Extracted

• • Target

    Kernel Mode.exe

  • Size

    78KB

  • MD5

    6119c2fd88393d762b0bfa24620b91d4

  • SHA1

    ccd132085d4756f88e7d554c671cd7ba01e38887

  • SHA256

    b62a2bcbfce49c39063720542621a36001bcacfd137ba8366b825020de82120d

  • SHA512

    a6a43cb61c18414a49fca46ed39df7c1595632753ce36a54fe9b1f9311c641a2b5af096c5add40d6ae79070760b7f9314ff8796bf1475246c7db6dfb94ddcc77

  • SSDEEP

    1536:52WjO8XeEXFh5P7v88wbjNrfxCXhRoKV6+V+iPIC:5Zv5PDwbjNrmAE+OIC

  Score

  10^/10

  discordratdefense_evasiondiscoverypersistenceprivilege_escalationransomwareratrootkitspywarestealer

  • Discord RAT

    A RAT written in C# using Discord as a C2.

    stealerrootkitratpersistencediscordrat

  • Discordrat family

    discordrat

  • Modifies visibility of file extensions in Explorer

    defense_evasion

  • Modifies visiblity of hidden/system files in Explorer

    defense_evasion

  • Suspicious use of NtCreateUserProcessOtherParentProcess

  • Disables Task Manager via registry modification

    defense_evasion

  • Downloads MZ/PE file

  • Executes dropped EXE

  • Indicator Removal: Clear Windows Event Logs

    Clear Windows Event Logs to hide the activity of an intrusion.

    defense_evasion

  • Reads user/profile data of web browsers

    Infostealers often target stored browser data, which can include saved credentials etc.

    spywarestealer

  • Abuse Elevation Control Mechanism: Bypass User Account Control

    UAC Bypass Attempt via SilentCleanup Task.

    defense_evasionprivilege_escalation

  • Legitimate hosting services abused for malware hosting/C2

  • Looks up external IP address via web service

    Uses a legitimate IP lookup service to find the infected system's external IP.

  • Drops file in System32 directory

  • Sets desktop wallpaper using registry

    ransomware

  • Suspicious use of SetThreadContext

  behavioral1behavioral2