discordrat | 12fd2323d808e2dfb7228784ee7bf0505ffa4499fa927e8651d069b4942ec2fd

Analysis

max time kernel
57s
max time network
58s
platform
windows10-ltsc 2021_x64
resource
win10ltsc2021-20250217-en
resource tags

arch:x64arch:x86image:win10ltsc2021-20250217-enlocale:en-usos:windows10-ltsc 2021-x64system
submitted
21-02-2025 18:29

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

Client-built.exe.zip
Size

28KB
MD5

024d4589cfb261d7ab31afe46e1a03e9
SHA1

ee25af1ead2e7dbd0224daaad298d6d0c49edcb9
SHA256

12fd2323d808e2dfb7228784ee7bf0505ffa4499fa927e8651d069b4942ec2fd
SHA512

5b08114b44c435f546238a7e6bd8d10229a0ec68b7d7e1ba96ebc5d451f5705bded745b769887f13586aa240d7962a62dbcf134161bc097aee5f43b9d7c22501
SSDEEP

768:6SZ2SiEavomVrQFxhXeApcubYuT/Kg8Yj89+H+Nddkj+Z:NYxEavF0F/uApcubYcKf9+H+Fkj6

Score

10^/10

discordrat persistence rat rootkit stealer

Malware Config

Extracted

Family

discordrat

Attributes

discord_token
MTM0MDM1NDQ1Nzg4NzgzNDE3Mg.GHP40n.qgKs_aAJ6GfrjhyOwfOiR0SkXc_4RQULhFiNjU
server_id
1340349846682603622

Signatures

Discord RAT
A RAT written in C# using Discord as a C2.
stealer rootkit rat persistence discordrat
Discordrat family
discordrat

Executes dropped EXE 1 IoCs

pid	Process
868	Client-built.exe

Modifies registry class 1 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{4336a54d-038b-4685-ab02-99bb52d3fb8b}\Instance\	7zG.exe

Suspicious use of AdjustPrivilegeToken 5 IoCs

description	pid	Process
Token: SeRestorePrivilege	1984	7zG.exe
Token: 35	1984	7zG.exe
Token: SeSecurityPrivilege	1984	7zG.exe
Token: SeSecurityPrivilege	1984	7zG.exe
Token: SeDebugPrivilege	868	Client-built.exe

Suspicious use of FindShellTrayWindow 1 IoCs

pid	Process
1984	7zG.exe

C:\Windows\Explorer.exe
C:\Windows\Explorer.exe /idlist,,C:\Users\Admin\AppData\Local\Temp\Client-built.exe.zip
1⤵
PID:2232

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:1568

C:\Program Files\7-Zip\7zG.exe
"C:\Program Files\7-Zip\7zG.exe" x -o"C:\Users\Admin\AppData\Local\Temp\Client-built.exe\" -ad -an -ai#7zMap26236:112:7zEvent5356
1⤵
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
PID:1984

C:\Users\Admin\Desktop\Client-built.exe\Client-built.exe
"C:\Users\Admin\Desktop\Client-built.exe\Client-built.exe"
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:868

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\Desktop\Client-built.exe\Client-built.exe

Filesize
78KB

MD5
7d46fb5bea8ab51919f0bf0ebf3eda7f

SHA1
681bd820d40108123ab676207edf44dcf12eb357

SHA256
4762dbecb4b974a0f3f2c6a6a1b72394ec90b1054f5c970c328c6c7aeb8d5868

SHA512
fccf194f7b1a522eaa384c0d64af6977b31fa1f22d987a153ef057107ae1561743bc589eb5a54c442fe9a711183cd3e4edac79c554e4509c25fea9be16fb99ce

Download Submit
memory/868-4-0x000002930C530000-0x000002930C548000-memory.dmp

Filesize
96KB

Download
memory/868-5-0x0000029326B30000-0x0000029326CF2000-memory.dmp

Filesize
1.8MB

Download
memory/868-6-0x0000029327370000-0x0000029327898000-memory.dmp

Filesize
5.2MB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads