discordrat | 27a1137b8d934f10c2166261ddf2b424e4803102809c446d36767d581b533a96 | Triage

Resubmissions

26-01-2025 09:00

250126-kytzpsynbm 10

26-01-2025 08:54

250126-kvck9aymej 10

Sharing

General

Target

mtree‮gpj.exe
Size

1.3MB
Sample

250126-kvck9aymej
MD5

b8b0baac29daa1eff8ecb046fe91f104
SHA1

c6ece29c90cb57bca393139e44d70b029bc1f677
SHA256

27a1137b8d934f10c2166261ddf2b424e4803102809c446d36767d581b533a96
SHA512

5501afad683faeb9e174487caf6f5280aab51050b366334c56539ef7977248c7bb05c8b48c9f5e6198ac728703921dbb29f9bf17e37162410a64caf1e662b3c0
SSDEEP

24576:ZuDXTIGaPhEYzUzA0qBc+ZKhmVbC9eabpmkmZ3IaezdKcMYwFL+bGljFIh0aTOS7:8Djlabwz9AjABbpmHmapcMYJo0TOI

Score

10^/10

discordrat defense_evasion discovery persistence privilege_escalation ransomware rat rootkit stealer

Malware Config

Extracted

Family

discordrat

Attributes

discord_token
MTMzMjk5NDEwMjkwMzU3MDU0Mw.GjHo9c.uUUeJljLrRcuIvW_FlFF0o4Eh6h5i-SEDWYry8
server_id
1332539766268231760

Targets

- Target
  
  mtree‮gpj.exe
- Size
  
  1.3MB
- MD5
  
  b8b0baac29daa1eff8ecb046fe91f104
- SHA1
  
  c6ece29c90cb57bca393139e44d70b029bc1f677
- SHA256
  
  27a1137b8d934f10c2166261ddf2b424e4803102809c446d36767d581b533a96
- SHA512
  
  5501afad683faeb9e174487caf6f5280aab51050b366334c56539ef7977248c7bb05c8b48c9f5e6198ac728703921dbb29f9bf17e37162410a64caf1e662b3c0
- SSDEEP
  
  24576:ZuDXTIGaPhEYzUzA0qBc+ZKhmVbC9eabpmkmZ3IaezdKcMYwFL+bGljFIh0aTOS7:8Djlabwz9AjABbpmHmapcMYJo0TOI
Score

10^/10

discordrat persistence rat rootkit stealer defense_evasion discovery privilege_escalation ransomware
- Discord RAT
  A RAT written in C# using Discord as a C2.
  stealer rootkit rat persistence discordrat
- Discordrat family
  discordrat
- Modifies Windows Firewall
  defense_evasion
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Executes dropped EXE
- Loads dropped DLL
- Abuse Elevation Control Mechanism: Bypass User Account Control
  UAC Bypass Attempt via SilentCleanup Task.
  defense_evasion privilege_escalation
- Legitimate hosting services abused for malware hosting/C2
- Sets desktop wallpaper using registry
  ransomware
behavioral1 behavioral2

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Create or Modify System Process

Windows Service

Event Triggered Execution

Netsh Helper DLL

Privilege Escalation

Abuse Elevation Control Mechanism

Bypass User Account Control

Create or Modify System Process

Windows Service

Event Triggered Execution

Netsh Helper DLL

Defense Evasion

Abuse Elevation Control Mechanism

Bypass User Account Control

Impair Defenses

Disable or Modify System Firewall

Modify Registry

Credential Access

Discovery

Browser Information Discovery

Query Registry

System Information Discovery

Lateral Movement

Collection

Command and Control

Web Service

Exfiltration

Impact

Defacement

Tasks

static1

behavioral1

discordratpersistenceratrootkitstealer

behavioral2

discordratdefense_evasiondiscoverypersistenceprivilege_escalationransomwareratrootkitstealer