Analysis
max time kernel: 63s
max time network: 66s
platform: windows10-ltsc 2021_x64
resource: win10ltsc2021-20241211-en
resource tags: arch:x64, arch:x86, image:win10ltsc2021-20241211-en, locale:en-us, os:windows10-ltsc 2021-x64, system
submitted: 23-12-2024 12:09
Static task: static1
URLScan task: urlscan1
Behavioral task: behavioral1
Sample: https://github.com/moom825/Discord-RAT-2.0/releases/download/2.0/release.zip
Resource: win10ltsc2021-20241211-en
General
Target: https://github.com/moom825/Discord-RAT-2.0/releases/download/2.0/release.zip
Malware Config
Signatures
Discord RAT
A RAT written in C# using Discord as a C2.
Discordrat family
Executes dropped EXE 1 IoCs
- pid 4520 | Process Client-built.exe
System Location Discovery: System Language Discovery 1 TTPs 1 IoCs
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
- Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | builder.exe
Checks processor information in registry 2 TTPs 12 IoCs
Processor information is often read in order to detect sandboxing environments.
- Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 | firefox.exe
- Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Revision | firefox.exe
- Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier | firefox.exe
- Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString | firefox.exe
- Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString | firefox.exe
- Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Signature | firefox.exe
- Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 | firefox.exe
- Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz | firefox.exe
- Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz | firefox.exe
- Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 | firefox.exe
- Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz | firefox.exe
- Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier | firefox.exe
Modifies registry class 1 IoCs
- Key created | \REGISTRY\USER\S-1-5-21-3226857575-536881564-1522996248-1000_Classes\Local Settings | firefox.exe
NTFS ADS 1 IoCs
- File created | C:\Users\Admin\Downloads\release.zip:Zone.Identifier | firefox.exe
Suspicious use of AdjustPrivilegeToken 6 IoCs
- Token: SeDebugPrivilege | pid 824 | firefox.exe (3 entries)
- Token: SeDebugPrivilege | pid 4512 | Discord rat.exe
- Token: SeDebugPrivilege | pid 4520 | Client-built.exe
- Token: SeDebugPrivilege | pid 1516 | Discord rat.exe
Suspicious use of FindShellTrayWindow 26 IoCs
- pid 824 | firefox.exe (26 entries)
Suspicious use of SendNotifyMessage 24 IoCs
- pid 824 | firefox.exe (24 entries)
Suspicious use of SetWindowsHookEx 4 IoCs
- pid 824 | firefox.exe (4 entries)
Suspicious use of WriteProcessMemory 64 IoCs
- PID 1228 (firefox.exe) wrote to memory of PID 824, procid_target 83 (11 entries)
- PID 824 (firefox.exe) wrote to memory of PID 1348, procid_target 84 (45 entries)
- PID 824 (firefox.exe) wrote to memory of PID 2632, procid_target 85 (8 entries)
Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
Processes
- PID 1228: "C:\Program Files\Mozilla Firefox\firefox.exe" -osint -url "https://github.com/moom825/Discord-RAT-2.0/releases/download/2.0/release.zip"
  - Suspicious use of WriteProcessMemory
  - PID 824: "C:\Program Files\Mozilla Firefox\firefox.exe" -osint -url https://github.com/moom825/Discord-RAT-2.0/releases/download/2.0/release.zip
    - Checks processor information in registry
    - Modifies registry class
    - NTFS ADS
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SendNotifyMessage
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    - PID 1348: "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=1952 -parentBuildID 20240401114208 -prefsHandle 1880 -prefMapHandle 1872 -prefsLen 23839 -prefMapSize 244658 -appDir "C:\Program Files\Mozilla Firefox\browser" - {a221f531-be84-4f7b-b8dd-56ed56d5e345} 824 "\\.\pipe\gecko-crash-server-pipe.824" gpu
    - PID 2632: "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=2404 -parentBuildID 20240401114208 -prefsHandle 2380 -prefMapHandle 2376 -prefsLen 24759 -prefMapSize 244658 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {c71f01f4-b5f9-4bd8-ac0e-898d5570d5eb} 824 "\\.\pipe\gecko-crash-server-pipe.824" socket
      - Checks processor information in registry
    - PID 2040: "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=2860 -childID 1 -isForBrowser -prefsHandle 2992 -prefMapHandle 3112 -prefsLen 22700 -prefMapSize 244658 -jsInitHandle 904 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {923bd528-09f0-4475-9a8a-cb18fbc96480} 824 "\\.\pipe\gecko-crash-server-pipe.824" tab
    - PID 932: "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=3644 -childID 2 -isForBrowser -prefsHandle 3640 -prefMapHandle 2796 -prefsLen 29249 -prefMapSize 244658 -jsInitHandle 904 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {4b8d0706-f61e-4e22-ae36-0084b9446a94} 824 "\\.\pipe\gecko-crash-server-pipe.824" tab
    - PID 4880: "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=4780 -parentBuildID 20240401114208 -sandboxingKind 0 -prefsHandle 4776 -prefMapHandle 2536 -prefsLen 29249 -prefMapSize 244658 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {59fd9913-0170-4c7a-a1b7-7c7afaef6fcf} 824 "\\.\pipe\gecko-crash-server-pipe.824" utility
      - Checks processor information in registry
    - PID 2584: "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=5352 -childID 3 -isForBrowser -prefsHandle 5384 -prefMapHandle 5344 -prefsLen 27099 -prefMapSize 244658 -jsInitHandle 904 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {67e770ed-5b4d-403d-ae3c-027dee0afd39} 824 "\\.\pipe\gecko-crash-server-pipe.824" tab
    - PID 320: "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=5544 -childID 4 -isForBrowser -prefsHandle 5548 -prefMapHandle 5520 -prefsLen 27099 -prefMapSize 244658 -jsInitHandle 904 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {5a43e9c1-4753-46dc-86f5-001a753b2f86} 824 "\\.\pipe\gecko-crash-server-pipe.824" tab
    - PID 1672: "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=5384 -childID 5 -isForBrowser -prefsHandle 5620 -prefMapHandle 5556 -prefsLen 27099 -prefMapSize 244658 -jsInitHandle 904 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {de3fcb5b-6d73-4cfb-b4b2-afd0ad97de47} 824 "\\.\pipe\gecko-crash-server-pipe.824" tab
- PID 1960: C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
- PID 4512: "C:\Users\Admin\Desktop\release\Release\Discord rat.exe"
  - Suspicious use of AdjustPrivilegeToken
- PID 3628: "C:\Users\Admin\Desktop\release\builder.exe"
  - System Location Discovery: System Language Discovery
- PID 4520: "C:\Users\Admin\Desktop\release\Client-built.exe"
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken
- PID 1516: "C:\Users\Admin\Desktop\release\Release\Discord rat.exe"
  - Suspicious use of AdjustPrivilegeToken
Network
MITRE ATT&CK Enterprise v15
Downloads