discordrat | 2dfa94516c05d3c6935602e96e7e93f29f43c1f3ea57d16da051d22a56e1d9cf

Analysis

max time kernel
134s
max time network
136s
platform
windows10-1703_x64
resource
win10-20240404-en
resource tags

arch:x64arch:x86image:win10-20240404-enlocale:en-usos:windows10-1703-x64system
submitted
03-08-2024 09:42

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

backdoor.exe
Size

78KB
MD5

c0459f1b10e851cfddc7ddc21a0b3d1f
SHA1

d76fc32d3797c453f5bec0d9c76534ddcd7db724
SHA256

2dfa94516c05d3c6935602e96e7e93f29f43c1f3ea57d16da051d22a56e1d9cf
SHA512

3094d6902b479581bbc28d5f26910a67ad9aa0671657ba3581532ca50c67ab6c8dd29121bb0e7cc23827dfc92166aea28ce52e52b91a4ab8e9b073bdbdf16c38
SSDEEP

1536:52WjO8XeEXFh5P7v88wbjNrfxCXhRoKV6+V+7PIC:5Zv5PDwbjNrmAE+zIC

Score

10^/10

discordrat persistence rat rootkit stealer

Malware Config

Extracted

Family

discordrat

Attributes

discord_token
MTI2OTIyMjMyMjIyOTczOTUzMg.GyI708.Ijt-1CqRhtizkyYbNU0tX2q9hIir5_GAAhlryk
server_id
1268848189814079488

Signatures

Discord RAT
A RAT written in C# using Discord as a C2.
stealer rootkit rat persistence discordrat

Legitimate hosting services abused for malware hosting/C2 1 TTPs 2 IoCs

Web Service

T1102

flow	ioc
3	discord.com
4	discord.com

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	600	backdoor.exe

C:\Users\Admin\AppData\Local\Temp\backdoor.exe
"C:\Users\Admin\AppData\Local\Temp\backdoor.exe"
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:600

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:2120

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/600-0-0x000001FAEC880000-0x000001FAEC898000-memory.dmp

Filesize
96KB

Download
memory/600-1-0x00007FFA2ACB3000-0x00007FFA2ACB4000-memory.dmp

Filesize
4KB

Download
memory/600-2-0x000001FAEEF10000-0x000001FAEF0D2000-memory.dmp

Filesize
1.8MB

Download
memory/600-3-0x00007FFA2ACB0000-0x00007FFA2B69C000-memory.dmp

Filesize
9.9MB

Download
memory/600-4-0x000001FAEF710000-0x000001FAEFC36000-memory.dmp

Filesize
5.1MB

Download
memory/600-5-0x00007FFA2ACB3000-0x00007FFA2ACB4000-memory.dmp

Filesize
4KB

Download
memory/600-6-0x00007FFA2ACB0000-0x00007FFA2B69C000-memory.dmp

Filesize
9.9MB

Download