discordrat | 6b6c92ccb9752329a838ad2a79484bc1bb83e94fb997712808108340bb3617c9

Analysis

max time kernel
14s
max time network
26s
platform
windows11-21h2_x64
resource
win11-20240802-en
resource tags

arch:x64arch:x86image:win11-20240802-enlocale:en-usos:windows11-21h2-x64system
submitted
30-08-2024 19:46

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

Roblox nice wallpaper PC 4K‮gpj.exe
Size

525KB
MD5

614716c4f52130c13f4a8b8f245ae85f
SHA1

6375084924bbe5d378a9f36944224b03ae20d503
SHA256

6b6c92ccb9752329a838ad2a79484bc1bb83e94fb997712808108340bb3617c9
SHA512

583635f6fa7d7b23ed7fc7bbbe41e697b56ce6ef931f953ab603b31bb81f1b6ac510caf17a886eec6db69c206f405116ab5d757365d0a4aa0be73dd8fe213622
SSDEEP

12288:jyveQB/fTHIGaPkKEYzURNAwbAg8Bhd8/APuf+qQ+:juDXTIGaPhEYzUzA0qS/APuf+qQ+

Score

10^/10

discordrat persistence rat rootkit stealer

Malware Config

Extracted

Family

discordrat

Attributes

discord_token
MTI3NjIwMDE1NTc2MjM5NzI5Nw.Gf_BR-.jnyabVpo-_wlglvaEtXc_eHkRrFGBBqCy_X7zg
server_id
1276200065106579466

Signatures

Discord RAT
A RAT written in C# using Discord as a C2.
stealer rootkit rat persistence discordrat

Executes dropped EXE 1 IoCs

pid	Process
2800	Roblox nice wallpaper PC 4K.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs 2 IoCs

Web Service

T1102

flow	ioc
1	discord.com
4	discord.com

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	2800	Roblox nice wallpaper PC 4K.exe

Suspicious use of WriteProcessMemory 2 IoCs

description	pid	Process	procid_target
PID 3496 wrote to memory of 2800	3496	Roblox nice wallpaper PC 4K‮gpj.exe	82
PID 3496 wrote to memory of 2800	3496	Roblox nice wallpaper PC 4K‮gpj.exe	82

C:\Users\Admin\AppData\Local\Temp\Roblox nice wallpaper PC 4K‮gpj.exe
"C:\Users\Admin\AppData\Local\Temp\Roblox nice wallpaper PC 4K‮gpj.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:3496
- C:\Users\Admin\AppData\Local\Temp\Roblox nice wallpaper PC 4K.exe
  "C:\Users\Admin\AppData\Local\Temp\Roblox nice wallpaper PC 4K.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken
  PID:2800

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\Roblox nice wallpaper PC 4K.exe

Filesize
78KB

MD5
ba416f6d574b900d390ebe54d2534d62

SHA1
5c2b419426e7ee98de2542d02ccbda2bfcd8db13

SHA256
d379e9094225a79ff41971d62fdba48524f60e76e36a878a6268c61096b3514c

SHA512
48568ea8a7b10579f87df74bec88ed33fee3d0c410b5005b32f87b19db657c71ac326bb8ef4af1f9af4bdf8e0c230ed7bc60d8ac3b7edcf8a4348e528d3edb19

Download Submit
memory/2800-12-0x00007FFB5A033000-0x00007FFB5A035000-memory.dmp

Filesize
8KB

Download
memory/2800-13-0x000001BF8F010000-0x000001BF8F028000-memory.dmp

Filesize
96KB

Download
memory/2800-14-0x000001BFA9670000-0x000001BFA9832000-memory.dmp

Filesize
1.8MB

Download
memory/2800-15-0x00007FFB5A030000-0x00007FFB5AAF2000-memory.dmp

Filesize
10.8MB

Download
memory/2800-16-0x000001BFAAA40000-0x000001BFAAF68000-memory.dmp

Filesize
5.2MB

Download
memory/2800-17-0x00007FFB5A033000-0x00007FFB5A035000-memory.dmp

Filesize
8KB

Download
memory/2800-18-0x00007FFB5A030000-0x00007FFB5AAF2000-memory.dmp

Filesize
10.8MB

Download