discordrat | 1d184c635a032625f10639ec3458a6f8d0a36a6a82078a11b820924f39056080

Resubmissions

12-12-2024 19:55

241212-ym8klsxnfp 10

12-12-2024 19:20

12-12-2024 19:16

12-12-2024 19:16

12-12-2024 18:49

12-12-2024 18:46

12-12-2024 18:39

12-12-2024 18:27

Analysis

max time kernel
88s
max time network
102s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
12-12-2024 19:16

Sharing

Copy URL

Twitter E-mail

Reason

Machine shutdown

Report Analysis Logs

General

Target

mta.exe
Size

98KB
MD5

778dce14368e8b1105544c43ce09d2f1
SHA1

81c7cc17d48b8c5e6e5b9cc1efc8bbae1646dcb0
SHA256

1d184c635a032625f10639ec3458a6f8d0a36a6a82078a11b820924f39056080
SHA512

31a517a024726bef90c60c05173852de117e27960e981ec92456e6a3e4c0b6ac50437b8bfd2ced7afbad2a81c3e00a4c9bd5622af2236f3ae37856d6fd9d4aab
SSDEEP

1536:Vic45PApy/vpjAnT9ZqzY4r5VVZDAcE3VCQfwbJ6Pr5+NzxCxoKV6+UyNV:AxApgR8T9EE4r5n8rwbJ6Pr5+zNyj

Score

10^/10

discordrat persistence rat rootkit stealer

Malware Config

Signatures

Contains code to disable Windows Defender 1 IoCs

A .NET executable tasked with disabling Windows Defender capabilities such as realtime monitoring, blocking at first seen, etc.

resource	yara_rule
behavioral1/memory/3944-1-0x000001EE2FEA0000-0x000001EE2FEBC000-memory.dmp	disable_win_def

Discord RAT
A RAT written in C# using Discord as a C2.
stealer rootkit rat persistence discordrat
Discordrat family
discordrat

Legitimate hosting services abused for malware hosting/C2 1 TTPs 21 IoCs

Web Service

T1102

flow	ioc
33	discord.com
48	discord.com
50	discord.com
51	discord.com
53	discord.com
11	discord.com
32	discord.com
59	discord.com
52	discord.com
57	discord.com
19	discord.com
63	discord.com
43	discord.com
49	discord.com
58	discord.com
60	discord.com
61	discord.com
62	discord.com
10	discord.com
39	discord.com
64	discord.com

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	3944	mta.exe
Token: SeShutdownPrivilege	3944	mta.exe

C:\Users\Admin\AppData\Local\Temp\mta.exe
"C:\Users\Admin\AppData\Local\Temp\mta.exe"
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:3944

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/3944-0-0x00007FF849A43000-0x00007FF849A45000-memory.dmp

Filesize
8KB

Download
memory/3944-1-0x000001EE2FEA0000-0x000001EE2FEBC000-memory.dmp

Filesize
112KB

Download
memory/3944-2-0x000001EE4A470000-0x000001EE4A632000-memory.dmp

Filesize
1.8MB

Download
memory/3944-3-0x00007FF849A40000-0x00007FF84A501000-memory.dmp

Filesize
10.8MB

Download
memory/3944-4-0x000001EE4AC70000-0x000001EE4B198000-memory.dmp

Filesize
5.2MB

Download
memory/3944-5-0x00007FF849A43000-0x00007FF849A45000-memory.dmp

Filesize
8KB

Download
memory/3944-6-0x00007FF849A40000-0x00007FF84A501000-memory.dmp

Filesize
10.8MB

Download
memory/3944-7-0x000001EE4A830000-0x000001EE4A9D9000-memory.dmp

Filesize
1.7MB

Download
memory/3944-8-0x000001EE4A830000-0x000001EE4A9D9000-memory.dmp

Filesize
1.7MB

Download
memory/3944-9-0x000001EE4A830000-0x000001EE4A9D9000-memory.dmp

Filesize
1.7MB

Download
memory/3944-10-0x000001EE4A830000-0x000001EE4A9D9000-memory.dmp

Filesize
1.7MB

Download
memory/3944-11-0x000001EE4A830000-0x000001EE4A9D9000-memory.dmp

Filesize
1.7MB

Download
memory/3944-12-0x000001EE4A830000-0x000001EE4A9D9000-memory.dmp

Filesize
1.7MB

Download