Overview

overview

10

Static

static

10

Client-built.exe

windows7-x64

10

Client-built.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    244s
  • max time network
    245s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240226-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20240226-enlocale:en-usos:windows10-2004-x64system
  • submitted
    08-04-2024 06:25

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    Client-built.exe

  • Size

    78KB

  • MD5

    f131e9a605657417a6d9ee4897236762

  • SHA1

    e673c6da09e605351bd12c596292621ca1c1a063

  • SHA256

    0cd8c108e213285ce93c085181e35a446d040b788338acab6ff8d02f9620a572

  • SHA512

    cddeba715d9fb981f86d67449dc989c3472286ec97f3de2773f770582cdcea3071222fcd94d6286a2800b83fcb845001bac0175e664a1e7d8aa07e8dff70cb9e

  • SSDEEP

    1536:52WjO8XeEXFh5P7v88wbjNrfxCXhRoKV6+V+APIC:5Zv5PDwbjNrmAE+kIC

Score
10/10
discordratpersistenceratrootkitspywarestealer

Malware Config

Extracted

Family

discordrat

Attributes
  • discord_token

    MTIxNjIxNTUyNTI4MjI4MzU4MA.GBK6jN.COZl9FTvEhXWGR_iVRAo7f9RXb-CLOQVgRSCWA

  • server_id

    1216215871526277180

Signatures

  • Discord RAT

    A RAT written in C# using Discord as a C2.

    stealerrootkitratpersistencediscordrat
  • Suspicious use of NtCreateUserProcessOtherParentProcess 1 IoCs
  • Downloads MZ/PE file
  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

    spywarestealer
  • Legitimate hosting services abused for malware hosting/C2 1 TTPs 23 IoCs
  • Suspicious use of SetThreadContext 1 IoCs
  • Checks SCSI registry key(s) 3 TTPs 3 IoCs

    SCSI information is often read in order to detect sandboxing environments.

  • Creates scheduled task(s) 1 TTPs 1 IoCs

    Schtasks is often used by malware for persistence or to perform post-infection execution.

    persistence
  • Suspicious behavior: EnumeratesProcesses 15 IoCs
  • Suspicious use of AdjustPrivilegeToken 10 IoCs
  • Suspicious use of FindShellTrayWindow 36 IoCs
  • Suspicious use of SendNotifyMessage 36 IoCs
  • Suspicious use of WriteProcessMemory 17 IoCs
  • Uses Task Scheduler COM API 1 TTPs

    The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.

    persistence

Processes

  • C:\Windows\system32\winlogon.exe
    winlogon.exe
    1⤵
      PID:612
      • C:\Windows\System32\dllhost.exe
        C:\Windows\System32\dllhost.exe /Processid:{6c37ee8c-4956-47e8-863d-a1407a1234cf}
        2⤵
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        PID:2632
    • C:\Users\Admin\AppData\Local\Temp\Client-built.exe
      "C:\Users\Admin\AppData\Local\Temp\Client-built.exe"
      1⤵
      • Suspicious use of NtCreateUserProcessOtherParentProcess
      • Suspicious use of SetThreadContext
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:4408
      • C:\Windows\SYSTEM32\SCHTASKS.exe
        "SCHTASKS.exe" /create /tn "$77Client-built.exe" /tr "'C:\Users\Admin\AppData\Local\Temp\Client-built.exe'" /sc onlogon /rl HIGHEST
        2⤵
        • Creates scheduled task(s)
        PID:3208
    • C:\Windows\system32\AUDIODG.EXE
      C:\Windows\system32\AUDIODG.EXE 0x3d4 0x2f8
      1⤵
      • Suspicious use of AdjustPrivilegeToken
      PID:448
    • C:\Windows\system32\taskmgr.exe
      "C:\Windows\system32\taskmgr.exe" /4
      1⤵
      • Checks SCSI registry key(s)
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of FindShellTrayWindow
      • Suspicious use of SendNotifyMessage
      PID:968

    Network

    MITRE ATT&CK Enterprise v15

    Replay Monitor

    Loading Replay Monitor...

