Analysis

  • max time kernel
    38s
  • max time network
    39s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240426-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20240426-enlocale:en-usos:windows10-2004-x64system
  • submitted
    05-05-2024 20:43

General

  • Target

    https://github.com/MivyGitHub/Discord-rat-v2/blob/main/release.rar

Malware Config

Signatures

  • Discord RAT

    A RAT written in C# using Discord as a C2.

  • Executes dropped EXE 2 IoCs
  • Legitimate hosting services abused for malware hosting/C2 1 TTPs 2 IoCs
  • Enumerates system info in registry 2 TTPs 3 IoCs
  • Suspicious behavior: EnumeratesProcesses 8 IoCs
  • Suspicious behavior: GetForegroundWindowSpam 1 IoCs
  • Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 7 IoCs
  • Suspicious use of AdjustPrivilegeToken 5 IoCs
  • Suspicious use of FindShellTrayWindow 37 IoCs
  • Suspicious use of SendNotifyMessage 24 IoCs
  • Suspicious use of WriteProcessMemory 64 IoCs

Processes

  • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://github.com/MivyGitHub/Discord-rat-v2/blob/main/release.rar
    1⤵
    • Enumerates system info in registry
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
    • Suspicious use of FindShellTrayWindow
    • Suspicious use of SendNotifyMessage
    • Suspicious use of WriteProcessMemory
    PID:3052
    • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffd7df246f8,0x7ffd7df24708,0x7ffd7df24718
      2⤵
        PID:3500
      • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=1976,1029293569925543494,16645041151761134120,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2084 /prefetch:2
        2⤵
          PID:868
        • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
          "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=1976,1029293569925543494,16645041151761134120,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2156 /prefetch:3
          2⤵
          • Suspicious behavior: EnumeratesProcesses
          PID:412
        • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
          "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=1976,1029293569925543494,16645041151761134120,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2916 /prefetch:8
          2⤵
            PID:2988
          • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
            "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1976,1029293569925543494,16645041151761134120,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3292 /prefetch:1
            2⤵
              PID:3108
            • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
              "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1976,1029293569925543494,16645041151761134120,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3304 /prefetch:1
              2⤵
                PID:3332
              • C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
                "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=1976,1029293569925543494,16645041151761134120,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5516 /prefetch:8
                2⤵
                  PID:3112
                • C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
                  "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=1976,1029293569925543494,16645041151761134120,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5516 /prefetch:8
                  2⤵
                  • Suspicious behavior: EnumeratesProcesses
                  PID:652
                • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=edge_collections.mojom.CollectionsDataManager --field-trial-handle=1976,1029293569925543494,16645041151761134120,131072 --lang=en-US --service-sandbox-type=collections --mojo-platform-channel-handle=5512 /prefetch:8
                  2⤵
                    PID:1752
                  • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1976,1029293569925543494,16645041151761134120,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5004 /prefetch:1
                    2⤵
                      PID:1064
                    • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=1976,1029293569925543494,16645041151761134120,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5500 /prefetch:8
                      2⤵
                      • Suspicious behavior: EnumeratesProcesses
                      PID:4448
                    • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1976,1029293569925543494,16645041151761134120,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5748 /prefetch:1
                      2⤵
                        PID:1228
                      • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1976,1029293569925543494,16645041151761134120,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=13 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5688 /prefetch:1
                        2⤵
                          PID:2956
                        • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                          "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1976,1029293569925543494,16645041151761134120,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=14 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6140 /prefetch:1
                          2⤵
                            PID:5176
                          • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                            "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1976,1029293569925543494,16645041151761134120,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=15 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5500 /prefetch:1
                            2⤵
                              PID:5184
                          • C:\Windows\System32\CompPkgSrv.exe
                            C:\Windows\System32\CompPkgSrv.exe -Embedding
                            1⤵
                              PID:4292
                            • C:\Windows\System32\CompPkgSrv.exe
                              C:\Windows\System32\CompPkgSrv.exe -Embedding
                              1⤵
                                PID:4204
                              • C:\Windows\System32\rundll32.exe
                                C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
                                1⤵
                                  PID:5608
                                • C:\Program Files\7-Zip\7zFM.exe
                                  "C:\Program Files\7-Zip\7zFM.exe" "C:\Users\Admin\Downloads\release.rar"
                                  1⤵
                                  • Suspicious behavior: GetForegroundWindowSpam
                                  • Suspicious use of AdjustPrivilegeToken
                                  • Suspicious use of FindShellTrayWindow
                                  PID:5732
                                  • C:\Users\Admin\AppData\Local\Temp\7zO466C57F7\builder.exe
                                    "C:\Users\Admin\AppData\Local\Temp\7zO466C57F7\builder.exe"
                                    2⤵
                                    • Executes dropped EXE
                                    PID:5868
                                  • C:\Users\Admin\AppData\Local\Temp\7zO4667DE97\Discord rat.exe
                                    "C:\Users\Admin\AppData\Local\Temp\7zO4667DE97\Discord rat.exe"
                                    2⤵
                                    • Executes dropped EXE
                                    • Suspicious use of AdjustPrivilegeToken
                                    PID:6096

