discordrat | 445e8e980c9ed096e55898149a625d436686b24d870c0ed08ae81b97ed4d5866 | Triage

Resubmissions

16/04/2025, 23:26

250416-3e3rls1mz3 10

16/04/2025, 20:05

250416-ytzw2syp17 10

Sharing

General

Target

frie‮gpj.exe
Size

521KB
Sample

250416-ytzw2syp17
MD5

fa686ae2f0713ae1b02296047ebcc87d
SHA1

c07002d6a973789c28091495fc36e7ce1f2db93d
SHA256

445e8e980c9ed096e55898149a625d436686b24d870c0ed08ae81b97ed4d5866
SHA512

1ccb1877fe52a399a1dc4c2ac1de8c3f56772b13cd0bec053558fc90334bd291894b49f57120f0f9388431498df91be082ae5ac7bc18db3b5abc367d521f3f51
SSDEEP

12288:ZyveQB/fTHIGaPkKEYzURNAwbAg8XIAVVsaz1J/CS:ZuDXTIGaPhEYzUzA0qpdzHaS

Score

10^/10

discordrat defense_evasion discovery execution persistence privilege_escalation ransomware rat rootkit stealer

Malware Config

Extracted

Family

discordrat

Attributes

discord_token
MTM2MTg0MjQwNDY2Mjk2ODQ0Mg.GbO_ZS.7BypD_7qCEnOjM1Bcz1ic7kfHpyO7HfeBvYCVY
server_id
1361842784121782312

Targets

- Target
  
  frie‮gpj.exe
- Size
  
  521KB
- MD5
  
  fa686ae2f0713ae1b02296047ebcc87d
- SHA1
  
  c07002d6a973789c28091495fc36e7ce1f2db93d
- SHA256
  
  445e8e980c9ed096e55898149a625d436686b24d870c0ed08ae81b97ed4d5866
- SHA512
  
  1ccb1877fe52a399a1dc4c2ac1de8c3f56772b13cd0bec053558fc90334bd291894b49f57120f0f9388431498df91be082ae5ac7bc18db3b5abc367d521f3f51
- SSDEEP
  
  12288:ZyveQB/fTHIGaPkKEYzURNAwbAg8XIAVVsaz1J/CS:ZuDXTIGaPhEYzUzA0qpdzHaS
Score

10^/10

discordrat defense_evasion discovery execution persistence privilege_escalation ransomware rat rootkit stealer
- Discord RAT
  A RAT written in C# using Discord as a C2.
  stealer rootkit rat persistence discordrat
- Discordrat family
  discordrat
- Suspicious use of NtCreateUserProcessOtherParentProcess
- Command and Scripting Interpreter: PowerShell
  Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.
  execution
- Disables Task Manager via registry modification
  defense_evasion
- Downloads MZ/PE file
- Modifies Windows Firewall
  defense_evasion
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Executes dropped EXE
- Loads dropped DLL
- Legitimate hosting services abused for malware hosting/C2
- Sets desktop wallpaper using registry
  ransomware
- Suspicious use of SetThreadContext
behavioral1 behavioral2

MITRE ATT&CK Enterprise v16

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

PowerShell

Persistence

Create or Modify System Process

Windows Service

Event Triggered Execution

Netsh Helper DLL

Privilege Escalation

Create or Modify System Process

Windows Service

Event Triggered Execution

Netsh Helper DLL

Defense Evasion

Impair Defenses

Disable or Modify System Firewall

Modify Registry

Credential Access

Discovery

Browser Information Discovery

Query Registry

System Information Discovery

Lateral Movement

Collection

Command and Control

Web Service

Exfiltration

Impact

Defacement

Tasks

static1

behavioral1

discordratdefense_evasiondiscoveryexecutionpersistenceprivilege_escalationransomwareratrootkitstealer

behavioral2

discordratpersistenceratrootkitstealer