discordrat | hxxps://mega[.]nz/file/1UZxiDhI#3I2TwpY9U8SZXYQmbtvAoVUoN63T_sR1TsPTIjU3BYI

General

Target

https://mega.nz/file/1UZxiDhI#3I2TwpY9U8SZXYQmbtvAoVUoN63T_sR1TsPTIjU3BYI

Score

10^/10

discordrat persistence rat rootkit spyware stealer

Malware Config

Extracted

Family

discordrat

Attributes

discord_token
MTI5MDA4NTEyNjUyODgzMTUxMQ.Gw7axc.eDjVgfX57Vq29U5wfvpEp1ZNwvynufmC27K-yM
server_id
1290085964475007130

Signatures

Discord RAT
A RAT written in C# using Discord as a C2.
stealer rootkit rat persistence discordrat
Downloads MZ/PE file

Executes dropped EXE 2 IoCs

pid	Process
1008	Wave.exe
2436	Wave.exe

Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Credentials from Web Browsers
T1555.003

Legitimate hosting services abused for malware hosting/C2 1 TTPs 17 IoCs

Web Service

T1102

flow	ioc
104	discord.com
140	raw.githubusercontent.com
111	discord.com
116	discord.com
118	discord.com
147	discord.com
151	raw.githubusercontent.com
153	discord.com
138	discord.com
139	raw.githubusercontent.com
142	discord.com
144	discord.com
152	discord.com
103	discord.com
141	discord.com
145	discord.com
146	discord.com

Suspicious use of AdjustPrivilegeToken 4 IoCs

description	pid	Process
Token: 33	1500	AUDIODG.EXE
Token: SeIncBasePriorityPrivilege	1500	AUDIODG.EXE
Token: SeDebugPrivilege	1008	Wave.exe
Token: SeDebugPrivilege	2436	Wave.exe

Suspicious use of SetWindowsHookEx 5 IoCs

pid	Process
3736	Wave Executor.exe
1760	Wave Executor.exe
2224	Wave Executor.exe
1836	Wave Executor.exe
4820	Wave Executor.exe

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 1836 wrote to memory of 1008	1836	Wave Executor.exe	106
PID 1836 wrote to memory of 1008	1836	Wave Executor.exe	106
PID 4820 wrote to memory of 2436	4820	Wave Executor.exe	112
PID 4820 wrote to memory of 2436	4820	Wave Executor.exe	112

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://mega.nz/file/1UZxiDhI#3I2TwpY9U8SZXYQmbtvAoVUoN63T_sR1TsPTIjU3BYI
1⤵
PID:2704

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --enable-dinosaur-easter-egg-alt-images --video-capture-use-gpu-memory-buffer --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=16 --field-trial-handle=756,i,3210801877307184477,8078594481454001567,262144 --variations-seed-version --mojo-platform-channel-handle=3796 /prefetch:1
1⤵
PID:2708

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --enable-dinosaur-easter-egg-alt-images --video-capture-use-gpu-memory-buffer --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=15 --field-trial-handle=1304,i,3210801877307184477,8078594481454001567,262144 --variations-seed-version --mojo-platform-channel-handle=4632 /prefetch:1
1⤵
PID:3236

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --field-trial-handle=5372,i,3210801877307184477,8078594481454001567,262144 --variations-seed-version --mojo-platform-channel-handle=5384 /prefetch:8
1⤵
PID:3972

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=entity_extraction_service.mojom.Extractor --lang=en-US --service-sandbox-type=entity_extraction --onnx-enabled-for-ee --field-trial-handle=5356,i,3210801877307184477,8078594481454001567,262144 --variations-seed-version --mojo-platform-channel-handle=5440 /prefetch:8
1⤵
PID:2280

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --field-trial-handle=5860,i,3210801877307184477,8078594481454001567,262144 --variations-seed-version --mojo-platform-channel-handle=5872 /prefetch:8
1⤵
PID:1196

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=edge_xpay_wallet.mojom.EdgeXPayWalletService --lang=en-US --service-sandbox-type=utility --field-trial-handle=5960,i,3210801877307184477,8078594481454001567,262144 --variations-seed-version --mojo-platform-channel-handle=5932 /prefetch:8
1⤵
PID:840

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=audio.mojom.AudioService --lang=en-US --service-sandbox-type=audio --field-trial-handle=6196,i,3210801877307184477,8078594481454001567,262144 --variations-seed-version --mojo-platform-channel-handle=6168 /prefetch:8
1⤵
PID:3376

C:\Windows\system32\AUDIODG.EXE
C:\Windows\system32\AUDIODG.EXE 0x3ec 0x46c
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:1500

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=edge_collections.mojom.CollectionsDataManager --lang=en-US --service-sandbox-type=collections --field-trial-handle=6708,i,3210801877307184477,8078594481454001567,262144 --variations-seed-version --mojo-platform-channel-handle=6668 /prefetch:8
1⤵
PID:1608

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --enable-dinosaur-easter-egg-alt-images --disable-gpu-compositing --video-capture-use-gpu-memory-buffer --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=23 --field-trial-handle=6716,i,3210801877307184477,8078594481454001567,262144 --variations-seed-version --mojo-platform-channel-handle=6744 /prefetch:1
1⤵
PID:1740

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --lang=en-US --service-sandbox-type=none --field-trial-handle=7280,i,3210801877307184477,8078594481454001567,262144 --variations-seed-version --mojo-platform-channel-handle=7268 /prefetch:8
1⤵
PID:2220

C:\Users\Admin\Downloads\Wave Executor.exe
"C:\Users\Admin\Downloads\Wave Executor.exe"
1⤵
- Suspicious use of SetWindowsHookEx
PID:3736

C:\Users\Admin\Downloads\Wave Executor.exe
"C:\Users\Admin\Downloads\Wave Executor.exe"
1⤵
- Suspicious use of SetWindowsHookEx
PID:1760

C:\Users\Admin\Downloads\Wave Executor.exe
"C:\Users\Admin\Downloads\Wave Executor.exe"
1⤵
- Suspicious use of SetWindowsHookEx
PID:2224

C:\Users\Admin\Downloads\Wave Executor.exe
"C:\Users\Admin\Downloads\Wave Executor.exe"
1⤵
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1836
- C:\Users\Admin\AppData\Local\Temp\RarSFX3\Wave.exe
  "C:\Users\Admin\AppData\Local\Temp\RarSFX3\Wave.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken
  PID:1008

C:\Users\Admin\Downloads\Wave Executor.exe
"C:\Users\Admin\Downloads\Wave Executor.exe"
1⤵
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:4820
- C:\Users\Admin\AppData\Local\Temp\RarSFX4\Wave.exe
  "C:\Users\Admin\AppData\Local\Temp\RarSFX4\Wave.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken
  PID:2436

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=edge_search_indexer.mojom.SearchIndexerInterfaceBroker --lang=en-US --service-sandbox-type=search_indexer --message-loop-type-ui --field-trial-handle=6624,i,3210801877307184477,8078594481454001567,262144 --variations-seed-version --mojo-platform-channel-handle=6600 /prefetch:8
1⤵
PID:4108

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Credentials from Password Stores

1

T1555

Credentials from Web Browsers

1

T1555.003

Unsecured Credentials

1

T1552

Credentials In Files

1

T1552.001

Discovery

Lateral Movement

Collection

Data from Local System

1

T1005

Command and Control

Web Service

1

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\RarSFX2\El_Gato_Original.png

Filesize
27KB

MD5
a3ecd8fb967d9a8cb4f96cd8680536cc

SHA1
cdf26ac06b737718bfd40db37f5d3e90afe71b48

SHA256
e46756a69e41a1ee74c428aff0bbb537844d80046fa860159eff341026dc8dca

SHA512
8b4800a4fe82467ab3003a4d2de9c0cc7d66c5c386221a00650f8862686cc61cf7805d9d5eb2126a1a88e430e8f0d7894a9b847906a6ae483aa5b661662fb2bc

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX2\Wave.exe

Filesize
78KB

MD5
7a535ac9af618ba9d847706ee1ce3882

SHA1
01e489f099620dc7056d7f770860d72c21d74c07

SHA256
9ab588f54d35b6ce3488ef1af4551d6a6c5e31b8d9d3fce0eca01be5d3e7a2bc

SHA512
042be4d0a45e1261e3ad78c8bc03dd6bb3977a3a229aa179155b6826b94c1bedb39b8e29c57005d708deb2e08d173aeefdc7c552b815e2f1507a6eb079573e26

Download Submit
memory/1008-26-0x0000023AD7350000-0x0000023AD7368000-memory.dmp

Filesize
96KB

Download
memory/1008-27-0x0000023AF1950000-0x0000023AF1B12000-memory.dmp

Filesize
1.8MB

Download
memory/1008-28-0x0000023AF2B40000-0x0000023AF3068000-memory.dmp

Filesize
5.2MB

Download
memory/1008-43-0x0000023AF1780000-0x0000023AF1882000-memory.dmp

Filesize
1.0MB

Download
memory/1008-45-0x0000023AF2610000-0x0000023AF2686000-memory.dmp

Filesize
472KB

Download
memory/1008-46-0x0000023AF1890000-0x0000023AF18A2000-memory.dmp

Filesize
72KB

Download
memory/1008-47-0x0000023AF18C0000-0x0000023AF18DE000-memory.dmp

Filesize
120KB

Download
memory/1008-51-0x0000023AF18E0000-0x0000023AF18EE000-memory.dmp

Filesize
56KB

Download
memory/2436-44-0x0000018E6D730000-0x0000018E6D832000-memory.dmp

Filesize
1.0MB

Download

Resubmissions

Analysis

Sharing