MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 ef157ef0c2228c7330945a5f690d476ab084e0346fa2ba61915d7d8677445132. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

DiscordRAT

Vendor detections: 13

Intelligence 13 IOCs YARA 8 File information Comments

SHA256 hash:	ef157ef0c2228c7330945a5f690d476ab084e0346fa2ba61915d7d8677445132
SHA3-384 hash:	03f0cb3377022be0594319e34af13688c78580c127b66ba0bfaaf992975c0ef1409e1dacf51968d23d0db05321aaa26f
SHA1 hash:	506c531da3924ebdcf4073a69da3112df5b280b8
MD5 hash:	f981e97f983857e621a4b366fc436d52
humanhash:	johnny-uranus-winner-island
File name:	Cristalixy_protected.exe.bin
Download:	download sample
Signature	DiscordRAT Create hunting rule
File size:	11'659'264 bytes
First seen:	2025-03-16 11:47:05 UTC
Last seen:	2025-03-16 12:44:36 UTC
File type:	exe
MIME type:	application/x-dosexec
imphash	a56f115ee5ef2625bd949acaeec66b76 (53 x Stealc, 46 x PureHVNC, 28 x RedLineStealer)
ssdeep	196608:XQKzaOgqrFIoj9WkR6INhOjw3YIVVtfYdgcgOWYuVIRM2h:5z60Vc+6INoM3YIVVt0zuC
Threatray	143 similar samples on MalwareBazaar
TLSH	T1CAC63351C25808A5EA296AB31E9B534E401FED7107F9B1276200FC992D1E91FC6F6BCF
TrID	38.3% (.EXE) Win16 NE executable (generic) (5038/12/1) 15.6% (.ICL) Windows Icons Library (generic) (2059/9) 15.4% (.EXE) OS/2 Executable (generic) (2029/13) 15.2% (.EXE) Generic Win/DOS Executable (2002/3) 15.2% (.EXE) DOS Executable Generic (2000/1)
Magika	pebin
Reporter	KatzenTech
Tags:	DiscordRAT exe

Intelligence

File Origin

# of uploads :

# of downloads :

376

Origin country :

Vendor Threat Intelligence

Malware family:

n/a

ID:

File name:

Cristalixy_protected.exe

Verdict:

Malicious activity

Analysis date:

2025-03-15 22:32:07 UTC

Tags:

discord websocket exfiltration stealer evasion ims-api generic themida discordrat rat

Link:

https://app.any.run/tasks/1ebd0569-3d27-4861-a161-bad553d07bf0

Note:

ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample

Verdict:

Clean

Score:

99.9%

Link:

https://cyber-fortress.com/docs/result/index.php?id=67d6cb2d3962f1a6f471e325

Tags:

n/a

Result

Verdict:

Malware

Maliciousness:

Behaviour

Searching for the window

Searching for analyzing tools

Сreating synchronization primitives

DNS request

Connection attempt

Sending a custom TCP request

Searching for synchronization primitives

Launching the default Windows debugger (dwwin.exe)

Verdict:

Malicious

Labled as:

Win/malicious_confidence_100%

Link:

https://www.hybrid-analysis.com/sample/ef157ef0c2228c7330945a5f690d476ab084e0346fa2ba61915d7d8677445132

Result

Verdict:

MALICIOUS

Details

Windows PE Executable

Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.

Verdict:

Suspicious

Link:

https://analyze.intezer.com/analyses/927634c9-76fc-4c9f-8d2d-e0d311dc51ed

Result

Threat name:

Discord Rat

Detection:

malicious

Classification:

troj.evad

Score:

100 / 100

Link:

https://www.joesandbox.com/analysis/1639858

Signature

Antivirus / Scanner detection for submitted sample

Detected unpacking (changes PE section rights)

Found direct / indirect Syscall (likely to bypass EDR)

Found malware configuration

Hides threads from debuggers

Joe Sandbox ML detected suspicious sample

Multi AV Scanner detection for submitted file

PE file contains section with special chars

Query firmware table information (likely to detect VMs)

Tries to detect process monitoring tools (Task Manager, Process Explorer etc.)

