discordrat | 9703da72a1327e34d5c607746a69f0be96813ca34479ee08cada4ac2bb7ea367

Analysis

max time kernel
27s
max time network
39s
platform
windows10-ltsc 2021_x64
resource
win10ltsc2021-20241211-en
resource tags

arch:x64arch:x86image:win10ltsc2021-20241211-enlocale:en-usos:windows10-ltsc 2021-x64system
submitted
30-12-2024 18:47

Sharing

Copy URL

Twitter E-mail

Reason

Machine shutdown

Report Analysis Logs

General

Target

cookie gr4bber.exe
Size

78KB
MD5

0747b9a3dd24706bda9830106608cd6a
SHA1

505d31f334ef718487765eb51625665a16b55d62
SHA256

9703da72a1327e34d5c607746a69f0be96813ca34479ee08cada4ac2bb7ea367
SHA512

8a1d42e27d3a7dd058604d0f4a1642840132ae97408acd4374518dedc61fc0a2f189964ac5c6665d72a62236c8f5a2da37a8a63c479776a2bc44619b1ce8d4e2
SSDEEP

1536:52WjO8XeEXFh5P7v88wbjNrfxCXhRoKV6+V+5PIC:5Zv5PDwbjNrmAE+JIC

Score

10^/10

discordrat persistence rat rootkit spyware stealer

Malware Config

Extracted

Family

discordrat

Attributes

discord_token
MTMyMjkyMTM0NzEwNTU1NDQ3NA.G7_d7r.iHTBAwbhT0TxJl-tFfpdojbnLGiugDpc-w0oXs
server_id
1322920245907820584

Signatures

Discord RAT
A RAT written in C# using Discord as a C2.
stealer rootkit rat persistence discordrat
Discordrat family
discordrat
Downloads MZ/PE file
Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Credentials from Web Browsers
T1555.003

Legitimate hosting services abused for malware hosting/C2 1 TTPs 11 IoCs

Web Service

T1102

flow	ioc
35	discord.com
36	discord.com
37	discord.com
38	discord.com
12	discord.com
13	discord.com
22	discord.com
32	discord.com
30	raw.githubusercontent.com
31	raw.githubusercontent.com
34	discord.com

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	5040	cookie gr4bber.exe
Token: SeShutdownPrivilege	5040	cookie gr4bber.exe

C:\Users\Admin\AppData\Local\Temp\cookie gr4bber.exe
"C:\Users\Admin\AppData\Local\Temp\cookie gr4bber.exe"
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:5040

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Credentials from Password Stores

T1555

Credentials from Web Browsers

T1555.003

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/5040-1-0x0000028BD2930000-0x0000028BD2948000-memory.dmp

Filesize
96KB

Download
memory/5040-0-0x00007FFDB7AC3000-0x00007FFDB7AC5000-memory.dmp

Filesize
8KB

Download
memory/5040-2-0x0000028BED020000-0x0000028BED1E2000-memory.dmp

Filesize
1.8MB

Download
memory/5040-3-0x00007FFDB7AC0000-0x00007FFDB8582000-memory.dmp

Filesize
10.8MB

Download
memory/5040-4-0x0000028BED860000-0x0000028BEDD88000-memory.dmp

Filesize
5.2MB

Download
memory/5040-5-0x00007FFDB7AC3000-0x00007FFDB7AC5000-memory.dmp

Filesize
8KB

Download
memory/5040-6-0x00007FFDB7AC0000-0x00007FFDB8582000-memory.dmp

Filesize
10.8MB

Download
memory/5040-7-0x0000028BED330000-0x0000028BED5FA000-memory.dmp

Filesize
2.8MB

Download