Analysis
-
max time kernel
281s -
max time network
291s -
platform
windows10-2004_x64 -
resource
win10v2004-20240412-en -
resource tags
arch:x64arch:x86image:win10v2004-20240412-enlocale:en-usos:windows10-2004-x64system -
submitted
18-04-2024 22:17
Behavioral task
behavioral1
Sample
Client-built.exe
Resource
win10-20240404-en
Behavioral task
behavioral2
Sample
Client-built.exe
Resource
win10v2004-20240412-en
General
-
Target
Client-built.exe
-
Size
78KB
-
MD5
7c16d8d9eca7c5ea3c0919afce4a42a8
-
SHA1
db2d93ddef2d96fc687b11830781c54d549b7d3c
-
SHA256
52ab6102c24d59bcc88d6d5311e8f7404e69b17233ba995bbd162326782ac412
-
SHA512
4dd267a609ee31405d0353186ac2588afe760c401fe43d8958fa6c7a9ecbb65665ee120876f49a6760de1cd703791516f9ff7362a8355ac1b53f002a2af80312
-
SSDEEP
1536:52WjO8XeEXFh5P7v88wbjNrfxCXhRoKV6+V+KPIC:5Zv5PDwbjNrmAE+WIC
Malware Config
Extracted
discordrat
-
discord_token
MTIyNzU5OTczMjkwMjMzMDM3OQ.GGJ-EF.ITvPrvNzJvdqzhVFGBeM8xjGUkZMvbKmCPGwDw
-
server_id
1221811060135170099
Signatures
-
Discord RAT
A RAT written in C# using Discord as a C2.
-
Checks processor information in registry 2 TTPs 3 IoCs
Processor information is often read in order to detect sandboxing environments.
description ioc Process Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString WINWORD.EXE Key opened \REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0 WINWORD.EXE Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz WINWORD.EXE -
Enumerates system info in registry 2 TTPs 3 IoCs
description ioc Process Key opened \REGISTRY\MACHINE\Hardware\Description\System\BIOS WINWORD.EXE Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily WINWORD.EXE Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU WINWORD.EXE -
Suspicious behavior: AddClipboardFormatListener 2 IoCs
pid Process 1936 WINWORD.EXE 1936 WINWORD.EXE -
Suspicious use of AdjustPrivilegeToken 1 IoCs
description pid Process Token: SeDebugPrivilege 3176 Client-built.exe -
Suspicious use of SetWindowsHookEx 3 IoCs
pid Process 1936 WINWORD.EXE 1936 WINWORD.EXE 1936 WINWORD.EXE
Processes
-
C:\Users\Admin\AppData\Local\Temp\Client-built.exe"C:\Users\Admin\AppData\Local\Temp\Client-built.exe"1⤵
- Suspicious use of AdjustPrivilegeToken
PID:3176
-
C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE"C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE" /n "C:\Users\Admin\Documents\Opened.docx" /o ""1⤵
- Checks processor information in registry
- Enumerates system info in registry
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of SetWindowsHookEx
PID:1936
-
C:\Windows\System32\rundll32.exeC:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding1⤵PID:3716