                                Network

                                MITRE ATT&CK Enterprise v15

                                Replay Monitor

                                Loading Replay Monitor...

                                Downloads

                                • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

                                  Filesize

                                  152B

                                  MD5

                                  c9c4c494f8fba32d95ba2125f00586a3

                                  SHA1

                                  8a600205528aef7953144f1cf6f7a5115e3611de

                                  SHA256

                                  a0ca609205813c307df9122c0c5b0967c5472755700f615b0033129cf7d6b35b

                                  SHA512

                                  9d30cea6cfc259e97b0305f8b5cd19774044fb78feedfcef2014b2947f2e6a101273bc4ad30db9cc1724e62eb441266d7df376e28ac58693f128b9cce2c7d20d

                                • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

                                  Filesize

                                  152B

                                  MD5

                                  4dc6fc5e708279a3310fe55d9c44743d

                                  SHA1

                                  a42e8bdf9d1c25ef3e223d59f6b1d16b095f46d2

                                  SHA256

                                  a1c5f48659d4b3af960971b3a0f433a95fee5bfafe5680a34110c68b342377d8

                                  SHA512

                                  5874b2310187f242b852fa6dcded244cc860abb2be4f6f5a6a1db8322e12e1fef8f825edc0aae75adbb7284a2cd64730650d0643b1e2bb7ead9350e50e1d8c13

                                • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index

                                  Filesize

                                  1KB

                                  MD5

                                  8f54b47b75b7cfca7f9d24cbdfcd079b

                                  SHA1

                                  9883f8e6f10b081cd82f91a95fe9aec0e895d483

                                  SHA256

                                  59124a6baf2d64e6bf1a540d94e58d0ce87d760b5ff071da63086ec88c29a69d

                                  SHA512

                                  598f25e15c629a729ee78d8fc35d0b84a7f1ee54fab41356d64f018e2ed24502bf06cbc0d6b1d0faae50e93e6dc2a07a9100afa6fc5243dc147bf64e511f5ecc

                                • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

                                  Filesize

                                  6KB

                                  MD5

                                  ecf197ea76b4c073125d7277f472984e

                                  SHA1

                                  e68d69a79cdd7e03402c26d09ff53f843f8c241b

                                  SHA256

                                  7c2ec250c739405db1d1c681f8340d1234ea72190a4590a81bbbcd29047562ca

                                  SHA512

                                  47908eeea3f3245b746de4ec22cf8332f3ee45ea13dfb641c5e1c112abb3df673bc5ea390c5cac4d5d5a9d2e82556872115526013c48a135c29392cd6368a3d7

                                • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

                                  Filesize

                                  6KB

                                  MD5

                                  89eea6056a16f3c7cdb3f83d230c68d0

                                  SHA1

                                  49cd8868deb75fd13cf9eaeed9833e31ad8ff116

                                  SHA256

                                  ca315cd8faf5d80f610973485a5d880c073236d906faa3545a652fd833b288b8

                                  SHA512

                                  8fee10c61c33f2c97cc79d30566ef16b83a235597fe932b5eb281392ea357ae0da41845a6fba00144be32bf50d42c3a811a63c6f8d2f721d06585ed231773217

                                • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

                                  Filesize

                                  16B

                                  MD5

                                  46295cac801e5d4857d09837238a6394

                                  SHA1

                                  44e0fa1b517dbf802b18faf0785eeea6ac51594b

                                  SHA256

                                  0f1bad70c7bd1e0a69562853ec529355462fcd0423263a3d39d6d0d70b780443

                                  SHA512

                                  8969402593f927350e2ceb4b5bc2a277f3754697c1961e3d6237da322257fbab42909e1a742e22223447f3a4805f8d8ef525432a7c3515a549e984d3eff72b23

