Overview

overview

10

Static

static

10

Client-built.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    52s
  • max time network
    54s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240426-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20240426-enlocale:en-usos:windows10-2004-x64system
  • submitted
    31-05-2024 21:37

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    Client-built.exe

  • Size

    78KB

  • MD5

    7f755065cad905389dafe07f6e20e73f

  • SHA1

    7f9e8c2f562b6188082fdbaf71c32f0da356dc96

  • SHA256

    71d721537769fce1df1ccc3fd010a23655e558e90dadc50fb153cf3d5bfbccf3

  • SHA512

    0e540fa60e52bec83d11c353ac5447586ca71534ec5d81b4f4be941ed28e363fbd380ede88a94b9d9d84e39486c11d9a45be6497bfe07a424fe436bc4faf2f92

  • SSDEEP

    1536:A2WjO8XeEXFu5P7v88wbjNrfxCXhRoKV6+V+APIC:AZQ5PDwbjNrmAE+kIC

Score
10/10
discordratpersistenceratrootkitstealer

Malware Config

Extracted

Family

discordrat

Attributes
  • discord_token

    https://canary.discord.com/api/webhooks/1246215833953505412/9uXKZChffplNEDpn0FQSblZ-X9VTnpusfXJXgPLFJdJTmsErgGeosG6esqtb_YHLiRZo

  • server_id

    1246211698583670787

Signatures

  • Discord RAT

    A RAT written in C# using Discord as a C2.

    stealerrootkitratpersistencediscordrat
  • Checks SCSI registry key(s) 3 TTPs 3 IoCs

    SCSI information is often read in order to detect sandboxing environments.

  • Modifies registry class 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 48 IoCs
  • Suspicious use of AdjustPrivilegeToken 6 IoCs
  • Suspicious use of FindShellTrayWindow 57 IoCs
  • Suspicious use of SendNotifyMessage 57 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\Client-built.exe
    "C:\Users\Admin\AppData\Local\Temp\Client-built.exe"
    1⤵
    • Suspicious use of AdjustPrivilegeToken
    PID:4020
  • C:\Windows\system32\taskmgr.exe
    "C:\Windows\system32\taskmgr.exe" /4
    1⤵
    • Checks SCSI registry key(s)
    • Modifies registry class
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of FindShellTrayWindow
    • Suspicious use of SendNotifyMessage
    PID:4608
  • C:\Windows\System32\rundll32.exe
    C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
    1⤵
      PID:4972
    • C:\Users\Admin\AppData\Local\Temp\Client-built.exe
      "C:\Users\Admin\AppData\Local\Temp\Client-built.exe"
      1⤵
      • Suspicious use of AdjustPrivilegeToken
      PID:1944
    • C:\Users\Admin\AppData\Local\Temp\Client-built.exe
      "C:\Users\Admin\AppData\Local\Temp\Client-built.exe"
      1⤵
      • Suspicious use of AdjustPrivilegeToken
      PID:1332

    Network

    MITRE ATT&CK Enterprise v15

    Replay Monitor

    Loading Replay Monitor...

    Downloads

    • memory/4020-0-0x0000019D0AB70000-0x0000019D0AB88000-memory.dmp

      Filesize

      96KB

      Download

    • memory/4020-1-0x00007FFA34033000-0x00007FFA34035000-memory.dmp

      Filesize

      8KB

      Download

    • memory/4020-2-0x0000019D252F0000-0x0000019D254B2000-memory.dmp

      Filesize

      1.8MB

      Download

    • memory/4020-3-0x00007FFA34030000-0x00007FFA34AF1000-memory.dmp

      Filesize

      10.8MB

      Download

    • memory/4020-4-0x0000019D259F0000-0x0000019D25F18000-memory.dmp

      Filesize

      5.2MB

      Download

    • memory/4020-18-0x00007FFA34030000-0x00007FFA34AF1000-memory.dmp

      Filesize

      10.8MB

      Download

    • memory/4608-17-0x00000276D98E0000-0x00000276D98E1000-memory.dmp

      Filesize

      4KB

      Download

    • memory/4608-6-0x00000276D98E0000-0x00000276D98E1000-memory.dmp

      Filesize

      4KB

      Download

    • memory/4608-7-0x00000276D98E0000-0x00000276D98E1000-memory.dmp

      Filesize

      4KB

      Download

    • memory/4608-16-0x00000276D98E0000-0x00000276D98E1000-memory.dmp

      Filesize

      4KB

      Download

    • memory/4608-15-0x00000276D98E0000-0x00000276D98E1000-memory.dmp

      Filesize

      4KB

      Download

    • memory/4608-14-0x00000276D98E0000-0x00000276D98E1000-memory.dmp

      Filesize

      4KB

      Download

    • memory/4608-13-0x00000276D98E0000-0x00000276D98E1000-memory.dmp

      Filesize

      4KB

      Download

    • memory/4608-12-0x00000276D98E0000-0x00000276D98E1000-memory.dmp

      Filesize

      4KB

      Download

    • memory/4608-11-0x00000276D98E0000-0x00000276D98E1000-memory.dmp

      Filesize

      4KB

      Download

    • memory/4608-5-0x00000276D98E0000-0x00000276D98E1000-memory.dmp

      Filesize

      4KB

      Download