Overview

overview

10

Static

static

10

rblx hacks...lt.exe

windows7-x64

10

rblx hacks...lt.exe

windows10-2004-x64

10

rblx hacks...ib.dll

windows7-x64

1

rblx hacks...ib.dll

windows10-2004-x64

1

Resubmissions

11-06-2024 20:55

240611-zqvzcs1epj 10

11-06-2024 20:51

240611-zne55a1emh 10

Analysis

  • max time kernel
    149s
  • max time network
    149s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240611-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20240611-enlocale:en-usos:windows10-2004-x64system
  • submitted
    11-06-2024 20:51

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    rblx hacks REAL/Client-built.exe

  • Size

    78KB

  • MD5

    456bf5de813e40ca39898ca6ba16b1d7

  • SHA1

    4b668377e4f81802f5a975739a2799d140e04d55

  • SHA256

    9ea8612ee8a4e2599a73e99cee7afd8be19faedd655ff2f54b1f06e486021135

  • SHA512

    7f3747235a0f48c774ad084207f43201dfdac9bc3bfd340f645cd7c13b61a853e01227756d1f9f154f5f541914c316b86fcbe1ab9a130aee117f17daab9b3191

  • SSDEEP

    1536:52WjO8XeEXFh5P7v88wbjNrfxCXhRoKV6+V+nPIC:5Zv5PDwbjNrmAE+PIC

Score
10/10
discordratpersistenceratrootkitstealer

Malware Config

Extracted

Family

discordrat

Attributes
  • discord_token

    MTI0OTU3NzU3NDA5MTE5NDQxOQ.GsOG5Z.ZZXzRiXjjatxWtgj6vEvWrUD7fTQVKec_XOUKg

  • server_id

    1177034497322127390

Signatures

  • Discord RAT

    A RAT written in C# using Discord as a C2.

    stealerrootkitratpersistencediscordrat
  • Checks SCSI registry key(s) 3 TTPs 3 IoCs

    SCSI information is often read in order to detect sandboxing environments.

  • Enumerates system info in registry 2 TTPs 3 IoCs
  • Modifies data under HKEY_USERS 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 45 IoCs
  • Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 3 IoCs
  • Suspicious use of AdjustPrivilegeToken 64 IoCs
  • Suspicious use of FindShellTrayWindow 64 IoCs
  • Suspicious use of SendNotifyMessage 64 IoCs
  • Suspicious use of WriteProcessMemory 64 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\rblx hacks REAL\Client-built.exe
    "C:\Users\Admin\AppData\Local\Temp\rblx hacks REAL\Client-built.exe"
    1⤵
    • Suspicious use of AdjustPrivilegeToken
    PID:436
  • C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe"
    1⤵
    • Enumerates system info in registry
    • Modifies data under HKEY_USERS
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of FindShellTrayWindow
    • Suspicious use of SendNotifyMessage
    • Suspicious use of WriteProcessMemory
    PID:2548
    • C:\Program Files\Google\Chrome\Application\chrome.exe
      "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=110.0.5481.104 --initial-client-data=0x11c,0x120,0x124,0xf8,0x128,0x7ffda493ab58,0x7ffda493ab68,0x7ffda493ab78
      2⤵
        PID:1260
      • C:\Program Files\Google\Chrome\Application\chrome.exe
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1724 --field-trial-handle=1936,i,10594060079711693086,15434461820370029355,131072 /prefetch:2
        2⤵
          PID:2628
        • C:\Program Files\Google\Chrome\Application\chrome.exe
          "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2112 --field-trial-handle=1936,i,10594060079711693086,15434461820370029355,131072 /prefetch:8
          2⤵
            PID:2016
          • C:\Program Files\Google\Chrome\Application\chrome.exe
            "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=2236 --field-trial-handle=1936,i,10594060079711693086,15434461820370029355,131072 /prefetch:8
            2⤵
              PID:3932
            • C:\Program Files\Google\Chrome\Application\chrome.exe
              "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --first-renderer-process --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --mojo-platform-channel-handle=3096 --field-trial-handle=1936,i,10594060079711693086,15434461820370029355,131072 /prefetch:1
              2⤵
                PID:4476
              • C:\Program Files\Google\Chrome\Application\chrome.exe
                "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --mojo-platform-channel-handle=3104 --field-trial-handle=1936,i,10594060079711693086,15434461820370029355,131072 /prefetch:1
                2⤵
                  PID:4976
                • C:\Program Files\Google\Chrome\Application\chrome.exe
                  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --mojo-platform-channel-handle=3976 --field-trial-handle=1936,i,10594060079711693086,15434461820370029355,131072 /prefetch:1
                  2⤵
                    PID:740
                  • C:\Program Files\Google\Chrome\Application\chrome.exe
                    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=4368 --field-trial-handle=1936,i,10594060079711693086,15434461820370029355,131072 /prefetch:8
                    2⤵
                      PID:4680
                    • C:\Program Files\Google\Chrome\Application\chrome.exe
                      "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=4648 --field-trial-handle=1936,i,10594060079711693086,15434461820370029355,131072 /prefetch:8
                      2⤵
                        PID:1440
                      • C:\Program Files\Google\Chrome\Application\chrome.exe
                        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.ProcessorMetrics --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4580 --field-trial-handle=1936,i,10594060079711693086,15434461820370029355,131072 /prefetch:8
                        2⤵
                          PID:4292
                        • C:\Program Files\Google\Chrome\Application\chrome.exe
                          "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4880 --field-trial-handle=1936,i,10594060079711693086,15434461820370029355,131072 /prefetch:8
                          2⤵
                            PID:2648
                          • C:\Program Files\Google\Chrome\Application\chrome.exe
                            "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=4864 --field-trial-handle=1936,i,10594060079711693086,15434461820370029355,131072 /prefetch:8
                            2⤵
                              PID:3096
                          • C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe
                            "C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe"
                            1⤵
                              PID:364
                            • C:\Windows\system32\taskmgr.exe
                              "C:\Windows\system32\taskmgr.exe" /7
                              1⤵
                              • Checks SCSI registry key(s)
                              • Suspicious behavior: EnumeratesProcesses
                              • Suspicious use of FindShellTrayWindow
                              • Suspicious use of SendNotifyMessage
                              PID:3256

                            Network

                            MITRE ATT&CK Matrix ATT&CK v13

                            Initial Access

                            Execution

                            Persistence

                            Privilege Escalation

                            Defense Evasion

                            Credential Access

                            Discovery

                            Query Registry

                            2
                            T1012

                            Peripheral Device Discovery

                            1
                            T1120

                            System Information Discovery

                            2
                            T1082

                            Lateral Movement

                            Collection

                            Exfiltration

                            Command and Control

                            Impact

                            Resource Development

                            Reconnaissance

                            Replay Monitor

                            Loading Replay Monitor...

                            Downloads

                            • C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State
                              Filesize

                              1KB

                              MD5

                              050f6531f2992d10e057ebde5d077283

                              SHA1

                              8a0f26cc4bd96646fc4ec29a76bab6ad6a0234e1

                              SHA256

                              6e614ce295557af8c66d1a4087ac7b3a57a3554768f79caf2b9092c146249440

                              SHA512

                              b0967c26552babb3999241281a97fdc70d7709550c1f9a9a49916a98969895dadd8728978dae79b9ad71f3d3a27170da6b8d0b7970ebb26fdaff7acc71432386

                              Download Submit
                            • C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\SCT Auditing Pending Reports
                              Filesize

                              2B

                              MD5

                              d751713988987e9331980363e24189ce

                              SHA1

                              97d170e1550eee4afc0af065b78cda302a97674c

                              SHA256

                              4f53cda18c2baa0c0354bb5f9a3ecbe5ed12ab4d8e11ba873c2f11161202b945

                              SHA512

                              b25b294cb4deb69ea00a4c3cf3113904801b6015e5956bd019a8570b1fe1d6040e944ef3cdee16d0a46503ca6e659a25f21cf9ceddc13f352a3c98138c15d6af

                              Download Submit
                            • C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity
                              Filesize

