Overview

overview

10

Static

static

10

Client-built.exe

windows10-1703-x64

10

Analysis

  • max time kernel
    134s
  • max time network
    136s
  • platform
    windows10-1703_x64
  • resource
    win10-20240404-en
  • resource tags

    arch:x64arch:x86image:win10-20240404-enlocale:en-usos:windows10-1703-x64system
  • submitted
    28-05-2024 16:12

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    Client-built.exe

  • Size

    78KB

  • MD5

    de09ec6cf640a8b26391f70e1243e712

  • SHA1

    669ce7e781522bcadb745e4e50ce12c903f043b5

  • SHA256

    d82bc37ca66a2c6b78dcf7934a818d3d7692890fffe98104f30e71d9f0875e73

  • SHA512

    f146d29dfc1922e719e07f58a659a540f75d08cd20f1b54fd5070b7cfaa748c83de6ee47e80b60269530c790a3d6962f84b1a08a6459041378e6c2b36e6d01e2

  • SSDEEP

    1536:52WjO8XeEXFh5P7v88wbjNrfxCXhRoKV6+V+dPIC:5Zv5PDwbjNrmAE+NIC

Score
10/10
discordratpersistenceratrootkitstealer

Malware Config

Extracted

Family

discordrat

Attributes
  • discord_token

    MTIzNDU2NzE3OTczMTczMDQ5Nw.GCNDco.4i7LGmddJq3Pm_4DoLSiC2SvJgPZvHtymWAy_Y

  • server_id

    1195057881633001625

Signatures

  • Discord RAT

    A RAT written in C# using Discord as a C2.

    stealerrootkitratpersistencediscordrat
  • Legitimate hosting services abused for malware hosting/C2 1 TTPs 6 IoCs
  • Checks processor information in registry 2 TTPs 8 IoCs

    Processor information is often read in order to detect sandboxing environments.

  • Modifies registry class 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 3 IoCs
  • Suspicious use of FindShellTrayWindow 4 IoCs
  • Suspicious use of SendNotifyMessage 3 IoCs
  • Suspicious use of SetWindowsHookEx 1 IoCs
  • Suspicious use of WriteProcessMemory 64 IoCs
  • Uses Task Scheduler COM API 1 TTPs

    The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.

