discordrat | 4c56e50351c382dc82173c238228540ee12ecd399a8aab16d9bc49bfa4031e12

Analysis

max time kernel
71s
max time network
84s
platform
windows10-2004_x64
resource
win10v2004-20250129-en
resource tags

arch:x64arch:x86image:win10v2004-20250129-enlocale:en-usos:windows10-2004-x64system
submitted
03-02-2025 19:17

Sharing

Copy URL

Twitter E-mail

Reason

Machine shutdown

Report Analysis Logs

General

Target

toystorylogo-4k.exe
Size

524KB
MD5

34ae0745931735f6af04adce8c1358d4
SHA1

825aabac462d7cdf80cd864a37e52175b2b78c0c
SHA256

4c56e50351c382dc82173c238228540ee12ecd399a8aab16d9bc49bfa4031e12
SHA512

5dc2f74cd7baad445650c57332a4c46462323635b40360915bc07dabfa69d9a4419528c4e4fd73efae59e68aa9220083ce5cbbcaa06c742eafc47f7350acdc43
SSDEEP

12288:3yveQB/fTHIGaPkKEYzURNAwbAg8j03rxuLrW:3uDXTIGaPhEYzUzA0qI3NuLrW

Score

10^/10

discordrat persistence rat rootkit spyware stealer

Malware Config

Extracted

Family

discordrat

Attributes

discord_token
MTMzNjA0MTEzNzYxNzc2NDUxNQ.GWUfuA.NHNO6tvAPM86NN4d9WM8wruyH3mk45GH-m19GM
server_id
1336040095018520668

Signatures

Discord RAT
A RAT written in C# using Discord as a C2.
stealer rootkit rat persistence discordrat
Discordrat family
discordrat

Downloads MZ/PE file 1 IoCs

flow	pid	Process
47	3964	xdbackdoor.exe

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-3625106387-4207083342-115176794-1000\Control Panel\International\Geo\Nation	toystorylogo-4k.exe

Executes dropped EXE 1 IoCs

pid	Process
3964	xdbackdoor.exe

Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Credentials from Web Browsers
T1555.003

Legitimate hosting services abused for malware hosting/C2 1 TTPs 11 IoCs

Web Service

T1102

flow	ioc
24	discord.com
25	discord.com
32	discord.com
46	raw.githubusercontent.com
48	discord.com
28	discord.com
31	discord.com
47	raw.githubusercontent.com
49	discord.com
51	discord.com
52	discord.com

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	3964	xdbackdoor.exe
Token: SeShutdownPrivilege	3964	xdbackdoor.exe

Suspicious use of FindShellTrayWindow 1 IoCs

pid	Process
652	toystorylogo-4k.exe

Suspicious use of WriteProcessMemory 2 IoCs

description	pid	Process	procid_target
PID 652 wrote to memory of 3964	652	toystorylogo-4k.exe	87
PID 652 wrote to memory of 3964	652	toystorylogo-4k.exe	87

C:\Users\Admin\AppData\Local\Temp\toystorylogo-4k.exe
"C:\Users\Admin\AppData\Local\Temp\toystorylogo-4k.exe"
1⤵
- Checks computer location settings
- Suspicious use of FindShellTrayWindow
- Suspicious use of WriteProcessMemory
PID:652
- C:\Users\Admin\AppData\Local\Temp\RarSFX0\xdbackdoor.exe
  "C:\Users\Admin\AppData\Local\Temp\RarSFX0\xdbackdoor.exe"
  2⤵
  - Downloads MZ/PE file
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken
  PID:3964

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Credentials from Password Stores

T1555

Credentials from Web Browsers

T1555.003

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\RarSFX0\xdbackdoor.exe

Filesize
78KB

MD5
2b0bb0b81b221965408bc75caf13f1e6

SHA1
3bf4b6917c1c6e943613507c8a15f2c0a504dd85

SHA256
5cdcda478e5966aecc8b166f7899cc82e423ec3ff5af27061d1814b2cbe6c23e

SHA512
2796ad2d3d5299df540684cc6b6c250915c5d7960e0015c506eac950c44cd6e0ebe8c1eef5f50badaa387f7f811c4ffb4179f19a6520ef2933becfd4480bf58a

Download Submit
memory/3964-14-0x00007FF851EF3000-0x00007FF851EF5000-memory.dmp

Filesize
8KB

Download
memory/3964-15-0x0000024D76160000-0x0000024D76178000-memory.dmp

Filesize
96KB

Download
memory/3964-16-0x0000024D78820000-0x0000024D789E2000-memory.dmp

Filesize
1.8MB

Download
memory/3964-17-0x00007FF851EF0000-0x00007FF8529B1000-memory.dmp

Filesize
10.8MB

Download
memory/3964-18-0x0000024D79020000-0x0000024D79548000-memory.dmp

Filesize
5.2MB

Download
memory/3964-19-0x00007FF851EF3000-0x00007FF851EF5000-memory.dmp

Filesize
8KB

Download
memory/3964-20-0x00007FF851EF0000-0x00007FF8529B1000-memory.dmp

Filesize
10.8MB

Download
memory/3964-21-0x0000024D78790000-0x0000024D78806000-memory.dmp

Filesize
472KB

Download
memory/3964-22-0x0000024D77DD0000-0x0000024D77DE2000-memory.dmp

Filesize
72KB

Download
memory/3964-23-0x0000024D77E00000-0x0000024D77E1E000-memory.dmp

Filesize
120KB

Download