hxxps://github[.]com/moom825/Discord-RAT-2[.]0

Analysis

max time kernel
148s
max time network
150s
platform
windows11-21h2_x64
resource
win11-20240508-en
resource tags

arch:x64arch:x86image:win11-20240508-enlocale:en-usos:windows11-21h2-x64system
submitted
16-05-2024 20:18

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

https://github.com/moom825/Discord-RAT-2.0

Score

1^/10

Malware Config

Signatures

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe

Suspicious behavior: EnumeratesProcesses 12 IoCs

pid	Process
3384	msedge.exe
3384	msedge.exe
3040	msedge.exe
3040	msedge.exe
1352	identity_helper.exe
1352	identity_helper.exe
2796	msedge.exe
2796	msedge.exe
2572	msedge.exe
2572	msedge.exe
2572	msedge.exe
2572	msedge.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 6 IoCs

pid	Process
3040	msedge.exe
3040	msedge.exe
3040	msedge.exe
3040	msedge.exe
3040	msedge.exe
3040	msedge.exe

Suspicious use of FindShellTrayWindow 25 IoCs

pid	Process
3040	msedge.exe
3040	msedge.exe
3040	msedge.exe
3040	msedge.exe
3040	msedge.exe
3040	msedge.exe
3040	msedge.exe
3040	msedge.exe
3040	msedge.exe
3040	msedge.exe
3040	msedge.exe
3040	msedge.exe
3040	msedge.exe
3040	msedge.exe
3040	msedge.exe
3040	msedge.exe
3040	msedge.exe
3040	msedge.exe
3040	msedge.exe
3040	msedge.exe
3040	msedge.exe
3040	msedge.exe
3040	msedge.exe
3040	msedge.exe
3040	msedge.exe

Suspicious use of SendNotifyMessage 12 IoCs

pid	Process
3040	msedge.exe
3040	msedge.exe
3040	msedge.exe
3040	msedge.exe
3040	msedge.exe
3040	msedge.exe
3040	msedge.exe
3040	msedge.exe
3040	msedge.exe
3040	msedge.exe
3040	msedge.exe
3040	msedge.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 3040 wrote to memory of 1264	3040	msedge.exe	77
PID 3040 wrote to memory of 1264	3040	msedge.exe	77
PID 3040 wrote to memory of 3324	3040	msedge.exe	78
PID 3040 wrote to memory of 3324	3040	msedge.exe	78
PID 3040 wrote to memory of 3324	3040	msedge.exe	78
PID 3040 wrote to memory of 3324	3040	msedge.exe	78
PID 3040 wrote to memory of 3324	3040	msedge.exe	78
PID 3040 wrote to memory of 3324	3040	msedge.exe	78
PID 3040 wrote to memory of 3324	3040	msedge.exe	78
PID 3040 wrote to memory of 3324	3040	msedge.exe	78
PID 3040 wrote to memory of 3324	3040	msedge.exe	78
PID 3040 wrote to memory of 3324	3040	msedge.exe	78
PID 3040 wrote to memory of 3324	3040	msedge.exe	78
PID 3040 wrote to memory of 3324	3040	msedge.exe	78
PID 3040 wrote to memory of 3324	3040	msedge.exe	78
PID 3040 wrote to memory of 3324	3040	msedge.exe	78
PID 3040 wrote to memory of 3324	3040	msedge.exe	78
PID 3040 wrote to memory of 3324	3040	msedge.exe	78
PID 3040 wrote to memory of 3324	3040	msedge.exe	78
PID 3040 wrote to memory of 3324	3040	msedge.exe	78
PID 3040 wrote to memory of 3324	3040	msedge.exe	78
PID 3040 wrote to memory of 3324	3040	msedge.exe	78
PID 3040 wrote to memory of 3324	3040	msedge.exe	78
PID 3040 wrote to memory of 3324	3040	msedge.exe	78
PID 3040 wrote to memory of 3324	3040	msedge.exe	78
PID 3040 wrote to memory of 3324	3040	msedge.exe	78
PID 3040 wrote to memory of 3324	3040	msedge.exe	78
PID 3040 wrote to memory of 3324	3040	msedge.exe	78
PID 3040 wrote to memory of 3324	3040	msedge.exe	78
PID 3040 wrote to memory of 3324	3040	msedge.exe	78
PID 3040 wrote to memory of 3324	3040	msedge.exe	78
PID 3040 wrote to memory of 3324	3040	msedge.exe	78
PID 3040 wrote to memory of 3324	3040	msedge.exe	78
PID 3040 wrote to memory of 3324	3040	msedge.exe	78
PID 3040 wrote to memory of 3324	3040	msedge.exe	78
PID 3040 wrote to memory of 3324	3040	msedge.exe	78
PID 3040 wrote to memory of 3324	3040	msedge.exe	78
PID 3040 wrote to memory of 3324	3040	msedge.exe	78
PID 3040 wrote to memory of 3324	3040	msedge.exe	78
PID 3040 wrote to memory of 3324	3040	msedge.exe	78
PID 3040 wrote to memory of 3324	3040	msedge.exe	78
PID 3040 wrote to memory of 3324	3040	msedge.exe	78
PID 3040 wrote to memory of 3384	3040	msedge.exe	79
PID 3040 wrote to memory of 3384	3040	msedge.exe	79
PID 3040 wrote to memory of 3812	3040	msedge.exe	80
PID 3040 wrote to memory of 3812	3040	msedge.exe	80
PID 3040 wrote to memory of 3812	3040	msedge.exe	80
PID 3040 wrote to memory of 3812	3040	msedge.exe	80
PID 3040 wrote to memory of 3812	3040	msedge.exe	80
PID 3040 wrote to memory of 3812	3040	msedge.exe	80
PID 3040 wrote to memory of 3812	3040	msedge.exe	80
PID 3040 wrote to memory of 3812	3040	msedge.exe	80
PID 3040 wrote to memory of 3812	3040	msedge.exe	80
PID 3040 wrote to memory of 3812	3040	msedge.exe	80
PID 3040 wrote to memory of 3812	3040	msedge.exe	80
PID 3040 wrote to memory of 3812	3040	msedge.exe	80
PID 3040 wrote to memory of 3812	3040	msedge.exe	80
PID 3040 wrote to memory of 3812	3040	msedge.exe	80
PID 3040 wrote to memory of 3812	3040	msedge.exe	80
PID 3040 wrote to memory of 3812	3040	msedge.exe	80
PID 3040 wrote to memory of 3812	3040	msedge.exe	80
PID 3040 wrote to memory of 3812	3040	msedge.exe	80
PID 3040 wrote to memory of 3812	3040	msedge.exe	80
PID 3040 wrote to memory of 3812	3040	msedge.exe	80

