Analysis
-
max time kernel
24s -
max time network
24s -
platform
windows10-2004_x64 -
resource
win10v2004-20240419-en -
resource tags
arch:x64arch:x86image:win10v2004-20240419-enlocale:en-usos:windows10-2004-x64system -
submitted
05-05-2024 21:38
Static task
static1
URLScan task
urlscan1
Behavioral task
behavioral1
Sample
https://github.com/prozs/prozs-discord-rat213/releases/tag/tdyfdthghg
Resource
win10v2004-20240419-en
General
-
Target
https://github.com/prozs/prozs-discord-rat213/releases/tag/tdyfdthghg
Malware Config
Extracted
discordrat
-
discord_token
MTIxMzI4MDI1NjAyMzA3Njg5NA.GveW0R.ix7wxnhmtDgVJBA935N0LYDpabG_OiOeCTfS-s
-
server_id
1213280045418946560
Signatures
-
Discord RAT
A RAT written in C# using Discord as a C2.
-
Downloads MZ/PE file
-
Executes dropped EXE 2 IoCs
pid Process 5580 rat.exe 5824 rat.exe -
Enumerates system info in registry 2 TTPs 3 IoCs
description ioc Process Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS msedge.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer msedge.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName msedge.exe -
NTFS ADS 1 IoCs
description ioc Process File opened for modification C:\Users\Admin\Downloads\Unconfirmed 42560.crdownload:SmartScreen msedge.exe -
Suspicious behavior: EnumeratesProcesses 8 IoCs
pid Process 2088 msedge.exe 2088 msedge.exe 4996 msedge.exe 4996 msedge.exe 1124 identity_helper.exe 1124 identity_helper.exe 5452 msedge.exe 5452 msedge.exe -
Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 7 IoCs
pid Process 4996 msedge.exe 4996 msedge.exe 4996 msedge.exe 4996 msedge.exe 4996 msedge.exe 4996 msedge.exe 4996 msedge.exe -
Suspicious use of AdjustPrivilegeToken 2 IoCs
description pid Process Token: SeDebugPrivilege 5580 rat.exe Token: SeDebugPrivilege 5824 rat.exe -
Suspicious use of FindShellTrayWindow 35 IoCs
pid Process 4996 msedge.exe 4996 msedge.exe 4996 msedge.exe 4996 msedge.exe 4996 msedge.exe 4996 msedge.exe 4996 msedge.exe 4996 msedge.exe 4996 msedge.exe 4996 msedge.exe 4996 msedge.exe 4996 msedge.exe 4996 msedge.exe 4996 msedge.exe 4996 msedge.exe 4996 msedge.exe 4996 msedge.exe 4996 msedge.exe 4996 msedge.exe 4996 msedge.exe 4996 msedge.exe 4996 msedge.exe 4996 msedge.exe 4996 msedge.exe 4996 msedge.exe 4996 msedge.exe 4996 msedge.exe 4996 msedge.exe 4996 msedge.exe 4996 msedge.exe 4996 msedge.exe 4996 msedge.exe 4996 msedge.exe 4996 msedge.exe 4996 msedge.exe -
Suspicious use of SendNotifyMessage 24 IoCs
pid Process 4996 msedge.exe 4996 msedge.exe 4996 msedge.exe 4996 msedge.exe 4996 msedge.exe 4996 msedge.exe 4996 msedge.exe 4996 msedge.exe 4996 msedge.exe 4996 msedge.exe 4996 msedge.exe 4996 msedge.exe 4996 msedge.exe 4996 msedge.exe 4996 msedge.exe 4996 msedge.exe 4996 msedge.exe 4996 msedge.exe 4996 msedge.exe 4996 msedge.exe 4996 msedge.exe 4996 msedge.exe 4996 msedge.exe 4996 msedge.exe -
