Overview

overview

10

Static

static

1

URLScan

urlscan

1

https://shorturl.at/...

windows11-21h2-x64

10

Analysis

  • max time kernel
    67s
  • max time network
    69s
  • platform
    windows11-21h2_x64
  • resource
    win11-20240508-en
  • resource tags

    arch:x64arch:x86image:win11-20240508-enlocale:en-usos:windows11-21h2-x64system
  • submitted
    03-06-2024 20:50

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    https://shorturl.at/us7lS

Score
10/10
discordratpersistenceratrootkitstealer

Malware Config

Signatures

  • Discord RAT

    A RAT written in C# using Discord as a C2.

    stealerrootkitratpersistencediscordrat
  • Executes dropped EXE 3 IoCs
  • Loads dropped DLL 2 IoCs
  • Checks processor information in registry 2 TTPs 6 IoCs

    Processor information is often read in order to detect sandboxing environments.

  • Modifies registry class 1 IoCs
  • NTFS ADS 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 9 IoCs
  • Suspicious use of FindShellTrayWindow 5 IoCs
  • Suspicious use of SendNotifyMessage 3 IoCs
  • Suspicious use of SetWindowsHookEx 4 IoCs
  • Suspicious use of WriteProcessMemory 64 IoCs
  • Uses Task Scheduler COM API 1 TTPs

    The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.