    persistence

Processes

  • C:\Users\Admin\AppData\Local\Temp\Client-built.exe
    "C:\Users\Admin\AppData\Local\Temp\Client-built.exe"
    1⤵
    • Suspicious use of AdjustPrivilegeToken
    PID:4500
  • C:\Windows\System32\rundll32.exe
    C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
    1⤵
      PID:2120
    • C:\Program Files\Mozilla Firefox\firefox.exe
      "C:\Program Files\Mozilla Firefox\firefox.exe"
      1⤵
      • Suspicious use of WriteProcessMemory
      PID:5072
      • C:\Program Files\Mozilla Firefox\firefox.exe
        "C:\Program Files\Mozilla Firefox\firefox.exe"
        2⤵
        • Checks processor information in registry
        • Modifies registry class
        • Suspicious use of AdjustPrivilegeToken
        • Suspicious use of FindShellTrayWindow
        • Suspicious use of SendNotifyMessage
        • Suspicious use of SetWindowsHookEx
        • Suspicious use of WriteProcessMemory
        PID:4612
        • C:\Program Files\Mozilla Firefox\firefox.exe
          "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="4612.0.1217162386\91578367" -parentBuildID 20221007134813 -prefsHandle 1700 -prefMapHandle 1692 -prefsLen 20747 -prefMapSize 233444 -appDir "C:\Program Files\Mozilla Firefox\browser" - {14c21fb8-2b58-44ec-8600-956a7107d39e} 4612 "\\.\pipe\gecko-crash-server-pipe.4612" 1780 229eded7858 gpu
          3⤵
            PID:3028
          • C:\Program Files\Mozilla Firefox\firefox.exe
            "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="4612.1.732460067\742105435" -parentBuildID 20221007134813 -prefsHandle 2124 -prefMapHandle 2120 -prefsLen 20828 -prefMapSize 233444 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {b81109f9-a936-4f8d-aad6-bff018f7e502} 4612 "\\.\pipe\gecko-crash-server-pipe.4612" 2136 229e2f72b58 socket
            3⤵
            • Checks processor information in registry
            PID:4592
          • C:\Program Files\Mozilla Firefox\firefox.exe
            "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="4612.2.1478592391\1985456341" -childID 1 -isForBrowser -prefsHandle 2992 -prefMapHandle 2684 -prefsLen 20931 -prefMapSize 233444 -jsInitHandle 1316 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {a58d31fc-ba8d-4d2e-bc86-24d8c00557ca} 4612 "\\.\pipe\gecko-crash-server-pipe.4612" 2784 229ede5e858 tab
            3⤵
              PID:4912
            • C:\Program Files\Mozilla Firefox\firefox.exe
              "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="4612.3.318499345\567280461" -childID 2 -isForBrowser -prefsHandle 992 -prefMapHandle 1264 -prefsLen 26109 -prefMapSize 233444 -jsInitHandle 1316 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {c650be4c-aa3e-4ca9-908a-22a6e67dbf20} 4612 "\\.\pipe\gecko-crash-server-pipe.4612" 3672 229e2f62b58 tab
              3⤵
                PID:4180
              • C:\Program Files\Mozilla Firefox\firefox.exe
                "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="4612.4.379315991\764594682" -childID 3 -isForBrowser -prefsHandle 4168 -prefMapHandle 4164 -prefsLen 26168 -prefMapSize 233444 -jsInitHandle 1316 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {8a5fbe9e-2e13-4842-b555-633163bd75af} 4612 "\\.\pipe\gecko-crash-server-pipe.4612" 4180 229f3046758 tab
                3⤵
                  PID:2124
                • C:\Program Files\Mozilla Firefox\firefox.exe
                  "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="4612.5.2104511973\11087095" -childID 4 -isForBrowser -prefsHandle 4912 -prefMapHandle 4900 -prefsLen 26249 -prefMapSize 233444 -jsInitHandle 1316 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {5f0fb379-0e2c-4833-8749-3d7b716c33b7} 4612 "\\.\pipe\gecko-crash-server-pipe.4612" 4924 229e2f67b58 tab
                  3⤵
                    PID:784
                  • C:\Program Files\Mozilla Firefox\firefox.exe
                    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="4612.6.1016318484\1528600245" -childID 5 -isForBrowser -prefsHandle 5060 -prefMapHandle 5064 -prefsLen 26249 -prefMapSize 233444 -jsInitHandle 1316 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {7df48f2a-7a6e-4977-b0e5-8c31142d4873} 4612 "\\.\pipe\gecko-crash-server-pipe.4612" 4728 229f450fa58 tab
                    3⤵
                      PID:2820
                    • C:\Program Files\Mozilla Firefox\firefox.exe
                      "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="4612.7.705348247\1836000752" -childID 6 -isForBrowser -prefsHandle 5212 -prefMapHandle 5216 -prefsLen 26249 -prefMapSize 233444 -jsInitHandle 1316 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {42b6a5d2-a6ee-4377-8598-15ed38d38325} 4612 "\\.\pipe\gecko-crash-server-pipe.4612" 5204 229f4510358 tab
                      3⤵
                        PID:4520
                      • C:\Program Files\Mozilla Firefox\firefox.exe
                        "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="4612.8.1694858547\479258347" -childID 7 -isForBrowser -prefsHandle 5692 -prefMapHandle 5104 -prefsLen 26249 -prefMapSize 233444 -jsInitHandle 1316 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {d04158bc-fb43-42e2-8839-842048429e2c} 4612 "\\.\pipe\gecko-crash-server-pipe.4612" 5424 229f6335b58 tab
                        3⤵
                          PID:3764
                        • C:\Program Files\Mozilla Firefox\firefox.exe
                          "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="4612.9.1365183442\1962007239" -parentBuildID 20221007134813 -prefsHandle 3236 -prefMapHandle 3228 -prefsLen 26503 -prefMapSize 233444 -appDir "C:\Program Files\Mozilla Firefox\browser" - {986136d8-ef37-4e06-991d-23f614403ffb} 4612 "\\.\pipe\gecko-crash-server-pipe.4612" 2640 229f5551658 rdd
                          3⤵
                            PID:884
                          • C:\Program Files\Mozilla Firefox\firefox.exe
                            "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="4612.10.527046910\411198552" -childID 8 -isForBrowser -prefsHandle 5468 -prefMapHandle 2640 -prefsLen 26503 -prefMapSize 233444 -jsInitHandle 1316 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {4d170f99-10b6-4777-9756-ce9b7a630476} 4612 "\\.\pipe\gecko-crash-server-pipe.4612" 4280 229f55d9d58 tab
                            3⤵
                              PID:2604
                            • C:\Program Files\Mozilla Firefox\firefox.exe
                              "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="4612.11.583383974\452362053" -parentBuildID 20221007134813 -sandboxingKind 1 -prefsHandle 6068 -prefMapHandle 6064 -prefsLen 26503 -prefMapSize 233444 -appDir "C:\Program Files\Mozilla Firefox\browser" - {c31a2e94-2d66-4c1a-a488-36e5cd5a745c} 4612 "\\.\pipe\gecko-crash-server-pipe.4612" 6036 229f55dbe58 utility
                              3⤵
                                PID:2192

