discordrat | 97ffdc85eaf253b0bf73ff4c7218ba69c633163d68a8c81b1cca26d37413a2ec

Analysis

max time kernel
125s
max time network
154s
platform
windows10-2004_x64
resource
win10v2004-20240319-en
resource tags

arch:x64arch:x86image:win10v2004-20240319-enlocale:en-usos:windows10-2004-x64system
submitted
04-04-2024 23:25

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

Client-built.exe
Size

78KB
MD5

26bbb735944110bb972f756f4ddf3043
SHA1

dc4b9bc259eae6e2844f544eccc77d25b55643b6
SHA256

97ffdc85eaf253b0bf73ff4c7218ba69c633163d68a8c81b1cca26d37413a2ec
SHA512

3f95f8606a340c3998cc28c136af6b700976328f66d21f8159baca1258978e9ce8d6568c1796ae2a5067b9a66c5134640c759e737ee2e77505fcad7873dde513
SSDEEP

1536:52WjO8XeEXFh5P7v88wbjNrfxCXhRoKV6+V+PPIC:5Zv5PDwbjNrmAE+3IC

Score

10^/10

discordrat persistence rat rootkit stealer

Malware Config

Extracted

Family

discordrat

Attributes

discord_token
MTIyNTU4MTkxODM5ODE4NTQ5NA.Gw9CZ8.yYe5hL8D8XiPvhntF1xwye-frottc7F_HntHW0
server_id
1222772434135158806

Signatures

Discord RAT
A RAT written in C# using Discord as a C2.
stealer rootkit rat persistence discordrat

Suspicious use of NtCreateUserProcessOtherParentProcess 1 IoCs

description	pid	Process	procid_target
PID 2396 created 624	2396	Client-built.exe	5

Downloads MZ/PE file

Legitimate hosting services abused for malware hosting/C2 1 TTPs 8 IoCs

Web Service

T1102

flow	ioc
150	discord.com
119	discord.com
120	discord.com
123	discord.com
126	discord.com
127	discord.com
147	raw.githubusercontent.com
148	raw.githubusercontent.com

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 2396 set thread context of 4668	2396	Client-built.exe	116

Suspicious behavior: EnumeratesProcesses 6 IoCs

pid	Process
2396	Client-built.exe
2396	Client-built.exe
4668	dllhost.exe
4668	dllhost.exe
4668	dllhost.exe
4668	dllhost.exe

Suspicious use of AdjustPrivilegeToken 5 IoCs

description	pid	Process
Token: SeDebugPrivilege	2396	Client-built.exe
Token: SeDebugPrivilege	2396	Client-built.exe
Token: SeDebugPrivilege	4668	dllhost.exe
Token: SeShutdownPrivilege	388	dwm.exe
Token: SeCreatePagefilePrivilege	388	dwm.exe

Suspicious use of WriteProcessMemory 38 IoCs

description	pid	Process	procid_target
PID 2396 wrote to memory of 4668	2396	Client-built.exe	116
PID 2396 wrote to memory of 4668	2396	Client-built.exe	116
PID 2396 wrote to memory of 4668	2396	Client-built.exe	116
PID 2396 wrote to memory of 4668	2396	Client-built.exe	116
PID 2396 wrote to memory of 4668	2396	Client-built.exe	116
PID 2396 wrote to memory of 4668	2396	Client-built.exe	116
PID 2396 wrote to memory of 4668	2396	Client-built.exe	116
PID 2396 wrote to memory of 4668	2396	Client-built.exe	116
PID 2396 wrote to memory of 4668	2396	Client-built.exe	116
PID 2396 wrote to memory of 4668	2396	Client-built.exe	116
PID 2396 wrote to memory of 4668	2396	Client-built.exe	116
PID 4668 wrote to memory of 624	4668	dllhost.exe	5
PID 4668 wrote to memory of 676	4668	dllhost.exe	7
PID 4668 wrote to memory of 964	4668	dllhost.exe	12
PID 676 wrote to memory of 2668	676	lsass.exe	49
PID 4668 wrote to memory of 388	4668	dllhost.exe	13
PID 4668 wrote to memory of 724	4668	dllhost.exe	14
PID 676 wrote to memory of 2668	676	lsass.exe	49
PID 676 wrote to memory of 2668	676	lsass.exe	49
PID 4668 wrote to memory of 1016	4668	dllhost.exe	16
PID 676 wrote to memory of 2668	676	lsass.exe	49
PID 676 wrote to memory of 2668	676	lsass.exe	49
PID 4668 wrote to memory of 1072	4668	dllhost.exe	17
PID 4668 wrote to memory of 1088	4668	dllhost.exe	18
PID 676 wrote to memory of 2668	676	lsass.exe	49
PID 676 wrote to memory of 2668	676	lsass.exe	49
PID 4668 wrote to memory of 1156	4668	dllhost.exe	19
PID 676 wrote to memory of 2668	676	lsass.exe	49
PID 4668 wrote to memory of 1204	4668	dllhost.exe	20
PID 4668 wrote to memory of 1240	4668	dllhost.exe	21
PID 4668 wrote to memory of 1324	4668	dllhost.exe	22
PID 4668 wrote to memory of 1392	4668	dllhost.exe	23
PID 4668 wrote to memory of 1432	4668	dllhost.exe	24
PID 4668 wrote to memory of 1460	4668	dllhost.exe	25
PID 4668 wrote to memory of 1476	4668	dllhost.exe	26
PID 4668 wrote to memory of 1616	4668	dllhost.exe	27
PID 4668 wrote to memory of 1632	4668	dllhost.exe	28
PID 4668 wrote to memory of 1672	4668	dllhost.exe	29

C:\Windows\system32\winlogon.exe
winlogon.exe
1⤵
PID:624
- C:\Windows\system32\dwm.exe
  "dwm.exe"
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:388
- C:\Windows\System32\dllhost.exe
  C:\Windows\System32\dllhost.exe /Processid:{a30ba255-4df5-49af-a399-6ac2cb97f610}
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:4668

C:\Windows\system32\lsass.exe
C:\Windows\system32\lsass.exe
1⤵
- Suspicious use of WriteProcessMemory
PID:676

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k DcomLaunch -p -s LSM
1⤵
PID:964

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s gpsvc
1⤵
PID:724

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -p -s lmhosts
1⤵
PID:1016

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s NcbService
1⤵
PID:1072

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalServiceNetworkRestricted -p -s TimeBrokerSvc
1⤵
PID:1088

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s Schedule
1⤵
PID:1156

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalService -p -s DispBrokerDesktopSvc
1⤵
PID:1204

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s ProfSvc
1⤵
PID:1240

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -p -s EventLog
1⤵
PID:1324

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s UserManager
1⤵
PID:1392

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalService -p -s EventSystem
1⤵
PID:1432

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k netsvcs -p -s Themes
1⤵
PID:1460

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalService -p -s nsi
1⤵
PID:1476

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalServiceNetworkRestricted -p -s Dhcp
1⤵
PID:1616

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s SENS
1⤵
PID:1632

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s AudioEndpointBuilder
1⤵
PID:1672

C:\Windows\sysmon.exe
C:\Windows\sysmon.exe
1⤵
PID:2668

C:\Users\Admin\AppData\Local\Temp\Client-built.exe
"C:\Users\Admin\AppData\Local\Temp\Client-built.exe"
1⤵
- Suspicious use of NtCreateUserProcessOtherParentProcess
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2396

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -p -s DisplayEnhancementService
1⤵
PID:2820

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=4124 --field-trial-handle=2244,i,861925222566734100,5228329984880658054,262144 --variations-seed-version /prefetch:8
1⤵
PID:4196

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/388-40-0x0000027B68C90000-0x0000027B68CBA000-memory.dmp

Filesize
168KB

Download
memory/388-30-0x0000027B68C90000-0x0000027B68CBA000-memory.dmp

Filesize
168KB

Download
memory/624-21-0x000002AD58610000-0x000002AD5863A000-memory.dmp

Filesize
168KB

Download
memory/624-75-0x000002AD58610000-0x000002AD5863A000-memory.dmp

Filesize
168KB

Download
memory/624-118-0x000002AD58610000-0x000002AD5863A000-memory.dmp

Filesize
168KB

Download
memory/624-18-0x000002AD585E0000-0x000002AD58603000-memory.dmp

Filesize
140KB

Download
memory/624-27-0x00007FFA295AF000-0x00007FFA295B0000-memory.dmp

Filesize
4KB

Download
memory/624-24-0x00007FFA295AD000-0x00007FFA295AE000-memory.dmp

Filesize
4KB

Download
memory/676-37-0x00007FFA295AF000-0x00007FFA295B0000-memory.dmp

Filesize
4KB

Download
memory/676-34-0x00007FFA295AD000-0x00007FFA295AE000-memory.dmp

Filesize
4KB

Download
memory/676-32-0x00000261B39D0000-0x00000261B39FA000-memory.dmp

Filesize
168KB

Download
memory/676-25-0x00007FF9E9590000-0x00007FF9E95A0000-memory.dmp

Filesize
64KB

Download
memory/676-22-0x00000261B39D0000-0x00000261B39FA000-memory.dmp

Filesize
168KB

Download
memory/724-43-0x000001C8E2960000-0x000001C8E298A000-memory.dmp

Filesize
168KB

Download
memory/724-36-0x000001C8E2960000-0x000001C8E298A000-memory.dmp

Filesize
168KB

Download
memory/724-39-0x00007FF9E9590000-0x00007FF9E95A0000-memory.dmp

Filesize
64KB

Download
memory/964-42-0x00007FFA295AC000-0x00007FFA295AD000-memory.dmp

Filesize
4KB

Download
memory/964-38-0x0000027A86900000-0x0000027A8692A000-memory.dmp

Filesize
168KB

Download
memory/964-29-0x0000027A86900000-0x0000027A8692A000-memory.dmp

Filesize
168KB

Download
memory/964-33-0x00007FF9E9590000-0x00007FF9E95A0000-memory.dmp

Filesize
64KB

Download
memory/1016-47-0x000001E8DAB70000-0x000001E8DAB9A000-memory.dmp

Filesize
168KB

Download
memory/1016-90-0x000001E8DAB70000-0x000001E8DAB9A000-memory.dmp

Filesize
168KB

Download
memory/1016-49-0x00007FF9E9590000-0x00007FF9E95A0000-memory.dmp

Filesize
64KB

Download
memory/1072-51-0x000001D760110000-0x000001D76013A000-memory.dmp

Filesize
168KB

Download
memory/1072-54-0x00007FF9E9590000-0x00007FF9E95A0000-memory.dmp

Filesize
64KB

Download
memory/1072-93-0x000001D760110000-0x000001D76013A000-memory.dmp

Filesize
168KB

Download
memory/1088-59-0x00007FF9E9590000-0x00007FF9E95A0000-memory.dmp

Filesize
64KB

Download
memory/1088-58-0x0000013A91F00000-0x0000013A91F2A000-memory.dmp

Filesize
168KB

Download
memory/1156-57-0x0000017720970000-0x000001772099A000-memory.dmp

Filesize
168KB

Download
memory/1156-61-0x0000017720970000-0x000001772099A000-memory.dmp

Filesize
168KB

Download
memory/1156-60-0x00007FF9E9590000-0x00007FF9E95A0000-memory.dmp

Filesize
64KB

Download
memory/1204-68-0x00007FF9E9590000-0x00007FF9E95A0000-memory.dmp

Filesize
64KB

Download
memory/1204-67-0x0000016862FC0000-0x0000016862FEA000-memory.dmp

Filesize
168KB

Download
memory/1240-74-0x00007FF9E9590000-0x00007FF9E95A0000-memory.dmp

Filesize
64KB

Download
memory/1240-71-0x000002A154280000-0x000002A1542AA000-memory.dmp

Filesize
168KB

Download
memory/1324-81-0x00007FF9E9590000-0x00007FF9E95A0000-memory.dmp

Filesize
64KB

Download
memory/1324-79-0x000002759D830000-0x000002759D85A000-memory.dmp

Filesize
168KB

Download
memory/1392-83-0x00000184F32F0000-0x00000184F331A000-memory.dmp

Filesize
168KB

Download
memory/1392-84-0x00007FF9E9590000-0x00007FF9E95A0000-memory.dmp

Filesize
64KB

Download
memory/1432-88-0x000001910EB90000-0x000001910EBBA000-memory.dmp

Filesize
168KB

Download
memory/1432-98-0x000001910EB90000-0x000001910EBBA000-memory.dmp

Filesize
168KB

Download
memory/1432-92-0x00007FF9E9590000-0x00007FF9E95A0000-memory.dmp

Filesize
64KB

Download
memory/1460-91-0x0000023BBADD0000-0x0000023BBADFA000-memory.dmp

Filesize
168KB

Download
memory/1460-113-0x0000023BBADD0000-0x0000023BBADFA000-memory.dmp

Filesize
168KB

Download
memory/1476-102-0x000002472F560000-0x000002472F58A000-memory.dmp

Filesize
168KB

Download
memory/1616-116-0x0000011E89B30000-0x0000011E89B5A000-memory.dmp

Filesize
168KB

Download
memory/1632-106-0x000001B125A90000-0x000001B125ABA000-memory.dmp

Filesize
168KB

Download
memory/2396-9-0x00007FFA288C0000-0x00007FFA2897E000-memory.dmp

Filesize
760KB

Download
memory/2396-3-0x0000028E04F40000-0x0000028E04F50000-memory.dmp

Filesize
64KB

Download
memory/2396-4-0x0000028E20310000-0x0000028E20838000-memory.dmp

Filesize
5.2MB

Download
memory/2396-5-0x00007FFA09A30000-0x00007FFA0A4F1000-memory.dmp

Filesize
10.8MB

Download
memory/2396-6-0x0000028E04F40000-0x0000028E04F50000-memory.dmp

Filesize
64KB

Download
memory/2396-7-0x0000028E067D0000-0x0000028E0680E000-memory.dmp

Filesize
248KB

Download
memory/2396-8-0x00007FFA29510000-0x00007FFA29705000-memory.dmp

Filesize
2.0MB

Download
memory/2396-1-0x0000028E1F260000-0x0000028E1F422000-memory.dmp

Filesize
1.8MB

Download
memory/2396-2-0x00007FFA09A30000-0x00007FFA0A4F1000-memory.dmp

Filesize
10.8MB

Download
memory/2396-0-0x0000028E04B60000-0x0000028E04B78000-memory.dmp

Filesize
96KB

Download
memory/4668-11-0x0000000140000000-0x0000000140040000-memory.dmp

Filesize
256KB

Download
memory/4668-12-0x0000000140000000-0x0000000140040000-memory.dmp

Filesize
256KB

Download
memory/4668-10-0x0000000140000000-0x0000000140040000-memory.dmp

Filesize
256KB

Download
memory/4668-13-0x0000000140000000-0x0000000140040000-memory.dmp

Filesize
256KB

Download
memory/4668-16-0x0000000140000000-0x0000000140040000-memory.dmp

Filesize
256KB

Download
memory/4668-14-0x00007FFA29510000-0x00007FFA29705000-memory.dmp

Filesize
2.0MB

Download
memory/4668-15-0x00007FFA288C0000-0x00007FFA2897E000-memory.dmp

Filesize
760KB

Download