Resubmissions
01-05-2024 15:23  240501-ssgfesca99  1
22-04-2024 08:54  240422-kvcw1shf99  10
22-04-2024 08:50  240422-krk38ahf67  10
Analysis
- max time kernel: 148s
- max time network: 155s
- platform: windows10-2004_x64
- resource: win10v2004-20240226-en
- resource tags: arch:x64 arch:x86 image:win10v2004-20240226-en locale:en-us os:windows10-2004-x64 system
- submitted: 22-04-2024 08:54
Static task
static1
URLScan task
urlscan1
Behavioral task
behavioral1
Sample
https://filetransfer.io/data-package/g83ORAG3#link
Resource
win10v2004-20240226-en
windows10-2004-x64
7 signatures
150 seconds
General
-
Target
https://filetransfer.io/data-package/g83ORAG3#link
Score
10/10
Malware Config
Extracted
Family
discordrat
Attributes
-
discord_token
MTIzMDgwNjQ0NzM2NTk0NzQ1Ng.G2vGiE.8f97-UjGmmPjSih2nipyB83KB174hMORkyul_0
-
server_id
1229126898051973120
Signatures
-
Discord RAT
A RAT written in C# using Discord as a C2.
-
Legitimate hosting services abused for malware hosting/C2 (1 TTP, 11 IoCs)
flow  ioc
169   discord.com
178   discord.com
179   discord.com
197   discord.com
185   discord.com
190   discord.com
195   discord.com
165   discord.com
166   discord.com
175   discord.com
182   discord.com
-
Checks SCSI registry key(s) (3 TTPs, 3 IoCs)
SCSI information is often read in order to detect sandboxing environments.
description / ioc / process
- Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000 (taskmgr.exe)
- Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A (taskmgr.exe)
- Key value queried: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName (taskmgr.exe)
-
Suspicious behavior: EnumeratesProcesses (12 IoCs)
pid   Process
5584  taskmgr.exe (12 identical entries)
-
Suspicious use of AdjustPrivilegeToken (15 IoCs)
description                        pid   Process
Token: SeDebugPrivilege            4092  & .exe
Token: SeDebugPrivilege            4552  & .exe
Token: SeDebugPrivilege            4176  & .exe
Token: SeDebugPrivilege            1964  & .exe
Token: SeDebugPrivilege            512   & .exe
Token: SeDebugPrivilege            4720  & .exe
Token: SeDebugPrivilege            5248  & .exe
Token: SeDebugPrivilege            5240  & .exe
Token: SeDebugPrivilege            5288  & .exe
Token: SeDebugPrivilege            5584  taskmgr.exe
Token: SeSystemProfilePrivilege    5584  taskmgr.exe
Token: SeCreateGlobalPrivilege     5584  taskmgr.exe
Token: 33                          5584  taskmgr.exe
Token: SeIncBasePriorityPrivilege  5584  taskmgr.exe
Token: SeDebugPrivilege            6132  & .exe
-
Suspicious use of FindShellTrayWindow (38 IoCs)
pid   Process
5584  taskmgr.exe (38 identical entries)
-
Suspicious use of SendNotifyMessage (38 IoCs)
pid   Process
5584  taskmgr.exe (38 identical entries)
Processes
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://filetransfer.io/data-package/g83ORAG3#link
  PID: 2548
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --no-appcompat-clear --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=17 --mojo-platform-channel-handle=3784 --field-trial-handle=3240,i,13319578961094268484,16557498665191861597,262144 --variations-seed-version /prefetch:1
  PID: 1488
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --no-appcompat-clear --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=18 --mojo-platform-channel-handle=4724 --field-trial-handle=3240,i,13319578961094268484,16557498665191861597,262144 --variations-seed-version /prefetch:1
  PID: 3640
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=5804 --field-trial-handle=3240,i,13319578961094268484,16557498665191861597,262144 --variations-seed-version /prefetch:8
  PID: 660
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --no-appcompat-clear --disable-gpu-compositing --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=20 --mojo-platform-channel-handle=5484 --field-trial-handle=3240,i,13319578961094268484,16557498665191861597,262144 --variations-seed-version /prefetch:1
  PID: 5040
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --mojo-platform-channel-handle=3808 --field-trial-handle=3240,i,13319578961094268484,16557498665191861597,262144 --variations-seed-version /prefetch:8
  PID: 4328
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=edge_collections.mojom.CollectionsDataManager --lang=en-US --service-sandbox-type=collections --no-appcompat-clear --mojo-platform-channel-handle=3820 --field-trial-handle=3240,i,13319578961094268484,16557498665191861597,262144 --variations-seed-version /prefetch:8
  PID: 2316
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --no-appcompat-clear --disable-gpu-compositing --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=23 --mojo-platform-channel-handle=3784 --field-trial-handle=3240,i,13319578961094268484,16557498665191861597,262144 --variations-seed-version /prefetch:1
  PID: 2744
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --lang=en-US --service-sandbox-type=none --no-appcompat-clear --mojo-platform-channel-handle=6172 --field-trial-handle=3240,i,13319578961094268484,16557498665191861597,262144 --variations-seed-version /prefetch:8
  PID: 4880
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --lang=en-US --service-sandbox-type=icon_reader --no-appcompat-clear --mojo-platform-channel-handle=6348 --field-trial-handle=3240,i,13319578961094268484,16557498665191861597,262144 --variations-seed-version /prefetch:8
  PID: 5064
- C:\Windows\System32\rundll32.exe
  C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
  PID: 1688
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=edge_search_indexer.mojom.SearchIndexerInterfaceBroker --lang=en-US --service-sandbox-type=search_indexer --message-loop-type-ui --no-appcompat-clear --mojo-platform-channel-handle=6364 --field-trial-handle=3240,i,13319578961094268484,16557498665191861597,262144 --variations-seed-version /prefetch:8
  PID: 3288
- C:\Users\Admin\Downloads\& .exe
  "C:\Users\Admin\Downloads\& .exe"
  Suspicious use of AdjustPrivilegeToken
  PID: 4092
- C:\Users\Admin\Downloads\& .exe
  "C:\Users\Admin\Downloads\& .exe"
  Suspicious use of AdjustPrivilegeToken
  PID: 4552
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=6476 --field-trial-handle=3240,i,13319578961094268484,16557498665191861597,262144 --variations-seed-version /prefetch:8
  PID: 4296
- C:\Users\Admin\Downloads\& .exe
  "C:\Users\Admin\Downloads\& .exe"
  Suspicious use of AdjustPrivilegeToken
  PID: 4176
- C:\Users\Admin\Downloads\& .exe
  "C:\Users\Admin\Downloads\& .exe"
  Suspicious use of AdjustPrivilegeToken
  PID: 1964
- C:\Users\Admin\Downloads\& .exe
  "C:\Users\Admin\Downloads\& .exe"
  Suspicious use of AdjustPrivilegeToken
  PID: 512
- C:\Users\Admin\Downloads\& .exe
  "C:\Users\Admin\Downloads\& .exe"
  Suspicious use of AdjustPrivilegeToken
  PID: 4720
- C:\Users\Admin\Downloads\& .exe
  "C:\Users\Admin\Downloads\& .exe"
  Suspicious use of AdjustPrivilegeToken
  PID: 5240
- C:\Users\Admin\Downloads\& .exe
  "C:\Users\Admin\Downloads\& .exe"
  Suspicious use of AdjustPrivilegeToken
  PID: 5248
- C:\Users\Admin\Downloads\& .exe
  "C:\Users\Admin\Downloads\& .exe"
  Suspicious use of AdjustPrivilegeToken
  PID: 5288
- C:\Windows\system32\taskmgr.exe
  "C:\Windows\system32\taskmgr.exe" /4
  Checks SCSI registry key(s)
  Suspicious behavior: EnumeratesProcesses
  Suspicious use of AdjustPrivilegeToken
  Suspicious use of FindShellTrayWindow
  Suspicious use of SendNotifyMessage
  PID: 5584
- C:\Users\Admin\Downloads\& .exe
  "C:\Users\Admin\Downloads\& .exe"
  Suspicious use of AdjustPrivilegeToken
  PID: 6132