discordrat | 2ecbb7bc7319ecdcb2d9d4bbf38deabd2a3a93999e02f595d9413bb4b9767171

Sharing

Copy URL

Twitter E-mail

General

Target

virus.rar
Size

16.1MB
Sample

250101-fd5s9avpby
MD5

1f1227c4f5adbd1bbd0da542d65cb9bd
SHA1

391ec5b53a1010dbddbef355fb3908f9f397e644
SHA256

2ecbb7bc7319ecdcb2d9d4bbf38deabd2a3a93999e02f595d9413bb4b9767171
SHA512

44ded61a2fd0ca3c3b053fe494c2814e9040ee764ab9787339f8d24950ddeb47323d3b9dfe51d3732b79fe9279de950b8059f0cb020d94898442c043e45da945
SSDEEP

393216:jUWz9Iz3I9sGLyR5No1JOPww0rZ0jJ7ksBQwdr381J+TEhVDtaxpr5:84ZmnmwwwjzQwdHjH9

Score

10^/10

Malware Config

Extracted

Family

discordrat

Attributes

discord_token
MTMyMzg2NTkxNDI4NjAxODY2NQ.GWEzhT.LfNT1TRxrNi0wH4g7-xuQFdnyioFM2jNkyqNMk
server_id
1323845201596387451

Targets

- Target
  
  virus/Virus.exe
- Size
  
  431KB
- MD5
  
  59830c5bd23ee9a6731ab53357bae10c
- SHA1
  
  686d8930f5fd18a9b94a196fab728995d4f0a23c
- SHA256
  
  562da82431e0531463bd5ae23c4f52a74f8c279a3f172ea803b589f4259a904d
- SHA512
  
  63be6b7ff9486438e7a8e51ce7154a7d44ba51d324818a571fe06f5c8c1375129afe9851051148f466e00e704c1a950dc1a60a94c3506fb5caf98a44f0aa94ef
- SSDEEP
  
  6144:pc9yzJpeQF2ZcbTzHznY8XHyldgaPGr++7+EK/zJDi3RC4AQNMIoYrmLUMn5k:4yveQB/fTHIGaPkKEYzURNAwbAgMn5k
Score

7^/10
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
behavioral1 behavioral2
- Target
  
  virus/resources/Discord.exe
- Size
  
  78KB
- MD5
  
  4a65257ccc7cc5c6440dcefe5ad4523f
- SHA1
  
  0ee7ba38ed1f16cf4aaea11edb64e8275d674c10
- SHA256
  
  e82cec44f57277f6172f89f7107b46754e5d0f3aed3ce61c8dac13b258218dcf
- SHA512
  
  23839a073fcd6872edd105c7f8a8baca7dfa7c25f6f8c4e3e0c3f9da37862493c80825a5582c338d89fc08e35bc1fe9941b49cb7731b24f607e0fb06504b7449
- SSDEEP
  
  1536:52WjO8XeEXFh5P7v88wbjNrfxCXhRoKV6+V+ZPIC:5Zv5PDwbjNrmAE+pIC
Score

10^/10

discordrat persistence rat rootkit stealer
- Discord RAT
  A RAT written in C# using Discord as a C2.
  stealer rootkit rat persistence discordrat
- Discordrat family
  discordrat
behavioral3 behavioral4
- Target
  
  virus/resources/Gen.exe
- Size
  
  37.3MB
- MD5
  
  d42259a00c855fd74a801ba985c8c461
- SHA1
  
  cd197e5db4eda2d7fc2e5836ac6e2d783bf2d95c
- SHA256
  
  ef03f85be4432bf02d4f2c51d06ad58fd0c3cbb6d56aa21219f922ac985da564
- SHA512
  
  6f2d47ac0043abd9a44795ca8a195cfafa2ac274afb7bd4daf4dfaf30fd612a5c971fd5e409d89315319920efaedd723dbfc2d091aac57c2f99509947f3d171a
- SSDEEP
  
  393216:RQgHDlanaGBXvDKtz+bhPWES4tiNQPNrIKc4gaPbUAgrO4mgH96l+ZArYsFRlUPb:R3on1HvSzxAMNHFZArYscPvzP7OZu
Score

10^/10

discovery evasion execution persistence spyware stealer trojan
- UAC bypass
  evasion trojan
- Command and Scripting Interpreter: PowerShell
  Using powershell.exe command.
  execution
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Executes dropped EXE
- Loads dropped DLL
- Reads user/profile data of web browsers
  Infostealers often target stored browser data, which can include saved credentials etc.
  spyware stealer
- Adds Run key to start application
  persistence
- Blocklisted process makes network request
- Checks installed software on the system
  Looks up Uninstall key entries in the registry to enumerate software on the system.
  discovery
- Enumerates connected drives
  Attempts to read the root path of hard drives other than the default C: drive.
- Legitimate hosting services abused for malware hosting/C2
- An obfuscated cmd.exe command-line is typically used to evade detection.
- Drops file in System32 directory
- Enumerates processes with tasklist
  discovery
behavioral5 behavioral6
- Target
  
  virus/resources/nitro.py
- Size
  
  344B
- MD5
  
  c8da61d14ba6f678299a245425342120
- SHA1
  
  02c2eac1ac13a41e9e228ed208699e18ed78df65
- SHA256
  
  c20d3ef3f674052b2782d3db3e6173bdb2d962f769dca3243f18bd4db6d01096
- SHA512
  
  359ccf0702403394dabc6d5c5b5c18293ff32bac4bab8572dbab824b68ef3ba8be89c392f3c2ab522d1b53b648e911733c9e77951bc282dfa3037576b940869c
Score

3^/10

discovery
behavioral7 behavioral8