Overview

overview

10

Static

static

10

Discord rat.exe

windows10-2004-x64

Analysis

  • max time kernel
    96s
  • max time network
    97s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240709-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20240709-enlocale:en-usos:windows10-2004-x64system
  • submitted
    13-07-2024 07:30

Sharing

Copy URL
Twitter E-mail

Errors

Reason
Machine shutdown
Report Analysis Logs

General

  • Target

    Discord rat.exe

  • Size

    90KB

  • MD5

    8a32ab164cf21c25d14186558d1d0b39

  • SHA1

    e6bfcec636e3eefe571195a5b86ba45e4886fa3e

  • SHA256

    d77435a738ed56eb7f078bad23ef38a037dc762b1eaf5a4f6123c4251259cb69

  • SHA512

    1cfd11ef29dbe145931fbb18c185d3fa0fe25d01f449fe1188ef992388f5766e0f6c086534d4f036780602f6223c3d78c8cf50433ee2ab99e6512640b687a954

  • SSDEEP

    1536:xHaXnTwWMeuPJdtAqBkblZNEpqejw+jZpZbANrV+uexCxoKV6+fMsx:UsWMeuPy0kblbGqeUsZpZbANrV+bSMw

Score
10/10
discordratpersistenceratrootkitstealer

Malware Config

Extracted

Family

discordrat

Attributes
  • discord_token

    MTI1Njk1OTk3MzkyMjA1MDA0OA.GrCdzf.wkygkabj6BRMG0ExFn44Ch1ccIL8YyoEZeXNPE

  • server_id

    1256666099580403734

Signatures

  • Discord RAT

    A RAT written in C# using Discord as a C2.

    stealerrootkitratpersistencediscordrat
  • Legitimate hosting services abused for malware hosting/C2 1 TTPs 5 IoCs
  • Checks SCSI registry key(s) 3 TTPs 3 IoCs

    SCSI information is often read in order to detect sandboxing environments.

  • Suspicious behavior: EnumeratesProcesses 9 IoCs
  • Suspicious use of AdjustPrivilegeToken 7 IoCs
  • Suspicious use of FindShellTrayWindow 35 IoCs
  • Suspicious use of SendNotifyMessage 35 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\Discord rat.exe
    "C:\Users\Admin\AppData\Local\Temp\Discord rat.exe"
    1⤵
    • Suspicious use of AdjustPrivilegeToken
    PID:4000
  • C:\Windows\system32\taskmgr.exe
    "C:\Windows\system32\taskmgr.exe" /4
    1⤵
    • Checks SCSI registry key(s)
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of FindShellTrayWindow
    • Suspicious use of SendNotifyMessage
    PID:632

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

  • memory/632-22-0x000002306B340000-0x000002306B341000-memory.dmp

    Filesize

    4KB

    Download

  • memory/632-23-0x000002306B340000-0x000002306B341000-memory.dmp

    Filesize

    4KB

    Download

  • memory/632-13-0x000002306B340000-0x000002306B341000-memory.dmp

    Filesize

    4KB

    Download

  • memory/632-12-0x000002306B340000-0x000002306B341000-memory.dmp

    Filesize

    4KB

    Download

  • memory/632-11-0x000002306B340000-0x000002306B341000-memory.dmp

    Filesize

    4KB

    Download

  • memory/632-18-0x000002306B340000-0x000002306B341000-memory.dmp

    Filesize

    4KB

    Download

  • memory/632-19-0x000002306B340000-0x000002306B341000-memory.dmp

    Filesize

    4KB

    Download

  • memory/632-20-0x000002306B340000-0x000002306B341000-memory.dmp

    Filesize

    4KB

    Download

  • memory/632-17-0x000002306B340000-0x000002306B341000-memory.dmp

    Filesize

    4KB

    Download

  • memory/632-21-0x000002306B340000-0x000002306B341000-memory.dmp

    Filesize

    4KB

    Download

  • memory/4000-6-0x00007FFFAC0F3000-0x00007FFFAC0F5000-memory.dmp

    Filesize

    8KB

    Download

  • memory/4000-3-0x00007FFFAC0F0000-0x00007FFFACBB1000-memory.dmp

    Filesize

    10.8MB

    Download

  • memory/4000-0-0x0000022BC3100000-0x0000022BC311A000-memory.dmp

    Filesize

    104KB

    Download

  • memory/4000-2-0x0000022BDD710000-0x0000022BDD8D2000-memory.dmp

    Filesize

    1.8MB

    Download

  • memory/4000-7-0x00007FFFAC0F0000-0x00007FFFACBB1000-memory.dmp

    Filesize

    10.8MB

    Download

  • memory/4000-5-0x0000022BDDBD0000-0x0000022BDDD79000-memory.dmp

    Filesize

    1.7MB

    Download

  • memory/4000-1-0x00007FFFAC0F3000-0x00007FFFAC0F5000-memory.dmp

    Filesize

    8KB

    Download

  • memory/4000-4-0x0000022BDDF50000-0x0000022BDE478000-memory.dmp

    Filesize

    5.2MB

    Download