discordrat | 817895843ca79f95bba330777c459800172c0953b15382b07805d518d4b9221c

Analysis

max time kernel
147s
max time network
150s
platform
windows11-21h2_x64
resource
win11-20241007-en
resource tags

arch:x64arch:x86image:win11-20241007-enlocale:en-usos:windows11-21h2-x64system
submitted
14-12-2024 17:25

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

freecleaner.exe
Size

78KB
MD5

6eeeeea18017474e2e4da3c7810a05d3
SHA1

f2650b7e5e6183d93be9c07d545bbb635a9e75a8
SHA256

817895843ca79f95bba330777c459800172c0953b15382b07805d518d4b9221c
SHA512

3724cee41bd0905aa7bb7dd951fb20b6dcc6eb374c40975eb7252fcf42eac6a5ccf92b6bce09279f5da223fb4a941c52135fafd510378e2fe5f9009bd2b88593
SSDEEP

1536:52WjO8XeEXFh5P7v88wbjNrfxCXhRoKV6+V+sPIC:5Zv5PDwbjNrmAE+AIC

Score

10^/10

discordrat persistence rat rootkit stealer

Malware Config

Extracted

Family

discordrat

Attributes

discord_token
MTMxNzU0MjQwODMzMzk1MTA3Nw.GX_hdt.w7AebodV0QCNM96Rr6RqNH51ig5Z6JeW_6T6NI
server_id
1317542263232004146

Signatures

Discord RAT
A RAT written in C# using Discord as a C2.
stealer rootkit rat persistence discordrat
Discordrat family
discordrat

Modifies registry class 1 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-2253712635-4068079004-3870069674-1000_Classes\Local Settings\MuiCache	MiniSearchHost.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	2740	freecleaner.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
4852	MiniSearchHost.exe

C:\Users\Admin\AppData\Local\Temp\freecleaner.exe
"C:\Users\Admin\AppData\Local\Temp\freecleaner.exe"
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:2740

C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\MiniSearchHost.exe
"C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\MiniSearchHost.exe" -ServerName:MiniSearchUI.AppXj3y73at8fy1htwztzxs68sxx1v7cksp7.mca
1⤵
- Modifies registry class
- Suspicious use of SetWindowsHookEx
PID:4852

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Packages\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\TempState\SearchHoverUnifiedTileModelCache.dat

Filesize
10KB

MD5
b66799d715b113faf28da5aaba5528ef

SHA1
1b20576808d17c24f7abf2c49a7facfbc1480da4

SHA256
bb7ed85e7a1833e5a31d62882937ee6b094f2421b9d1c8d9b6e64b9845b29868

SHA512
93d4708a2f4bb3ca7b5bcb0f3dc13eb5e93bfa5e485845822d67770e4c0217797f330ab9395598b1d7452cc8191e4d3848a1b268a6cd1b7a5001266ce53794d6

Download Submit
C:\Users\Admin\AppData\Local\Packages\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\TempState\SearchHoverUnifiedTileModelCache.dat

Filesize
10KB

MD5
77a8b2c86dd26c214bc11c989789b62d

SHA1
8b0f2d9d0ded2d7f9bff8aed6aefd6b3fdd1a499

SHA256
e288c02cbba393c9703519e660bf8709331f11978c6d994ea2a1346eef462cb8

SHA512
c287e3ae580343c43a5354347ca5444f54840fba127a2b1edc897b1dfea286fa37b5808f6e89f535c4022db8b3f29448aa4cc2f41ab0f308eec525a99fac4e5e

Download Submit
memory/2740-0-0x00007FFA50573000-0x00007FFA50575000-memory.dmp

Filesize
8KB

Download
memory/2740-1-0x000001CFC7CA0000-0x000001CFC7CB8000-memory.dmp

Filesize
96KB

Download
memory/2740-2-0x000001CFE2420000-0x000001CFE25E2000-memory.dmp

Filesize
1.8MB

Download
memory/2740-3-0x00007FFA50570000-0x00007FFA51032000-memory.dmp

Filesize
10.8MB

Download
memory/2740-4-0x000001CFE36F0000-0x000001CFE3C18000-memory.dmp

Filesize
5.2MB

Download
memory/2740-25-0x00007FFA50573000-0x00007FFA50575000-memory.dmp

Filesize
8KB

Download
memory/2740-26-0x00007FFA50570000-0x00007FFA51032000-memory.dmp

Filesize
10.8MB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads