Overview

overview

10

Static

static

10

Client-built.exe

windows7-x64

10

Client-built.exe

windows10-2004-x64

10

Resubmissions

11-06-2024 19:21

240611-x2ytaaycjl 10

11-06-2024 19:20

240611-x17d2ayarf 10

Analysis

  • max time kernel
    149s
  • max time network
    149s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240426-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20240426-enlocale:en-usos:windows10-2004-x64system
  • submitted
    11-06-2024 19:21

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    Client-built.exe

  • Size

    78KB

  • MD5

    40907421415227a30c883fd57a7b4fe4

  • SHA1

    912da0188ac70f09a42bd7933702966cd13c3006

  • SHA256

    8fe2c7bdf8198ffe699d528d6f59ac9400b9cbbb239c83652796690637dda4b7

  • SHA512

    7b4bca177fa7029a5c77144e442840e0bccfe85be85cb4b0623c25b08aaa1e090413192ff0183fc313e0ca03f7420d66860dfbed5728802d1ac0206a8f7c9666

  • SSDEEP

    1536:52WjO8XeEXFh5P7v88wbjNrfxCXhRoKV6+V+APIC:5Zv5PDwbjNrmAE+kIC

Score
10/10
discordratpersistenceratrootkitstealer

Malware Config

Extracted

Family

discordrat

Attributes
  • discord_token

    MTI0NzU2MDQxNjM0Nzk1MTEyNA.GtsxfD.DgWuDtTP5_alrH-e1pb51ojdXlaPF6goQ2izm0

  • server_id

    1247937473548648579

Signatures

  • Discord RAT

    A RAT written in C# using Discord as a C2.

    stealerrootkitratpersistencediscordrat
  • Legitimate hosting services abused for malware hosting/C2 1 TTPs 3 IoCs
  • Checks processor information in registry 2 TTPs 6 IoCs

    Processor information is often read in order to detect sandboxing environments.

  • Modifies registry class 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 3 IoCs
  • Suspicious use of FindShellTrayWindow 4 IoCs
  • Suspicious use of SendNotifyMessage 3 IoCs
  • Suspicious use of SetWindowsHookEx 1 IoCs
  • Suspicious use of WriteProcessMemory 64 IoCs
  • Uses Task Scheduler COM API 1 TTPs

    The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.

    persistence

Processes

  • C:\Users\Admin\AppData\Local\Temp\Client-built.exe
    "C:\Users\Admin\AppData\Local\Temp\Client-built.exe"
    1⤵
    • Suspicious use of AdjustPrivilegeToken
    PID:4756
  • C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe"
    1⤵
    • Suspicious use of WriteProcessMemory
    PID:3128
    • C:\Program Files\Mozilla Firefox\firefox.exe
      "C:\Program Files\Mozilla Firefox\firefox.exe"
      2⤵
      • Checks processor information in registry
      • Modifies registry class
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of FindShellTrayWindow
      • Suspicious use of SendNotifyMessage
      • Suspicious use of SetWindowsHookEx
      • Suspicious use of WriteProcessMemory
      PID:224
      • C:\Program Files\Mozilla Firefox\firefox.exe
        "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="224.0.473266513\452574821" -parentBuildID 20230214051806 -prefsHandle 1760 -prefMapHandle 1752 -prefsLen 22076 -prefMapSize 235121 -appDir "C:\Program Files\Mozilla Firefox\browser" - {3a155b76-7b6a-458a-818c-e0bf1a6ef9cf} 224 "\\.\pipe\gecko-crash-server-pipe.224" 1852 22103a0ff58 gpu
        3⤵
          PID:2992
        • C:\Program Files\Mozilla Firefox\firefox.exe
          "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="224.1.1329227464\1451653353" -parentBuildID 20230214051806 -prefsHandle 2408 -prefMapHandle 2404 -prefsLen 22112 -prefMapSize 235121 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {301e4d5e-196f-4af0-8ed5-c6c0ed300564} 224 "\\.\pipe\gecko-crash-server-pipe.224" 2420 22103f79b58 socket
          3⤵
            PID:3164
          • C:\Program Files\Mozilla Firefox\firefox.exe
            "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="224.2.229434667\1924265790" -childID 1 -isForBrowser -prefsHandle 3008 -prefMapHandle 3004 -prefsLen 22150 -prefMapSize 235121 -jsInitHandle 1204 -jsInitLen 246560 -a11yResourceId 64 -parentBuildID 20230214051806 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {8ea4eb0b-8dcf-4449-8813-117c6df37808} 224 "\\.\pipe\gecko-crash-server-pipe.224" 2848 2210690bc58 tab
            3⤵
              PID:3332
            • C:\Program Files\Mozilla Firefox\firefox.exe
              "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="224.3.1403409763\724762833" -childID 2 -isForBrowser -prefsHandle 3688 -prefMapHandle 3672 -prefsLen 27616 -prefMapSize 235121 -jsInitHandle 1204 -jsInitLen 246560 -a11yResourceId 64 -parentBuildID 20230214051806 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {c7c3666a-ca1d-42b9-b4a0-0d7084b4f872} 224 "\\.\pipe\gecko-crash-server-pipe.224" 3332 22108b69558 tab
              3⤵
                PID:2736
              • C:\Program Files\Mozilla Firefox\firefox.exe
                "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="224.4.1886639612\771462532" -childID 3 -isForBrowser -prefsHandle 5260 -prefMapHandle 5256 -prefsLen 27616 -prefMapSize 235121 -jsInitHandle 1204 -jsInitLen 246560 -a11yResourceId 64 -parentBuildID 20230214051806 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {db37b1e8-496f-477d-8fd5-280e44f7cf56} 224 "\\.\pipe\gecko-crash-server-pipe.224" 5264 221086fd658 tab
                3⤵
                  PID:5112
                • C:\Program Files\Mozilla Firefox\firefox.exe
                  "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="224.5.1912792205\1072426679" -childID 4 -isForBrowser -prefsHandle 5484 -prefMapHandle 5480 -prefsLen 27616 -prefMapSize 235121 -jsInitHandle 1204 -jsInitLen 246560 -a11yResourceId 64 -parentBuildID 20230214051806 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {27acec6d-2053-44bc-956b-cbf409264007} 224 "\\.\pipe\gecko-crash-server-pipe.224" 5492 221086fdc58 tab
                  3⤵
                    PID:1436
                  • C:\Program Files\Mozilla Firefox\firefox.exe
                    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="224.6.1928796574\598267265" -childID 5 -isForBrowser -prefsHandle 5688 -prefMapHandle 5684 -prefsLen 27616 -prefMapSize 235121 -jsInitHandle 1204 -jsInitLen 246560 -a11yResourceId 64 -parentBuildID 20230214051806 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {0336f053-6db3-4abb-bd8d-28f3137618cb} 224 "\\.\pipe\gecko-crash-server-pipe.224" 5696 221086feb58 tab
                    3⤵
                      PID:524
                    • C:\Program Files\Mozilla Firefox\firefox.exe
                      "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="224.7.1233766120\1153290894" -childID 6 -isForBrowser -prefsHandle 6072 -prefMapHandle 6076 -prefsLen 31087 -prefMapSize 235121 -jsInitHandle 1204 -jsInitLen 246560 -a11yResourceId 64 -parentBuildID 20230214051806 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {3d141446-c1e9-410c-97d8-1db0cb0f14e0} 224 "\\.\pipe\gecko-crash-server-pipe.224" 6104 22112d2d658 tab
                      3⤵
                        PID:2408

                  Network

                  MITRE ATT&CK Enterprise v15

                  Replay Monitor

                  Loading Replay Monitor...

                  Downloads

                  • C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\nzxw1g49.default-release\activity-stream.discovery_stream.json.tmp
                    Filesize

                    26KB

                    MD5

                    29b181d0093a10971600436f50465c58

                    SHA1

                    ca4983ec2be367e6d04a20c01f5980352e3cb10c

                    SHA256

                    ab46991ce9951706af1d5833beef5b995fe9beb502ababe5528c35311100b7ac

                    SHA512

                    a6ea7849bf0b266ddb2809cd10f4c7f9f287fcec42888ff18092ef633318024a5e14d515fd0e9ce140bf2321e59cb25b4c96018e5fa563bc12b4420727b9e5de

                    Download Submit

                  • C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\nzxw1g49.default-release\cache2\entries\383A97A57B113BD106DE6984E6DBA5F537327263
                    Filesize

                    13KB

                    MD5

                    3104963ddc0836036ab098769fef19d7

                    SHA1

                    d940ce4ad210d16289901a84ec86cf3ecdd3df9e

                    SHA256

                    9fbb91352a70e38664e6cf56bffabafc9d4183dfaf829ee80a5c5c1de3db7d5d

                    SHA512

                    fd4989ec80c047d5dd78cd23a29b49e07b486d46489d698b955e415af24e2dc6521175925c16ed3790210d7699b8ffdc10a209cd991809f72e1f04f982f9596b

                    Download Submit

                  • C:\Users\Admin\AppData\Local\Temp\tmpaddon
                    Filesize

                    442KB

                    MD5

                    85430baed3398695717b0263807cf97c

                    SHA1

                    fffbee923cea216f50fce5d54219a188a5100f41

                    SHA256

                    a9f4281f82b3579581c389e8583dc9f477c7fd0e20c9dfc91a2e611e21e3407e

                    SHA512

                    06511f1f6c6d44d076b3c593528c26a602348d9c41689dbf5ff716b671c3ca5756b12cb2e5869f836dedce27b1a5cfe79b93c707fd01f8e84b620923bb61b5f1

                    Download Submit

                  • C:\Users\Admin\AppData\Local\Temp\tmpaddon-1
                    Filesize

                    8.0MB

                    MD5

                    a01c5ecd6108350ae23d2cddf0e77c17

                    SHA1

                    c6ac28a2cd979f1f9a75d56271821d5ff665e2b6

                    SHA256

                    345d44e3aa3e1967d186a43d732c8051235c43458169a5d7d371780a6475ee42

                    SHA512

                    b046dd1b26ec0b810ee441b7ad4dc135e3f1521a817b9f3db60a32976352e8f7e53920e1a77fc5b4130aac260d79deef7e823267b4414e9cc774d8bffca56a72

                    Download Submit

                  • C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\nzxw1g49.default-release\gmp-gmpopenh264\1.8.1.2\gmpopenh264.dll
                    Filesize

                    997KB

                    MD5

                    fe3355639648c417e8307c6d051e3e37

                    SHA1

                    f54602d4b4778da21bc97c7238fc66aa68c8ee34

                    SHA256

                    1ed7877024be63a049da98733fd282c16bd620530a4fb580dacec3a78ace914e

                    SHA512

                    8f4030bb2464b98eccbea6f06eb186d7216932702d94f6b84c56419e9cf65a18309711ab342d1513bf85aed402bc3535a70db4395874828f0d35c278dd2eac9c

                    Download Submit

                  • C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\nzxw1g49.default-release\gmp-gmpopenh264\1.8.1.2\gmpopenh264.info
                    Filesize

                    116B

                    MD5

                    3d33cdc0b3d281e67dd52e14435dd04f

                    SHA1

                    4db88689282fd4f9e9e6ab95fcbb23df6e6485db

                    SHA256

                    f526e9f98841d987606efeaff7f3e017ba9fd516c4be83890c7f9a093ea4c47b

                    SHA512

                    a4a96743332cc8ef0f86bc2e6122618bfc75ed46781dadbac9e580cd73df89e74738638a2cccb4caa4cbbf393d771d7f2c73f825737cdb247362450a0d4a4bc1

                    Download Submit

                  • C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\nzxw1g49.default-release\gmp-widevinecdm\4.10.2557.0\LICENSE.txt
                    Filesize

                    479B

                    MD5

                    49ddb419d96dceb9069018535fb2e2fc

                    SHA1

                    62aa6fea895a8b68d468a015f6e6ab400d7a7ca6

                    SHA256

                    2af127b4e00f7303de8271996c0c681063e4dc7abdc7b2a8c3fe5932b9352539

                    SHA512

                    48386217dabf7556e381ab3f5924b123a0a525969ff98f91efb03b65477c94e48a15d9abcec116b54616d36ad52b6f1d7b8b84c49c204e1b9b43f26f2af92da2

                    Download Submit

                  • C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\nzxw1g49.default-release\gmp-widevinecdm\4.10.2557.0\manifest.json
                    Filesize

                    372B

                    MD5

                    8be33af717bb1b67fbd61c3f4b807e9e

                    SHA1

                    7cf17656d174d951957ff36810e874a134dd49e0

                    SHA256

                    e92d3394635edfb987a7528e0ccd24360e07a299078df2a6967ca3aae22fa2dd

                    SHA512

                    6125f60418e25fee896bf59f5672945cd8f36f03665c721837bb50adf5b4dfef2dddbfcfc817555027dcfa90e1ef2a1e80af1219e8063629ea70263d2fc936a7

                    Download Submit

                  • C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\nzxw1g49.default-release\gmp-widevinecdm\4.10.2557.0\widevinecdm.dll
                    Filesize

                    11.8MB

                    MD5

                    33bf7b0439480effb9fb212efce87b13

                    SHA1

                    cee50f2745edc6dc291887b6075ca64d716f495a

                    SHA256

                    8ee42d9258e20bbc5bfdfae61605429beb5421ffeaaa0d02b86d4978f4b4ac4e

                    SHA512

                    d329a1a1d98e302142f2776de8cc2cd45a465d77cb21c461bdf5ee58c68073a715519f449cb673977288fe18401a0abcce636c85abaec61a4a7a08a16c924275

                    Download Submit

                  • C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\nzxw1g49.default-release\gmp-widevinecdm\4.10.2557.0\widevinecdm.dll.lib
                    Filesize

                    1KB

                    MD5

                    688bed3676d2104e7f17ae1cd2c59404

                    SHA1

                    952b2cdf783ac72fcb98338723e9afd38d47ad8e

                    SHA256

                    33899a3ebc22cb8ed8de7bd48c1c29486c0279b06d7ef98241c92aef4e3b9237

                    SHA512

                    7a0e3791f75c229af79dd302f7d0594279f664886fea228cfe78e24ef185ae63aba809aa1036feb3130066deadc8e78909c277f0a7ed1e3485df3cf2cd329776

                    Download Submit

                  • C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\nzxw1g49.default-release\gmp-widevinecdm\4.10.2557.0\widevinecdm.dll.sig
                    Filesize

                    1KB

                    MD5

                    937326fead5fd401f6cca9118bd9ade9

                    SHA1

                    4526a57d4ae14ed29b37632c72aef3c408189d91

                    SHA256

                    68a03f075db104f84afdd8fca45a7e4bff7b55dc1a2a24272b3abe16d8759c81

                    SHA512

                    b232f6cf3f88adb346281167ac714c4c4c7aac15175087c336911946d12d63d3a3a458e06b298b41a7ec582ef09fe238da3a3166ff89c450117228f7485c22d2

                    Download Submit

                  • C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\nzxw1g49.default-release\prefs-1.js
                    Filesize

                    7KB

                    MD5

                    7a457e3fd89fd580cddb041bb518896e

                    SHA1

                    dab9fa72a307208c84d5e39c3c0ca5539af8cd6b

                    SHA256

                    615a1a418721eca43d69243846f789abcb618c160674ebe639eccb7bdbb3f6ab

                    SHA512

                    7a4c934cd8ce79a62294ad3b85c705ac5ac7d4d436115469ca1a76be457049b4ebc1c4f681015b2cdddcf24644851e1d92c7dbd2c6e93f2d5afc647556268f6b

                    Download Submit

                  • C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\nzxw1g49.default-release\prefs-1.js
                    Filesize

                    10KB

                    MD5

                    b1e3b0cd9919681e2183d35d33c7a831

                    SHA1

                    81bf3c80dfdb5836e4fdfa322f14c00b61b1fec1

                    SHA256

                    bd261120157359524913629a0be0cc9891b286157f516f4c00d9ea8e73fd1bd3

                    SHA512

                    39e28ac87589d4d0f317727a5c233caadfab7f738571a86a49a17074cf336ff6c5ac313f480a06c698b8f61acd15e3ca4d844534719a4a669f2967fea4cfe1f2

                    Download Submit

                  • C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\nzxw1g49.default-release\sessionstore-backups\recovery.jsonlz4
                    Filesize

