Analysis
- max time kernel: 150s
- max time network: 151s
- platform: windows10-2004_x64
- resource: win10v2004-20240226-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20240226-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 16-04-2024 12:30

Behavioral task: behavioral1
- Sample: Client-built.exe
- Resource: win10v2004-20240226-en (windows10-2004-x64)
- 5 signatures
- 150 seconds
General
- Target: Client-built.exe
- Size: 78KB
- MD5: 4df04cff530018542d06b2c4d4fc1df2
- SHA1: 6022231e4020da6204c73884b334bf3c6a9f191a
- SHA256: 7887c12ad9d967cdaeb7aa252dbf92fee4ef65464fc839cf6d81e425d04843de
- SHA512: fa584682fb31608eee5755687359cb8fc4011d7493d0bfe70623944476bccb31abf575c18fff3a2172f04921d7512399b2d01887967af283e852d5603b70fb83
- SSDEEP: 1536:52WjO8XeEXFh5P7v88wbjNrfxCXhRoKV6+V+TPIC:5Zv5PDwbjNrmAE+LIC
- Score: 10/10
Malware Config
Extracted
- Family: discordrat
- Attributes:
  - discord_token: MTIyOTc2OTg1NDUyNTkwMzAyMg.GzXTTs.QvGKyBTRCwZ__Kp7MunohboXaQQ5HVQVdoWZgA
  - server_id: 1169727745656365087
Signatures
- Discord RAT
  A RAT written in C# using Discord as a C2.
- Downloads MZ/PE file
- Reads user/profile data of web browsers (2 TTPs)
  Infostealers often target stored browser data, which can include saved credentials etc.
- Legitimate hosting services abused for malware hosting/C2 (1 TTPs, 13 IoCs)
- Suspicious use of AdjustPrivilegeToken (1 IoCs)
  description: Token: SeDebugPrivilege; pid: 3652; Process: Client-built.exe
Processes
- C:\Users\Admin\AppData\Local\Temp\Client-built.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\Client-built.exe"
  PID: 3652
  Suspicious use of AdjustPrivilegeToken
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=3932 --field-trial-handle=2356,i,13261194862334667799,7441241219475888176,262144 --variations-seed-version /prefetch:8
  PID: 1896