discordrat | 132a57ab50e5d15698b9a99929d0f118cad13f7353eb723daa41e1b853354476

Analysis

max time kernel
140s
max time network
129s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
10-08-2024 15:45

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

Discord Token Grabber.exe
Size

78KB
MD5

38801e10701a6f739024f8e0c7f96d5b
SHA1

264f13f2dd1a5c0a6c680d1f5f590c346547b2fe
SHA256

132a57ab50e5d15698b9a99929d0f118cad13f7353eb723daa41e1b853354476
SHA512

e234044d480e02d99c80a24d50846ec8c870411da2ac725f30309783bc8be589c5bcea70fc43f44db402cf73a63f9a562963107e3367b3090ffda438e567dc8c
SSDEEP

1536:52WjO8XeEXFh5P7v88wbjNrfxCXhRoKV6+V+NPIC:5Zv5PDwbjNrmAE+dIC

Score

10^/10

discordrat discovery persistence rat rootkit stealer

Malware Config

Extracted

Family

discordrat

Attributes

discord_token
MTIwMTE2OTIzMjM0MDE4OTIxNA.Gys-q1.tKKJx97VdW_Z7GSgMrKzoWfeRvK3AWWfcSFxhc
server_id
1201170015383191592

Signatures

Discord RAT
A RAT written in C# using Discord as a C2.
stealer rootkit rat persistence discordrat

Legitimate hosting services abused for malware hosting/C2 1 TTPs 2 IoCs

Web Service

T1102

flow	ioc
10	discord.com
11	discord.com

Browser Information Discovery 1 TTPs
Enumerate browser information.
discovery

Browser Information Discovery
T1217

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe

Suspicious behavior: EnumeratesProcesses 4 IoCs

pid	Process
264	msedge.exe
264	msedge.exe
4396	msedge.exe
4396	msedge.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 2 IoCs

pid	Process
4396	msedge.exe
4396	msedge.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	4464	Discord Token Grabber.exe

Suspicious use of FindShellTrayWindow 26 IoCs

pid	Process
4396	msedge.exe
4396	msedge.exe
4396	msedge.exe
4396	msedge.exe
4396	msedge.exe
4396	msedge.exe
4396	msedge.exe
4396	msedge.exe
4396	msedge.exe
4396	msedge.exe
4396	msedge.exe
4396	msedge.exe
4396	msedge.exe
4396	msedge.exe
4396	msedge.exe
4396	msedge.exe
4396	msedge.exe
4396	msedge.exe
4396	msedge.exe
4396	msedge.exe
4396	msedge.exe
4396	msedge.exe
4396	msedge.exe
4396	msedge.exe
4396	msedge.exe
4396	msedge.exe

