General

  • Target

    CARBOT BOT 2.0.exe

  • Size

    78KB

  • Sample

    250211-bxzzwstpgm

  • MD5

    d5d379d82e48b20012571e109afdcabc

  • SHA1

    81814e7e9624c129ada04f564161e34bfca79ed0

  • SHA256

    0415f51718785e94b0a46e07726ff0365edd39346b7dec102fcc18066c1e960f

  • SHA512

    df3cf445bf4a60021ed10aea72d8ae65ab80504838604c454a28abebe97793139a724da3f38eb1d766592e1940de11c9906c8db258a7231d8287d201e762b7c3

  • SSDEEP

    1536:52WjO8XeEXFh5P7v88wbjNrfxCXhRoKV6+V+bPIC:5Zv5PDwbjNrmAE+TIC

Malware Config

Extracted

Family

discordrat

Attributes
  • discord_token

    MTMzODEzMzAzMTI4MTQ5NjA3NQ.G-IWXr.t4kQYshfGCbgomBNDLaukslw-0UVk9bttQIQAU

  • server_id

    1012892095574454333
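
The extracted config is attribution data as well as an IOC. A Discord bot token has the shape base64(bot_user_id).timestamp.hmac, so its first dot-separated segment is the bot account's own user ID in unpadded base64, and both that ID and server_id are Discord snowflakes whose upper bits encode creation time (id shifted right 22 bits, plus the Discord epoch of 2015-01-01). The PowerShell below is an added example, not part of the sandbox report; the function names are its own, and it decodes everything offline, never using the token to authenticate (the token is a live credential and should be reported or revoked, not exercised).

```powershell
# Added example (not from the sandbox report): derive the bot account ID and
# creation times from the extracted discordrat config, offline.
# Token layout: base64(bot_user_id).<timestamp>.<hmac>; only the first
# segment is needed for attribution. Snowflake layout per Discord's docs:
# creation time in ms = (id -shr 22) + 1420070400000.

function ConvertFrom-DiscordSnowflake {
    param([Parameter(Mandatory)][long]$Id)
    $discordEpochMs = 1420070400000          # 2015-01-01T00:00:00Z
    $ms = ($Id -shr 22) + $discordEpochMs
    return [DateTimeOffset]::FromUnixTimeMilliseconds($ms).UtcDateTime
}

function Get-DiscordBotIdFromToken {
    param([Parameter(Mandatory)][string]$Token)
    $first = $Token.Split('.')[0]
    # Discord strips the base64 padding; restore it before decoding.
    $padded  = $first + ('=' * ((4 - $first.Length % 4) % 4))
    $decoded = [Text.Encoding]::ASCII.GetString([Convert]::FromBase64String($padded))
    if ($decoded -notmatch '^\d{17,20}$') {
        throw "Token prefix did not decode to a snowflake: '$decoded'"
    }
    return [long]$decoded
}

# Values copied from the Malware Config section of this report.
$token    = 'MTMzODEzMzAzMTI4MTQ5NjA3NQ.G-IWXr.t4kQYshfGCbgomBNDLaukslw-0UVk9bttQIQAU'
$serverId = [long]'1012892095574454333'

$botId = Get-DiscordBotIdFromToken -Token $token
[pscustomobject]@{
    BotUserId        = $botId
    BotCreatedUtc    = ConvertFrom-DiscordSnowflake -Id $botId
    ServerId         = $serverId
    ServerCreatedUtc = ConvertFrom-DiscordSnowflake -Id $serverId
}
```

The bot ID is what to search for in proxy and DNS logs (discord.com/api/v*/ requests carrying the bot's user ID or the server_id), and comparing BotCreatedUtc with the sample date in the Sample field above tells you whether the operator set up a fresh bot for this campaign or reused an older one.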

Targets

    • Target

      CARBOT BOT 2.0.exe

    • Size

      78KB

    • MD5

      d5d379d82e48b20012571e109afdcabc

    • SHA1

      81814e7e9624c129ada04f564161e34bfca79ed0

    • SHA256

      0415f51718785e94b0a46e07726ff0365edd39346b7dec102fcc18066c1e960f

    • SHA512

      df3cf445bf4a60021ed10aea72d8ae65ab80504838604c454a28abebe97793139a724da3f38eb1d766592e1940de11c9906c8db258a7231d8287d201e762b7c3

    • SSDEEP

      1536:52WjO8XeEXFh5P7v88wbjNrfxCXhRoKV6+V+bPIC:5Zv5PDwbjNrmAE+TIC

    • Discord RAT

      A RAT written in C# using Discord as a C2.

    • Discordrat family

    • Boot or Logon Autostart Execution: Active Setup

      Adversaries may achieve persistence by adding a Registry key to the Active Setup of the local machine.

    • Command and Scripting Interpreter: PowerShell

      Runs PowerShell to modify Windows Defender settings, adding exclusions for file extensions, paths, and processes.

    • Disables Task Manager via registry modification

    • Downloads MZ/PE file

    • Event Triggered Execution: Component Object Model Hijacking

      Adversaries may establish persistence by executing malicious content triggered by hijacked references to Component Object Model (COM) objects.

    • Executes dropped EXE

    • Checks installed software on the system

      Looks up Uninstall key entries in the registry to enumerate software on the system.

    • Installs/modifies Browser Helper Object

      BHOs are DLL modules which act as plugins for Internet Explorer.

    • Legitimate hosting services abused for malware hosting/C2

    • Drops file in System32 directory
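
Most of the behaviours listed above leave registry artifacts that can be checked on a suspect host: Active Setup StubPath entries, per-user CLSID registrations that shadow machine-wide ones (COM hijacking), the DisableTaskMgr policy value, Defender exclusions, and Browser Helper Object registrations. The triage script below is an added example, not part of the sandbox report or of the malware analysis; the function names, the user-writable-path heuristic and the choice of registry keys are this example's own, and its output is a list of items to review, not proof of infection (managed hosts legitimately carry Defender exclusions and per-user COM registrations). Run it in an elevated PowerShell on the host.

```powershell
# Added example (not part of the sandbox report): registry triage for the
# persistence and defense-evasion behaviours this report flags.
# Heuristic: a persistence entry pointing into a user-writable location is
# worth a look; the regex is this example's assumption, not a signature.
$userWritable = '(?i)\\Users\\|%APPDATA%|%LOCALAPPDATA%|%TEMP%|%USERPROFILE%|%PUBLIC%|\\ProgramData\\'

function Resolve-ClsidServer {
    # Return the InprocServer32 DLL for a CLSID, checking the per-user hive first.
    param([string]$Clsid)
    foreach ($hive in 'HKCU:', 'HKLM:') {
        $val = Get-ItemProperty "$hive\Software\Classes\CLSID\$Clsid\InprocServer32" -ErrorAction SilentlyContinue
        if ($val) { return $val.'(default)' }
    }
    return $null
}

function Get-ActiveSetupFindings {
    # StubPath runs at logon for every user whose HKCU copy of the component is
    # missing or older; flag stubs that point into user-writable paths.
    $roots = 'HKLM:\SOFTWARE\Microsoft\Active Setup\Installed Components',
             'HKLM:\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components'
    foreach ($root in $roots) {
        Get-ChildItem $root -ErrorAction SilentlyContinue | ForEach-Object {
            $stub = (Get-ItemProperty $_.PSPath -ErrorAction SilentlyContinue).StubPath
            if ($stub -and $stub -match $userWritable) {
                [pscustomobject]@{ Check = 'ActiveSetup'; Key = $_.Name; Value = $stub }
            }
        }
    }
}

function Get-ComHijackFindings {
    # HKCU\Software\Classes\CLSID is consulted before HKLM, so a per-user
    # InprocServer32 that overrides a machine-wide one is the classic hijack shape.
    Get-ChildItem 'HKCU:\Software\Classes\CLSID' -ErrorAction SilentlyContinue | ForEach-Object {
        $clsid   = $_.PSChildName
        $user    = Get-ItemProperty "$($_.PSPath)\InprocServer32" -ErrorAction SilentlyContinue
        $machine = Get-ItemProperty "HKLM:\Software\Classes\CLSID\$clsid\InprocServer32" -ErrorAction SilentlyContinue
        if ($user -and $machine) {
            [pscustomobject]@{ Check = 'COMHijack'; Key = $clsid
                               Value = "$($user.'(default)') (shadows $($machine.'(default)'))" }
        }
    }
}

function Get-TaskManagerPolicyFindings {
    foreach ($hive in 'HKCU:', 'HKLM:') {
        $key = "$hive\Software\Microsoft\Windows\CurrentVersion\Policies\System"
        $val = (Get-ItemProperty $key -Name DisableTaskMgr -ErrorAction SilentlyContinue).DisableTaskMgr
        if ($val -eq 1) { [pscustomobject]@{ Check = 'DisableTaskMgr'; Key = $key; Value = $val } }
    }
}

function Get-DefenderExclusionFindings {
    $pref = Get-MpPreference -ErrorAction SilentlyContinue
    if (-not $pref) { return }
    foreach ($kind in 'ExclusionPath', 'ExclusionExtension', 'ExclusionProcess') {
        foreach ($item in @($pref.$kind)) {
            if ($item) { [pscustomobject]@{ Check = "Defender$kind"; Key = $kind; Value = $item } }
        }
    }
    # Event 5007 in the Defender operational log records each configuration
    # change, including the exclusion that was added and when.
    Get-WinEvent -FilterHashtable @{ LogName = 'Microsoft-Windows-Windows Defender/Operational'; Id = 5007 } `
        -MaxEvents 20 -ErrorAction SilentlyContinue | ForEach-Object {
        [pscustomobject]@{ Check = 'DefenderConfigChange'; Key = $_.TimeCreated; Value = $_.Message }
    }
}

function Get-BhoFindings {
    # Every registered BHO DLL loads into Internet Explorer / Explorer; list them
    # with the DLL the CLSID resolves to.
    $roots = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects',
             'HKLM:\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects'
    foreach ($root in $roots) {
        Get-ChildItem $root -ErrorAction SilentlyContinue | ForEach-Object {
            [pscustomobject]@{ Check = 'BHO'; Key = $_.PSChildName; Value = (Resolve-ClsidServer $_.PSChildName) }
        }
    }
}

$findings = @(Get-ActiveSetupFindings) + @(Get-ComHijackFindings) + @(Get-TaskManagerPolicyFindings) +
            @(Get-DefenderExclusionFindings) + @(Get-BhoFindings)
$findings | Format-Table -AutoSize -Wrap
```

Resolve any DLL or StubPath the script reports back to a file on disk and compare its hashes with the sample hashes at the top of this report; the "Executes dropped EXE" and "Drops file in System32 directory" behaviours mean the on-disk artifact may be a second-stage file rather than CARBOT BOT 2.0.exe itself, so a hash mismatch does not clear the host.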

MITRE ATT&CK Enterprise v15

Tasks