discordrat | 2e4f582e55c0294a16bbb9edb383a4fb62776bdba6f929d7a44229759650cfa6 | Triage

Submit
Reports

Overview

overview

Static

static

Client-built.exe

windows10-ltsc_2021-x64

Resubmissions

16/04/2025, 17:42

250416-v964hstwbw 10

16/04/2025, 17:40

250416-v8tf2atwat 10

Sharing

General

Target

Client-built.exe
Size

78KB
Sample

250416-v8tf2atwat
MD5

83a9fc73ce6c86ce660bafb0dce8ff31
SHA1

ef1f21ab34d90d7d96dfccaea0f8d9148351f662
SHA256

2e4f582e55c0294a16bbb9edb383a4fb62776bdba6f929d7a44229759650cfa6
SHA512

b03981ada644526b7fafd3c2a0ba9f50ec141e6191c886a1f8449b76c4b8339ab22a96a4d65ff1065a02bff8057995cea4628339dcce87da3e4c0c1d4281b3dc
SSDEEP

1536:52WjO8XeEXFh5P7v88wbjNrfxCXhRoKV6+V+5PIC:5Zv5PDwbjNrmAE+JIC

Score

10^/10

discordrat defense_evasion persistence ransomware rat rootkit stealer

Static task

static1

2 signatures

Behavioral task

behavioral1

Sample

Client-built.exe

Resource

win10ltsc2021-20250410-en

discordrat defense_evasion persistence ransomware rat rootkit stealer

windows10-ltsc_2021-x64

25 signatures

900 seconds

Malware Config

Extracted

Family

discordrat

Attributes

discord_token
MTM1NDkyNDE2MjYxOTAxNTI2MA.GXMSQ9.HnVsf1uMWsIBIwz76DHD7Nkpv7_i9HvPXHEgH8
server_id
1351601990072795178

Targets

- Target
  
  Client-built.exe
- Size
  
  78KB
- MD5
  
  83a9fc73ce6c86ce660bafb0dce8ff31
- SHA1
  
  ef1f21ab34d90d7d96dfccaea0f8d9148351f662
- SHA256
  
  2e4f582e55c0294a16bbb9edb383a4fb62776bdba6f929d7a44229759650cfa6
- SHA512
  
  b03981ada644526b7fafd3c2a0ba9f50ec141e6191c886a1f8449b76c4b8339ab22a96a4d65ff1065a02bff8057995cea4628339dcce87da3e4c0c1d4281b3dc
- SSDEEP
  
  1536:52WjO8XeEXFh5P7v88wbjNrfxCXhRoKV6+V+5PIC:5Zv5PDwbjNrmAE+JIC
Score

10^/10

discordrat defense_evasion persistence ransomware rat rootkit stealer
- Discord RAT
  A RAT written in C# using Discord as a C2.
  stealer rootkit rat persistence discordrat
- Discordrat family
  discordrat
- Suspicious use of NtCreateProcessExOtherParentProcess
- Suspicious use of NtCreateUserProcessOtherParentProcess
- Boot or Logon Autostart Execution: Active Setup
  Adversaries may achieve persistence by adding a Registry key to the Active Setup of the local machine.
  persistence
- Disables Task Manager via registry modification
  defense_evasion
- Downloads MZ/PE file
- Checks BIOS information in registry
  BIOS information is often read in order to detect sandboxing environments.
- Enumerates connected drives
  Attempts to read the root path of hard drives other than the default C: drive.
- Legitimate hosting services abused for malware hosting/C2
- Drops file in System32 directory
- Sets desktop wallpaper using registry
  ransomware
- Suspicious use of SetThreadContext
behavioral1

MITRE ATT&CK Enterprise v16

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

Active Setup

Privilege Escalation

Boot or Logon Autostart Execution

Active Setup

Defense Evasion

Modify Registry

Credential Access

Discovery

Peripheral Device Discovery

Query Registry

System Information Discovery

Lateral Movement

Collection

Command and Control

Web Service

Exfiltration

Impact

Defacement

Tasks

static1

behavioral1

discordratdefense_evasionpersistenceransomwareratrootkitstealer

© 2018-2025

Terms | Privacy