Suspicious use of SendNotifyMessage 24 IoCs

pid	Process
4396	msedge.exe
4396	msedge.exe
4396	msedge.exe
4396	msedge.exe
4396	msedge.exe
4396	msedge.exe
4396	msedge.exe
4396	msedge.exe
4396	msedge.exe
4396	msedge.exe
4396	msedge.exe
4396	msedge.exe
4396	msedge.exe
4396	msedge.exe
4396	msedge.exe
4396	msedge.exe
4396	msedge.exe
4396	msedge.exe
4396	msedge.exe
4396	msedge.exe
4396	msedge.exe
4396	msedge.exe
4396	msedge.exe
4396	msedge.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 4396 wrote to memory of 1540	4396	msedge.exe	102
PID 4396 wrote to memory of 1540	4396	msedge.exe	102
PID 4396 wrote to memory of 868	4396	msedge.exe	103
PID 4396 wrote to memory of 868	4396	msedge.exe	103
PID 4396 wrote to memory of 868	4396	msedge.exe	103
PID 4396 wrote to memory of 868	4396	msedge.exe	103
PID 4396 wrote to memory of 868	4396	msedge.exe	103
PID 4396 wrote to memory of 868	4396	msedge.exe	103
PID 4396 wrote to memory of 868	4396	msedge.exe	103
PID 4396 wrote to memory of 868	4396	msedge.exe	103
PID 4396 wrote to memory of 868	4396	msedge.exe	103
PID 4396 wrote to memory of 868	4396	msedge.exe	103
PID 4396 wrote to memory of 868	4396	msedge.exe	103
PID 4396 wrote to memory of 868	4396	msedge.exe	103
PID 4396 wrote to memory of 868	4396	msedge.exe	103
PID 4396 wrote to memory of 868	4396	msedge.exe	103
PID 4396 wrote to memory of 868	4396	msedge.exe	103
PID 4396 wrote to memory of 868	4396	msedge.exe	103
PID 4396 wrote to memory of 868	4396	msedge.exe	103
PID 4396 wrote to memory of 868	4396	msedge.exe	103
PID 4396 wrote to memory of 868	4396	msedge.exe	103
PID 4396 wrote to memory of 868	4396	msedge.exe	103
PID 4396 wrote to memory of 868	4396	msedge.exe	103
PID 4396 wrote to memory of 868	4396	msedge.exe	103
PID 4396 wrote to memory of 868	4396	msedge.exe	103
PID 4396 wrote to memory of 868	4396	msedge.exe	103
PID 4396 wrote to memory of 868	4396	msedge.exe	103
PID 4396 wrote to memory of 868	4396	msedge.exe	103
PID 4396 wrote to memory of 868	4396	msedge.exe	103
PID 4396 wrote to memory of 868	4396	msedge.exe	103
PID 4396 wrote to memory of 868	4396	msedge.exe	103
PID 4396 wrote to memory of 868	4396	msedge.exe	103
PID 4396 wrote to memory of 868	4396	msedge.exe	103
PID 4396 wrote to memory of 868	4396	msedge.exe	103
PID 4396 wrote to memory of 868	4396	msedge.exe	103
PID 4396 wrote to memory of 868	4396	msedge.exe	103
PID 4396 wrote to memory of 868	4396	msedge.exe	103
PID 4396 wrote to memory of 868	4396	msedge.exe	103
PID 4396 wrote to memory of 868	4396	msedge.exe	103
PID 4396 wrote to memory of 868	4396	msedge.exe	103
PID 4396 wrote to memory of 868	4396	msedge.exe	103
PID 4396 wrote to memory of 868	4396	msedge.exe	103
PID 4396 wrote to memory of 264	4396	msedge.exe	104
PID 4396 wrote to memory of 264	4396	msedge.exe	104
PID 4396 wrote to memory of 3032	4396	msedge.exe	105
PID 4396 wrote to memory of 3032	4396	msedge.exe	105
PID 4396 wrote to memory of 3032	4396	msedge.exe	105
PID 4396 wrote to memory of 3032	4396	msedge.exe	105
PID 4396 wrote to memory of 3032	4396	msedge.exe	105
PID 4396 wrote to memory of 3032	4396	msedge.exe	105
PID 4396 wrote to memory of 3032	4396	msedge.exe	105
PID 4396 wrote to memory of 3032	4396	msedge.exe	105
PID 4396 wrote to memory of 3032	4396	msedge.exe	105
PID 4396 wrote to memory of 3032	4396	msedge.exe	105
PID 4396 wrote to memory of 3032	4396	msedge.exe	105
PID 4396 wrote to memory of 3032	4396	msedge.exe	105
PID 4396 wrote to memory of 3032	4396	msedge.exe	105
PID 4396 wrote to memory of 3032	4396	msedge.exe	105
PID 4396 wrote to memory of 3032	4396	msedge.exe	105
PID 4396 wrote to memory of 3032	4396	msedge.exe	105
PID 4396 wrote to memory of 3032	4396	msedge.exe	105
PID 4396 wrote to memory of 3032	4396	msedge.exe	105
PID 4396 wrote to memory of 3032	4396	msedge.exe	105
PID 4396 wrote to memory of 3032	4396	msedge.exe	105

C:\Users\Admin\AppData\Local\Temp\Discord Token Grabber.exe
"C:\Users\Admin\AppData\Local\Temp\Discord Token Grabber.exe"
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:4464

