discordrat | 1e901dc90a224a0cfd02385fad0c4d8fbca7470618252b959692cfcf3f4591d7

Analysis

max time kernel
15s
max time network
14s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
22/01/2025, 18:33

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

openme.exe
Size

78KB
MD5

996fcd8dea911767b0d31cefea3399ec
SHA1

eae584befb2ee007f926687f998055f5f440df0e
SHA256

1e901dc90a224a0cfd02385fad0c4d8fbca7470618252b959692cfcf3f4591d7
SHA512

8c13e7ca10d8522ac64da1da3b9fe2f741446ab0921f6847e660833ce461aeef8ba7611e31b0d0da8ec36da18d89f2953d404646df43b37419cb11fd35905ee8
SSDEEP

1536:52WjO8XeEXFh5P7v88wbjNrfxCXhRoKV6+V++HPIC:5Zv5PDwbjNrmAE++vIC

Score

10^/10

discordrat persistence rat rootkit stealer

Malware Config

Extracted

Family

discordrat

Attributes

discord_token
MTMzMDE5ODMxMTk5ODcyMjE4OA.G0sEX0.-DReZLhuwLLB8hT7ecsfhS4Y_q7JSZcVnu-4k0
server_id
1330084590068695112

Signatures

Discord RAT
A RAT written in C# using Discord as a C2.
stealer rootkit rat persistence discordrat
Discordrat family
discordrat

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
3668	powershell.exe
3668	powershell.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	4828	openme.exe
Token: SeDebugPrivilege	3668	powershell.exe

C:\Users\Admin\AppData\Local\Temp\openme.exe
"C:\Users\Admin\AppData\Local\Temp\openme.exe"
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:4828

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
1⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:3668

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_l0xve13k.nte.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
memory/3668-19-0x00007FFFD6ED0000-0x00007FFFD7991000-memory.dmp

Filesize
10.8MB

Download
memory/3668-13-0x000002B77B380000-0x000002B77B3A2000-memory.dmp

Filesize
136KB

Download
memory/3668-20-0x00007FFFD6ED0000-0x00007FFFD7991000-memory.dmp

Filesize
10.8MB

Download
memory/3668-21-0x000002B77B870000-0x000002B77B8B4000-memory.dmp

Filesize
272KB

Download
memory/3668-22-0x00007FFFD6ED0000-0x00007FFFD7991000-memory.dmp

Filesize
10.8MB

Download
memory/3668-23-0x000002B77B940000-0x000002B77B9B6000-memory.dmp

Filesize
472KB

Download
memory/4828-2-0x000002823C3B0000-0x000002823C572000-memory.dmp

Filesize
1.8MB

Download
memory/4828-3-0x00007FFFD6ED0000-0x00007FFFD7991000-memory.dmp

Filesize
10.8MB

Download
memory/4828-4-0x000002823CBB0000-0x000002823D0D8000-memory.dmp

Filesize
5.2MB

Download
memory/4828-7-0x00007FFFD6ED3000-0x00007FFFD6ED5000-memory.dmp

Filesize
8KB

Download
memory/4828-1-0x0000028221D40000-0x0000028221D58000-memory.dmp

Filesize
96KB

Download
memory/4828-14-0x00007FFFD6ED0000-0x00007FFFD7991000-memory.dmp

Filesize
10.8MB

Download
memory/4828-0-0x00007FFFD6ED3000-0x00007FFFD6ED5000-memory.dmp

Filesize
8KB

Download