discordrat | 4b3249c78c50f2f2cdb9befa5a8a0c6f1060f617d4baa0602e8bff3bb91c8cc8

Analysis

max time kernel
63s
max time network
64s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
23-11-2024 12:37

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

net6.0/HardAntiCheat.exe
Size

147KB
MD5

26cbc4c30f31bf1f3038edab23ebb203
SHA1

def825211a357f4a195c45e469edc7d52a713b09
SHA256

d47c9ed0a5f0ddce20c786251eedfe119e929f6c9d9aaf835fc3f472b8e4a724
SHA512

7c960d654473c66efe0e66f73a6ff9177eccdbeb6baeda6b56cc34b4630db4bf5f90ac3c08f875ddda646e64d4822e8eadaf487ea2dc497d1fffb075532805a6
SSDEEP

3072:K5vnr5Tbx829UOeKnn2LFzZBp13u36wKp4FULCzo1:KBKjK2LFzZNf+UL2

Score

10^/10

discordrat persistence rat rootkit stealer

Malware Config

Extracted

Family

discordrat

Attributes

discord_token
MTMwOTYxMDc0MTgzNzU5NDcwNQ.GjVcMg.PxEOfc7OAMHHzxt0OgOgfExaZIarA9jXdHoqTI
server_id
1309598138776162314

Signatures

Discord RAT
A RAT written in C# using Discord as a C2.
stealer rootkit rat persistence discordrat
Discordrat family
discordrat
Downloads MZ/PE file

Executes dropped EXE 1 IoCs

pid	Process
2808	Celestial.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs 7 IoCs

Web Service

T1102

flow	ioc
25	discord.com
31	discord.com
32	discord.com
33	discord.com
34	discord.com
19	discord.com
20	discord.com

Suspicious behavior: EnumeratesProcesses 5 IoCs

pid	Process
4520	HardAntiCheat.exe
4520	HardAntiCheat.exe
4520	HardAntiCheat.exe
4520	HardAntiCheat.exe
4520	HardAntiCheat.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	4520	HardAntiCheat.exe
Token: SeDebugPrivilege	2808	Celestial.exe

Suspicious use of WriteProcessMemory 2 IoCs

description	pid	Process	procid_target
PID 4520 wrote to memory of 2808	4520	HardAntiCheat.exe	83
PID 4520 wrote to memory of 2808	4520	HardAntiCheat.exe	83

C:\Users\Admin\AppData\Local\Temp\net6.0\HardAntiCheat.exe
"C:\Users\Admin\AppData\Local\Temp\net6.0\HardAntiCheat.exe"
1⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4520
- C:\Users\Admin\AppData\Local\Temp\Celestial.exe
  "C:\Users\Admin\AppData\Local\Temp\Celestial.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken
  PID:2808

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\Celestial.exe

Filesize
78KB

MD5
4781cac193ef3fa4fe29f7c673d22bc0

SHA1
8d95b6a01e69e7f03c14640e985493e080b6a24c

SHA256
3b74433cf5326f6773070b943440bdcd7e609136a9a68e0de20d753323233a66

SHA512
a18de2e8077ca165fb2f8f3efdaf2bc89bda3106e39c3ac98b4682f2fc7bd6abddd7217748506edf4d55a495a5fe9079dafbe8dccdf377c65bc5ef2f3d79d05d

Download Submit
memory/2808-7-0x000001B3F92C0000-0x000001B3F9482000-memory.dmp

Filesize
1.8MB

Download
memory/2808-6-0x00007FF8CD133000-0x00007FF8CD135000-memory.dmp

Filesize
8KB

Download
memory/2808-5-0x000001B3DEC30000-0x000001B3DEC48000-memory.dmp

Filesize
96KB

Download
memory/2808-8-0x00007FF8CD130000-0x00007FF8CDBF1000-memory.dmp

Filesize
10.8MB

Download
memory/2808-9-0x000001B3F9AC0000-0x000001B3F9FE8000-memory.dmp

Filesize
5.2MB

Download
memory/2808-10-0x00007FF8CD133000-0x00007FF8CD135000-memory.dmp

Filesize
8KB

Download
memory/2808-11-0x00007FF8CD130000-0x00007FF8CDBF1000-memory.dmp

Filesize
10.8MB

Download
memory/4520-0-0x00007FF8CEA1B000-0x00007FF8CEA1C000-memory.dmp

Filesize
4KB

Download