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://github.com/moom825/Discord-RAT-2.0
1⤵
- Enumerates system info in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:3040
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=90.0.4430.212 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=90.0.818.66 --initial-client-data=0x100,0x104,0x108,0xdc,0x10c,0x7ffd244c3cb8,0x7ffd244c3cc8,0x7ffd244c3cd8
  2⤵
  PID:1264
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=1800,4355369079868949399,15611965974063680609,131072 --gpu-preferences=SAAAAAAAAADgAAAwAAAAAAAAAAAAAAAAAABgAAAAAAAoAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAB4AAAAAAAAAHgAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAAIAAAAAAAAAAgAAAAAAAAA --mojo-platform-channel-handle=1892 /prefetch:2
  2⤵
  PID:3324
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=1800,4355369079868949399,15611965974063680609,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2388 /prefetch:3
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:3384
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=1800,4355369079868949399,15611965974063680609,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2672 /prefetch:8
  2⤵
  PID:3812
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1800,4355369079868949399,15611965974063680609,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3248 /prefetch:1
  2⤵
  PID:3364
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1800,4355369079868949399,15611965974063680609,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3268 /prefetch:1
  2⤵
  PID:2340
- C:\Program Files (x86)\Microsoft\Edge\Application\90.0.818.66\identity_helper.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\90.0.818.66\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=1800,4355369079868949399,15611965974063680609,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5516 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:1352
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=1800,4355369079868949399,15611965974063680609,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5216 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:2796
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1800,4355369079868949399,15611965974063680609,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5172 /prefetch:1
  2⤵
  PID:1184
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1800,4355369079868949399,15611965974063680609,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5160 /prefetch:1
  2⤵
  PID:4508
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1800,4355369079868949399,15611965974063680609,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3244 /prefetch:1
  2⤵
  PID:1372
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1800,4355369079868949399,15611965974063680609,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3644 /prefetch:1
  2⤵
  PID:3136
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=1800,4355369079868949399,15611965974063680609,131072 --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.22000.1 --gpu-preferences=SAAAAAAAAADoAAAwAAAAAAAAAAAAAAAAAABgAAAQAAAoAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAB4AAAAAAAAAHgAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAAIAAAAAAAAAAgAAAAAAAAA --mojo-platform-channel-handle=5088 /prefetch:2
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:2572