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:2384

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument C:\Users\Admin\Downloads\ImportStart.html
1⤵
- Enumerates system info in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:4396
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x11c,0x120,0x124,0xf8,0x128,0x7ffdff2f46f8,0x7ffdff2f4708,0x7ffdff2f4718
  2⤵
  PID:1540
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2208,8341271703305049646,10818198933548949332,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2228 /prefetch:2
  2⤵
  PID:868
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2208,8341271703305049646,10818198933548949332,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2316 /prefetch:3
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:264
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2208,8341271703305049646,10818198933548949332,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2708 /prefetch:8
  2⤵
  PID:3032
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2208,8341271703305049646,10818198933548949332,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3268 /prefetch:1
  2⤵
  PID:4128
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2208,8341271703305049646,10818198933548949332,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3276 /prefetch:1
  2⤵
  PID:2704

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:4952

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:1608

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Browser Information Discovery

T1217

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
e765f3d75e6b0e4a7119c8b14d47d8da

SHA1
cc9f7c7826c2e1a129e7d98884926076c3714fc0

SHA256
986443556d3878258b710d9d9efbf4f25f0d764c3f83dc54217f2b12a6eccd89

SHA512
a1872a849f27da78ebe9adb9beb260cb49ed5f4ca2d403f23379112bdfcd2482446a6708188100496e45db1517cdb43aba8bb93a75e605713c3f97cd716b1079

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
53bc70ecb115bdbabe67620c416fe9b3

SHA1
af66ec51a13a59639eaf54d62ff3b4f092bb2fc1

SHA256
b36cad5c1f7bc7d07c7eaa2f3cad2959ddb5447d4d3adcb46eb6a99808e22771

SHA512
cad44933b94e17908c0eb8ac5feeb53d03a7720d97e7ccc8724a1ed3021a5bece09e1f9f3cec56ce0739176ebbbeb20729e650f8bca04e5060c986b75d8e4921

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
20ac72944f1d44249fbb70f92c076f60

SHA1
227e74ee257b2d1de8bceca4398e8a529ac0ea45

SHA256
6276f0c73d2eea694bc540eaeae826103f557c8db75bb79ccd763f6bdea7c9e3

SHA512
c845d8d2e1a03aa2f377f0ee115d8bcba7ff40c9c399577e5a0699e6c69dcbcd929b3d938b1cfd68ac53558f737f45bc72d40285b9da843caff0930c545c3adf

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
2aef6da5b11c33f5fd5b4496b7ed0703

SHA1
5fa9e1d748627805acd9de0f4865240d00e49810

SHA256
b2907708d48838c818c4932bbc970ed6d617795291e7bf5e697bbfd070998750

SHA512
b812b6d232abbe073dc0a1f6fba02f3846ecfd771c88ad9d86f9a5037afd598af28ab7bec484cb6b4f015a4b7de67ee11197c2e1e9875475e8f3103d465e1f45

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
10KB

MD5
39bc8c33a249016fc8b9790e3738624b

SHA1
23633c56652a8b6b2e0b04be87b565e84dda87f9

SHA256
598e559933d1a5595ae8d4876172a27fa7d9ed93a921ad6c317b8fa1554df185

SHA512
bbc6f8e9d8afb7e587938193d956c738e264cdafaaba093f3bde4bf5280cd8be2adee8c65d982e2310029a5eb8f491ddab64dfaf2d3a748bf657069570e85e53

Download Submit
memory/4464-3-0x00007FFE06700000-0x00007FFE071C1000-memory.dmp

Filesize
10.8MB

Download
memory/4464-6-0x00007FFE06700000-0x00007FFE071C1000-memory.dmp

Filesize
10.8MB

Download
memory/4464-5-0x00007FFE06703000-0x00007FFE06705000-memory.dmp

Filesize
8KB

Download
memory/4464-4-0x0000020BB2060000-0x0000020BB2588000-memory.dmp

Filesize
5.2MB

Download
memory/4464-0-0x00007FFE06703000-0x00007FFE06705000-memory.dmp

Filesize
8KB

Download
memory/4464-2-0x0000020BB1960000-0x0000020BB1B22000-memory.dmp

Filesize
1.8MB

Download
memory/4464-1-0x0000020B971C0000-0x0000020B971D8000-memory.dmp

Filesize
96KB

Download