    persistence

Processes

  • C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -osint -url "https://shorturl.at/us7lS"
    1⤵
    • Suspicious use of WriteProcessMemory
    PID:2008
    • C:\Program Files\Mozilla Firefox\firefox.exe
      "C:\Program Files\Mozilla Firefox\firefox.exe" -osint -url https://shorturl.at/us7lS
      2⤵
      • Checks processor information in registry
      • Modifies registry class
      • NTFS ADS
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of FindShellTrayWindow
      • Suspicious use of SendNotifyMessage
      • Suspicious use of SetWindowsHookEx
      • Suspicious use of WriteProcessMemory
      PID:2316
      • C:\Program Files\Mozilla Firefox\firefox.exe
        "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="2316.0.1888269553\239651528" -parentBuildID 20230214051806 -prefsHandle 1740 -prefMapHandle 1732 -prefsLen 22074 -prefMapSize 235121 -appDir "C:\Program Files\Mozilla Firefox\browser" - {0c1d65d5-75f9-40f9-92c1-8a8fe251c062} 2316 "\\.\pipe\gecko-crash-server-pipe.2316" 1832 2467ac0b958 gpu
        3⤵
          PID:4064
        • C:\Program Files\Mozilla Firefox\firefox.exe
          "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="2316.1.1494917607\1643861216" -parentBuildID 20230214051806 -prefsHandle 2348 -prefMapHandle 2336 -prefsLen 22925 -prefMapSize 235121 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {8a8318fa-db9d-4efc-8613-0f28ce4848c6} 2316 "\\.\pipe\gecko-crash-server-pipe.2316" 2376 2466e086b58 socket
          3⤵
            PID:3644
          • C:\Program Files\Mozilla Firefox\firefox.exe
            "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="2316.2.1557989565\2114495583" -childID 1 -isForBrowser -prefsHandle 3232 -prefMapHandle 3240 -prefsLen 22963 -prefMapSize 235121 -jsInitHandle 1364 -jsInitLen 246560 -a11yResourceId 64 -parentBuildID 20230214051806 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {b33a1e98-6f39-4b9e-8216-290f000f7ccd} 2316 "\\.\pipe\gecko-crash-server-pipe.2316" 3236 2467dd2bb58 tab
            3⤵
              PID:2200
            • C:\Program Files\Mozilla Firefox\firefox.exe
              "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="2316.3.511991495\709457882" -childID 2 -isForBrowser -prefsHandle 3408 -prefMapHandle 3424 -prefsLen 27614 -prefMapSize 235121 -jsInitHandle 1364 -jsInitLen 246560 -a11yResourceId 64 -parentBuildID 20230214051806 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {e49c735a-b4fb-4ce2-bbdf-dcff8ed2bcf3} 2316 "\\.\pipe\gecko-crash-server-pipe.2316" 3400 2466e076e58 tab
              3⤵
                PID:4188
              • C:\Program Files\Mozilla Firefox\firefox.exe
                "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="2316.4.2054886368\1808533223" -childID 3 -isForBrowser -prefsHandle 5228 -prefMapHandle 5212 -prefsLen 27695 -prefMapSize 235121 -jsInitHandle 1364 -jsInitLen 246560 -a11yResourceId 64 -parentBuildID 20230214051806 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {eed1246d-ab06-4b7e-a16a-66a864f59cca} 2316 "\\.\pipe\gecko-crash-server-pipe.2316" 5184 24682149858 tab
                3⤵
                  PID:1440
                • C:\Program Files\Mozilla Firefox\firefox.exe
                  "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="2316.5.1536926321\51918635" -childID 4 -isForBrowser -prefsHandle 3136 -prefMapHandle 3008 -prefsLen 27695 -prefMapSize 235121 -jsInitHandle 1364 -jsInitLen 246560 -a11yResourceId 64 -parentBuildID 20230214051806 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {40b2fc06-53bf-4ad2-baa4-d4df17d1d0f9} 2316 "\\.\pipe\gecko-crash-server-pipe.2316" 3092 2468362e858 tab
                  3⤵
                    PID:4048
                  • C:\Program Files\Mozilla Firefox\firefox.exe
                    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="2316.6.1244569555\1376185794" -childID 5 -isForBrowser -prefsHandle 5588 -prefMapHandle 5592 -prefsLen 27695 -prefMapSize 235121 -jsInitHandle 1364 -jsInitLen 246560 -a11yResourceId 64 -parentBuildID 20230214051806 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {5fe723aa-333e-447d-9172-5ca86f6c8fe7} 2316 "\\.\pipe\gecko-crash-server-pipe.2316" 5580 2468362bb58 tab
                    3⤵
                      PID:2228
                    • C:\Program Files\Mozilla Firefox\firefox.exe
                      "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="2316.7.1611172782\1597628075" -childID 6 -isForBrowser -prefsHandle 5772 -prefMapHandle 5776 -prefsLen 27695 -prefMapSize 235121 -jsInitHandle 1364 -jsInitLen 246560 -a11yResourceId 64 -parentBuildID 20230214051806 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {ac976937-4846-442e-93bc-b8f5ff3746de} 2316 "\\.\pipe\gecko-crash-server-pipe.2316" 4812 2468362eb58 tab
                      3⤵
                        PID:5056
                  • C:\Windows\System32\rundll32.exe
                    C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
                    1⤵
                      PID:1108
                    • C:\Program Files\7-Zip\7zG.exe
                      "C:\Program Files\7-Zip\7zG.exe" x -o"C:\Users\Admin\Downloads\release\" -ad -an -ai#7zMap24022:76:7zEvent17155
                      1⤵
                      • Suspicious use of AdjustPrivilegeToken
                      • Suspicious use of FindShellTrayWindow
                      PID:4464
                    • C:\Users\Admin\Downloads\release\Release\Discord rat.exe
                      "C:\Users\Admin\Downloads\release\Release\Discord rat.exe"
                      1⤵
                      • Executes dropped EXE
                      • Suspicious use of AdjustPrivilegeToken
                      PID:2556
                    • C:\Users\Admin\Downloads\release\builder.exe
                      "C:\Users\Admin\Downloads\release\builder.exe"
                      1⤵
                      • Executes dropped EXE
                      • Loads dropped DLL
                      PID:2348
                    • C:\Users\Admin\Downloads\release\Client-built.exe
                      "C:\Users\Admin\Downloads\release\Client-built.exe"
                      1⤵
                      • Executes dropped EXE
                      • Suspicious use of AdjustPrivilegeToken
                      PID:3124

                    Network

                    MITRE ATT&CK Enterprise v15

                    Replay Monitor

                    Loading Replay Monitor...