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target PID 4996 wrote to memory of 1564 4996 msedge.exe 84 PID 4996 wrote to memory of 1564 4996 msedge.exe 84 PID 4996 wrote to memory of 1012 4996 msedge.exe 85 PID 4996 wrote to memory of 1012 4996 msedge.exe 85 PID 4996 wrote to memory of 1012 4996 msedge.exe 85 PID 4996 wrote to memory of 1012 4996 msedge.exe 85 PID 4996 wrote to memory of 1012 4996 msedge.exe 85 PID 4996 wrote to memory of 1012 4996 msedge.exe 85 PID 4996 wrote to memory of 1012 4996 msedge.exe 85 PID 4996 wrote to memory of 1012 4996 msedge.exe 85 PID 4996 wrote to memory of 1012 4996 msedge.exe 85 PID 4996 wrote to memory of 1012 4996 msedge.exe 85 PID 4996 wrote to memory of 1012 4996 msedge.exe 85 PID 4996 wrote to memory of 1012 4996 msedge.exe 85 PID 4996 wrote to memory of 1012 4996 msedge.exe 85 PID 4996 wrote to memory of 1012 4996 msedge.exe 85 PID 4996 wrote to memory of 1012 4996 msedge.exe 85 PID 4996 wrote to memory of 1012 4996 msedge.exe 85 PID 4996 wrote to memory of 1012 4996 msedge.exe 85 PID 4996 wrote to memory of 1012 4996 msedge.exe 85 PID 4996 wrote to memory of 1012 4996 msedge.exe 85 PID 4996 wrote to memory of 1012 4996 msedge.exe 85 PID 4996 wrote to memory of 1012 4996 msedge.exe 85 PID 4996 wrote to memory of 1012 4996 msedge.exe 85 PID 4996 wrote to memory of 1012 4996 msedge.exe 85 PID 4996 wrote to memory of 1012 4996 msedge.exe 85 PID 4996 wrote to memory of 1012 4996 msedge.exe 85 PID 4996 wrote to memory of 1012 4996 msedge.exe 85 PID 4996 wrote to memory of 1012 4996 msedge.exe 85 PID 4996 wrote to memory of 1012 4996 msedge.exe 85 PID 4996 wrote to memory of 1012 4996 msedge.exe 85 PID 4996 wrote to memory of 1012 4996 msedge.exe 85 PID 4996 wrote to memory of 1012 4996 msedge.exe 85 PID 4996 wrote to memory of 1012 4996 msedge.exe 85 PID 4996 wrote to memory of 1012 4996 msedge.exe 85 PID 4996 wrote to memory of 1012 4996 msedge.exe 85 PID 4996 wrote to memory of 1012 4996 msedge.exe 85 PID 4996 wrote to memory of 1012 4996 msedge.exe 85 PID 4996 wrote to memory of 1012 4996 msedge.exe 85 PID 4996 wrote to memory of 1012 4996 msedge.exe 85 PID 4996 wrote to memory of 1012 4996 msedge.exe 85 PID 4996 wrote to memory of 1012 4996 msedge.exe 85 PID 4996 wrote to memory of 2088 4996 msedge.exe 86 PID 4996 wrote to memory of 2088 4996 msedge.exe 86 PID 4996 wrote to memory of 2308 4996 msedge.exe 87 PID 4996 wrote to memory of 2308 4996 msedge.exe 87 PID 4996 wrote to memory of 2308 4996 msedge.exe 87 PID 4996 wrote to memory of 2308 4996 msedge.exe 87 PID 4996 wrote to memory of 2308 4996 msedge.exe 87 PID 4996 wrote to memory of 2308 4996 msedge.exe 87 PID 4996 wrote to memory of 2308 4996 msedge.exe 87 PID 4996 wrote to memory of 2308 4996 msedge.exe 87 PID 4996 wrote to memory of 2308 4996 msedge.exe 87 PID 4996 wrote to memory of 2308 4996 msedge.exe 87 PID 4996 wrote to memory of 2308 4996 msedge.exe 87 PID 4996 wrote to memory of 2308 4996 msedge.exe 87 PID 4996 wrote to memory of 2308 4996 msedge.exe 87 PID 4996 wrote to memory of 2308 4996 msedge.exe 87 PID 4996 wrote to memory of 2308 4996 msedge.exe 87 PID 4996 wrote to memory of 2308 4996 msedge.exe 87 PID 4996 wrote to memory of 2308 4996 msedge.exe 87 PID 4996 wrote to memory of 2308 4996 msedge.exe 87 PID 4996 wrote to memory of 2308 4996 msedge.exe 87 PID 4996 wrote to memory of 2308 4996 msedge.exe 87
Processes
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://github.com/prozs/prozs-discord-rat213/releases/tag/tdyfdthghg1⤵
- Enumerates system info in registry
- NTFS ADS
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:4996 -
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x100,0x104,0x108,0xfc,0xd8,0x7ff8f8ab46f8,0x7ff8f8ab4708,0x7ff8f8ab47182⤵PID:1564
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=1992,12095906955015640093,14821864773326925972,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2016 /prefetch:22⤵PID:1012
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=1992,12095906955015640093,14821864773326925972,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2108 /prefetch:32⤵
- Suspicious behavior: EnumeratesProcesses
PID:2088
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=1992,12095906955015640093,14821864773326925972,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2724 /prefetch:82⤵PID:2308
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1992,12095906955015640093,14821864773326925972,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3320 /prefetch:12⤵PID:1972
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1992,12095906955015640093,14821864773326925972,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3336 /prefetch:12⤵PID:4456
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=1992,12095906955015640093,14821864773326925972,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5628 /prefetch:82⤵PID:4632
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=1992,12095906955015640093,14821864773326925972,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5628 /prefetch:82⤵
- Suspicious behavior: EnumeratesProcesses
PID:1124
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1992,12095906955015640093,14821864773326925972,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3808 /prefetch:12⤵PID:2240
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1992,12095906955015640093,14821864773326925972,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5288 /prefetch:12⤵PID:2932
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=edge_collections.mojom.CollectionsDataManager --field-trial-handle=1992,12095906955015640093,14821864773326925972,131072 --lang=en-US --service-sandbox-type=collections --mojo-platform-channel-handle=5724 /prefetch:82⤵PID:4624
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1992,12095906955015640093,14821864773326925972,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5756 /prefetch:12⤵PID:4464
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --field-trial-handle=1992,12095906955015640093,14821864773326925972,131072 --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=6252 /prefetch:82⤵PID:4104
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1992,12095906955015640093,14821864773326925972,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=14 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5784 /prefetch:12⤵PID:336
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1992,12095906955015640093,14821864773326925972,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=15 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5348 /prefetch:12⤵PID:2320
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=1992,12095906955015640093,14821864773326925972,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=3528 /prefetch:82⤵
- Suspicious behavior: EnumeratesProcesses
PID:5452
-
-
