admin\AppData\Local\Temp\release\Release\Discord rat.exe
"C:\Users\Admin\AppData\Local\Temp\release\Release\Discord rat.exe"
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:3784

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:3880

C:\Users\Admin\AppData\Local\Temp\release\Release\Discord rat.exe
"C:\Users\Admin\AppData\Local\Temp\release\Release\Discord rat.exe"
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:4828

C:\Users\Admin\AppData\Local\Temp\release\Release\Discord rat.exe
"C:\Users\Admin\AppData\Local\Temp\release\Release\Discord rat.exe"
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:3856

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
1⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: RenamesItself
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2932
- C:\Users\Admin\Desktop\Discord rat.exe
  "C:\Users\Admin\Desktop\Discord rat.exe" -h
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:212
- C:\Users\Admin\Desktop\dr.exe
  "C:\Users\Admin\Desktop\dr.exe" -h
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:3588
- C:\Users\Admin\Desktop\dr.exe
  "C:\Users\Admin\Desktop\dr.exe" --help
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:772
- C:\Users\Admin\Desktop\dr.exe
  "C:\Users\Admin\Desktop\dr.exe" -help
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:2192
- C:\Users\Admin\Desktop\dr.exe
  "C:\Users\Admin\Desktop\dr.exe"
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:3824

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_d5fvyax3.g53.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
memory/2932-13-0x000001504A670000-0x000001504A692000-memory.dmp

Filesize
136KB

Download
memory/2932-25-0x0000015062FF0000-0x000001506300E000-memory.dmp

Filesize
120KB

Download
memory/2932-24-0x0000015063030000-0x00000150630A6000-memory.dmp

Filesize
472KB

Download
memory/2932-23-0x0000015062F60000-0x0000015062FA4000-memory.dmp

Filesize
272KB

Download
memory/3784-4-0x0000019AED750000-0x0000019AEDC78000-memory.dmp

Filesize
5.2MB

Download
memory/3784-6-0x00007FFCFCF00000-0x00007FFCFD9C1000-memory.dmp

Filesize
10.8MB

Download
memory/3784-5-0x00007FFCFCF03000-0x00007FFCFCF05000-memory.dmp

Filesize
8KB

Download
memory/3784-1-0x0000019AD2770000-0x0000019AD2788000-memory.dmp

Filesize
96KB

Download
memory/3784-3-0x00007FFCFCF00000-0x00007FFCFD9C1000-memory.dmp

Filesize
10.8MB

Download
memory/3784-2-0x0000019AECE70000-0x0000019AED032000-memory.dmp

Filesize
1.8MB

Download
memory/3784-0-0x00007FFCFCF03000-0x00007FFCFCF05000-memory.dmp

Filesize
8KB

Download
memory/4828-7-0x00007FFCFCF00000-0x00007FFCFD9C1000-memory.dmp

Filesize
10.8MB

Download
memory/4828-8-0x00007FFCFCF00000-0x00007FFCFD9C1000-memory.dmp

Filesize
10.8MB

Download
memory/4828-9-0x00007FFCFCF00000-0x00007FFCFD9C1000-memory.dmp

Filesize
10.8MB

Download
memory/4828-10-0x00007FFCFCF00000-0x00007FFCFD9C1000-memory.dmp

Filesize
10.8MB

Download