                    Downloads

                    • C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\dpu1uz4v.default-release\activity-stream.discovery_stream.json.tmp
                      Filesize

                      23KB

                      MD5

                      3dd04d7050d1d8718cd5afe93d1bc0c3

                      SHA1

                      d4a47999f055d51be69d6a8008134f40f3e536ce

                      SHA256

                      3d7786d244aab54df6e49ce31ccf7f27adb79749a87feec784cb175b214a5781

                      SHA512

                      17fca4b9ed0bb3a4069a3e721072ff81629018232e027df2dd98a1947ec0d5929ccf0bfd3bbdf4137ad48f590d31dee80b8d191c145e6c2e2dfe118d7e5070c8

                      Download Submit

                    • C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\dpu1uz4v.default-release\prefs-1.js
                      Filesize

                      7KB

                      MD5

                      1e42d8674e7e825c361113e24f55a016

                      SHA1

                      4576244a37aa5f63f7aae2125d13c066c94c6ee7

                      SHA256

                      29a9f314ebfdafe1bb3dae9fcab7e4c1874fe7cc8c3a11887a6069f428206efb

                      SHA512

                      74b8cadfd6ac4832fc5483b34dc98ca09a044890732504870e58bf678d7ef21caf3cc77a01585f86042fa53199f2bc1e357fcd1a2d2a57abd987b86dcf1f2567

                      Download Submit

                    • C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\dpu1uz4v.default-release\sessionstore-backups\recovery.jsonlz4
                      Filesize

                      3KB

                      MD5

                      6d303b675eed5732ffee6cc830d6d197

                      SHA1

                      9c63809251314859cd66afb73f371fa2921b3b4a

                      SHA256

                      299090e64b91c0808aa5d2230107f27355c21216f711f95781b7f9f53b4cd95d

                      SHA512

                      3381b6226af85264295460a82752d4614952017c39c6588741e878285ec08d12442eb7b0aa29a9b1d2c5fa3a65d805534c451fa684a133c82dbc3477643cd1a5

                      Download Submit

                    • C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\dpu1uz4v.default-release\sessionstore-backups\recovery.jsonlz4
                      Filesize

                      3KB

                      MD5

                      e3b3f822bab6d44e9bf4afa82e26d0bd

                      SHA1

                      2beb91ec4076bb5e5e5c7edb90759669fb770f66

                      SHA256

                      8ae54bf6d6edbb21592d8444f4214fc3f92819de8546b0099feb1967c81a3604

                      SHA512

                      be1a98059e21c0a048b5878d0ad13a502e8512cb3e8ccab22b0d9f68710f54b88d7b7bece18823ba6a93556cd775f3bf29a9e0c850f37000d8ed483fdb287d2e

                      Download Submit

                    • C:\Users\Admin\Downloads\release.oRSdGBeC.zip.part
                      Filesize

                      196KB

                      MD5

                      d678cd12dbebff98f3ec7fda0a384f28

                      SHA1

                      4fc2ebf50f156c8c8c979b80de501299eabe3386

                      SHA256

                      68e60c074e827632e78c8644f0b86000279163b44213cc7a3245f1e200b9f120

                      SHA512

                      edb00e32a1ac8e1b451c2425d5b323776cc2f6b2e8446e07e2621972bf23d86d49cccae746528d86ac5c4aecac36d7af565cea29af712a9206064f84e08ed50d

                      Download Submit

                    • C:\Users\Admin\Downloads\release.zip
                      Filesize

                      445KB

                      MD5

                      06a4fcd5eb3a39d7f50a0709de9900db

                      SHA1

                      50d089e915f69313a5187569cda4e6dec2d55ca7

                      SHA256

                      c13a0cd7c2c2fd577703bff026b72ed81b51266afa047328c8ff1c4a4d965c97

                      SHA512

                      75e5f637fd3282d088b1c0c1efd0de8a128f681e4ac66d6303d205471fe68b4fbf0356a21d803aff2cca6def455abad8619fedc8c7d51e574640eda0df561f9b

                      Download Submit

                    • C:\Users\Admin\Downloads\release\Client-built.exe
                      Filesize

                      78KB

                      MD5

                      5fa78b19ae158350ead3ef50feb6a7a2

                      SHA1

                      57d57ca525968fd9d5a9ee38e783e288896caa01

                      SHA256

                      1d4914ee768fbaf1b82a860ace972a01338c12a05ff7dbdde42bfab43b21a4d5

                      SHA512

                      c0d0803b5ceaa4c3013132ead8d8a95faae4a01933c41cb4c998572c2a31c971faab5bb2c488aee8d73a16a0037a78e09130e1ecd2804c40f0665399c404c00e

