Analysis
max time kernel: 42s
max time network: 39s
platform: windows10-2004_x64
resource: win10v2004-20240426-en
resource tags: arch:x64, arch:x86, image:win10v2004-20240426-en, locale:en-us, os:windows10-2004-x64, system
submitted: 06-05-2024 21:32
Static task: static1
URLScan task: urlscan1
Behavioral task: behavioral1
Sample: https://github.com/Itsvirus922/DiscordGrabberV2
Resource: win10v2004-20240426-en
General
Target: https://github.com/Itsvirus922/DiscordGrabberV2
Malware Config
Extracted: discordrat
discord_token: MTIxOTQ5MDkxODAzODc2OTY2NA.GCWhKe.6yHHVnnOzdw61HTXFTC1asUdBYLSl90veg7sPQ
server_id: 1208610723861893200
Signatures
- Discord RAT
  A RAT written in C# using Discord as a C2.
- Executes dropped EXE (1 IoC)
  pid | Process
  5732 | Builder.exe
- Legitimate hosting services abused for malware hosting/C2 (1 TTP, 2 IoCs)
  flow | ioc
  61 | raw.githubusercontent.com
  62 | raw.githubusercontent.com
- Enumerates system info in registry (2 TTPs, 3 IoCs)
  description | ioc | Process
  Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer | msedge.exe
  Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName | msedge.exe
  Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS | msedge.exe
- Suspicious behavior: EnumeratesProcesses (8 IoCs)
  pid | Process
  3648 | msedge.exe (2 entries)
  4628 | msedge.exe (2 entries)
  4876 | identity_helper.exe (2 entries)
  4988 | msedge.exe (2 entries)
- Suspicious behavior: GetForegroundWindowSpam (1 IoC)
  pid | Process
  5628 | 7zFM.exe
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary (7 IoCs)
  pid | Process
  4628 | msedge.exe (7 entries)
- Suspicious use of AdjustPrivilegeToken (4 IoCs)
  description | pid | Process
  Token: SeRestorePrivilege | 5628 | 7zFM.exe
  Token: 35 | 5628 | 7zFM.exe
  Token: SeSecurityPrivilege | 5628 | 7zFM.exe
  Token: SeDebugPrivilege | 5732 | Builder.exe
- Suspicious use of FindShellTrayWindow (35 IoCs)
  pid | Process
  4628 | msedge.exe (33 entries)
  5628 | 7zFM.exe (2 entries)
- Suspicious use of SendNotifyMessage (24 IoCs)
  pid | Process
  4628 | msedge.exe (24 entries)
- Suspicious use of WriteProcessMemory (64 IoCs)
  description | pid | Process | procid_target
  PID 4628 wrote to memory of 3712 | 4628 | msedge.exe | 82 (2 entries)
  PID 4628 wrote to memory of 2124 | 4628 | msedge.exe | 83 (repeated)
  PID 4628 wrote to memory of 3648 | 4628 | msedge.exe | 84 (2 entries)
  PID 4628 wrote to memory of 2120 | 4628 | msedge.exe | 85 (repeated)
  The 2124 and 2120 rows are repeated many times in the original listing and together account for the remaining 60 entries.