C:\Users\Admin\Downloads\rat.exe"C:\Users\Admin\Downloads\rat.exe"2⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:5580
-
-
C:\Users\Admin\Downloads\rat.exe"C:\Users\Admin\Downloads\rat.exe"2⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:5824
-
-
C:\Windows\System32\CompPkgSrv.exeC:\Windows\System32\CompPkgSrv.exe -Embedding1⤵PID:4932
-
C:\Windows\System32\CompPkgSrv.exeC:\Windows\System32\CompPkgSrv.exe -Embedding1⤵PID:2932
Network
MITRE ATT&CK Enterprise v15
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
152B
MD58b2290ca03b4ca5fe52d82550c7e7d69
SHA120583a7851a906444204ce8ba4fa51153e6cd494
SHA256f9ff4871fc5317299de907489d466e630be63d698c8f7cb77cc81faddbecc6d2
SHA512704ec8122cc1c263dff67ddbb5c20ee0db8a438674d716bc3be5b266ee5629a219b0049d721f9eb2dd8f2d8fda0163659eaa4d3e1f0a6e9072a8ffb92bb2b25d
-
Filesize
152B
MD5919c29d42fb6034fee2f5de14d573c63
SHA124a2e1042347b3853344157239bde3ed699047a8
SHA25617cd6de97a0c020cb4935739cfef4ec4e074e8d127ac4c531b6dc496580c8141
SHA512bb7eadd087bbcec8b1b8a49b102b454333f2f9708d36b6ffc3c82fdc52e46873398d967238c3bfe9ac6caef45b017a5fe3938ebf5f3053e4ef9be7b2752b563d
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index
Filesize1KB
MD53aabe056e2817080edca003067ad8154
SHA1a11021e8181b9faf7fd5cf82a82348bcb1c35353
SHA256c1bdf6ccaa8b4da4bb2697e0f4f8489d014090aea95ba4db6046332fbde56941
SHA512f2a83d94ec8564b1d456d9564c2f090342141cf853e847b04f27ad9846aa66a1ad0491aff9b9040f310a4657861859aa8365570f71205ade2130534b554e66b1
-
Filesize
6KB
MD57b7503fb60ac85b2c74009d1acc23632
SHA10c247a063607f6c81161424abd3307923f8e35e5
SHA256ddc40e00bba818d84c3f1dfc55c98dc69958e593aaf3ea950e21e18cbe31f150
SHA512482e02592b3d84b9c1318faac22ead7e7e2b40fe5532646a8bf324819fcb01e6d11cb8288d6301006935221b368421d30f2b2bf38084353ec103b328a17cb9d9
-
Filesize
5KB
MD59b27ea91c6b6e06e6e70bbd206452e14
SHA1e2904c380628aedda0daeb5fc22647c5eabaa3bb
SHA256b48848f8d0c154a002c16fc7d1c960a9a2753f977b5a3baa21231ec990706a90
SHA5121dd48cdf5fafd16c9360f850f9400997725bb777e6f15b5d5cc0925ed704722d300270658ada8af96446bb07f415f627a9040ab6d79edbd3e1bf6a7248f946e9
-
Filesize
16B
MD56752a1d65b201c13b62ea44016eb221f
SHA158ecf154d01a62233ed7fb494ace3c3d4ffce08b
SHA2560861415cada612ea5834d56e2cf1055d3e63979b69eb71d32ae9ae394d8306cd
SHA5129cfd838d3fb570b44fc3461623ab2296123404c6c8f576b0de0aabd9a6020840d4c9125eb679ed384170dbcaac2fa30dc7fa9ee5b77d6df7c344a0aa030e0389
-
Filesize
11KB
MD5674bc794ffeab2b122eb0056c78b13fc
SHA15df953ef2c196501f8d3b52b1a3dd103acba05aa
SHA256b60ff9def0f4823f00ab4688dfb70b17e674c399b6f9771ba167039e93057db4
SHA5125bc57d0e41c001cd77a7a866057c776fb68c53b3d94733ecb0c2cb03dd3a6bcc78e21952c31a746d730b06524522c01c8c4996380e5c9b182b2bbbdc0fe67505
-
Filesize
11KB
MD5e3eb88023c819643d3ab1dd301008ccd
SHA130f45c85c96310d244e67ccedf8d3c6440838104
SHA25688dd1e264b74c455a50d4fc4edda9e0a2a0c0b02270203c852f208c83acfe2b8
SHA512a414cc820cf7ea1195fef20046965009a03edbbfee2ba95d96f5f74bb25b8b1ca6f6a3ee2e1d05f7a74142a29c0a6930a146a1dd1914c85fc811cf7395df9791
-
Filesize
78KB
MD56fbaec84cf3c3787dec548526fe42602
SHA14dc9583b879426d9d3c165d704b7407d0e54122d
SHA2567c2769f954420d83e5ee29ccf568792b7d5c8ae1fcbe90ed9fdc660cc3c607a4
SHA512e1173bd7445ad13a0d9d3edc42ad2890eccfb0470ba174ae77962f58f7ada6550494aa730cd5911327f650ae7137ad9729ba4cc674fe6481fae51af98eb226b1