Analysis
-
max time kernel
71s -
max time network
73s -
platform
windows10-2004_x64 -
resource
win10v2004-20240508-en -
resource tags
-
submitted
12-05-2024 01:46
General
-
Target
https://github.com/Wyskooo/Token-Grabber-Webhook-Discord
Malware Config
Signatures
-
Discord RAT
A RAT written in C# using Discord as a C2.
-
Downloads MZ/PE file
-
Executes dropped EXE 1 IoCs
-
Legitimate hosting services abused for malware hosting/C2 1 TTPs 5 IoCs
-
Enumerates system info in registry 2 TTPs 3 IoCs
-
Modifies registry class 1 IoCs
-
NTFS ADS 1 IoCs
-
Suspicious behavior: EnumeratesProcesses 10 IoCs
-
Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 8 IoCs
-
Suspicious use of AdjustPrivilegeToken 2 IoCs
-
Suspicious use of FindShellTrayWindow 43 IoCs
-
Suspicious use of SendNotifyMessage 24 IoCs
-
Suspicious use of WriteProcessMemory 64 IoCs
Processes
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://github.com/Wyskooo/Token-Grabber-Webhook-Discord1⤵
- Enumerates system info in registry
- Modifies registry class
- NTFS ADS
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ff9cc4c46f8,0x7ff9cc4c4708,0x7ff9cc4c47182⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=1996,17551481726304867494,14053907621015411833,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2008 /prefetch:22⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=1996,17551481726304867494,14053907621015411833,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2528 /prefetch:32⤵
- Suspicious behavior: EnumeratesProcesses
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=1996,17551481726304867494,14053907621015411833,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2932 /prefetch:82⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1996,17551481726304867494,14053907621015411833,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3364 /prefetch:12⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1996,17551481726304867494,14053907621015411833,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3380 /prefetch:12⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=1996,17551481726304867494,14053907621015411833,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5228 /prefetch:82⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=1996,17551481726304867494,14053907621015411833,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5228 /prefetch:82⤵
- Suspicious behavior: EnumeratesProcesses
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1996,17551481726304867494,14053907621015411833,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5328 /prefetch:12⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1996,17551481726304867494,14053907621015411833,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5296 /prefetch:12⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1996,17551481726304867494,14053907621015411833,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5320 /prefetch:12⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1996,17551481726304867494,14053907621015411833,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3544 /prefetch:12⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=edge_collections.mojom.CollectionsDataManager --field-trial-handle=1996,17551481726304867494,14053907621015411833,131072 --lang=en-US --service-sandbox-type=collections --mojo-platform-channel-handle=5444 /prefetch:82⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1996,17551481726304867494,14053907621015411833,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=14 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5528 /prefetch:12⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --field-trial-handle=1996,17551481726304867494,14053907621015411833,131072 --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=6260 /prefetch:82⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1996,17551481726304867494,14053907621015411833,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=17 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6060 /prefetch:12⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=1996,17551481726304867494,14053907621015411833,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2984 /prefetch:82⤵
- Suspicious behavior: EnumeratesProcesses
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=1996,17551481726304867494,14053907621015411833,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=1924 /prefetch:82⤵
- Suspicious behavior: EnumeratesProcesses
-
-
C:\Users\Admin\Downloads\setup.exe"C:\Users\Admin\Downloads\setup.exe"2⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\System32\CompPkgSrv.exeC:\Windows\System32\CompPkgSrv.exe -Embedding1⤵
-
C:\Windows\System32\CompPkgSrv.exeC:\Windows\System32\CompPkgSrv.exe -Embedding1⤵
-
C:\Windows\System32\rundll32.exeC:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding1⤵
-
C:\Users\Admin\Downloads\Ven1-Grabber-main\Ven1-Grabber-main\release\builder.exe"C:\Users\Admin\Downloads\Ven1-Grabber-main\Ven1-Grabber-main\release\builder.exe"1⤵
-
C:\Users\Admin\Downloads\Ven1-Grabber-main\Ven1-Grabber-main\release\Release\Discord rat.exe"C:\Users\Admin\Downloads\Ven1-Grabber-main\Ven1-Grabber-main\release\Release\Discord rat.exe"1⤵
- Suspicious use of AdjustPrivilegeToken
Network
MITRE ATT&CK Enterprise v15
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
152B
MD54b4f91fa1b362ba5341ecb2836438dea
SHA19561f5aabed742404d455da735259a2c6781fa07
SHA256d824b742eace197ddc8b6ed5d918f390fde4b0fbf0e371b8e1f2ed40a3b6455c
SHA512fef22217dcdd8000bc193e25129699d4b8f7a103ca4fe1613baf73ccf67090d9fbae27eb93e4bb8747455853a0a4326f2d0c38df41c8d42351cdcd4132418dac
-
Filesize
152B
MD5eaa3db555ab5bc0cb364826204aad3f0
SHA1a4cdfaac8de49e6e6e88b335cfeaa7c9e3c563ca
SHA256ef7baeb1b2ab05ff3c5fbb76c2759db49294654548706c7c8e87f0cde855b86b
SHA512e13981da51b52c15261ecabb98af32f9b920651b46b10ce0cc823c5878b22eb1420258c80deef204070d1e0bdd3a64d875ac2522e3713a3cf11657aa55aeccd4
-
Filesize
2KB
MD5edbd46c9a64c70cf745e23b529db6cb7
SHA1f68d3321a3f64c56fc199170addb6d42d03157dc
SHA256fcdf2980918d1836b80010d5e7278961f0ded85c31f84ff394034201b455c8fb
SHA5129238da668c247007c20a945c56b21be0432f73a5b6e7ce65551a0d8d8eb61b24feb66c739a046051bffefeade2e16baa05b0333d7151bf98e253bf16a7c687e0
-
Filesize
656B
MD5ac27a11f3095537a1e078e9fac232c9c
SHA17a9074ea261898bcce24fac68b7daae4bcf6d119
SHA256417a6fe8bc11e853ff08b8aaedcaa1d9a47e87c1857621451f00a5e686260f63
SHA5126abe4de0fc487f72b245293517257aa56a7cf15d7920c9a37b309abbd0aa7aceaf8aa104176f3ff713eb7b7ce919ad051548f00f36468e20436519670e221825
-
Filesize
6KB
MD5cf836f9e2782f825715879687ab26110
SHA11cd25951538d5082c0f72d385bd4615e36b9b5b1
SHA256167a0e1c18b264493f45bd083cf105e7fb6a06d90922553b1099434ad79b21c4
SHA5126b186a82aab4942d9a0bdcbbd5a5a8d920aa78ec361ab1a99cd7c1e24c9df36758a2cb59053054ca39d944dec8ffd91258c9d3688f8b772375c150d587788503
-
Filesize
6KB
MD51ac79516194cbebad401871c4adfc938
SHA13acfef649cad245f377c73fb0429712225d4afd9
SHA256c83de48caa0304da5c3a36300ab53fec411f34c92c5cc514cffbd467d3d095ff
SHA512e9ef1fda80c8d0b199d8fc60f49433c894862f3fa6e641f1ed01f02efb91fd48eb85f837cb04f6c4f62933339e4f129f802ab06ced31ee9ad086d12d3e4105ef
-
Filesize
6KB
MD544e2d4b47bbf80671fc99a986628f4ec
SHA1ab8feb6a684ae98878f4feb385074cd50b0d2ecd
SHA256c248a2e6a5305c0cf6e0f7ee5141dee3e6feb0f83821d2ba99e525cc33781394
SHA5129a9c045b81a4cd391cd8cad6695bc23f92a7479213b7254807d9766cd629946065494b3cafe2c203350352eccecb353ca41e3b67cde0a08ed62104f4479adff8
-
Filesize
1KB
MD506f5f9297b00b19dd2d77b0739bfcbf9
SHA150dc625a4bf61f99bc4cb06e2c56f6d483948149
SHA25662135c86bbf688e7bba4f393d563967f29f16a35e5cc692c4e95ff038e247219
SHA51201bb0abd7e3c0f459516014825671b68d2f6a3618b87a73f7a50515eeb7475ffe1d961a2d3b3c6be122d2f1d34d2cf870b6736d882ea2b81632afd482d3e89c6
-
Filesize
1KB
MD5fa7fd81c1f85f747a306c94df4bef803
SHA137c71a78c7e6fd6c2f994dbb9fa9354b3eb52d36
SHA256b8de6e9d64e22999c6f747032eb17c310b901bb8a796a6ad20566fbff5759129
SHA5120628a9a81e356cd92c12566eb8d8a5603b776a16d7c970cb055de4d739f125f6b0adfacbaca908e39d81f1a98321adc7061303f4c7137eec424d6baf0f7a7912
-
Filesize
1KB
MD5d32c6e0b88b6426ac4db7e4a8180c45a
SHA1032d267122f28277b28ef628fb2775644cceda4e
SHA256c989fb187d08ef621a62b69e644318b7f4553ade21cbaec51d1976c6a2b63dd7
SHA51256d08442c3e757279f6f808a9a7f0e66e446820110cc3f09ae02256c0cdf350906d09697b929f4cabd7c1f3d6056d9d72bbc525f6b8b8389f126a953e415cbd3
-
Filesize
1KB
MD51738e604dbdf7174cb364f02b6487752
SHA170482d9a232c788854b3d59e6f9fcaa7aaa56a9d
SHA2563101f6229512e9f3c0fcd023d8a1ef15072f4e42c12395358dfc2cbf34def7f1
SHA5128d08e718b56ed7500d65e9409c4428c00fc31fda18a7de6b8de67beaf0e2ab10bd7d3ad89a65a759230746b301d4954b40932e6a5414142d30a7586040b8936d
-
Filesize
16B
MD56752a1d65b201c13b62ea44016eb221f
SHA158ecf154d01a62233ed7fb494ace3c3d4ffce08b
SHA2560861415cada612ea5834d56e2cf1055d3e63979b69eb71d32ae9ae394d8306cd
SHA5129cfd838d3fb570b44fc3461623ab2296123404c6c8f576b0de0aabd9a6020840d4c9125eb679ed384170dbcaac2fa30dc7fa9ee5b77d6df7c344a0aa030e0389
-
Filesize
11KB
MD52f46d93f943a5917b53cdc9e4a9d72ab
SHA1b7fcabafeec92c2cc520325198636352c8abbfe7
SHA2561bd891622bd100293bfbd0e82d4d4a0eaa6599a2409c0f27828c3d997f695c07
SHA5121cae9199000c667c06a55f146fba5e35337cb82fa26906f9d59392de38de96bc2b74ebb6ce42bb0ec5964f88676de8f9b49f0aac73a967ca6502d93e1bed1334
-
Filesize
11KB
MD5e2cad05575dfa079c455a82e5ba69f20
SHA1744bd533ad82dfd6f1c135ce169df88f16b35ea3
SHA256a5de4c52b24e4e1d551e576f836fa5702823db9ac20c260d01f25ddd580fab90
SHA5129bc93f613c82510152427bed7d9500564826a89b7222fac9ade855feee54e13591ab6b953b151de1b5d8f3c1072d6dfbbb97fa2454030cb594b9fa35a7542ff2
-
Filesize
78KB
MD59b5e862c8e697c2d5d60f248647eecca
SHA1a4c505154a42a49fd2728a2975da495d86bdfbc0
SHA256f5db7bf99fd192a159bba933944ec95493d0e897f9cd5a4915f63d2cab904567
SHA5129d22c1bed2a8a4b7378d7bdbb9b283ec1749b593231fc240c107f7de18a3f4d9881a6cdc74fb5d70ea922e46247f71b89f3a925086caa9a379f6bb54d58bd510
-
Filesize
448KB
MD5dcbaa236eb5c83addc0ac84e9976964e
SHA1908bafeeebae60c8a71d23c38c46dce0ed156c0e
SHA256f2a537ce9f942fdd0020bd72568b4252f735dce75a9d9e0fc77af51ca0a69d01
SHA5122a8879173177de0fb383fb528f61fed6b4635d9817244adab455d806c1330da180af7660580af029746cd76daf23db6089790c90f94e772003c1f7b462d03a5d
-
Filesize
96KB
-
Filesize
1.8MB
-
Filesize
5.2MB
-
Filesize
32KB
-
Filesize
5.6MB
-
Filesize
584KB
-
Filesize
40KB
-
Filesize
96KB