Processes
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (PID 4628)
  Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://github.com/Itsvirus922/DiscordGrabberV2
  Signatures: Enumerates system info in registry; Suspicious behavior: EnumeratesProcesses; Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary; Suspicious use of FindShellTrayWindow; Suspicious use of SendNotifyMessage; Suspicious use of WriteProcessMemory
  - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (PID 3712)
    Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffd521f46f8,0x7ffd521f4708,0x7ffd521f4718
  - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (PID 2124)
    Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2120,11568265368652515404,2838182991658316594,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2128 /prefetch:2
  - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (PID 3648)
    Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2120,11568265368652515404,2838182991658316594,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2224 /prefetch:3
    Signatures: Suspicious behavior: EnumeratesProcesses
  - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (PID 2120)
    Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2120,11568265368652515404,2838182991658316594,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2708 /prefetch:8
  - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (PID 3492)
    Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2120,11568265368652515404,2838182991658316594,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3352 /prefetch:1
  - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (PID 5044)
    Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2120,11568265368652515404,2838182991658316594,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3384 /prefetch:1
  - C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe (PID 1160)
    Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2120,11568265368652515404,2838182991658316594,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5800 /prefetch:8
  - C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe (PID 4876)
    Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2120,11568265368652515404,2838182991658316594,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5800 /prefetch:8
    Signatures: Suspicious behavior: EnumeratesProcesses
  - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (PID 5084)
    Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2120,11568265368652515404,2838182991658316594,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4144 /prefetch:1
  - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (PID 3988)
    Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2120,11568265368652515404,2838182991658316594,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5148 /prefetch:1
  - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (PID 3772)
    Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=edge_collections.mojom.CollectionsDataManager --field-trial-handle=2120,11568265368652515404,2838182991658316594,131072 --lang=en-US --service-sandbox-type=collections --mojo-platform-channel-handle=5708 /prefetch:8
  - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (PID 4732)
    Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2120,11568265368652515404,2838182991658316594,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3480 /prefetch:1
  - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (PID 4988)
    Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=2120,11568265368652515404,2838182991658316594,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=6064 /prefetch:8
    Signatures: Suspicious behavior: EnumeratesProcesses
  - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (PID 2360)
    Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2120,11568265368652515404,2838182991658316594,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=14 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6328 /prefetch:1
  - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (PID 1160)
    Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2120,11568265368652515404,2838182991658316594,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=15 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5916 /prefetch:1
