General

  • Target

    Launcher.exe

  • Size

    12.0MB

  • Sample

    250503-pxm7zssxfv

  • MD5

    029c99a29dc6529c8a8c9953005d3af9

  • SHA1

    d4085f84bc6459f4398cc36bdc61b95782a55697

  • SHA256

    a8731ec248d5acf168211386a8696a419dfc420fb80eabc8999c198f9d8414ab

  • SHA512

    f5446cea66225b3ac77e41099964ff9c71182a6c5d3b0ab71c62ea0feb675084f513656fe2ff628b13f6b5ce7ed3ffdd1759bda731da87f90c54e3ee9b5d904b

  • SSDEEP

    98304:R3Iu4+DcNoST67eJamaHl3Ne4i3gDUZnhhM7M+yvFaW9cIzaF6ARwDtyDe2H6RjE:RYp+DyTMeNoInY7/sHfbRy96RjA041

Malware Config

Extracted

Family

discordrat

Attributes
  • discord_token

    MTM2Njg3ODc3MDE2MTY0Nzc3Nw.G-IZTJ.N8Jaao_9e0eCVGOJFOrU0lZAYXxOf02xMVX9uk

  • server_id

    1366871247698526329

Targets

    • Target

      Launcher.exe

    • Size

      12.0MB

    • MD5

      029c99a29dc6529c8a8c9953005d3af9

    • SHA1

      d4085f84bc6459f4398cc36bdc61b95782a55697

    • SHA256

      a8731ec248d5acf168211386a8696a419dfc420fb80eabc8999c198f9d8414ab

    • SHA512

      f5446cea66225b3ac77e41099964ff9c71182a6c5d3b0ab71c62ea0feb675084f513656fe2ff628b13f6b5ce7ed3ffdd1759bda731da87f90c54e3ee9b5d904b

    • SSDEEP

      98304:R3Iu4+DcNoST67eJamaHl3Ne4i3gDUZnhhM7M+yvFaW9cIzaF6ARwDtyDe2H6RjE:RYp+DyTMeNoInY7/sHfbRy96RjA041

    • Discord RAT

      A RAT written in C# using Discord as a C2.

    • Discordrat family

    • Suspicious use of NtCreateUserProcessOtherParentProcess

    • Command and Scripting Interpreter: PowerShell

      Using powershell.exe command.

    • Drops file in Drivers directory

    • Clipboard Data

      Adversaries may collect data stored in the clipboard from users copying information within or between applications.

    • Executes dropped EXE

    • Loads dropped DLL

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials etc.

    • Unsecured Credentials: Credentials In Files

      Steal credentials from unsecured files.

    • Accesses cryptocurrency files/wallets, possible credential harvesting

    • Legitimate hosting services abused for malware hosting/C2

    • Looks up external IP address via web service

      Uses a legitimate IP lookup service to find the infected system's external IP.

    • Obfuscated Files or Information: Command Obfuscation

      Adversaries may obfuscate content during command execution to impede detection.

    • Enumerates processes with tasklist

    • Sets desktop wallpaper using registry

    • Suspicious use of SetThreadContext

    • UPX packed file

      Detects executables packed with UPX/modified UPX open source packer.

MITRE ATT&CK Enterprise v16

Tasks