    Downloads

    • memory/968-26-0x0000022365F30000-0x0000022365F31000-memory.dmp

      Filesize

      4KB

      Download

    • memory/968-38-0x0000022365F30000-0x0000022365F31000-memory.dmp

      Filesize

      4KB

      Download

    • memory/968-37-0x0000022365F30000-0x0000022365F31000-memory.dmp

      Filesize

      4KB

      Download

    • memory/968-35-0x0000022365F30000-0x0000022365F31000-memory.dmp

      Filesize

      4KB

      Download

    • memory/968-36-0x0000022365F30000-0x0000022365F31000-memory.dmp

      Filesize

      4KB

      Download

    • memory/968-34-0x0000022365F30000-0x0000022365F31000-memory.dmp

      Filesize

      4KB

      Download

    • memory/968-33-0x0000022365F30000-0x0000022365F31000-memory.dmp

      Filesize

      4KB

      Download

    • memory/968-32-0x0000022365F30000-0x0000022365F31000-memory.dmp

      Filesize

      4KB

      Download

    • memory/968-28-0x0000022365F30000-0x0000022365F31000-memory.dmp

      Filesize

      4KB

      Download

    • memory/968-27-0x0000022365F30000-0x0000022365F31000-memory.dmp

      Filesize

      4KB

      Download

    • memory/2632-19-0x0000000140000000-0x000000014018A000-memory.dmp

      Filesize

      1.5MB

      Download

    • memory/2632-18-0x0000000140000000-0x000000014018A000-memory.dmp

      Filesize

      1.5MB

      Download

    • memory/2632-25-0x0000000140000000-0x000000014018A000-memory.dmp

      Filesize

      1.5MB

      Download

    • memory/2632-21-0x0000000140000000-0x000000014018A000-memory.dmp

      Filesize

      1.5MB

      Download

    • memory/2632-20-0x0000000140000000-0x000000014018A000-memory.dmp

      Filesize

      1.5MB

      Download

    • memory/4408-24-0x00000221368E0000-0x00000221368FE000-memory.dmp

      Filesize

      120KB

      Download

    • memory/4408-12-0x0000022137940000-0x0000022137C0A000-memory.dmp

      Filesize

      2.8MB

      Download

    • memory/4408-17-0x00007FFBE9020000-0x00007FFBE90DE000-memory.dmp

      Filesize

      760KB

      Download

    • memory/4408-16-0x00007FFBEAA70000-0x00007FFBEAC65000-memory.dmp

      Filesize

      2.0MB

      Download

    • memory/4408-22-0x00000221374E0000-0x0000022137556000-memory.dmp

      Filesize

      472KB

      Download

    • memory/4408-23-0x0000022133E00000-0x0000022133E12000-memory.dmp

      Filesize

      72KB

      Download

    • memory/4408-14-0x000002211AE80000-0x000002211AE8E000-memory.dmp

      Filesize

      56KB

      Download

    • memory/4408-15-0x0000022137EA0000-0x00000221381F8000-memory.dmp

      Filesize

      3.3MB

      Download

    • memory/4408-13-0x00000221336E0000-0x00000221336F0000-memory.dmp

      Filesize

      64KB

      Download

    • memory/4408-0-0x00000221190E0000-0x00000221190F8000-memory.dmp

      Filesize

      96KB

      Download

    • memory/4408-11-0x00000221336E0000-0x00000221336F0000-memory.dmp

      Filesize

      64KB

      Download

    • memory/4408-7-0x0000022136920000-0x00000221369CA000-memory.dmp

      Filesize

      680KB

      Download

    • memory/4408-6-0x00000221336E0000-0x00000221336F0000-memory.dmp

      Filesize

      64KB

      Download

    • memory/4408-5-0x00007FFBCC9C0000-0x00007FFBCD481000-memory.dmp

      Filesize

      10.8MB

      Download

    • memory/4408-4-0x0000022133F30000-0x0000022134458000-memory.dmp

      Filesize

      5.2MB

      Download

    • memory/4408-3-0x00000221336E0000-0x00000221336F0000-memory.dmp

      Filesize

      64KB

      Download

    • memory/4408-2-0x00007FFBCC9C0000-0x00007FFBCD481000-memory.dmp

      Filesize

      10.8MB

      Download

    • memory/4408-1-0x0000022133730000-0x00000221338F2000-memory.dmp

      Filesize

      1.8MB

      Download