discordrat | 848461762e8e088552937dae402e602823a8fe71825d7e7b78906b8fe63f48ab

Analysis

max time kernel
38s
max time network
39s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
10-12-2024 05:29

Sharing

Copy URL

Twitter E-mail

Reason

Machine shutdown

Report Analysis Logs

General

Target

Client-built.exe
Size

78KB
MD5

11b2efacd2363d0961eac810e8e64e82
SHA1

6c495dbfe4fdeed6598fb095ebe18d9855ac9135
SHA256

848461762e8e088552937dae402e602823a8fe71825d7e7b78906b8fe63f48ab
SHA512

81322bfdcc8c590551c727cbbc59ce1ee8004b018a58bd45e08f0aab2329aedc913ebaac3f4aadbb76f3bdfbd05107001f2019351855b6fee76ea020c4251a40
SSDEEP

1536:52WjO8XeEXFh5P7v88wbjNrfxCXhRoKV6+V+pPIC:5Zv5PDwbjNrmAE+ZIC

Score

10^/10

discordrat persistence rat rootkit stealer

Malware Config

Extracted

Family

discordrat

Attributes

discord_token
MTMxNTgyOTU4NTc4NjQzNzY0NA.GDrlZE.E07eQJCdnIGK538I7TwnlPOFd1M8TZJDMM9qBw
server_id
1315830690436349982

Signatures

Discord RAT
A RAT written in C# using Discord as a C2.
stealer rootkit rat persistence discordrat
Discordrat family
discordrat
Downloads MZ/PE file

Legitimate hosting services abused for malware hosting/C2 1 TTPs 11 IoCs

Web Service

T1102

flow	ioc
31	discord.com
9	discord.com
14	discord.com
29	discord.com
32	discord.com
33	raw.githubusercontent.com
34	raw.githubusercontent.com
35	discord.com
36	discord.com
20	discord.com
28	discord.com

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	2468	Client-built.exe
Token: SeShutdownPrivilege	2468	Client-built.exe

C:\Users\Admin\AppData\Local\Temp\Client-built.exe
"C:\Users\Admin\AppData\Local\Temp\Client-built.exe"
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:2468

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/2468-0-0x00007FFD50683000-0x00007FFD50685000-memory.dmp

Filesize
8KB

Download
memory/2468-1-0x00000220D7690000-0x00000220D76A8000-memory.dmp

Filesize
96KB

Download
memory/2468-2-0x00000220F1CE0000-0x00000220F1EA2000-memory.dmp

Filesize
1.8MB

Download
memory/2468-3-0x00007FFD50680000-0x00007FFD51141000-memory.dmp

Filesize
10.8MB

Download
memory/2468-4-0x00000220F24E0000-0x00000220F2A08000-memory.dmp

Filesize
5.2MB

Download
memory/2468-5-0x00007FFD50683000-0x00007FFD50685000-memory.dmp

Filesize
8KB

Download
memory/2468-6-0x00007FFD50680000-0x00007FFD51141000-memory.dmp

Filesize
10.8MB

Download
memory/2468-7-0x00000220D9310000-0x00000220D931E000-memory.dmp

Filesize
56KB

Download