                    4KB

                    MD5

                    dec33d0367621691a987aeaec83a94f6

                    SHA1

                    f38f0116881bd00f7f5a42f67ee39dbd392f408d

                    SHA256

                    45758efd94a10838da3627ec2add5bec8480dc34bd75a3c62cdc75ab7ae41f19

                    SHA512

                    b83fa378b38a440a8eae7239a3894f9d8961e2d5de124e495857d316f3aedaeb7d23b6bf49c04b203b9cdd2170ce00c97b9df8efa17b74fd7db7cb54c7af7450

                    Download Submit

                  • C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\nzxw1g49.default-release\sessionstore-backups\recovery.jsonlz4
                    Filesize

                    4KB

                    MD5

                    1a6977cd76ada6e5ebf1c3522857a78c

                    SHA1

                    015b0e1bad3a5b81afb3e11ac470d2c1da44d52a

                    SHA256

                    dce8ce89c4501c6a8c7ea14d1df8fe153a623072d489a7bc9b9c3a0bb42900f4

                    SHA512

                    1cf3e97bc12c396eadaa52ac3ad4f06b7c7a4a9d031438184d04766e5a29c02740cf13d930bf51fb279aae8192ebc6ccca0b6856215bc2acb994f25e068f5529

                    Download Submit

                  • C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\nzxw1g49.default-release\sessionstore-backups\recovery.jsonlz4
                    Filesize

                    4KB

                    MD5

                    8316e376a2a191dc0b4ca9a0d015d5a5

                    SHA1

                    475812cc6fa57f240f6f3190ec59045fcb98ba0f

                    SHA256

                    f419d69ecf6b7c934a7ebe44bb1da0e8d89251bad319830d0f2d1a9b18af3313

                    SHA512

                    b2480c23d095742e313ba49cf61539425e1f22a0d9f718d758b0e571867309172cafefb098901cc04d9cb1840099d7b8b486aa56ca52c4fe0c627988c600ed6e

                    Download Submit

                  • C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\nzxw1g49.default-release\sessionstore-backups\recovery.jsonlz4
                    Filesize

                    3KB

                    MD5

                    b12b3d365108fc073c1a5f73f63d4f94

                    SHA1

                    0535028797b44f8831c04620620c92fa9810f572

                    SHA256

                    2f691c9ab14fe89573b904ac43a47fb56f60df3728f7af4273a2ad467c2b01fc

                    SHA512

                    da72e72c0744dced78620d092af56f5c09cf5278a712008fac8cc4735d4accacc66db5e6c2a34ee5284b2a840c850006045dd28b38ebb63322a09cf9129836c2

                    Download Submit

                  • C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\nzxw1g49.default-release\sessionstore-backups\recovery.jsonlz4
                    Filesize

                    1KB

                    MD5

                    8d1da30acd654a9bb7ab1f062cba42f1

                    SHA1

                    ac12a23d8c58ccff33967b21638e45d25f4c23fc

                    SHA256

                    267820f91f2b7406659ab8cbbb9437287c116bcd9aad2667720de805c8442b0c

                    SHA512

                    40fcf30b14cea7556059750ba67ea55938e23a3830d972e13b1aeab567d502ce623dd4bd8a6671228fcd0d227e96fc90203a7cc83cb4b4e080e6e241b59b5531

                    Download Submit

                  • memory/4756-5-0x00007FF83C2D3000-0x00007FF83C2D5000-memory.dmp

                    Filesize

                    8KB

                    Download

                  • memory/4756-1-0x00007FF83C2D3000-0x00007FF83C2D5000-memory.dmp

                    Filesize

                    8KB

                    Download

                  • memory/4756-2-0x000001C3E7B20000-0x000001C3E7CE2000-memory.dmp

                    Filesize

                    1.8MB

                    Download

                  • memory/4756-3-0x00007FF83C2D0000-0x00007FF83CD91000-memory.dmp

                    Filesize

                    10.8MB

                    Download

                  • memory/4756-4-0x000001C3E8320000-0x000001C3E8848000-memory.dmp

                    Filesize

                    5.2MB

                    Download

                  • memory/4756-0-0x000001C3CD430000-0x000001C3CD448000-memory.dmp

                    Filesize

                    96KB

                    Download

                  • memory/4756-6-0x00007FF83C2D0000-0x00007FF83CD91000-memory.dmp

                    Filesize

                    10.8MB

                    Download