                          Network

                          MITRE ATT&CK Matrix ATT&CK v13

                          Initial Access

                          Execution

                          Persistence

                          Privilege Escalation

                          Defense Evasion

                          Credential Access

                          Discovery

                          Query Registry

                          2
                          T1012

                          System Information Discovery

                          1
                          T1082

                          Lateral Movement

                          Collection

                          Exfiltration

                          Command and Control

                          Web Service

                          1
                          T1102

                          Impact

                          Resource Development

                          Reconnaissance

                          Replay Monitor

                          Loading Replay Monitor...

                          Downloads

                          • C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\wtg1s5j6.default-release\cache2\doomed\15551
                            Filesize

                            113KB

                            MD5

                            00fdc0df893570084d4e5d9aabcf2e45

                            SHA1

                            0b2e2efd65bf092e2b89a8ebb908af4f0436cb58

                            SHA256

                            ace169ba5ad8ceb08bfcb4697aec7e98b780374b5b9d54d23e2762a97c2afbec

                            SHA512

                            7b116875a41dda194185ed727b8a52ec3a7d9e0f7a8dd9ede94994b1c65db9ef4fee52f805334af018c5e8073f845f1e4527395058ab9d3f37256f38f2a7b441

                            Download Submit
                          • C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\wtg1s5j6.default-release\datareporting\glean\db\data.safe.bin
                            Filesize

                            2KB

                            MD5

                            3e4d48bf4832d8d263510ab8bb1bdfbe

                            SHA1

                            b4f054a5942abd026c5e2cad0a57b9e53d83b157

                            SHA256

                            37729954e23fdd837d100a12f6565e279f45f0e042b4824a9459d401ccc11ccb

                            SHA512

                            854308c7355d5605001071efb55903d769fef0b910222eb464768c6beab80173519f011a83cdec0a53dad3bac5324c67baf273ddd0460783736e619f3fd4ae00

                            Download Submit
                          • C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\wtg1s5j6.default-release\datareporting\glean\pending_pings\f9eb1699-4b16-4e03-8a29-2a1c525d2493
                            Filesize

                            11KB

                            MD5

                            9f2866decaa8b29f2b94fe5b4890b7f4

                            SHA1

                            456ea23f58ccee6d7f0a65c744094f2ed6a7b479

                            SHA256

                            a4a735c6bcc8f26b6c0214bb0fdbc1e9e1cb46f11490e4f371c6a5e6ccc77c5b

                            SHA512

                            8b8c016ea36e00171dfa393c199f95897e75130d4e021608f3f4874e6b845ec093be37b0e6d531ec74e34c369c97a15a3a8adf13a7ce672abccfdfdb53a17e82

                            Download Submit
                          • C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\wtg1s5j6.default-release\datareporting\glean\pending_pings\ff977d8a-1585-4127-ad01-84cebd0265cd
                            Filesize

                            746B

                            MD5

                            6c0de46836715db0bb000dd148f0bccb

                            SHA1

                            1fc5f0ad194f0b1ed4042e0269de6bbd54fcb2fc

                            SHA256

                            6b88a8fed01b08f935059ae4b8b5f7950f67cd581eb86242e3d2b603587ad2fc

                            SHA512

                            f6ae94c1c5264f4d4d71abed15dae6875be99c700d21078415bba3e95fb66453be0adde1e45ae009aff730921a9fb413e4b4f1160f362d845b246b8a27dd0771

                            Download Submit
                          • C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\wtg1s5j6.default-release\prefs-1.js
                            Filesize

                            6KB

                            MD5

                            6cf05535e79145ffb74719f3a757f266

                            SHA1

                            9bddeaff8535efe2d2347cced74c827dd8a93047

                            SHA256

                            37cedf5b60839b21bf99c8dbf7213840fb6a567e5e93db0555d618f4a3e891af

                            SHA512

                            e62531d84dc517044e7b7541390dc0957648b0993b142f0f9c33ad474edc3bba663c6bd0cae7433f95ef940c8c3df71a96a5ffe1d3eaa216588282fef019e78a

