discordrat | c13a0cd7c2c2fd577703bff026b72ed81b51266afa047328c8ff1c4a4d965c97

Analysis

max time kernel
129s
max time network
136s
platform
windows10-1703_x64
resource
win10-20240611-en
resource tags

arch:x64arch:x86image:win10-20240611-enlocale:en-usos:windows10-1703-x64system
submitted
17/08/2024, 12:35

Target

Release/Discord rat.exe
Size

79KB
MD5

d13905e018eb965ded2e28ba0ab257b5
SHA1

6d7fe69566fddc69b33d698591c9a2c70d834858
SHA256

2bd631c6665656673a923c13359b0dc211debc05b2885127e26b0dce808e2dec
SHA512

b95bfdebef33ac72b6c21cdf0abb4961222b7efd17267cd7236e731dd0b6105ece28e784a95455f1ffc8a6dd1d580a467b07b3bd8cb2fb19e2111f1a864c97cb
SSDEEP

1536:YCH0jBD2BKkwbPNrfxCXhRoKV6+V+y9viwp:VUjBD2BPwbPNrmAE+MqU

Score

10^/10

Discord RAT
A RAT written in C# using Discord as a C2.
stealer rootkit rat persistence discordrat

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	1848	Discord rat.exe

C:\Users\Admin\AppData\Local\Temp\Release\Discord rat.exe
"C:\Users\Admin\AppData\Local\Temp\Release\Discord rat.exe"
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:1848

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:4200

memory/1848-0-0x00007FFD9F733000-0x00007FFD9F734000-memory.dmp

Filesize
4KB

Download
memory/1848-1-0x0000016FD29A0000-0x0000016FD29B8000-memory.dmp

Filesize
96KB

Download
memory/1848-2-0x0000016FED020000-0x0000016FED1E2000-memory.dmp

Filesize
1.8MB

Download
memory/1848-3-0x00007FFD9F730000-0x00007FFDA011C000-memory.dmp

Filesize
9.9MB

Download
memory/1848-4-0x0000016FED820000-0x0000016FEDD46000-memory.dmp

Filesize
5.1MB

Download
memory/1848-5-0x00007FFD9F733000-0x00007FFD9F734000-memory.dmp

Filesize
4KB

Download
memory/1848-6-0x00007FFD9F730000-0x00007FFDA011C000-memory.dmp

Filesize
9.9MB

Download