discordrat | f6022caf3cccb74e26a03da0d8422cf3dab58e91219cf1d658c473f916488d98

Analysis

max time kernel
18s
max time network
42s
platform
windows11-21h2_x64
resource
win11-20241007-en
resource tags

arch:x64arch:x86image:win11-20241007-enlocale:en-usos:windows11-21h2-x64system
submitted
06-01-2025 08:29

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

Tha Bronx Script.exe
Size

527KB
MD5

2732d0596aff1192a6c73f8201c034d4
SHA1

b93d7eace4ef1548717a23d198b6b3d4f00c579d
SHA256

f6022caf3cccb74e26a03da0d8422cf3dab58e91219cf1d658c473f916488d98
SHA512

c384b1d49411da85fd89fe8813a91ab2311c42bd68eff16798811b4a146c414c4c6812ba9fa7577e9fc4147f0a6b48e3cca9e0132e14a5bc129206ac1483cbf9
SSDEEP

12288:ZyveQB/fTHIGaPkKEYzURNAwbAg8Co9YKBDNR7i+x:ZuDXTIGaPhEYzUzA0qTmKBDNQa

Score

10^/10

discordrat persistence rat rootkit stealer

Malware Config

Extracted

Family

discordrat

Attributes

discord_token
MTMyNDk1MzA2NjYyOTIzODg0NQ.G7-fPX.WkDR_5L1cbK6jYMAnyjZzLN5gM0mwbXfQwVk-A
server_id
1324953380535402518

Signatures

Discord RAT
A RAT written in C# using Discord as a C2.
stealer rootkit rat persistence discordrat
Discordrat family
discordrat

Executes dropped EXE 1 IoCs

pid	Process
2952	baby.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs 3 IoCs

Web Service

T1102

flow	ioc
1	discord.com
3	discord.com
6	discord.com

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	2952	baby.exe

Suspicious use of WriteProcessMemory 2 IoCs

description	pid	Process	procid_target
PID 2248 wrote to memory of 2952	2248	Tha Bronx Script.exe	77
PID 2248 wrote to memory of 2952	2248	Tha Bronx Script.exe	77

C:\Users\Admin\AppData\Local\Temp\Tha Bronx Script.exe
"C:\Users\Admin\AppData\Local\Temp\Tha Bronx Script.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:2248
- C:\Users\Admin\AppData\Local\Temp\RarSFX0\baby.exe
  "C:\Users\Admin\AppData\Local\Temp\RarSFX0\baby.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken
  PID:2952

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\RarSFX0\baby.exe

Filesize
78KB

MD5
45c62d50762e3434574d2f5684f45819

SHA1
57145497eb8533b0198f16b80546983c44ec16b7

SHA256
1933da62ce9955575d147e8af47bbe6253c11d6df05873c895a1c0a257a4f1ad

SHA512
8441fc56aeae3163d68ca6ee58658399c30543d38f47efcbaeef0a6cdefb5ff0f30cd0bdf10b1fcb2f8fedb4e19ea8855470a2ce73524c35f045ee36bdbb0872

Download Submit
memory/2952-14-0x00007FFC29E93000-0x00007FFC29E95000-memory.dmp

Filesize
8KB

Download
memory/2952-15-0x000001E1414F0000-0x000001E141508000-memory.dmp

Filesize
96KB

Download
memory/2952-16-0x000001E15BB10000-0x000001E15BCD2000-memory.dmp

Filesize
1.8MB

Download
memory/2952-17-0x00007FFC29E90000-0x00007FFC2A952000-memory.dmp

Filesize
10.8MB

Download
memory/2952-18-0x000001E15D0E0000-0x000001E15D608000-memory.dmp

Filesize
5.2MB

Download
memory/2952-19-0x00007FFC29E93000-0x00007FFC29E95000-memory.dmp

Filesize
8KB

Download
memory/2952-20-0x00007FFC29E90000-0x00007FFC2A952000-memory.dmp

Filesize
10.8MB

Download