                                • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

                                  Filesize

                                  16B

                                  MD5

                                  206702161f94c5cd39fadd03f4014d98

                                  SHA1

                                  bd8bfc144fb5326d21bd1531523d9fb50e1b600a

                                  SHA256

                                  1005a525006f148c86efcbfb36c6eac091b311532448010f70f7de9a68007167

                                  SHA512

                                  0af09f26941b11991c750d1a2b525c39a8970900e98cba96fd1b55dbf93fee79e18b8aab258f48b4f7bda40d059629bc7770d84371235cdb1352a4f17f80e145

                                • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

                                  Filesize

                                  11KB

                                  MD5

                                  64bd105b5f6765a55394d12df73efce4

                                  SHA1

                                  47f4c2ab0be98b17653248e1ef4a750e4202438f

                                  SHA256

                                  7997ce9f030f33b905a7065e409ec74979b89924709e3a2d08a483406cb55237

                                  SHA512

                                  7db3bf4b616c9176fbeecc6696eff9afbe0ed402131b077a981136e0e2161077400aa54f7582071937a76c17aa9be7c77daf840a7300ceba17973e1030356e51

                                • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

                                  Filesize

                                  11KB

                                  MD5

                                  26121c4d6924a5692506964d7eb261ff

                                  SHA1

                                  9d842ed52bc76d7eae10d4bce3d83dc07b72e1d1

                                  SHA256

                                  6cbad555b3754df2df362e6e00d4c001e79252e7f1c5f5b3463a26dd4c349f80

                                  SHA512

                                  e6af67bf63ef1dbc5a985a7c45290118727718256fee3d9b9c2173fbd46fb22efd05fd8966ecfd9f2e404d0d0d2dec4fc89afffa38e8f8ae00b60e3626739ec4

                                • C:\Users\Admin\AppData\Local\Temp\7zO4667DE97\Discord rat.exe

                                  Filesize

                                  79KB

                                  MD5

                                  d13905e018eb965ded2e28ba0ab257b5

                                  SHA1

                                  6d7fe69566fddc69b33d698591c9a2c70d834858

                                  SHA256

                                  2bd631c6665656673a923c13359b0dc211debc05b2885127e26b0dce808e2dec

                                  SHA512

                                  b95bfdebef33ac72b6c21cdf0abb4961222b7efd17267cd7236e731dd0b6105ece28e784a95455f1ffc8a6dd1d580a467b07b3bd8cb2fb19e2111f1a864c97cb

                                • C:\Users\Admin\AppData\Local\Temp\7zO466C57F7\builder.exe

                                  Filesize

                                  10KB

                                  MD5

                                  4f04f0e1ff050abf6f1696be1e8bb039

                                  SHA1

                                  bebf3088fff4595bfb53aea6af11741946bbd9ce

                                  SHA256

                                  ded51c306ee7e59fa15c42798c80f988f6310ea77ab77de3d12dc01233757cfa

                                  SHA512

                                  94713824b81de323e368fde18679ef8b8f2883378bffd2b7bd2b4e4bd5d48b35c6e71c9f8e9b058ba497db1bd0781807e5b7cecfd540dad611da0986c72b9f12

                                • C:\Users\Admin\Downloads\release.rar

                                  Filesize

                                  372KB

                                  MD5

                                  86ded4ef1ad1d859f0754dfe45faa694

                                  SHA1

                                  a03f08b39818ee9599311f4e8c1052f6294d7fe0

                                  SHA256

                                  a4f18c25395dd65414110cfb3fe7727c1f72735823611da092d4a2b1db64611f

                                  SHA512

                                  a73087b759ef0618964a440514177fb869cb993ce7ce9840d991b37967f72032af25a65b5dc7bb6d6bef7dc9c1dbe9c5bc1cd0ec05470600487682ee92fbba48

                                • memory/5868-213-0x0000000005BA0000-0x0000000006144000-memory.dmp

                                  Filesize

                                  5.6MB

                                • memory/5868-214-0x00000000055F0000-0x0000000005682000-memory.dmp

                                  Filesize

                                  584KB

                                • memory/5868-215-0x0000000005690000-0x000000000569A000-memory.dmp

                                  Filesize

                                  40KB

                                • memory/5868-212-0x0000000000BE0000-0x0000000000BE8000-memory.dmp

                                  Filesize

                                  32KB

                                • memory/6096-228-0x0000013CEB380000-0x0000013CEB398000-memory.dmp

                                  Filesize

                                  96KB

                                • memory/6096-229-0x0000013CED9A0000-0x0000013CEDB62000-memory.dmp

                                  Filesize

                                  1.8MB

                                • memory/6096-230-0x0000013CEE1A0000-0x0000013CEE6C8000-memory.dmp

                                  Filesize

                                  5.2MB