discordrat | 22ec463efcdbe25769d052b8c7efbc906308b4cb0c9b4a050e9f87d9d3c9603f | Triage

Sharing

General

Target

sonic‮gpj.exe
Size

517KB
Sample

250106-fdzx1awpdz
MD5

61fbc144acd42d18cbfc6120d4ca62d8
SHA1

ec8c85882a46b554abf6bc7772c0ef6725d6cc4f
SHA256

22ec463efcdbe25769d052b8c7efbc906308b4cb0c9b4a050e9f87d9d3c9603f
SHA512

5c327ede9b0536fe9bc3ca3da93533cc6ae2db51286daa66b75c05042593911c104a4a3a0525080a6be35b1fe224bb0f67ca79fdc82167b1a93c30d7c88c1692
SSDEEP

12288:2CQjgAtAHM+vetZxF5EWry8AJGy0y+qy8qyBqImFFQ:25ZWs+OZVEWry8AFBdy8jq5XQ

Score

10^/10

discordrat persistence ransomware rat rootkit spyware stealer

Malware Config

Extracted

Family

discordrat

Attributes

discord_token
MTE3MDQzNjc1NDU1NDI0NTE4MA.GrJnns.JzVbnDDcfKhzDhFYb8KVjb0LIZJvOQ-Q9G9LCQ
server_id
1298154591732629564

Targets

- Target
  
  sonic‮gpj.exe
- Size
  
  517KB
- MD5
  
  61fbc144acd42d18cbfc6120d4ca62d8
- SHA1
  
  ec8c85882a46b554abf6bc7772c0ef6725d6cc4f
- SHA256
  
  22ec463efcdbe25769d052b8c7efbc906308b4cb0c9b4a050e9f87d9d3c9603f
- SHA512
  
  5c327ede9b0536fe9bc3ca3da93533cc6ae2db51286daa66b75c05042593911c104a4a3a0525080a6be35b1fe224bb0f67ca79fdc82167b1a93c30d7c88c1692
- SSDEEP
  
  12288:2CQjgAtAHM+vetZxF5EWry8AJGy0y+qy8qyBqImFFQ:25ZWs+OZVEWry8AFBdy8jq5XQ
Score

10^/10

discordrat persistence rat rootkit stealer ransomware spyware
- Discord RAT
  A RAT written in C# using Discord as a C2.
  stealer rootkit rat persistence discordrat
- Discordrat family
  discordrat
- Downloads MZ/PE file
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Executes dropped EXE
- Loads dropped DLL
- Reads user/profile data of web browsers
  Infostealers often target stored browser data, which can include saved credentials etc.
  spyware stealer
- Legitimate hosting services abused for malware hosting/C2
- Sets desktop wallpaper using registry
  ransomware
behavioral1 behavioral2

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

Credential Access

Credentials from Password Stores

Credentials from Web Browsers

Unsecured Credentials

Credentials In Files

Discovery

Query Registry

System Information Discovery

Lateral Movement

Collection

Data from Local System

Command and Control

Web Service

Exfiltration

Impact

Defacement

Tasks

static1

behavioral1

discordratpersistenceratrootkitstealer

behavioral2

discordratpersistenceransomwareratrootkitspywarestealer