Tries to detect sandboxes / dynamic malware analysis system (registry check)

Tries to detect sandboxes and other dynamic analysis tools (window names)

Yara detected Discord Rat

Behaviour

Behavior Graph:

Download SVG

Score:

100%

Verdict:

Malware

File Type:

Link:

https://malprob.io/report/ef157ef0c2228c7330945a5f690d476ab084e0346fa2ba61915d7d8677445132

Detection:

n/a

Link:

https://mwdb.cert.pl/sample/ef157ef0c2228c7330945a5f690d476ab084e0346fa2ba61915d7d8677445132/

Threat name:

Win32.Trojan.DiscordRat

Status:

Malicious

First seen:

2025-03-15 22:32:09 UTC

File Type:

PE+ (Exe)

Extracted files:

AV detection:

14 of 24 (58.33%)

Threat level:

5/5

Detection(s):

Suspicious file

Link:

https://check.spamhaus.org/check/?searchterm=54kx54gcekghgmeuljpwsdkhnkyijybun6rluymrlv6ym52ekeza._file

Verdict:

malicious

Label(s):

discordrat

DiscordRAT

4eeeac2b172af8bd424644ca260c9bebf8ebc075d5172b3ff3cf5a8c7b80442e

DiscordRAT

58a0d1fd9b55bfd5b46f3509b3c770fc1832cfa883cc17e83dc88fb203b37b64

DiscordRAT

656feea079f74b94c31e4ad4fcdb2cb0b6c4f61a861db5084af2857c6a456c47

DiscordRAT

666c246bd662275c5a7330b4de2e51a7f86556390c0b79b1d774378e7eac8cb0

DiscordRAT

error

DiscordRAT

f44b54751b7158902476013aed1fbcfec96bc0ab19b3303d088dec97f418885e

DiscordRAT

+ 133 additional samples on MalwareBazaar

Result

Malware family:

discordrat

Score:

10/10

Tags:

family:discordrat defense_evasion persistence rat rootkit stealer themida trojan

Link:

https://tria.ge/reports/250316-nxxwrazxcy/

Behaviour

Suspicious use of AdjustPrivilegeToken

Suspicious use of WriteProcessMemory

Suspicious use of NtSetInformationThreadHideFromDebugger

Checks whether UAC is enabled

Checks BIOS information in registry

Themida packer

Identifies VirtualBox via ACPI registry values (likely anti-VM)

Discord RAT

Discordrat family

Verdict:

Suspicious

Tags:

n/a

YARA:

n/a

Link:

https://app.threat.zone/submission/a1637c6b-2402-4df5-84bc-95044621de52

Unpacked files

SH256 hash:

ef157ef0c2228c7330945a5f690d476ab084e0346fa2ba61915d7d8677445132

MD5 hash:

f981e97f983857e621a4b366fc436d52

SHA1 hash:

506c531da3924ebdcf4073a69da3112df5b280b8

Link:

https://www.unpac.me/results/11678b87-4bd7-4fc6-b33f-a150bb9c8393/

Please note that we are no longer able to provide a coverage score for Virus Total.

Threat name:

Malicious File

Score:

1.00

Link:

https://yomi.yoroi.company/submissions/ef157ef0c2228c7330945a5f690d476ab084e0346fa2ba61915d7d8677445132

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:	Disable_Defender Create hunting rule
Author:	iam-py-test
Description:	Detect files disabling or modifying Windows Defender, Windows Firewall, or Microsoft Smartscreen

Rule name:	discordrat_v1 Create hunting rule
Author:	RandomMalware

Rule name:	HeavensGate Create hunting rule
Author:	kevoreilly
Description:	Heaven's Gate: Switch from 32-bit to 64-mode

Rule name:	INDICATOR_EXE_Packed_Themida Create hunting rule
Author:	ditekSHen
Description:	Detects executables packed with Themida

Rule name:	NET Create hunting rule
Author:	malware-lu

Rule name:	pe_no_import_table Create hunting rule
Description:	Detect pe file that no import table

Rule name:	Sus_Obf_Enc_Spoof_Hide_PE Create hunting rule
Author:	XiAnzheng
Description:	Check for Overlay, Obfuscating, Encrypting, Spoofing, Hiding, or Entropy Technique(can create FP)

File information

The table below shows additional information about this malware sample such as delivery method and external references.

No further information available

BLint

The following table provides more information about this file using BLint. BLint is a Binary Linter to check the security properties, and capabilities in executables.

Findings

ID	Title	Severity
CHECK_AUTHENTICODE	Missing Authenticode	high
CHECK_DLL_CHARACTERISTICS	Missing dll Security Characteristics (NX_COMPAT)	high
CHECK_NX	Missing Non-Executable Memory Protection	critical
CHECK_PIE	Missing Position-Independent Executable (PIE) Protection	high

Comments

Login required

You need to login to in order to write a comment. Login with your abuse.ch account.

No comments found for this malware sample