Overview

overview

10

Static

static

1

URLScan

urlscan

https://github.com/a...

windows10-2004-x64

10

Analysis

  • max time kernel
    146s
  • max time network
    154s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240221-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20240221-enlocale:en-usos:windows10-2004-x64system
  • submitted
    25/02/2024, 22:27

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    https://github.com/aaxxdf3/ddsfsfsdfsdfsdf/raw/main/Client-built.exe

Score
10/10
discordratpersistenceratrootkitstealer

Malware Config

Extracted

Family

discordrat

Attributes
  • discord_token

    MTIxMTQzNzU5MDQ5OTI5NTIzMg.GpONR6._Rni5PrO0yqc8NWGa8-HTk0PcqpAyMqNVajsB8

  • server_id

    1211437379387134023

Signatures

  • Discord RAT

    A RAT written in C# using Discord as a C2.

    stealerrootkitratpersistencediscordrat
  • Downloads MZ/PE file
  • Executes dropped EXE 3 IoCs
  • Legitimate hosting services abused for malware hosting/C2 1 TTPs 2 IoCs
  • Enumerates system info in registry 2 TTPs 3 IoCs
  • NTFS ADS 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 12 IoCs
  • Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 7 IoCs
  • Suspicious use of AdjustPrivilegeToken 3 IoCs
  • Suspicious use of FindShellTrayWindow 35 IoCs
  • Suspicious use of SendNotifyMessage 24 IoCs
  • Suspicious use of WriteProcessMemory 64 IoCs

Processes

  • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://github.com/aaxxdf3/ddsfsfsdfsdfsdf/raw/main/Client-built.exe
    1⤵
    • Enumerates system info in registry
    • NTFS ADS
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
    • Suspicious use of FindShellTrayWindow
    • Suspicious use of SendNotifyMessage
    • Suspicious use of WriteProcessMemory
    PID:872
    • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ff9564546f8,0x7ff956454708,0x7ff956454718
      2⤵
        PID:3712
      • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2088,2311627551242569374,6903899488173948739,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2196 /prefetch:3
        2⤵
        • Suspicious behavior: EnumeratesProcesses
        PID:4744
      • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2088,2311627551242569374,6903899488173948739,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2120 /prefetch:2
        2⤵
          PID:416
        • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
          "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2088,2311627551242569374,6903899488173948739,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2636 /prefetch:8
          2⤵
            PID:2400
          • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
            "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2088,2311627551242569374,6903899488173948739,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3356 /prefetch:1
            2⤵
              PID:4164
            • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
              "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2088,2311627551242569374,6903899488173948739,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3372 /prefetch:1
              2⤵
                PID:3400
              • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2088,2311627551242569374,6903899488173948739,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5300 /prefetch:1
                2⤵
                  PID:4084
                • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2088,2311627551242569374,6903899488173948739,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5176 /prefetch:1
                  2⤵
                    PID:4024
                  • C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
                    "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2088,2311627551242569374,6903899488173948739,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5684 /prefetch:8
                    2⤵
                      PID:3300
                    • C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
                      "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2088,2311627551242569374,6903899488173948739,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5684 /prefetch:8
                      2⤵
                      • Suspicious behavior: EnumeratesProcesses
                      PID:3972
                    • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2088,2311627551242569374,6903899488173948739,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4636 /prefetch:1
                      2⤵
                        PID:2872
                      • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2088,2311627551242569374,6903899488173948739,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=14 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6012 /prefetch:1
                        2⤵
                          PID:1236
                        • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                          "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2088,2311627551242569374,6903899488173948739,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=13 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5988 /prefetch:1
                          2⤵
                            PID:4884
                          • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                            "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=edge_collections.mojom.CollectionsDataManager --field-trial-handle=2088,2311627551242569374,6903899488173948739,131072 --lang=en-US --service-sandbox-type=collections --mojo-platform-channel-handle=4500 /prefetch:8
                            2⤵
                              PID:2164
                            • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                              "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --field-trial-handle=2088,2311627551242569374,6903899488173948739,131072 --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=6280 /prefetch:8
                              2⤵
                                PID:3564
                              • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                                "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=2088,2311627551242569374,6903899488173948739,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5824 /prefetch:8
                                2⤵
                                • Suspicious behavior: EnumeratesProcesses
                                PID:4720
                              • C:\Users\Admin\Downloads\Client-built.exe
                                "C:\Users\Admin\Downloads\Client-built.exe"
                                2⤵
                                • Executes dropped EXE
                                • Suspicious use of AdjustPrivilegeToken
                                PID:1948
                              • C:\Users\Admin\Downloads\Client-built.exe
                                "C:\Users\Admin\Downloads\Client-built.exe"
                                2⤵
                                • Executes dropped EXE
                                • Suspicious use of AdjustPrivilegeToken
                                PID:1288
                              • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                                "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2088,2311627551242569374,6903899488173948739,131072 --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --gpu-preferences=UAAAAAAAAADoAAAQAAAAAAAAAAAAAAAAAABgAAAEAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1364 /prefetch:2
                                2⤵
                                • Suspicious behavior: EnumeratesProcesses
                                PID:3780
                            • C:\Windows\System32\CompPkgSrv.exe
                              C:\Windows\System32\CompPkgSrv.exe -Embedding
                              1⤵
                                PID:1624
                              • C:\Windows\System32\CompPkgSrv.exe
                                C:\Windows\System32\CompPkgSrv.exe -Embedding
                                1⤵
                                  PID:4416
                                • C:\Windows\System32\rundll32.exe
                                  C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
                                  1⤵
                                    PID:5032
                                  • C:\Users\Admin\Downloads\Client-built.exe
                                    "C:\Users\Admin\Downloads\Client-built.exe"
                                    1⤵
                                    • Executes dropped EXE
                                    • Suspicious use of AdjustPrivilegeToken
                                    PID:3812

                                  Network

                                  MITRE ATT&CK Enterprise v15

                                  Replay Monitor

                                  Loading Replay Monitor...

                                  Downloads

                                  • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat
                                    Filesize

                                    152B

                                    MD5

                                    58670ac03d80eb4bd1cec7ac5672d2e8

                                    SHA1

                                    276295d2f9e58fb0b8ef03bd9567227fb94e03f7

                                    SHA256

                                    76e1645d9c4f363b34e554822cfe0d53ff1fce5e994acdf1edeff13ae8df30f8

                                    SHA512

                                    99fe23263de36ec0c8b6b3b0205df264250392cc9c0dd8fa28cf954ff39f9541f722f96a84fbc0b4e42cfd042f064525a6be4b220c0180109f8b1d51bbdef8ff

                                    Download Submit

                                  • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat
                                    Filesize

                                    152B

                                    MD5

                                    3782686f747f4a85739b170a3898b645

                                    SHA1

                                    81ae1c4fd3d1fddb50b3773e66439367788c219c

                                    SHA256

                                    67ee813be3c6598a8ea02cd5bb5453fc0aa114606e3fc7ad216f205fe46dfc13

                                    SHA512

                                    54eb860107637a611150ff18ac57856257bf650f70dce822de234aee644423080b570632208d38e45e2f0d2bf60ca2684d3c3480f9637ea4ad81f2bcfb9f24d5

                                    Download Submit

                                  • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State
                                    Filesize

                                    261B

                                    MD5

                                    2c2e6472d05e3832905f0ad4a04d21c3

                                    SHA1

                                    007edbf35759af62a5b847ab09055e7d9b86ffcc

                                    SHA256

                                    283d954fa21caa1f3b4aba941b154fab3e626ff27e7b8029f5357872c48cbe03

                                    SHA512

                                    8c4ce1ea02da6ffb7e7041c50528da447d087d9ee3c9f4a8c525d2d856cf48e46f5dd9a1fedd23dd047634e719c8886457f7e7240aa3cc36f1a6216e4c00ee37

                                    Download Submit

                                  • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences
                                    Filesize

                                    6KB

                                    MD5

                                    1483f95e2bdd86b5707933946d9d7c1b

                                    SHA1

                                    d28d883581bd37d73a6a06bf49457ac09937ad96

                                    SHA256

                                    7197f4e1b2b95dc60ce9d9d55b81b5418b414073d0f43aceee9e2eb902d96d6f

                                    SHA512

                                    c20425e416a55a7c0a128a36cf28ded77fa81f9354908fc9040110e59b10b359f34b0e102e336430a512974365b4d61de679a69d80f515f97d86e43f3d608a06

                                    Download Submit

                                  • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences
                                    Filesize

                                    6KB

                                    MD5

                                    ad3552b039d4d9047b51defd5f4de503

                                    SHA1

                                    ea3c0185f15b8b6e260c426b875a0aee5fcdb8ad

                                    SHA256

                                    a8457551757edcf10baed2afc2b16d2a6cf227bc51cb3725618322ab1846948e

                                    SHA512

                                    c0c88a7ce140f6b9b729218dbe7b3c743cfa1942dcb3975346a437fe92bbfe382ab63e27f11f2ad3644b61c87c73ce93e1fe6a454a2fcabca1ae5ad2643698ee

                                    Download Submit

                                  • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT
                                    Filesize

                                    16B

                                    MD5

                                    6752a1d65b201c13b62ea44016eb221f

                                    SHA1

                                    58ecf154d01a62233ed7fb494ace3c3d4ffce08b

                                    SHA256

                                    0861415cada612ea5834d56e2cf1055d3e63979b69eb71d32ae9ae394d8306cd

                                    SHA512

                                    9cfd838d3fb570b44fc3461623ab2296123404c6c8f576b0de0aabd9a6020840d4c9125eb679ed384170dbcaac2fa30dc7fa9ee5b77d6df7c344a0aa030e0389

                                    Download Submit

                                  • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State
                                    Filesize

                                    11KB

                                    MD5

                                    4232f6e823848fb7192de06927b5137c

                                    SHA1

                                    0791543b35de74e34f672c3d4543c4b36b0ad517

                                    SHA256

                                    20b7b8caf5c7c0d2b9a841a4c74442c6b82a6f3f397aa87ce29ae722c7ea8842

                                    SHA512

                                    8cca361a81e1793851d2091c0e7f764353a15a0c9ccdf8ac489fc9cc7c8144d0647cfefbbf370e4fba2c3e77b08ec1120c1fd5d098af58a693923c0bdb662b30

                                    Download Submit

                                  • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State
                                    Filesize

                                    11KB

                                    MD5

                                    cb2220b505491a161e1e7fd3bd5ee5ec

                                    SHA1

                                    125ee0a5641c1c4aa110e730d2649451c1568a4e

                                    SHA256

                                    a554bf5df73f57941d3f597f329fea061c7eda711a2f1d7e51a82afe58c4a2ae

                                    SHA512

                                    d315f00e77450eb6ffef15ad3305b51426ddb63a3a7ef16f2a28a34dece3208b20d5836577cd8bfecbecfc93ca32eaa28b72c3ff546329cb96855da4a345a4b3

                                    Download Submit

                                  • C:\Users\Admin\Downloads\Unconfirmed 531691.crdownload
                                    Filesize

                                    78KB

                                    MD5

                                    f00323f7e8b54eb583c25ea1571b6f5f

                                    SHA1

                                    02808a042b11a29b3ab99e3e1aa336d5a8585140

                                    SHA256

                                    d31a0b9e3d84480816dd7d12125e4c11213209b47256f63343a9e9e4b45f20b5

                                    SHA512

                                    b3e4700259c38064c4340e18d42259a2a424345714a4215b89f586a8dfc41686d69d4d0d78cd0cd136d5724c0a7cbd3bb2bc10ec22927ffae23583c87a635d69

                                    Download Submit

                                  • memory/1288-100-0x0000023801840000-0x0000023801850000-memory.dmp

                                    Filesize

                                    64KB

                                    Download

                                  • memory/1288-99-0x00007FF952C60000-0x00007FF953721000-memory.dmp

                                    Filesize

                                    10.8MB

                                    Download

                                  • memory/1288-113-0x00007FF952C60000-0x00007FF953721000-memory.dmp

                                    Filesize

                                    10.8MB

                                    Download

                                  • memory/1288-114-0x0000023801840000-0x0000023801850000-memory.dmp

                                    Filesize

                                    64KB

                                    Download

                                  • memory/1948-95-0x00007FF952C60000-0x00007FF953721000-memory.dmp

                                    Filesize

                                    10.8MB

                                    Download

                                  • memory/1948-96-0x0000020EF97D0000-0x0000020EF97E0000-memory.dmp

                                    Filesize

                                    64KB

                                    Download

                                  • memory/1948-97-0x0000020EFCC40000-0x0000020EFD168000-memory.dmp

                                    Filesize

                                    5.2MB

                                    Download

                                  • memory/1948-94-0x0000020EFBAC0000-0x0000020EFBC82000-memory.dmp

                                    Filesize

                                    1.8MB

                                    Download

                                  • memory/1948-103-0x00007FF952C60000-0x00007FF953721000-memory.dmp

                                    Filesize

                                    10.8MB

                                    Download

                                  • memory/1948-93-0x0000020EF92F0000-0x0000020EF9308000-memory.dmp

                                    Filesize

                                    96KB

                                    Download

                                  • memory/3812-143-0x00007FF952C60000-0x00007FF953721000-memory.dmp

                                    Filesize

                                    10.8MB

                                    Download

                                  • memory/3812-149-0x00007FF952C60000-0x00007FF953721000-memory.dmp

                                    Filesize

                                    10.8MB

                                    Download

                                  • memory/3812-150-0x000002366FCB0000-0x000002366FCC0000-memory.dmp

                                    Filesize

                                    64KB

                                    Download