discordrat | 854d608165b291d469b2512be40803242d9379ef58087da9096f3ee93da37920

Analysis

max time kernel
191s
max time network
194s
platform
windows11-21h2_x64
resource
win11-20240704-en
resource tags

arch:x64arch:x86image:win11-20240704-enlocale:en-usos:windows11-21h2-x64system
submitted
08-07-2024 18:25

Sharing

Copy URL

Twitter E-mail

Reason

Machine shutdown

Report Analysis Logs

General

Target

Test.exe
Size

78KB
MD5

bbbb9f0fb811b0428806262bda7deae4
SHA1

f6ca297ca8b2d3aa499a9e24a51de252f7f35276
SHA256

854d608165b291d469b2512be40803242d9379ef58087da9096f3ee93da37920
SHA512

bba651156550bc001f41156766d80046aa6e5dd755c9af2e037c81922175c61513a2c94081c9942a1d749c9c712ac7f24ff86be181962874f684e1b19bfba2b2
SSDEEP

1536:52WjO8XeEXFh5P7v88wbjNrfxCXhRoKV6+V+SPIC:5Zv5PDwbjNrmAE+eIC

Score

10^/10

discordrat persistence ransomware rat rootkit stealer

Malware Config

Extracted

Family

discordrat

Attributes

discord_token
MTI0NzY0ODI3NjkwNDI4NDIxMQ.GzYU-o.gTVjR5kc0qgiHq8KPJLw_Xg1mnEgJyOsa1wDxU
server_id
1247801636122787851

Signatures

Discord RAT
A RAT written in C# using Discord as a C2.
stealer rootkit rat persistence discordrat

Legitimate hosting services abused for malware hosting/C2 1 TTPs 13 IoCs

Web Service

T1102

flow	ioc
13	discord.com
15	discord.com
16	discord.com
6	discord.com
20	discord.com
1	discord.com
8	discord.com
11	discord.com
19	discord.com
4	discord.com
7	discord.com
9	discord.com
10	discord.com

Sets desktop wallpaper using registry 2 TTPs 1 IoCs

ransomware

Defacement

T1491

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-299327586-1226193722-3477828593-1000\Control Panel\Desktop\Wallpaper = "C:\\Users\\Admin\\AppData\\Local\\Temp\\tmp998C.tmp.png"	Test.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	1036	Test.exe
Token: SeShutdownPrivilege	1036	Test.exe

C:\Users\Admin\AppData\Local\Temp\Test.exe
"C:\Users\Admin\AppData\Local\Temp\Test.exe"
1⤵
- Sets desktop wallpaper using registry
- Suspicious use of AdjustPrivilegeToken
PID:1036

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Web Service

T1102

Exfiltration

Impact