                              356B

                              MD5

                              749b5e9d96ab1cf2b5bab6c5340bbc92

                              SHA1

                              c782c7716d6bfadd1fab5fbd1ac8e3a46b1f5eb8

                              SHA256

                              bf9a6199355096281276afac376ad95c4adaccd3f905e3251b640331f5ed831a

                              SHA512

                              ec6355f921eea4a8506907ac068f594a368831c63bf95ee358ef569a09715838dd63817260afb43f43467209f747461cfa6b46eecf6acbfa238087a2704994eb

                              Download Submit
                            • C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences
                              Filesize

                              6KB

                              MD5

                              884f5c242ea4d93c4d353de188105e7f

                              SHA1

                              ab7bd373428db119f0a8342febd0100335bee078

                              SHA256

                              b2546d33818b6e420172e5cf1a5ed2644cea2c2077ca83dcf315391e11533a86

                              SHA512

                              a71b7b2cded96427b612e1cac20b363116f5a616fbda7e395aebdc44bf8c9869a4488c926ed9ce71963c4c27222ad92967192c33db986d828d2e15608096d181

                              Download Submit
                            • C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State
                              Filesize

                              138KB

                              MD5

                              6e12d8224f3ec5f1393eaf6ad55a7458

                              SHA1

                              146f015c262fdec2e4168049d7131e9e1f36cd46

                              SHA256

                              c747d63b952ab9f432a8370407e8c92e4f53da6f0c4299c3b0a1ce9d8931ad4b

                              SHA512

                              73081f22dee423428ff37c0d7a01fe3adca788f82ce2fae0d843cf6d7f13326cc180e05142aa0f0ca15c275072cb232255479217d70044fbc693633101b7fd83

                              Download Submit
                            • \??\pipe\crashpad_2548_VDFYEIUWOLYXSWTE
                              MD5

                              d41d8cd98f00b204e9800998ecf8427e

                              SHA1

                              da39a3ee5e6b4b0d3255bfef95601890afd80709

                              SHA256

                              e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

                              SHA512

                              cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

                              Download Submit
                            • memory/436-5-0x00007FFDA9780000-0x00007FFDAA241000-memory.dmp
                              Filesize

                              10.8MB

                              Download
                            • memory/436-0-0x00007FFDA9783000-0x00007FFDA9785000-memory.dmp
                              Filesize

                              8KB

                              Download
                            • memory/436-4-0x00000170D6280000-0x00000170D67A8000-memory.dmp
                              Filesize

                              5.2MB

                              Download
                            • memory/436-3-0x00007FFDA9780000-0x00007FFDAA241000-memory.dmp
                              Filesize

                              10.8MB

                              Download
                            • memory/436-2-0x00000170D5940000-0x00000170D5B02000-memory.dmp
                              Filesize

                              1.8MB

                              Download
                            • memory/436-1-0x00000170BB2E0000-0x00000170BB2F8000-memory.dmp
                              Filesize

                              96KB

                              Download
                            • memory/3256-72-0x000001E30FC90000-0x000001E30FC91000-memory.dmp
                              Filesize

                              4KB

                              Download
                            • memory/3256-71-0x000001E30FC90000-0x000001E30FC91000-memory.dmp
                              Filesize

                              4KB

                              Download
                            • memory/3256-82-0x000001E30FC90000-0x000001E30FC91000-memory.dmp
                              Filesize

                              4KB

                              Download
                            • memory/3256-81-0x000001E30FC90000-0x000001E30FC91000-memory.dmp
                              Filesize

                              4KB

                              Download
                            • memory/3256-80-0x000001E30FC90000-0x000001E30FC91000-memory.dmp
                              Filesize

                              4KB

                              Download
                            • memory/3256-79-0x000001E30FC90000-0x000001E30FC91000-memory.dmp
                              Filesize

                              4KB

                              Download
                            • memory/3256-78-0x000001E30FC90000-0x000001E30FC91000-memory.dmp
                              Filesize

                              4KB

                              Download
                            • memory/3256-77-0x000001E30FC90000-0x000001E30FC91000-memory.dmp
                              Filesize

                              4KB

                              Download
                            • memory/3256-76-0x000001E30FC90000-0x000001E30FC91000-memory.dmp
                              Filesize

                              4KB

                              Download
                            • memory/3256-70-0x000001E30FC90000-0x000001E30FC91000-memory.dmp
                              Filesize

                              4KB

                              Download