- C:\Windows\System32\CompPkgSrv.exe (PID 4828)
  Command line: C:\Windows\System32\CompPkgSrv.exe -Embedding
- C:\Windows\System32\CompPkgSrv.exe (PID 1816)
  Command line: C:\Windows\System32\CompPkgSrv.exe -Embedding
- C:\Windows\System32\rundll32.exe (PID 5460)
  Command line: C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
- C:\Program Files\7-Zip\7zFM.exe (PID 5628)
  Command line: "C:\Program Files\7-Zip\7zFM.exe" "C:\Users\Admin\Downloads\Discord Grabber V2.rar"
  Signatures: Suspicious behavior: GetForegroundWindowSpam; Suspicious use of AdjustPrivilegeToken; Suspicious use of FindShellTrayWindow
  - C:\Users\Admin\AppData\Local\Temp\7zOCF5021F7\Builder.exe (PID 5732)
    Command line: "C:\Users\Admin\AppData\Local\Temp\7zOCF5021F7\Builder.exe"
    Signatures: Executes dropped EXE; Suspicious use of AdjustPrivilegeToken
Network
MITRE ATT&CK Enterprise v15
Downloads
- Filesize: 152B
  MD5: 2daa93382bba07cbc40af372d30ec576
  SHA1: c5e709dc3e2e4df2ff841fbde3e30170e7428a94
  SHA256: 1826d2a57b1938c148bf212a47d947ed1bfb26cfc55868931f843ee438117f30
  SHA512: 65635cb59c81548a9ef8fdb0942331e7f3cd0c30ce1d4dba48aed72dbb27b06511a55d2aeaadfadbbb4b7cb4b2e2772bbabba9603b3f7d9c8b9e4a7fbf3d6b6b
- Filesize: 152B
  MD5: ecdc2754d7d2ae862272153aa9b9ca6e
  SHA1: c19bed1c6e1c998b9fa93298639ad7961339147d
  SHA256: a13d791473f836edcab0e93451ce7b7182efbbc54261b2b5644d319e047a00a7
  SHA512: cd4fb81317d540f8b15f1495a381bb6f0f129b8923a7c06e4b5cf777d2625c30304aee6cc68aa20479e08d84e5030b43fbe93e479602400334dfdd7297f702f2
- C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index
  Filesize: 2KB
  MD5: a98f221016dbf88790b49e5ba9d2ff8f
  SHA1: b263109e4e275bc5fc6e680c8aeabd6c52e164a7
  SHA256: 107da753f05ca7a6d14b2e786f647e189e08edc0a4130e11c3fda6226821668b
  SHA512: 1fe782e844d5963d6bc26e72e542da9be5c8d37aaa536c346cdc129a4ec33e6ef68801b32ab19c73dcb45a93056e9fdde33c28ec3d09e6db1c367e6f2c700329
- Filesize: 6KB
  MD5: c279c07bdabe3894bebc3042921e8998
  SHA1: 427da33b84100de59ebfb1e155a580a87dfcda60
  SHA256: 56f318c36c675463b83d9e266981861d5eaa39d74298e6cb5e078bb104d0f578
  SHA512: 38512f23008ed0358164c4f26762cc8d6e5f01c1d18881e0b5d2971f6e2119888cc4c0ecf806fae8651fb125f343dc50ca674b0a4e31af794ede741031380eb6
- Filesize: 6KB
  MD5: 35750618e3e837f2e55b5c65e1929ef9
  SHA1: 2e80321aefa4680ffbc23a1b6a46d5d4ee14163f
  SHA256: d6b1c4971a5a147445831a12e3039830949ed00a5848734be786df4d0d8dae95
  SHA512: 62fc82bb9b6372134fda8e4919667f863fc8e5098803075aa574551bd955b2397c4162ed7a249f3ec4f3714dccb47a9e2bf93b33aebf1d853d50cc19b4fce4f6
- Filesize: 16B
  MD5: 6752a1d65b201c13b62ea44016eb221f
  SHA1: 58ecf154d01a62233ed7fb494ace3c3d4ffce08b
  SHA256: 0861415cada612ea5834d56e2cf1055d3e63979b69eb71d32ae9ae394d8306cd
  SHA512: 9cfd838d3fb570b44fc3461623ab2296123404c6c8f576b0de0aabd9a6020840d4c9125eb679ed384170dbcaac2fa30dc7fa9ee5b77d6df7c344a0aa030e0389
- Filesize: 11KB
  MD5: c2b9507adc0ba1f499192e334b268b8f
  SHA1: 37f09bad9edafc670fd183b9fec6155bdcb7abd7
  SHA256: 1be21977c05967b77a533f0836cf20e4717a4b6cb02c3da6986a03c6e386a520
  SHA512: bf8db559c76dfbc835068a85fe2de01bd8495f960803221de0a3f4dbd345c0154207115df2ba2aa72606466b43a43ce70e8dd0a47cb2134d3e5602bc6500171c
- Filesize: 11KB
  MD5: c46490f00c733fd0b477325e261283a9
  SHA1: a520c7fda93e48231d46c00b7fdb546f2514e4b0
  SHA256: 257a25951febd2fc4366aba7b5d63ab07afa065369a2eadc0bd48d422cfa52af
  SHA512: 68204001ca3c2606edf3fb7830c3bdaef572540a797971397dfe6638f49bd2359bbe7a6f909fb427cdb2fea708d1ad773515399a0d2f2fd9881933f09664fa42
- Filesize: 78KB
  MD5: 36f676ec3787a18ba20667b9c8ac6667
  SHA1: 6d61633e9e3448e81046d0b515c0f8a47154e673
  SHA256: 2d7e4969115d50c25c4d9bd001a3e167493dd92471cee3493920711d61744e40
  SHA512: 8b9487d9c66342c19c30b1513944baef57233048e332eab321551c58b16cf684d0ed124bb7f6496096644f7570f5a9a46f9fa9d0d2bc7fa78d52a60cdf63477d
- Filesize: 367KB
  MD5: 5f9b9efbca886733b4c6be743e66e8ae
  SHA1: 0ef3ee8d020f78cae1e11f9e6f38f92379b31f14
  SHA256: 3b19d287a815c5fde094980dd4b1f2baef044f7d658039dfb43f22e02b62f47b
  SHA512: c5afea30ba5388e1b96345a69bb7e555b0aa747e49ea6bf7ffff75fe844525d40c56d44569056eb1d61360f2ad4cd67b232f0de92c2b56d7fb8c6d2a1914f431