discordrat | 817895843ca79f95bba330777c459800172c0953b15382b07805d518d4b9221c

Analysis

max time kernel
146s
max time network
151s
platform
windows11-21h2_x64
resource
win11-20241023-en
resource tags

arch:x64arch:x86image:win11-20241023-enlocale:en-usos:windows11-21h2-x64system
submitted
14-12-2024 17:26

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

freecleaner.exe
Size

78KB
MD5

6eeeeea18017474e2e4da3c7810a05d3
SHA1

f2650b7e5e6183d93be9c07d545bbb635a9e75a8
SHA256

817895843ca79f95bba330777c459800172c0953b15382b07805d518d4b9221c
SHA512

3724cee41bd0905aa7bb7dd951fb20b6dcc6eb374c40975eb7252fcf42eac6a5ccf92b6bce09279f5da223fb4a941c52135fafd510378e2fe5f9009bd2b88593
SSDEEP

1536:52WjO8XeEXFh5P7v88wbjNrfxCXhRoKV6+V+sPIC:5Zv5PDwbjNrmAE+AIC

Score

10^/10

discordrat persistence rat rootkit stealer

Malware Config

Extracted

Family

discordrat

Attributes

discord_token
MTMxNzU0MjQwODMzMzk1MTA3Nw.GX_hdt.w7AebodV0QCNM96Rr6RqNH51ig5Z6JeW_6T6NI
server_id
1317542263232004146

Signatures

Discord RAT
A RAT written in C# using Discord as a C2.
stealer rootkit rat persistence discordrat
Discordrat family
discordrat

Modifies registry class 1 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-4248760313-3670024077-2384670640-1000_Classes\Local Settings\MuiCache	MiniSearchHost.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	4292	freecleaner.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
3020	MiniSearchHost.exe

C:\Users\Admin\AppData\Local\Temp\freecleaner.exe
"C:\Users\Admin\AppData\Local\Temp\freecleaner.exe"
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:4292

C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\MiniSearchHost.exe
"C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\MiniSearchHost.exe" -ServerName:MiniSearchUI.AppXj3y73at8fy1htwztzxs68sxx1v7cksp7.mca
1⤵
- Modifies registry class
- Suspicious use of SetWindowsHookEx
PID:3020

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Packages\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\TempState\SearchHoverUnifiedTileModelCache.dat

Filesize
10KB

MD5
964219fcbf4c1e0008bc5e05686367a9

SHA1
685a0b860afbfd43305bc67763e41b296a22ba8b

SHA256
4f4388ce8c3055db4827ad4b6d7d6ffc7bead99955a3fbe44ab3a5454651ae25

SHA512
2745f64b2bd54740a5c1f754785c39eeda9b6b5112707cc8630ba188638442de7c636446f750aeb340905d9da26f96ee4e7f7c96e2b690058ce29d7b6efe8c16

Download Submit
C:\Users\Admin\AppData\Local\Packages\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\TempState\SearchHoverUnifiedTileModelCache.dat

Filesize
10KB

MD5
1301a13a0b62ba61652cdbf2d61f80fa

SHA1
1911d1f0d097e8f5275a29e17b0bcef305df1d9e

SHA256
7e75ad955706d05f5934810aebbd3b5a7742d5e5766efd9c4fc17ee492b2f716

SHA512
66aa4261628bb31ee416af70f4159c02e5bbfbe2f7645e87d70bb35b1f20fa915d62b25d99cd72c59580d1f64e6c6b5ad36ace6600d3bcdb67f45036d768ed8b

Download Submit
memory/4292-0-0x00007FFF67D53000-0x00007FFF67D55000-memory.dmp

Filesize
8KB

Download
memory/4292-1-0x000002A47D1C0000-0x000002A47D1D8000-memory.dmp

Filesize
96KB

Download
memory/4292-2-0x000002A47F840000-0x000002A47FA02000-memory.dmp

Filesize
1.8MB

Download
memory/4292-3-0x00007FFF67D50000-0x00007FFF68812000-memory.dmp

Filesize
10.8MB

Download
memory/4292-4-0x000002A4192B0000-0x000002A4197D8000-memory.dmp

Filesize
5.2MB

Download
memory/4292-12-0x00007FFF67D53000-0x00007FFF67D55000-memory.dmp

Filesize
8KB

Download
memory/4292-25-0x00007FFF67D50000-0x00007FFF68812000-memory.dmp

Filesize
10.8MB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads