discordrat | 0a43753bf997769e9a15a160dac3712970dca5bf2f1ccbc01454583651f8e2ed

Analysis

max time kernel
41s
max time network
43s
platform
windows11-21h2_x64
resource
win11-20241007-en
resource tags

arch:x64arch:x86image:win11-20241007-enlocale:en-usos:windows11-21h2-x64system
submitted
17-01-2025 22:14

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

ft.exe
Size

78KB
MD5

f91ccf4508c5b38c655dfbbee715a8a4
SHA1

b1bd3d4700019d99bd74b00c8fe3e7fe62c00a9b
SHA256

ab9903424f54db2436f93dea75b3da47008d68978d5209b5483db24d2b6351da
SHA512

d69c647eda894669cc926d1279de76258dff54f578279cd1ef0c520e920e534ccf8843f5ab5b8feaae8cfdd2952906c09ac82c5fb8c62c3746a0d1633465e761
SSDEEP

1536:52WjO8XeEXFh5P7v88wbjNrfxCXhRoKV6+V+dPIC:5Zv5PDwbjNrmAE+NIC

Score

10^/10

discordrat persistence rat rootkit stealer

Malware Config

Extracted

Family

discordrat

Attributes

discord_token
MTE2OTcxNTQ5MDk0MDI2NDYwOQ.GT9jXS.u1NUz6EhjEOGBwHNrMPtou3JF7iKZ6qZDdwdg0
server_id
1328732385663258774

Signatures

Discord RAT
A RAT written in C# using Discord as a C2.
stealer rootkit rat persistence discordrat
Discordrat family
discordrat

Legitimate hosting services abused for malware hosting/C2 1 TTPs 5 IoCs

Web Service

T1102

flow	ioc
1	discord.com
3	discord.com
5	discord.com
6	discord.com
7	discord.com

Modifies registry class 1 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-3870231897-2573482396-1083937135-1000_Classes\Local Settings\MuiCache	MiniSearchHost.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	1552	ft.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
5108	MiniSearchHost.exe

C:\Users\Admin\AppData\Local\Temp\ft.exe
"C:\Users\Admin\AppData\Local\Temp\ft.exe"
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:1552

C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\MiniSearchHost.exe
"C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\MiniSearchHost.exe" -ServerName:MiniSearchUI.AppXj3y73at8fy1htwztzxs68sxx1v7cksp7.mca
1⤵
- Modifies registry class
- Suspicious use of SetWindowsHookEx
PID:5108

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Packages\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\TempState\SearchHoverUnifiedTileModelCache.dat

Filesize
10KB

MD5
d6d3499e5dfe058db4af5745e6885661

SHA1
ef47b148302484d5ab98320962d62565f88fcc18

SHA256
7ec1b67f891fb646b49853d91170fafc67ff2918befd877dcc8515212be560f6

SHA512
ad1646c13f98e6915e51bfba9207b81f6d1d174a1437f9c1e1c935b7676451ff73a694323ff61fa72ec87b7824ce9380423533599e30d889b689e2e13887045f

Download Submit
memory/1552-0-0x00007FFF84F13000-0x00007FFF84F15000-memory.dmp

Filesize
8KB

Download
memory/1552-1-0x000001CC92760000-0x000001CC92778000-memory.dmp

Filesize
96KB

Download
memory/1552-2-0x000001CCACEA0000-0x000001CCAD062000-memory.dmp

Filesize
1.8MB

Download
memory/1552-3-0x00007FFF84F10000-0x00007FFF859D2000-memory.dmp

Filesize
10.8MB

Download
memory/1552-4-0x000001CCAE370000-0x000001CCAE898000-memory.dmp

Filesize
5.2MB

Download
memory/1552-5-0x00007FFF84F13000-0x00007FFF84F15000-memory.dmp

Filesize
8KB

Download
memory/1552-6-0x00007FFF84F10000-0x00007FFF859D2000-memory.dmp

Filesize
10.8MB

Download