Overview

overview

10

Static

static

10

Client-built.exe

windows11-21h2-x64

10

Sharing

Copy URL
Twitter E-mail

General

  • Target

    Client-built.exe

  • Size

    78KB

  • Sample

    250110-wb3twatmbm

  • MD5

    4a3ad9a17023d32b70d14c88747b0302

  • SHA1

    a24fdb9e259d5db66a00aa392aea4b146a697787

  • SHA256

    45e83d1277abd0a69f5a33f0cc20c51f804bbd26e9a0686117247ad4f27ed81a

  • SHA512

    ee86349f849c0edf7a1c1080f71e12e8c659c6cffec168a3e6da5eaf52f9ecac69d0b2b7c01d69e282d6f44ad890cf60f080fd11b425fb93a74e0b7218d6070b

  • SSDEEP

    1536:52WjO8XeEXFh5P7v88wbjNrfxCXhRoKV6+V+iPIC:5Zv5PDwbjNrmAE+OIC

Score
10/10
discordratdiscoverypersistenceprivilege_escalationratrootkitstealer

Malware Config

Extracted

Family

discordrat

Attributes
  • discord_token

    MTMyNzMxODAyNTIyMDkxNTIyMA.Gbhmly.2VnF8G_nnJt-kiY3NLK0toQR92qky0l7vAaT4Y

  • server_id

    1327319098295582744

Targets

    • Target

      Client-built.exe

    • Size

      78KB

    • MD5

      4a3ad9a17023d32b70d14c88747b0302

    • SHA1

      a24fdb9e259d5db66a00aa392aea4b146a697787

    • SHA256

      45e83d1277abd0a69f5a33f0cc20c51f804bbd26e9a0686117247ad4f27ed81a

    • SHA512

      ee86349f849c0edf7a1c1080f71e12e8c659c6cffec168a3e6da5eaf52f9ecac69d0b2b7c01d69e282d6f44ad890cf60f080fd11b425fb93a74e0b7218d6070b

    • SSDEEP

      1536:52WjO8XeEXFh5P7v88wbjNrfxCXhRoKV6+V+iPIC:5Zv5PDwbjNrmAE+OIC

    Score
    10/10
    discordratdiscoverypersistenceprivilege_escalationratrootkitstealer

    • Discord RAT

      A RAT written in C# using Discord as a C2.

      stealerrootkitratpersistencediscordrat

    • Discordrat family

      discordrat

    • Event Triggered Execution: Component Object Model Hijacking

      Adversaries may establish persistence by executing malicious content triggered by hijacked references to Component Object Model (COM) objects.

      persistenceprivilege_escalation

    • Executes dropped EXE

    • Loads dropped DLL

    • Modifies system executable filetype association

      persistence

    • Adds Run key to start application

      persistence

    • Checks installed software on the system

      Looks up Uninstall key entries in the registry to enumerate software on the system.

      discovery

    • Drops desktop.ini file(s)

    • Checks system information in the registry

      System information is often read in order to detect sandboxing environments.

    behavioral1

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

1
T1547

Registry Run Keys / Startup Folder

1
T1547.001

Event Triggered Execution

2
T1546

Change Default File Association

1
T1546.001

Component Object Model Hijacking

1
T1546.015

Privilege Escalation

Boot or Logon Autostart Execution

1
T1547

Registry Run Keys / Startup Folder

1
T1547.001

Event Triggered Execution

2
T1546

Change Default File Association

1
T1546.001

Component Object Model Hijacking

1
T1546.015

Defense Evasion

Modify Registry

3
T1112

Credential Access

Discovery

Peripheral Device Discovery

1
T1120

Query Registry

4
T1012

System Information Discovery

4
T1082

System Location Discovery

1
T1614

System Language Discovery

1
T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Tasks