discordrat | 3f45c42ab3a574473116d521a14a11a90b8ace39a29c50198f09d752dd0a0e65

Analysis

max time kernel
44s
max time network
46s
platform
windows11-21h2_x64
resource
win11-20250410-it
resource tags

arch:x64arch:x86image:win11-20250410-itlocale:it-itos:windows11-21h2-x64systemwindows
submitted
17/04/2025, 19:17

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

ascoli_calcio.jpg.exe
Size

964KB
MD5

22c4ee1d05a5dd535701997246118c46
SHA1

96b81a7618eac49f88ab3344df7110c9fae01a9f
SHA256

3f45c42ab3a574473116d521a14a11a90b8ace39a29c50198f09d752dd0a0e65
SHA512

bc87c9b7be3706e537dc2dcf959ed684d72d2597425712fb28cf45c81fb01913c8dc4b88546479a84b8dae3ae97fcfb76c72cf287fa7042dfae77ade9d8a80ef
SSDEEP

24576:muDXTIGaPhEYzUzA0FfRd7gRo+Er86CcVXB/G:JDjlabwz9Ff/7Yo+EAgG

Score

10^/10

discordrat persistence rat rootkit stealer

Malware Config

Extracted

Family

discordrat

Attributes

discord_token
MTM2MTY4MTkxMTk5ODcxNDAwNw.Gdu-jE.evuMbDLIsj01QSbsAvfXEJHfZL2_NIuT9AmzYI
server_id
1358508313515655268

Signatures

Discord RAT
A RAT written in C# using Discord as a C2.
stealer rootkit rat persistence discordrat
Discordrat family
discordrat

Executes dropped EXE 1 IoCs

pid	Process
3540	ciao.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs 3 IoCs

Web Service

T1102

flow	ioc
1	discord.com
4	discord.com
6	discord.com

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	3540	ciao.exe
Token: SeShutdownPrivilege	3540	ciao.exe

Suspicious use of WriteProcessMemory 2 IoCs

description	pid	Process	procid_target
PID 5580 wrote to memory of 3540	5580	ascoli_calcio.jpg.exe	78
PID 5580 wrote to memory of 3540	5580	ascoli_calcio.jpg.exe	78

C:\Users\Admin\AppData\Local\Temp\ascoli_calcio.jpg.exe
"C:\Users\Admin\AppData\Local\Temp\ascoli_calcio.jpg.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:5580
- C:\Users\Admin\AppData\Local\Temp\RarSFX0\ciao.exe
  "C:\Users\Admin\AppData\Local\Temp\RarSFX0\ciao.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken
  PID:3540

Network

MITRE ATT&CK Enterprise v16

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\RarSFX0\ciao.exe

Filesize
78KB

MD5
2f744eb27191ed15d567c4edfb7e4ff2

SHA1
d3a519fd43c334060396ef59c5629a360ec11471

SHA256
6e4754a0eca819acb4dd584fd51f689c14f27a8206f83bfef8f71f09d1e2cc85

SHA512
175bdd68239c6abdd2f836b4cf8bb7b871c6ca422f7a9797cbaef58031f57a80125ee4f53f02abc628387036ed5b92ab71309b8d17fe4709575fdfef653f0de7

Download Submit
memory/3540-14-0x00007FF813763000-0x00007FF813765000-memory.dmp

Filesize
8KB

Download
memory/3540-15-0x000001AC637F0000-0x000001AC63808000-memory.dmp

Filesize
96KB

Download
memory/3540-16-0x000001AC7DDF0000-0x000001AC7DFB2000-memory.dmp

Filesize
1.8MB

Download
memory/3540-17-0x000001AC7DC20000-0x000001AC7DC60000-memory.dmp

Filesize
256KB

Download
memory/3540-18-0x00007FF813760000-0x00007FF814222000-memory.dmp

Filesize
10.8MB

Download
memory/3540-19-0x000001AC7F0E0000-0x000001AC7F608000-memory.dmp

Filesize
5.2MB

Download
memory/3540-20-0x000001AC7ECE0000-0x000001AC7EDE2000-memory.dmp

Filesize
1.0MB

Download
memory/3540-21-0x00007FF813763000-0x00007FF813765000-memory.dmp

Filesize
8KB

Download
memory/3540-22-0x00007FF813760000-0x00007FF814222000-memory.dmp

Filesize
10.8MB

Download