                      Download Submit

                    • C:\Users\Admin\Downloads\release\Release\Discord rat.exe
                      Filesize

                      79KB

                      MD5

                      d13905e018eb965ded2e28ba0ab257b5

                      SHA1

                      6d7fe69566fddc69b33d698591c9a2c70d834858

                      SHA256

                      2bd631c6665656673a923c13359b0dc211debc05b2885127e26b0dce808e2dec

                      SHA512

                      b95bfdebef33ac72b6c21cdf0abb4961222b7efd17267cd7236e731dd0b6105ece28e784a95455f1ffc8a6dd1d580a467b07b3bd8cb2fb19e2111f1a864c97cb

                      Download Submit

                    • C:\Users\Admin\Downloads\release\builder.exe
                      Filesize

                      10KB

                      MD5

                      4f04f0e1ff050abf6f1696be1e8bb039

                      SHA1

                      bebf3088fff4595bfb53aea6af11741946bbd9ce

                      SHA256

                      ded51c306ee7e59fa15c42798c80f988f6310ea77ab77de3d12dc01233757cfa

                      SHA512

                      94713824b81de323e368fde18679ef8b8f2883378bffd2b7bd2b4e4bd5d48b35c6e71c9f8e9b058ba497db1bd0781807e5b7cecfd540dad611da0986c72b9f12

                      Download Submit

                    • C:\Users\Admin\Downloads\release\dnlib.dll
                      Filesize

                      1.1MB

                      MD5

                      508ccde8bc7003696f32af7054ca3d97

                      SHA1

                      1f6a0303c5ae5dc95853ec92fd8b979683c3f356

                      SHA256

                      4758c7c39522e17bf93b3993ada4a1f7dd42bb63331bac0dcd729885e1ba062a

                      SHA512

                      92a59a2e1f6bf0ce512d21cf4148fe027b3a98ed6da46925169a4d0d9835a7a4b1374ba0be84e576d9a8d4e45cb9c2336e1f5bd1ea53e39f0d8553db264e746d

                      Download Submit

                    • memory/2348-233-0x0000000005090000-0x0000000005122000-memory.dmp

                      Filesize

                      584KB

                      Download

                    • memory/2348-231-0x0000000000690000-0x0000000000698000-memory.dmp

                      Filesize

                      32KB

                      Download

                    • memory/2348-232-0x0000000005640000-0x0000000005BE6000-memory.dmp

                      Filesize

                      5.6MB

                      Download

                    • memory/2348-234-0x0000000005010000-0x000000000501A000-memory.dmp

                      Filesize

                      40KB

                      Download

                    • memory/2348-242-0x0000000006640000-0x0000000006762000-memory.dmp

                      Filesize

                      1.1MB

                      Download

                    • memory/2556-228-0x000001F0F4B50000-0x000001F0F5078000-memory.dmp

                      Filesize

                      5.2MB

                      Download

                    • memory/2556-227-0x00007FFED8AC0000-0x00007FFED9582000-memory.dmp

                      Filesize

                      10.8MB

                      Download

                    • memory/2556-226-0x000001F0F4300000-0x000001F0F44C2000-memory.dmp

                      Filesize

                      1.8MB

                      Download

                    • memory/2556-225-0x000001F0F1C80000-0x000001F0F1C98000-memory.dmp

                      Filesize

                      96KB

                      Download

                    • memory/2556-224-0x00007FFED8AC3000-0x00007FFED8AC5000-memory.dmp

                      Filesize

                      8KB

                      Download

                    • memory/2556-259-0x00007FFED8AC3000-0x00007FFED8AC5000-memory.dmp

                      Filesize

                      8KB

                      Download

                    • memory/2556-260-0x00007FFED8AC0000-0x00007FFED9582000-memory.dmp

                      Filesize

                      10.8MB

                      Download

                    • memory/3124-258-0x000001CCAA6F0000-0x000001CCAA708000-memory.dmp

                      Filesize

                      96KB

                      Download