Analysis
- max time kernel: 149s
- max time network: 152s
- platform: windows10-2004_x64
- resource: win10v2004-20240426-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20240426-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 23-05-2024 14:28
Behavioral task: behavioral1
- Sample: Client-built.exe
- Resource: win7-20240221-en
Behavioral task: behavioral2
- Sample: Client-built.exe
- Resource: win10v2004-20240426-en
General
- Target: Client-built.exe
- Size: 78KB
- MD5: 33f218bd11394698c4448e7ffa84c254
- SHA1: f2a05b616b318007daf0cde3f938a706aeb27cde
- SHA256: 712a42256cf7c2f28f3830dc2f75ee733da382fbe9d5aa16c6d725e893309e5a
- SHA512: 94f339fd837b8529594c76c777a12da45066a99c4f047cd124d8465e3eaef7029e75a625eccf68e91bdb29c1ad2b827faaa005306de07fa28898f2dcfa6b5866
- SSDEEP: 1536:52WjO8XeEXFh5P7v88wbjNrfxCXhRoKV6+V+APIC:5Zv5PDwbjNrmAE+kIC
Malware Config
Extracted: discordrat
- discord_token: MTI0Mjg1MDk4NTg3Nzk2Njk4MQ.G0Waz3.y89y4wvxDnICewngCCu5gBaewpajwh45av-jE8
- server_id: 1242851356293992600
Signatures
- Discord RAT
  A RAT written in C# using Discord as a C2.
- Downloads MZ/PE file
- Reads user/profile data of web browsers (2 TTPs)
  Infostealers often target stored browser data, which can include saved credentials etc.
- Legitimate hosting services abused for malware hosting/C2 (1 TTPs, 10 IoCs)
  Processes:
  flow | ioc
  59   | discord.com
  11   | discord.com
  43   | discord.com
  45   | raw.githubusercontent.com
  46   | discord.com
  47   | discord.com
  9    | discord.com
  22   | discord.com
  42   | discord.com
  44   | raw.githubusercontent.com
- Suspicious use of AdjustPrivilegeToken (3 IoCs)
  Processes: Client-built.exe, AUDIODG.EXE
  description                       | pid  | process
  Token: SeDebugPrivilege           | 2796 | Client-built.exe
  Token: 33                         | 912  | AUDIODG.EXE
  Token: SeIncBasePriorityPrivilege | 912  | AUDIODG.EXE
Processes
- C:\Users\Admin\AppData\Local\Temp\Client-built.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\Client-built.exe"
  - Suspicious use of AdjustPrivilegeToken
- C:\Windows\system32\AUDIODG.EXE
  Command line: C:\Windows\system32\AUDIODG.EXE 0x29c 0x49c
  - Suspicious use of AdjustPrivilegeToken
- C:\Windows\System32\rundll32.exe
  Command line: C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
Network
MITRE ATT&CK Matrix ATT&CK v13
Downloads
- memory/2796-0-0x0000025274550000-0x0000025274568000-memory.dmp, Filesize: 96KB
- memory/2796-1-0x00007FFE63123000-0x00007FFE63125000-memory.dmp, Filesize: 8KB
- memory/2796-2-0x0000025276C60000-0x0000025276E22000-memory.dmp, Filesize: 1.8MB
- memory/2796-3-0x00007FFE63120000-0x00007FFE63BE1000-memory.dmp, Filesize: 10.8MB
- memory/2796-4-0x0000025277460000-0x0000025277988000-memory.dmp, Filesize: 5.2MB
- memory/2796-5-0x00007FFE63123000-0x00007FFE63125000-memory.dmp, Filesize: 8KB
- memory/2796-6-0x00007FFE63120000-0x00007FFE63BE1000-memory.dmp, Filesize: 10.8MB
- memory/2796-7-0x0000025276BD0000-0x0000025276C46000-memory.dmp, Filesize: 472KB
- memory/2796-8-0x0000025276210000-0x0000025276222000-memory.dmp, Filesize: 72KB
- memory/2796-9-0x00000252762F0000-0x000002527630E000-memory.dmp, Filesize: 120KB
- memory/2796-10-0x0000025276FE0000-0x000002527708A000-memory.dmp, Filesize: 680KB
- memory/2796-14-0x00007FFE63120000-0x00007FFE63BE1000-memory.dmp, Filesize: 10.8MB
- memory/2796-15-0x00007FFE63120000-0x00007FFE63BE1000-memory.dmp, Filesize: 10.8MB