Analysis

max time kernel: 73s
max time network: 89s
platform: windows10-2004_x64
resource: win10v2004-20240412-en
resource tags: arch:x64, arch:x86, image:win10v2004-20240412-en, locale:en-us, os:windows10-2004-x64, system
submitted: 16-04-2024 19:31

Behavioral task behavioral1: sample Client-built.exe, resource win7-20240221-en
Behavioral task behavioral2: sample Client-built.exe, resource win10v2004-20240412-en
Errors
General

Target: Client-built.exe
Size: 78KB
MD5: bc2d2dd6fe16371f18c219fa523d5c93
SHA1: 7d1e801321c72587a7d0aa49e4f43555e7758789
SHA256: ab216a4c330fce82b5bf0449d35fd2d7d9c89a47c0d80e2278d272a99f420687
SHA512: 174bd64722e56bcf14f4b4610894c4b332932e34e1bdd7c2421a63644ee24f8c86a2a9902579a8baaf44c91e70db9092e21196fc28e1cc621d4c28df385876d3
SSDEEP: 1536:52WjO8XeEXFh5P7v88wbjNrfxCXhRoKV6+V+pPIC:5Zv5PDwbjNrmAE+ZIC
Malware Config

Extracted: discordrat
discord_token: MTEwNjU4NzkwNTg0MzAxNTczMQ.Gy9GZf.nefUfqGXXz1F_0UeH8PUa3eemxkDVD-rvvZ3VI
server_id: 1215373982082146314
Signatures

- Discord RAT
  A RAT written in C# using Discord as a C2.

- Suspicious use of NtCreateUserProcessOtherParentProcess (1 IoCs)
  description             pid   Process           procid_target
  PID 1140 created 604    1140  Client-built.exe  5

- Downloads MZ/PE file

- Reads user/profile data of web browsers (2 TTPs)
  Infostealers often target stored browser data, which can include saved credentials etc.

- Legitimate hosting services abused for malware hosting/C2 (1 TTPs, 13 IoCs)
  flow  ioc
  57    discord.com
  59    raw.githubusercontent.com
  32    discord.com
  55    discord.com
  58    discord.com
  61    discord.com
  60    raw.githubusercontent.com
  63    raw.githubusercontent.com
  67    discord.com
  68    discord.com
  16    discord.com
  17    discord.com
  56    discord.com

- Suspicious use of SetThreadContext (1 IoCs)
  description                            pid   Process           procid_target
  PID 1140 set thread context of 3084    1140  Client-built.exe  96

- Suspicious behavior: EnumeratesProcesses (5 IoCs)
  pid   Process
  1140  Client-built.exe
  3084  dllhost.exe
  3084  dllhost.exe
  3084  dllhost.exe
  3084  dllhost.exe

- Suspicious use of AdjustPrivilegeToken (3 IoCs)
  description              pid   Process
  Token: SeDebugPrivilege  1140  Client-built.exe
  Token: SeDebugPrivilege  1140  Client-built.exe
  Token: SeDebugPrivilege  3084  dllhost.exe

- Suspicious use of WriteProcessMemory (43 IoCs)
  description                          pid   Process           procid_target
  PID 1140 wrote to memory of 3084     1140  Client-built.exe  96
  PID 1140 wrote to memory of 3084     1140  Client-built.exe  96
  PID 1140 wrote to memory of 3084     1140  Client-built.exe  96
  PID 1140 wrote to memory of 3084     1140  Client-built.exe  96
  PID 1140 wrote to memory of 3084     1140  Client-built.exe  96
  PID 1140 wrote to memory of 3084     1140  Client-built.exe  96
  PID 1140 wrote to memory of 3084     1140  Client-built.exe  96
  PID 1140 wrote to memory of 3084     1140  Client-built.exe  96
  PID 1140 wrote to memory of 3084     1140  Client-built.exe  96
  PID 1140 wrote to memory of 3084     1140  Client-built.exe  96
  PID 1140 wrote to memory of 3084     1140  Client-built.exe  96
  PID 3084 wrote to memory of 604      3084  dllhost.exe       5
  PID 3084 wrote to memory of 684      3084  dllhost.exe       7
  PID 3084 wrote to memory of 960      3084  dllhost.exe       12
  PID 684 wrote to memory of 2616      684   lsass.exe         46
  PID 3084 wrote to memory of 384      3084  dllhost.exe       13
  PID 3084 wrote to memory of 392      3084  dllhost.exe       14
  PID 684 wrote to memory of 2616      684   lsass.exe         46
  PID 3084 wrote to memory of 880      3084  dllhost.exe       15
  PID 3084 wrote to memory of 1116     3084  dllhost.exe       17
  PID 3084 wrote to memory of 1124     3084  dllhost.exe       18
  PID 684 wrote to memory of 2496      684   lsass.exe         44
  PID 684 wrote to memory of 2496      684   lsass.exe         44
  PID 684 wrote to memory of 2496      684   lsass.exe         44
  PID 684 wrote to memory of 2496      684   lsass.exe         44
  PID 684 wrote to memory of 2496      684   lsass.exe         44
  PID 684 wrote to memory of 2496      684   lsass.exe         44
  PID 684 wrote to memory of 2496      684   lsass.exe         44
  PID 684 wrote to memory of 2496      684   lsass.exe         44
  PID 684 wrote to memory of 2496      684   lsass.exe         44
  PID 684 wrote to memory of 2496      684   lsass.exe         44
  PID 684 wrote to memory of 2496      684   lsass.exe         44
  PID 3084 wrote to memory of 1132     3084  dllhost.exe       19
  PID 3084 wrote to memory of 1164     3084  dllhost.exe       20
  PID 3084 wrote to memory of 1224     3084  dllhost.exe       21
  PID 3084 wrote to memory of 1292     3084  dllhost.exe       22
  PID 3084 wrote to memory of 1352     3084  dllhost.exe       23
  PID 3084 wrote to memory of 1412     3084  dllhost.exe       24
  PID 684 wrote to memory of 2616      684   lsass.exe         46
  PID 3084 wrote to memory of 1512     3084  dllhost.exe       25
  PID 3084 wrote to memory of 1540     3084  dllhost.exe       26
  PID 3084 wrote to memory of 1560     3084  dllhost.exe       27
  PID 3084 wrote to memory of 1652     3084  dllhost.exe       28
Processes

(process tree; nested entries are children of the entry above them, one line per process: image path | command line | PID, with triggered signatures listed beneath)

- C:\Windows\system32\winlogon.exe | winlogon.exe | PID 604
  - C:\Windows\system32\dwm.exe | "dwm.exe" | PID 384
  - C:\Windows\System32\dllhost.exe | C:\Windows\System32\dllhost.exe /Processid:{a67c10e3-00a5-4f26-b2a7-a195b8844d17} | PID 3084
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
- C:\Windows\system32\lsass.exe | C:\Windows\system32\lsass.exe | PID 684
  - Suspicious use of WriteProcessMemory
- C:\Windows\system32\svchost.exe | C:\Windows\system32\svchost.exe -k DcomLaunch -p -s LSM | PID 960
- C:\Windows\system32\svchost.exe | C:\Windows\system32\svchost.exe -k netsvcs -p -s gpsvc | PID 392
- C:\Windows\System32\svchost.exe | C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -p -s lmhosts | PID 880
- C:\Windows\system32\svchost.exe | C:\Windows\system32\svchost.exe -k netsvcs -p -s Schedule | PID 1116
- C:\Windows\System32\svchost.exe | C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -p -s EventLog | PID 1124
- C:\Windows\System32\svchost.exe | C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s NcbService | PID 1132
- C:\Windows\system32\svchost.exe | C:\Windows\system32\svchost.exe -k LocalServiceNetworkRestricted -p -s TimeBrokerSvc | PID 1164
- C:\Windows\system32\svchost.exe | C:\Windows\system32\svchost.exe -k netsvcs -p -s ProfSvc | PID 1224
- C:\Windows\system32\svchost.exe | C:\Windows\system32\svchost.exe -k LocalService -p -s DispBrokerDesktopSvc | PID 1292
- C:\Windows\system32\svchost.exe | C:\Windows\system32\svchost.exe -k LocalService -p -s nsi | PID 1352
- C:\Windows\system32\svchost.exe | C:\Windows\system32\svchost.exe -k netsvcs -p -s UserManager | PID 1412
  - C:\Windows\system32\sihost.exe | sihost.exe | PID 3956
  - C:\Windows\system32\sihost.exe | sihost.exe | PID 3952
  - C:\Windows\system32\sihost.exe | sihost.exe | PID 3604
- C:\Windows\system32\svchost.exe | C:\Windows\system32\svchost.exe -k LocalServiceNetworkRestricted -p -s Dhcp | PID 1512
- C:\Windows\system32\svchost.exe | C:\Windows\system32\svchost.exe -k LocalService -p -s EventSystem | PID 1540
- C:\Windows\System32\svchost.exe | C:\Windows\System32\svchost.exe -k netsvcs -p -s Themes | PID 1560
- C:\Windows\system32\svchost.exe | C:\Windows\system32\svchost.exe -k netsvcs -p -s SENS | PID 1652
- C:\Windows\system32\svchost.exe | C:\Windows\system32\svchost.exe -k NetworkService -p -s CryptSvc | PID 2496
- C:\Windows\sysmon.exe | C:\Windows\sysmon.exe | PID 2616
- C:\Users\Admin\AppData\Local\Temp\Client-built.exe | "C:\Users\Admin\AppData\Local\Temp\Client-built.exe" | PID 1140
  - Suspicious use of NtCreateUserProcessOtherParentProcess
  - Suspicious use of SetThreadContext
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory