Analysis
- max time kernel: 145s
- max time network: 138s
- platform: windows11-21h2_x64
- resource: win11-20240412-en
- resource tags: arch:x64, arch:x86, image:win11-20240412-en, locale:en-us, os:windows11-21h2-x64, system
- submitted: 23-04-2024 13:40

Tasks
- Static task: static1
- URLScan task: urlscan1
- Behavioral task: behavioral1
- Sample: https://github.com/moom825/Discord-RAT-2.0/releases/download/2.0/release.zip
- Resource: win11-20240412-en
General
- Target: https://github.com/moom825/Discord-RAT-2.0/releases/download/2.0/release.zip

Malware Config
Extracted: discordrat
- discord_token: 3esajhhwajww
- server_id: 4366564254
Signatures
- Discord RAT
  A RAT written in C# using Discord as a C2.
- Executes dropped EXE (1 IoC)
  pid / Process: 3048 Client-built.exe
- Enumerates system info in registry (2 TTPs, 3 IoCs)
  description / ioc / Process:
  - Key opened: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS (msedge.exe)
  - Key value queried: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer (msedge.exe)
  - Key value queried: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName (msedge.exe)
- Modifies registry class (1 IoC)
  description / ioc / Process:
  - Key created: \REGISTRY\USER\S-1-5-21-3263309122-2820180308-3568046652-1000_Classes\Local Settings (msedge.exe)
- NTFS ADS (1 IoC)
  description / ioc / Process:
  - File opened for modification: C:\Users\Admin\Downloads\release.zip:Zone.Identifier (msedge.exe)
- Suspicious behavior: EnumeratesProcesses (14 IoCs)
  pid / Process: 1796 msedge.exe (2 entries), 1520 msedge.exe (2 entries), 4984 msedge.exe (2 entries), 5052 identity_helper.exe (2 entries), 4820 msedge.exe (2 entries), 1392 msedge.exe (4 entries)
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary (7 IoCs)
  pid / Process: 1520 msedge.exe (7 entries)
- Suspicious use of AdjustPrivilegeToken (1 IoC)
  description / pid / Process: Token: SeDebugPrivilege, 3048 Client-built.exe
- Suspicious use of FindShellTrayWindow (33 IoCs)
  pid / Process: 1520 msedge.exe (33 entries)
- Suspicious use of SendNotifyMessage (12 IoCs)
  pid / Process: 1520 msedge.exe (12 entries)
- Suspicious use of WriteProcessMemory (64 IoCs)
  description / pid / Process / procid_target: PID 1520 (msedge.exe) wrote to memory of 5020 (procid_target 80), 5068 (procid_target 82), 1796 (procid_target 83) and 2608 (procid_target 84); 64 entries in total, each target repeated many times
Processes
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://github.com/moom825/Discord-RAT-2.0/releases/download/2.0/release.zip
  PID: 1520
  Signatures:
  - Enumerates system info in registry
  - Modifies registry class
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  - Suspicious use of WriteProcessMemory
  Child processes of PID 1520:
  - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=90.0.4430.212 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=90.0.818.66 --initial-client-data=0x100,0x104,0x108,0xdc,0x10c,0x7ffe3f463cb8,0x7ffe3f463cc8,0x7ffe3f463cd8
    PID: 5020
  - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=1912,11520299408213096715,9594093969925797854,131072 --gpu-preferences=SAAAAAAAAADgAAAwAAAAAAAAAAAAAAAAAABgAAAAAAAoAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAB4AAAAAAAAAHgAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAAIAAAAAAAAAAgAAAAAAAAA --mojo-platform-channel-handle=1904 /prefetch:2
    PID: 5068
  - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=1912,11520299408213096715,9594093969925797854,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2388 /prefetch:3
    Signatures:
    - Suspicious behavior: EnumeratesProcesses
    PID: 1796
  - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=1912,11520299408213096715,9594093969925797854,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2672 /prefetch:8
    PID: 2608
  - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1912,11520299408213096715,9594093969925797854,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3268 /prefetch:1
    PID: 2276
  - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1912,11520299408213096715,9594093969925797854,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3280 /prefetch:1
    PID: 1944
  - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1912,11520299408213096715,9594093969925797854,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4968 /prefetch:1
    PID: 2384
  - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=1912,11520299408213096715,9594093969925797854,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5224 /prefetch:8
    Signatures:
    - NTFS ADS
    - Suspicious behavior: EnumeratesProcesses
    PID: 4984
  - C:\Program Files (x86)\Microsoft\Edge\Application\90.0.818.66\identity_helper.exe
    Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\90.0.818.66\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=1912,11520299408213096715,9594093969925797854,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5548 /prefetch:8
    Signatures:
    - Suspicious behavior: EnumeratesProcesses
    PID: 5052
  - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=1912,11520299408213096715,9594093969925797854,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2516 /prefetch:8
    Signatures:
    - Suspicious behavior: EnumeratesProcesses
    PID: 4820
  - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1912,11520299408213096715,9594093969925797854,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5896 /prefetch:1
    PID: 576
  - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1912,11520299408213096715,9594093969925797854,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=13 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3932 /prefetch:1
    PID: 248
  - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1912,11520299408213096715,9594093969925797854,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=14 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6116 /prefetch:1
    PID: 568
  - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1912,11520299408213096715,9594093969925797854,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=15 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5756 /prefetch:1
    PID: 1060
  - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=1912,11520299408213096715,9594093969925797854,131072 --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.22000.1 --gpu-preferences=SAAAAAAAAADoAAAwAAAAAAAAAAAAAAAAAABgAAAQAAAoAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAB4AAAAAAAAAHgAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAAIAAAAAAAAAAgAAAAAAAAA --mojo-platform-channel-handle=6000 /prefetch:2
    Signatures:
    - Suspicious behavior: EnumeratesProcesses
    PID: 1392
- C:\Windows\System32\CompPkgSrv.exe
  Command line: C:\Windows\System32\CompPkgSrv.exe -Embedding
  PID: 1844
- C:\Windows\System32\CompPkgSrv.exe
  Command line: C:\Windows\System32\CompPkgSrv.exe -Embedding
  PID: 1980
- C:\Windows\System32\rundll32.exe
  Command line: C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
  PID: 228
- C:\Users\Admin\Downloads\release\builder.exe
  Command line: "C:\Users\Admin\Downloads\release\builder.exe"
  PID: 4628
- C:\Users\Admin\Downloads\release\Client-built.exe
  Command line: "C:\Users\Admin\Downloads\release\Client-built.exe"
  Signatures:
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken
  PID: 3048
Network
MITRE ATT&CK Enterprise v15
Downloads
- Filesize: 152B
  MD5: 57e5c5a9236321d336e2c8ce1eeff844
  SHA1: 8fd4288af72ba3f7a0ecc5583a9265723fefc096
  SHA256: ae6496cf397848bf3139858deaf567e3df991bab5a7704a0fa7aae95474872d7
  SHA512: bc3f24afe6ce0494022d8201a01a60239ac5cfee54e0650a337036817056424b418cb636d58d07e5034dffe2226906202b56509e4cc07562c0b60f618c420080
- Filesize: 152B
  MD5: 493e7e14aceba0ff1c0720920cccc4a2
  SHA1: 468f39cefbcf14a04388b72d4f02552649bf3101
  SHA256: a0dd32ed60115f661a4ca537472e0d4e230ff844d56a3db766299cf4cd817842
  SHA512: e16c748e4513ea10bf7124cef7b50dc5f3a1802205af9228e0c33fdbf3c24286739db08db4b813079ed7cc36be43d7457f4c26f00ae3126a2fafd77d2696107a
- Filesize: 265B
  MD5: f5cd008cf465804d0e6f39a8d81f9a2d
  SHA1: 6b2907356472ed4a719e5675cc08969f30adc855
  SHA256: fcea95cc39dc6c2a925f5aed739dbedaa405ee4ce127f535fcf1c751b2b8fb5d
  SHA512: dc97034546a4c94bdaa6f644b5cfd1e477209de9a03a5b02a360c254a406c1d647d6f90860f385e27387b35631c41f0886cb543ede9116436941b9af6cd3285d
- Filesize: 5KB
  MD5: 735dbd9c4f9b0bdecfcf285899db527e
  SHA1: 1c198a883456ef4e3965d3543673cade0fe20083
  SHA256: 871031872446ac51d97cd1df029ed9819c281baefa9ff240bef62b6ec92223cf
  SHA512: c241a44d158b3344df57280a1ec3e8a24f6b12059789f45d250cb3214f128f9c2d1aac3e29eb9961194f62f1d746193d4828381cfe4ffcfc68ec2c5e25e4aba8
- Filesize: 6KB
  MD5: 9b6096a2fdcf2f745b30915422889f45
  SHA1: bcad8c24b4752997e9f39efc6a33b30298ff7d46
  SHA256: 62bec58941413f8210b2309978bd978eca4995e83242fe017367faeb91188a6a
  SHA512: 2c1da471df41a83473d2bded0f0a9b6ddd1fcf2595a01627a5807a0b5f208392aaf3dd49b791161b8775977590ba8a4671ecd739c9e14e8670b24e00dd7ee3d1
- Filesize: 16B
  MD5: 46295cac801e5d4857d09837238a6394
  SHA1: 44e0fa1b517dbf802b18faf0785eeea6ac51594b
  SHA256: 0f1bad70c7bd1e0a69562853ec529355462fcd0423263a3d39d6d0d70b780443
  SHA512: 8969402593f927350e2ceb4b5bc2a277f3754697c1961e3d6237da322257fbab42909e1a742e22223447f3a4805f8d8ef525432a7c3515a549e984d3eff72b23
- Filesize: 16B
  MD5: 206702161f94c5cd39fadd03f4014d98
  SHA1: bd8bfc144fb5326d21bd1531523d9fb50e1b600a
  SHA256: 1005a525006f148c86efcbfb36c6eac091b311532448010f70f7de9a68007167
  SHA512: 0af09f26941b11991c750d1a2b525c39a8970900e98cba96fd1b55dbf93fee79e18b8aab258f48b4f7bda40d059629bc7770d84371235cdb1352a4f17f80e145
- Filesize: 11KB
  MD5: 683901abfaf4be26d2703f843bd1c48a
  SHA1: bc2e915512da0445c8398789a5909929e0231aad
  SHA256: 0afc91942e6b0dcbdb15b4d91d80ada1ebfb8bd126a0f1e4935f0f6cd5b80645
  SHA512: 3d3bb0e5776f414db3b709a653532f8ab61aedcf275287f651bcf6bd11d1ab40fc5799eaf68883f346d3457ea4e193a887fe3573f19a9403b0a23ce2fce499bb
- Filesize: 445KB
  MD5: 06a4fcd5eb3a39d7f50a0709de9900db
  SHA1: 50d089e915f69313a5187569cda4e6dec2d55ca7
  SHA256: c13a0cd7c2c2fd577703bff026b72ed81b51266afa047328c8ff1c4a4d965c97
  SHA512: 75e5f637fd3282d088b1c0c1efd0de8a128f681e4ac66d6303d205471fe68b4fbf0356a21d803aff2cca6def455abad8619fedc8c7d51e574640eda0df561f9b
- Filesize: 580B
  MD5: 8f22f0210b6ff8629ea88a94bce27d10
  SHA1: 108708345804a2d08c9281da8680c8c78ae56244
  SHA256: de0508b360fb288930cf5592a20009e87703b75d7d33fbebbfd91f130bbd3426
  SHA512: cb8460ea1fee90cf5393b6b3903365507ec53c2a8417f86d4fe04888d47e82faafb5c134778763d1f672bae14ddca0560d20150bdb0dc9c60384b844036a2db6
- Filesize: 78KB
  MD5: 555cf4e75d5bedca18542201e509dee3
  SHA1: 8c944d977a3263f076c8b98e336671395a26eeff
  SHA256: f403ff4ebe77e24db7b2efc26872277c93b115455e8a4b5b1a973ef72ba0c32a
  SHA512: cc12af223006d367315ff1b725d16d137203c5ba76e5040be95b35d7510653ac53ea35d5efd393f2513f38666b16899d97eb1cc2076167ea163f2a128a9dadff