                            Download Submit
                          • C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\wtg1s5j6.default-release\prefs.js
                            Filesize

                            6KB

                            MD5

                            47fc7afcd37014ff8e25470540701eef

                            SHA1

                            70e38248b2036c8e81618581d062d983003bacad

                            SHA256

                            bdc7579541b035246a6a86f453077d1aa2bbc1df9a3301c6ecda96e9e0aed9ce

                            SHA512

                            48e094d6a53e112b2e4eb1d861166601655509770f309421ce4299c95f4b1422d1c343be6e8da6670ec9f0c83eaf2639281962e989e292d92871d1d61e219bd9

                            Download Submit
                          • C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\wtg1s5j6.default-release\sessionstore-backups\recovery.jsonlz4
                            Filesize

                            2KB

                            MD5

                            c96335c87a0f1d27d591f5595b4e9dc7

                            SHA1

                            1cd0724df3c79ea2af295981b78f5a8e0f7940ae

                            SHA256

                            c7f4525d5ca5416cc6de391939904a026364981d0b4f0ca0c4cf3263b82d8b02

                            SHA512

                            89b94f2adecd4dba5d63057822f26ff0620ee65af7cb6a906163974779048452007308667a0c401087aea91b1f243dc98fe03e76c65b1552778506f656a1ff17

                            Download Submit
                          • C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\wtg1s5j6.default-release\sessionstore-backups\recovery.jsonlz4
                            Filesize

                            2KB

                            MD5

                            6f4d530d29076c4c128811f10c5a62b6

                            SHA1

                            333e25a8870b7c09c2ea7163d58d888d4061b34b

                            SHA256

                            dfcf095039ba87de7fb4e36337c84b561bd951da641df03326b2d52bedcc232a

                            SHA512

                            fbd6eac1795519c66e7b7963c1103d978a52aafd4ceda60ffe29f7b2b70b2fa51bf3a6ea26d27db69de5790f5d038fcf3ff9e0ae1a80aebcd228bfbda59208f6

                            Download Submit
                          • C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\wtg1s5j6.default-release\sessionstore.jsonlz4
                            Filesize

                            2KB

                            MD5

                            9ea4b4111bf007d162595ab40796b39e

                            SHA1

                            a6d8590b478e784e7b052fe49fcdaf433fd794dd

                            SHA256

                            d076e2bbc6fbd2e0e6efb840a8aa632050083c7cc0197a024eeb534d934e5844

                            SHA512

                            be19deddbac9dffa5a91bda93e2e784848fd47d08fa0be2c13be2a41e5fa52e5ca76cedb6fb41d78b074a91647e8b44516eed6d184abd88b2d11fb41b8890710

                            Download Submit
                          • C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\wtg1s5j6.default-release\storage\permanent\chrome\idb\3870112724rsegmnoittet-es.sqlite
                            Filesize

                            184KB

                            MD5

                            0d0013d9708d9fef539adc917f5b87f6

                            SHA1

                            5e071e6b4d8abf007c8bb78ee948caf5bb0439e1

                            SHA256

                            f416d29cdbaa66b7d04483831d2a593a735316fafb643414a12df78da0ab054b

                            SHA512

                            851e9965a0fed9e0f5195ce655635cf13687d18678e4a9df807ab22cbc53c02cd2006fd65d93cd80b2a06d709e59122ea9933ba5cec551c6d51f5e9b4c175388

                            Download Submit
                          • memory/4500-5-0x00007FF8C9B70000-0x00007FF8CA55C000-memory.dmp
                            Filesize

                            9.9MB

                            Download
                          • memory/4500-4-0x000001CFE1170000-0x000001CFE1696000-memory.dmp
                            Filesize

                            5.1MB

                            Download
                          • memory/4500-3-0x00007FF8C9B70000-0x00007FF8CA55C000-memory.dmp
                            Filesize

                            9.9MB

                            Download
                          • memory/4500-2-0x000001CFE0970000-0x000001CFE0B32000-memory.dmp
                            Filesize

                            1.8MB

                            Download
                          • memory/4500-0-0x000001CFC6200000-0x000001CFC6218000-memory.dmp
                            Filesize

                            96KB

                            Download
                          • memory/4500-1-0x00007FF8C9B73000-0x00007FF8C9B74000-memory.dmp
                            Filesize

                            4KB

                            Download