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:1476

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:1940

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
d56e8f308a28ac4183257a7950ab5c89

SHA1
044969c58cef041a073c2d132fa66ccc1ee553fe

SHA256
0bc24451c65457abc1e4e340be2f8faceae6b6ec7768a21d44bcd14636543bae

SHA512
fd5798559f4025ec3408f5550b8671d394b1ec83b85fdac8c005b0cc3e183272bdd07db15a156a572c9c5e5798badf235dc10aae62a052efa8dd9dfdbdca8189

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
8f2eb94e31cadfb6eb07e6bbe61ef7ae

SHA1
3f42b0d5a90408689e7f7941f8db72a67d5a2eab

SHA256
d222c8e3b19cda2657629a486faf32962e016fc66561ce0d17010afdb283c9de

SHA512
9f7f84149885b851e0bf7173c540e466a2b2eb9907d8b608f60360933328cc75d9d1b63640ea4ecc1e64ecc5dd7ee74d82903f96a8b4418ca56296641a8c0703

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
1KB

MD5
315bae8e42f8e02454007fb754e73024

SHA1
84d5e90167f4c57af4361aa282f49a20443effb0

SHA256
0c26a640d70650d7900493ec4a1cd7af5b112d73f0c2e7be6137ac93973b43a6

SHA512
6dd042b806b3352ff352e2ee6f1e0060623f3072fd69103cc9f76b4d2fd7176f55f730ddcb2d0b704925ab6e50e82462261e160a76ce674cc8d1877bf0036a7c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
424B

MD5
686826013c02a5b6362e233099ef9a12

SHA1
f3f1ca41fc8308f02c9cbe0be70afaa2ed4ffe93

SHA256
78a2e34a14b6aacff9d89e4bd519ca0bbcc46e3eca3e3530facfd11a994fc135

SHA512
010e4e24d71ac32b575b7e3b27f4dc6f0fbdb3356adeaaea2a789cf813ef39e7ef8f27b54f09f7033601befb85d6b94c350d98c60588c7e469a884cd2ef63120

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
5KB

MD5
4a3d92b96227d8257d648c82921546fd

SHA1
7b3840de090792e24999aa0c2b5d0ade1a6ad265

SHA256
fbfecb27a5ee91c3ddaa5d91146227dd9f8919c1d327c0163599879a4351dee4

SHA512
f66a59aa8b5feb45707ed94cb9ad1ffd38852685818f497ef55456b0bcc971db9119af9235f39dbfb6410fcf45432c6c6214cbeed08b0892ae49b397641cc5ea

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
f2229f15ff8bf54a42a11a1663946e6a

SHA1
bd4c5674cac24e9e10119848e2dc977fb0caa1c0

SHA256
7e8a893fa09cfde5fd981ae5607650c75c10999e662fa2eeea0662352d7a49a2

SHA512
0619d636ef03088e0da6bebffcef6bcc8a9d3b1a5dabb1a3ca72c24675a2d5aa64c387080e8a453d67f87b9784b4eb144cfd0e2d4381a009a52b7b9e3c58ba65

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

Filesize
16B

MD5
6752a1d65b201c13b62ea44016eb221f

SHA1
58ecf154d01a62233ed7fb494ace3c3d4ffce08b

SHA256
0861415cada612ea5834d56e2cf1055d3e63979b69eb71d32ae9ae394d8306cd

SHA512
9cfd838d3fb570b44fc3461623ab2296123404c6c8f576b0de0aabd9a6020840d4c9125eb679ed384170dbcaac2fa30dc7fa9ee5b77d6df7c344a0aa030e0389

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
11KB

MD5
2f3f0d03ed77c98bb82b05a5d135315a

SHA1
315b33239301ad9ea9608243f58a523028f36cee

SHA256
c715b4be026898e206c4ac2637158341001f875456df129da877d63ecc1ac285

SHA512
1ac5ead1b68cd813912c7e57628cc1736e4f4063fb8de1196a1d4b36de0e9ae50dedb523aa1f7d728e5b5bb5c75cc264bd95d68d9e9ce228720fea4c3d3b20a2

Download Submit