discordrat | 9a9fb79ac587e9807b2f372466b1103dc5fa1175ca699ad6f37673019718a098

Analysis

max time kernel
120s
max time network
122s
platform
windows11-21h2_x64
resource
win11-20241007-en
resource tags

arch:x64arch:x86image:win11-20241007-enlocale:en-usos:windows11-21h2-x64system
submitted
25-01-2025 17:20

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

ANIMALZOOLT.exe
Size

78KB
MD5

3a85b8f985bf46b1b493af6aa4f0cc10
SHA1

08a3654656466514de4cd021c10fe532357272dc
SHA256

9a9fb79ac587e9807b2f372466b1103dc5fa1175ca699ad6f37673019718a098
SHA512

dbf073e03f0fa32b9af96861be3b506330d79f0b6c613df70d8f305b0b5b6df393a173db4642d2af149c252498e3637f11bf4ce5af2964d993ff3fd19b8d51fb
SSDEEP

1536:52WjO8XeEXFh5P7v88wbjNrfxCXhRoKV6+V+CPIC:5Zv5PDwbjNrmAE+uIC

Score

10^/10

discordrat persistence rat rootkit stealer

Malware Config

Extracted

Family

discordrat

Attributes

discord_token
MTMzMTYyMDY4OTcxOTA3MDgwMg.GG85OF.nbjHiF6K5pg7LpEjKhKGplOwIF5fX9f10pp86o
server_id
1331639844618899536

Signatures

Discord RAT
A RAT written in C# using Discord as a C2.
stealer rootkit rat persistence discordrat
Discordrat family
discordrat

Modifies registry class 5 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-4249425805-3408538557-1766626484-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoftwindows.client.cbs_cw5n1h2txyewy\Internet Settings\Cache\History\CachePrefix = "Visited:"	BackgroundTransferHost.exe
Key created	\REGISTRY\USER\S-1-5-21-4249425805-3408538557-1766626484-1000_Classes\Local Settings\MuiCache	BackgroundTransferHost.exe
Key created	\REGISTRY\USER\S-1-5-21-4249425805-3408538557-1766626484-1000_Classes\Local Settings\MuiCache	MiniSearchHost.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4249425805-3408538557-1766626484-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoftwindows.client.cbs_cw5n1h2txyewy\Internet Settings\Cache\Content\CachePrefix	BackgroundTransferHost.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4249425805-3408538557-1766626484-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoftwindows.client.cbs_cw5n1h2txyewy\Internet Settings\Cache\Cookies\CachePrefix = "Cookie:"	BackgroundTransferHost.exe

Suspicious use of AdjustPrivilegeToken 3 IoCs

description	pid	Process
Token: SeDebugPrivilege	4788	ANIMALZOOLT.exe
Token: SeDebugPrivilege	3320	ANIMALZOOLT.exe
Token: SeDebugPrivilege	2420	ANIMALZOOLT.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
1584	MiniSearchHost.exe

C:\Users\Admin\AppData\Local\Temp\ANIMALZOOLT.exe
"C:\Users\Admin\AppData\Local\Temp\ANIMALZOOLT.exe"
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:4788

C:\Windows\system32\BackgroundTransferHost.exe
"BackgroundTransferHost.exe" -ServerName:BackgroundTransferHost.13
1⤵
- Modifies registry class
PID:1280

C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\MiniSearchHost.exe
"C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\MiniSearchHost.exe" -ServerName:MiniSearchUI.AppXj3y73at8fy1htwztzxs68sxx1v7cksp7.mca
1⤵
- Modifies registry class
- Suspicious use of SetWindowsHookEx
PID:1584

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalService -p -s NPSMSvc
1⤵
PID:4476

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:3984

C:\Users\Admin\AppData\Local\Temp\ANIMALZOOLT.exe
"C:\Users\Admin\AppData\Local\Temp\ANIMALZOOLT.exe"
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:3320

C:\Users\Admin\AppData\Local\Temp\ANIMALZOOLT.exe
"C:\Users\Admin\AppData\Local\Temp\ANIMALZOOLT.exe"
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:2420

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Packages\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\AC\BackgroundTransferApi\7ec95e37-4895-4325-b43f-cdb48f3c06ff.down_data

Filesize
555KB

MD5
5683c0028832cae4ef93ca39c8ac5029

SHA1
248755e4e1db552e0b6f8651b04ca6d1b31a86fb

SHA256
855abd360d8a8d6974eba92b70cbd09ce519bc8773439993f9ab37cb6847309e

SHA512
aba434bd29be191c823b02ea9b639beb10647bbe7759bbffdaa790dfb1ec2c58d74c525ef11aacda209e4effe322d1d3a07b115446c8914b07a3bce4d8a0e2c3

Download Submit
C:\Users\Admin\AppData\Local\Packages\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\TempState\SearchHoverUnifiedTileModelCache.dat

Filesize
10KB

MD5
96329c73cc49cd960e2485210d01c4d2

SHA1
a496b98ad2f2bbf26687b5b7794a26aa4470148e

SHA256
4c159cab6c9ef5ff39e6141b0ccb5b8c6251a3d637520609dfbdd852fa94d466

SHA512
e98736a879cad24c693d6c5939654b2fd25bf9d348f738668624214f22d541a9b781c967201ab2d43cbac9207946824a0299d482485f4b63c48d5d2a839e5baf

Download Submit
memory/4788-0-0x00007FFBE15F3000-0x00007FFBE15F5000-memory.dmp

Filesize
8KB

Download
memory/4788-1-0x0000018E4A9B0000-0x0000018E4A9C8000-memory.dmp

Filesize
96KB

Download
memory/4788-2-0x0000018E65030000-0x0000018E651F2000-memory.dmp

Filesize
1.8MB

Download
memory/4788-3-0x00007FFBE15F0000-0x00007FFBE20B2000-memory.dmp

Filesize
10.8MB

Download
memory/4788-4-0x0000018E663A0000-0x0000018E668C8000-memory.dmp

Filesize
5.2MB

Download
memory/4788-5-0x00007FFBE15F3000-0x00007FFBE15F5000-memory.dmp

Filesize
8KB

Download
memory/4788-6-0x00007FFBE15F0000-0x00007FFBE20B2000-memory.dmp

Filesize
10.8MB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads