Overview

overview

10

Static

static

10

Client-built.exe

windows7-x64

10

Client-built.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    57s
  • max time network
    85s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240319-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20240319-enlocale:en-usos:windows10-2004-x64system
  • submitted
    04-04-2024 13:35

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    Client-built.exe

  • Size

    78KB

  • MD5

    95279ec42bbd666cfd0687d17afaa14f

  • SHA1

    1715de9c85f1377385cd9e9d03c24c1f98880b20

  • SHA256

    d5f965b39387c018ecb153d1573df2dcd4772ed64bc61eb5ffa2aca00c9fe058

  • SHA512

    e23fcd902fb3bfa168ea2f2370d8c112ebe7b6f69b84103b6b58b927710c4a409329d781e5209523ead7171b1ed0468533a5564902d56d5bb936270c5ff2ae5b

  • SSDEEP

    1536:52WjO8XeEXFh5P7v88wbjNrfxCXhRoKV6+V+JPIC:5Zv5PDwbjNrmAE+5IC

Score
10/10
discordratpersistenceratrootkitstealer

Malware Config

Extracted

Family

discordrat

Attributes
  • discord_token

    MTIyNTE2MjYyMzk2NDY4MDM2Ng.GhqsI6.zQNKyvLE0OxdAyNdfbB_zzCUQ4WNSRbzAQHH-A

  • server_id

    1225162463952109721

Signatures

  • Discord RAT

    A RAT written in C# using Discord as a C2.

    stealerrootkitratpersistencediscordrat
  • Legitimate hosting services abused for malware hosting/C2 1 TTPs 5 IoCs
  • Checks processor information in registry 2 TTPs 8 IoCs

    Processor information is often read in order to detect sandboxing environments.

  • Modifies registry class 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 4 IoCs
  • Suspicious use of FindShellTrayWindow 4 IoCs
  • Suspicious use of SendNotifyMessage 3 IoCs
  • Suspicious use of SetWindowsHookEx 1 IoCs
  • Suspicious use of WriteProcessMemory 64 IoCs
  • Uses Task Scheduler COM API 1 TTPs

    The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.

    persistence

Processes

  • C:\Users\Admin\AppData\Local\Temp\Client-built.exe
    "C:\Users\Admin\AppData\Local\Temp\Client-built.exe"
    1⤵
    • Suspicious use of AdjustPrivilegeToken
    PID:4320
  • C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe"
    1⤵
    • Suspicious use of WriteProcessMemory
    PID:968
    • C:\Program Files\Mozilla Firefox\firefox.exe
      "C:\Program Files\Mozilla Firefox\firefox.exe"
      2⤵
      • Checks processor information in registry
      • Modifies registry class
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of FindShellTrayWindow
      • Suspicious use of SendNotifyMessage
      • Suspicious use of SetWindowsHookEx
      • Suspicious use of WriteProcessMemory
      PID:4560
      • C:\Program Files\Mozilla Firefox\firefox.exe
        "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="4560.0.1204270734\1300376162" -parentBuildID 20221007134813 -prefsHandle 1872 -prefMapHandle 1864 -prefsLen 20749 -prefMapSize 233444 -appDir "C:\Program Files\Mozilla Firefox\browser" - {efc6378f-c105-48bf-826a-780fbb281df1} 4560 "\\.\pipe\gecko-crash-server-pipe.4560" 1960 15bbe0ea858 gpu
        3⤵
          PID:2688
        • C:\Program Files\Mozilla Firefox\firefox.exe
          "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="4560.1.682278184\2018347796" -parentBuildID 20221007134813 -prefsHandle 2340 -prefMapHandle 2336 -prefsLen 20785 -prefMapSize 233444 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {d31bfa59-0918-4482-b34f-4995745cc128} 4560 "\\.\pipe\gecko-crash-server-pipe.4560" 2360 15bbd831858 socket
          3⤵
          • Checks processor information in registry
          PID:4348
        • C:\Program Files\Mozilla Firefox\firefox.exe
          "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="4560.2.168441146\1623486848" -childID 1 -isForBrowser -prefsHandle 3220 -prefMapHandle 3400 -prefsLen 20823 -prefMapSize 233444 -jsInitHandle 1080 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {3aff6c45-8768-4f97-93b6-7c7f14fd7565} 4560 "\\.\pipe\gecko-crash-server-pipe.4560" 3204 15bbe05e458 tab
          3⤵
            PID:5464
          • C:\Program Files\Mozilla Firefox\firefox.exe
            "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="4560.3.1576311154\554080769" -childID 2 -isForBrowser -prefsHandle 3320 -prefMapHandle 3292 -prefsLen 26066 -prefMapSize 233444 -jsInitHandle 1080 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {db500f9c-a1af-4ab1-8749-899c42c063f5} 4560 "\\.\pipe\gecko-crash-server-pipe.4560" 3592 15bc2c1c758 tab
            3⤵
              PID:5568
            • C:\Program Files\Mozilla Firefox\firefox.exe
              "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="4560.4.1408364523\2146327249" -childID 3 -isForBrowser -prefsHandle 4576 -prefMapHandle 4568 -prefsLen 26125 -prefMapSize 233444 -jsInitHandle 1080 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {44d79843-320b-429c-98a8-57b4bf92a838} 4560 "\\.\pipe\gecko-crash-server-pipe.4560" 4572 15bc3cb9558 tab
              3⤵
                PID:5960
              • C:\Program Files\Mozilla Firefox\firefox.exe
                "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="4560.5.707373293\1339460771" -childID 4 -isForBrowser -prefsHandle 5220 -prefMapHandle 5204 -prefsLen 26206 -prefMapSize 233444 -jsInitHandle 1080 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {badbc8b6-b4e5-49bb-89ba-7c1e114cfeee} 4560 "\\.\pipe\gecko-crash-server-pipe.4560" 5212 15bc3fd8158 tab
                3⤵
                  PID:5372
                • C:\Program Files\Mozilla Firefox\firefox.exe
                  "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="4560.6.164533643\1468138272" -childID 5 -isForBrowser -prefsHandle 5340 -prefMapHandle 5344 -prefsLen 26206 -prefMapSize 233444 -jsInitHandle 1080 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {65e0ecaf-da58-45c4-9e81-4e9f34f3a493} 4560 "\\.\pipe\gecko-crash-server-pipe.4560" 5332 15bc4303b58 tab
                  3⤵
                    PID:5380
                  • C:\Program Files\Mozilla Firefox\firefox.exe
                    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="4560.7.79820221\965863931" -childID 6 -isForBrowser -prefsHandle 5532 -prefMapHandle 5536 -prefsLen 26206 -prefMapSize 233444 -jsInitHandle 1080 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {90322030-edaa-4d0d-b691-0da3ea033621} 4560 "\\.\pipe\gecko-crash-server-pipe.4560" 5524 15bc4304758 tab
                    3⤵
                      PID:5384
                • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=3688 --field-trial-handle=2148,i,1752153415760610784,11376271161549019716,262144 --variations-seed-version /prefetch:8
                  1⤵
                    PID:5836

                  Network

                  MITRE ATT&CK Enterprise v15

                  Replay Monitor

                  Loading Replay Monitor...

                  Downloads

                  • C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\s7sufels.default-release\datareporting\glean\db\data.safe.bin
                    Filesize

                    2KB

                    MD5

                    621e101709bb61b7d0ab75418e154838

                    SHA1

                    4f2a8cac1d7a1fd343227f27f3ac18f578f398f6

                    SHA256

                    983901609953c2b3ba6a22acb3f2f194fefac303cbe3568d3b72c9a222a6ddee

                    SHA512

                    c527522856bb555e30e301eced5981d1ccb60fbffe8d1010e9df6b1b10edfed9e5c91374ac95326b5dd15cfbb766f089395bb5d2c2183db76e6beb0c2272dfb1

                    Download Submit

                  • C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\s7sufels.default-release\datareporting\glean\pending_pings\59022c1d-c248-420e-9143-30faadee3f03
                    Filesize

                    746B

                    MD5

                    064e886354812bc09ad633fa00ed1123

                    SHA1

                    723f170a7eaacba99e4e1a7e1e803119a8eb0e1b

                    SHA256

                    328b6ec41d1bbee609c0608048056f3b5743370fff7d111969aa0d6550b7b733

                    SHA512

                    15bb79c03f32717a5b825c79b8b00a73545f8e4cf94abbe0bf08ee577f91fd7ef18fa17f671ca1e79ca5f04b1838f9aa085e2e27ea0e0ee9e424a4d88f7f7f47

                    Download Submit

                  • C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\s7sufels.default-release\datareporting\glean\pending_pings\c3a67418-01ab-4088-a1cc-017f122c78ac
                    Filesize

                    11KB

                    MD5

                    c317d8e97c58f43faafb2f23a42b7e13

                    SHA1

                    b0672256cb0d11e6ea65292c7a20a73bd49ecc93

                    SHA256

                    8db51b5d8564131661ab90bcffde9d7a7fee80d7e0c39e7673479156cca90dc9

                    SHA512

                    4273d28fdc2aaf1d47962be66cb9dd0694c6c8a6e2b9ce60b1b78775272615c17b666900cb5ba27e966f8cf095928fbc9af96468bd30d3d493ae5252f463d00b

                    Download Submit

                  • C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\s7sufels.default-release\prefs-1.js
                    Filesize

                    6KB

                    MD5

                    a0e1bdfffcb6703a3e3a1891facb925c

                    SHA1

                    e6840769d5d4d40d5e3f51ee989043e2e2cd82f3

                    SHA256

                    f785a61252e1b78b1caef29e47de63f6fce00e0f23f10f5060c10bc53da3da04

                    SHA512

                    81fbedc63ae0f6081bcc14d5d988aadbd0fc8b9199c47b7dab495667acc628c1920ab28dad9421a6d94eaef75a2d925613def97a69e4541b27340cc1180b36fd

                    Download Submit

                  • C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\s7sufels.default-release\prefs.js
                    Filesize

                    6KB

                    MD5

                    3804f30c08427a095603aa5f3aaff2b4

                    SHA1

                    cdddc8f7d5d5beff017667f7476f26fba1479934

                    SHA256

                    9c8e5f61c04df7cc2cb81b471c178c65e3acf6218289924450f5ec0c2943350e

                    SHA512

                    afdeaec6c0b2e3ecd4f64ff8cee3c9c10ea9a9eb486a2320d50daf7c7fe3cc33081f7b6b909e60f558856e50f99d5b95b98ae6e04b59421504dc8e2c2956dc06

                    Download Submit

                  • C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\s7sufels.default-release\sessionstore.jsonlz4
                    Filesize

                    886B

                    MD5

                    5b924abadf35f8082820c4738c0a87a6

                    SHA1

                    a2f60186d0d3d8fc1796e5b7153afd99c084ad7c

                    SHA256

                    6f80f034c56af7ea0bedea804710dfd807503fd79ea806e5f1d1efcacb6f85b0

                    SHA512

                    936befb2b469447ea7350b312bd312fe87dd249d8c9de2bf87b2880f0b2543da5bd5b2458a5232c66bdc20cbaaced3b9b9c4824d2c7cc95e45866cfe9435dae0

                    Download Submit

                  • memory/4320-3-0x00000190F7F10000-0x00000190F7F20000-memory.dmp

                    Filesize

                    64KB

                    Download

                  • memory/4320-6-0x00000190F7F10000-0x00000190F7F20000-memory.dmp

                    Filesize

                    64KB

                    Download

                  • memory/4320-5-0x00007FFE39BD0000-0x00007FFE3A691000-memory.dmp

                    Filesize

                    10.8MB

                    Download

                  • memory/4320-4-0x00000190F99F0000-0x00000190F9F18000-memory.dmp

                    Filesize

                    5.2MB

                    Download

                  • memory/4320-0-0x00000190F62E0000-0x00000190F62F8000-memory.dmp

                    Filesize

                    96KB

                    Download

                  • memory/4320-2-0x00007FFE39BD0000-0x00007FFE3A691000-memory.dmp

                    Filesize

                    10.8MB

                    Download

                  • memory/4320-1-0x00000190F8940000-0x00000190F8B02000-memory.dmp

                    Filesize

                    1.8MB

                    Download