General

  • Target

    CrackMethod.exe

  • Size

    10.3MB

  • Sample

    250503-jltbzasnx5

  • MD5

    3595326d6617235a676f8c8c463eeb56

  • SHA1

    bc9ca6566b16126346dc22b05eddd9e0b486fd13

  • SHA256

    f06ba40532dcff9fb33274736df81e56723f2daf2fd404452c5c57bf114e1258

  • SHA512

    33b8eb7ee5eb7a0cc0121bce83dee5eedd92363c91e88ac516f10f4b9e7f6e8e177b1514bd513b96cf65bc737d9c041c8ecbbefcf27ec9fd2de7ad441b4d271b

  • SSDEEP

    196608:3eMAnmXri4E/QzBn4cXzZMzzZTtshN9yOZwf2FT4tZQaAl+JSgnpL+:3Hi645Lsj9dZwf2yAlQT+

Malware Config

Extracted

Family

discordrat

Attributes
  • discord_token

    MTM2Nzg2Mjg5NzQ1MTIwODk2NQ.Gx9ncb.vsL_LsFugQQKccYboZPqni28_ebCnaMh1_jZdU

  • server_id

    1367435617499349002

Targets

    • Target

      CrackMethod.exe

    • Size

      10.3MB

    • MD5

      3595326d6617235a676f8c8c463eeb56

    • SHA1

      bc9ca6566b16126346dc22b05eddd9e0b486fd13

    • SHA256

      f06ba40532dcff9fb33274736df81e56723f2daf2fd404452c5c57bf114e1258

    • SHA512

      33b8eb7ee5eb7a0cc0121bce83dee5eedd92363c91e88ac516f10f4b9e7f6e8e177b1514bd513b96cf65bc737d9c041c8ecbbefcf27ec9fd2de7ad441b4d271b

    • SSDEEP

      196608:3eMAnmXri4E/QzBn4cXzZMzzZTtshN9yOZwf2FT4tZQaAl+JSgnpL+:3Hi645Lsj9dZwf2yAlQT+

    • Discord RAT

      A RAT written in C# using Discord as a C2.

    • Discordrat family

    • Command and Scripting Interpreter: PowerShell

      Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

    • Clipboard Data

      Adversaries may collect data stored in the clipboard from users copying information within or between applications.

    • Executes dropped EXE

    • Loads dropped DLL

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials etc.

    • Unsecured Credentials: Credentials In Files

      Steal credentials from unsecured files.

    • Accesses cryptocurrency files/wallets, possible credential harvesting

    • Adds Run key to start application

    • Legitimate hosting services abused for malware hosting/C2

    • Looks up external IP address via web service

      Uses a legitimate IP lookup service to find the infected system's external IP.

    • Obfuscated Files or Information: Command Obfuscation

      Adversaries may obfuscate content during command execution to impede detection.

    • Enumerates processes with tasklist

    • Sets desktop wallpaper using registry

    • UPX packed file

      Detects executables packed with UPX/modified UPX open source packer.

MITRE ATT&CK Enterprise v16

Tasks