discordrat | 3b74433cf5326f6773070b943440bdcd7e609136a9a68e0de20d753323233a66

General

Target

3b74433cf5326f6773070b943440bdcd7e609136a9a68e0de20d753323233a66N.exe
Size

78KB
Sample

241128-jzklzsxldk
MD5

4781cac193ef3fa4fe29f7c673d22bc0
SHA1

8d95b6a01e69e7f03c14640e985493e080b6a24c
SHA256

3b74433cf5326f6773070b943440bdcd7e609136a9a68e0de20d753323233a66
SHA512

a18de2e8077ca165fb2f8f3efdaf2bc89bda3106e39c3ac98b4682f2fc7bd6abddd7217748506edf4d55a495a5fe9079dafbe8dccdf377c65bc5ef2f3d79d05d
SSDEEP

1536:52WjO8XeEXFh5P7v88wbjNrfxCXhRoKV6+V+kPIC:5Zv5PDwbjNrmAE+4IC

Score

10^/10

Malware Config

Extracted

Family

discordrat

Attributes

discord_token
MTMwOTYxMDc0MTgzNzU5NDcwNQ.GjVcMg.PxEOfc7OAMHHzxt0OgOgfExaZIarA9jXdHoqTI
server_id
1309598138776162314

Targets

- Target
  
  3b74433cf5326f6773070b943440bdcd7e609136a9a68e0de20d753323233a66N.exe
- Size
  
  78KB
- MD5
  
  4781cac193ef3fa4fe29f7c673d22bc0
- SHA1
  
  8d95b6a01e69e7f03c14640e985493e080b6a24c
- SHA256
  
  3b74433cf5326f6773070b943440bdcd7e609136a9a68e0de20d753323233a66
- SHA512
  
  a18de2e8077ca165fb2f8f3efdaf2bc89bda3106e39c3ac98b4682f2fc7bd6abddd7217748506edf4d55a495a5fe9079dafbe8dccdf377c65bc5ef2f3d79d05d
- SSDEEP
  
  1536:52WjO8XeEXFh5P7v88wbjNrfxCXhRoKV6+V+kPIC:5Zv5PDwbjNrmAE+4IC
Score

10^/10

discordrat discovery evasion persistence phishing privilege_escalation ransomware rat rootkit spyware stealer trojan
- Discord RAT
  A RAT written in C# using Discord as a C2.
  stealer rootkit rat persistence discordrat
- Discordrat family
  discordrat
- Renames multiple (294) files with added filename extension
  This suggests ransomware activity of encrypting all the files on the system.
  ransomware
- Boot or Logon Autostart Execution: Active Setup
  Adversaries may achieve persistence by adding a Registry key to the Active Setup of the local machine.
  persistence
- Downloads MZ/PE file
- A potential corporate email address has been identified in the URL: 6633dd5dcff475e6fb744426_&@2x.png
  phishing
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Event Triggered Execution: Component Object Model Hijacking
  Adversaries may establish persistence by executing malicious content triggered by hijacked references to Component Object Model (COM) objects.
  persistence privilege_escalation
- Executes dropped EXE
- Loads dropped DLL
- Reads user/profile data of web browsers
  Infostealers often target stored browser data, which can include saved credentials etc.
  spyware stealer
- Checks installed software on the system
  Looks up Uninstall key entries in the registry to enumerate software on the system.
  discovery
- Checks whether UAC is enabled
  evasion trojan
- Legitimate hosting services abused for malware hosting/C2
- Checks system information in the registry
  System information is often read in order to detect sandboxing environments.
- Drops file in System32 directory
- Enumerates processes with tasklist
  discovery
behavioral1