Overview

overview

10

Static

static

10

Client-built.exe

windows7-x64

10

Client-built.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    149s
  • max time network
    149s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240508-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20240508-enlocale:en-usos:windows10-2004-x64system
  • submitted
    14-06-2024 03:35

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    Client-built.exe

  • Size

    78KB

  • MD5

    ea317a58cc47d7347c92c750da8cc10d

  • SHA1

    ab62932e5768b1eab5ea1e41f3aea5809b7995a0

  • SHA256

    2d72420e834f944d6501f8b0ae39224dc69447472eb753a350c94738a4c26171

  • SHA512

    ee2c7b05709becf6a54e48abede029bc1c16a8c02448ba39ea909120a3d81e752c3ebec002b5dd63296cb933896a0a8a8c70aff07cdad18604f7ec45f8cde096

  • SSDEEP

    1536:52WjO8XeEXFh5P7v88wbjNrfxCXhRoKV6+V+mPIC:5Zv5PDwbjNrmAE+CIC

Score
10/10
discordratpersistenceratrootkitstealer

Malware Config

Extracted

Family

discordrat

Attributes
  • discord_token

    MTI1MDI0ODQyMTI3MzUwNTg4NQ.GB_zxT.4UDWQJBV48smDnwVFo4cRRfYljfhpM92UCYlhY

  • server_id

    1250001300171653150

Signatures

  • Discord RAT

    A RAT written in C# using Discord as a C2.

    stealerrootkitratpersistencediscordrat
  • Checks SCSI registry key(s) 3 TTPs 6 IoCs

    SCSI information is often read in order to detect sandboxing environments.

  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious behavior: GetForegroundWindowSpam 1 IoCs
  • Suspicious behavior: LoadsDriver 6 IoCs
  • Suspicious use of AdjustPrivilegeToken 9 IoCs
  • Suspicious use of FindShellTrayWindow 64 IoCs
  • Suspicious use of SendNotifyMessage 64 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\Client-built.exe
    "C:\Users\Admin\AppData\Local\Temp\Client-built.exe"
    1⤵
    • Suspicious use of AdjustPrivilegeToken
    PID:4808
  • C:\Windows\system32\taskmgr.exe
    "C:\Windows\system32\taskmgr.exe" /4
    1⤵
    • Checks SCSI registry key(s)
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of FindShellTrayWindow
    • Suspicious use of SendNotifyMessage
    PID:4884
  • C:\Windows\system32\taskmgr.exe
    "C:\Windows\system32\taskmgr.exe" /4
    1⤵
    • Checks SCSI registry key(s)
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious behavior: GetForegroundWindowSpam
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of FindShellTrayWindow
    • Suspicious use of SendNotifyMessage
    PID:4984

Network

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

1
T1012

Peripheral Device Discovery

1
T1120

System Information Discovery

1
T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\AppData\Local\D3DSCache\e8010882af4f153f\F4EB2D6C-ED2B-4BDD-AD9D-F913287E6768.idx
    Filesize

    64KB

    MD5

    d2fb266b97caff2086bf0fa74eddb6b2

    SHA1

    2f0061ce9c51b5b4fbab76b37fc6a540be7f805d

    SHA256

    b09f68b61d9ff5a7c7c8b10eee9447d4813ee0e866346e629e788cd4adecb66a

    SHA512

    c3ba95a538c1d266beb83334af755c34ce642a4178ab0f2e5f7822fd6821d3b68862a8b58f167a9294e6d913b08c1054a69b5d7aec2efdb3cf9796ed84de21a8

    Download Submit
  • C:\Users\Admin\AppData\Local\D3DSCache\e8010882af4f153f\F4EB2D6C-ED2B-4BDD-AD9D-F913287E6768.lock
    Filesize

    4B

    MD5

    f49655f856acb8884cc0ace29216f511

    SHA1

    cb0f1f87ec0455ec349aaa950c600475ac7b7b6b

    SHA256

    7852fce59c67ddf1d6b8b997eaa1adfac004a9f3a91c37295de9223674011fba

    SHA512

    599e93d25b174524495ed29653052b3590133096404873318f05fd68f4c9a5c9a3b30574551141fbb73d7329d6be342699a17f3ae84554bab784776dfda2d5f8

    Download Submit
  • C:\Users\Admin\AppData\Local\D3DSCache\e8010882af4f153f\F4EB2D6C-ED2B-4BDD-AD9D-F913287E6768.val
    Filesize

    944B

    MD5

    6bd369f7c74a28194c991ed1404da30f

    SHA1

    0f8e3f8ab822c9374409fe399b6bfe5d68cbd643

    SHA256

    878947d0ec814fe7c343cdebc05eebf00eb14f3023bdb3809a559e17f399fe5d

    SHA512

    8fc5f073dc9fa1e1ae47c60a5f06e0a48709fd6a4302dffaa721858409e7bde64bc6856d3fb28891090516d1a7afc542579de287778b5755eafe75cc67d45d93

    Download Submit
  • memory/4808-1-0x00007FFFBA0D3000-0x00007FFFBA0D5000-memory.dmp
    Filesize

    8KB

    Download
  • memory/4808-2-0x000001ABCA820000-0x000001ABCA9E2000-memory.dmp
    Filesize

    1.8MB

    Download
  • memory/4808-3-0x00007FFFBA0D0000-0x00007FFFBAB91000-memory.dmp
    Filesize

    10.8MB

    Download
  • memory/4808-4-0x00007FFFBA0D0000-0x00007FFFBAB91000-memory.dmp
    Filesize

    10.8MB

    Download
  • memory/4808-0-0x000001ABB0220000-0x000001ABB0238000-memory.dmp
    Filesize

    96KB

    Download
  • memory/4884-6-0x000002B01D3D0000-0x000002B01D3D1000-memory.dmp
    Filesize

    4KB

    Download
  • memory/4884-7-0x000002B01D3D0000-0x000002B01D3D1000-memory.dmp
    Filesize

    4KB

    Download
  • memory/4884-16-0x000002B01D3D0000-0x000002B01D3D1000-memory.dmp
    Filesize

    4KB

    Download
  • memory/4884-15-0x000002B01D3D0000-0x000002B01D3D1000-memory.dmp
    Filesize

    4KB

    Download
  • memory/4884-14-0x000002B01D3D0000-0x000002B01D3D1000-memory.dmp
    Filesize

    4KB

    Download
  • memory/4884-13-0x000002B01D3D0000-0x000002B01D3D1000-memory.dmp
    Filesize

    4KB

    Download
  • memory/4884-12-0x000002B01D3D0000-0x000002B01D3D1000-memory.dmp
    Filesize

    4KB

    Download
  • memory/4884-5-0x000002B01D3D0000-0x000002B01D3D1000-memory.dmp
    Filesize

    4KB

    Download
  • memory/4884-11-0x000002B01D3D0000-0x000002B01D3D1000-memory.dmp
    Filesize

    4KB

    Download
  • memory/4884-17-0x000002B01D3D0000-0x000002B01D3D1000-memory.dmp
    Filesize

    4KB

    Download
  • memory/4984-19-0x00000231BA600000-0x00000231BA601000-memory.dmp
    Filesize

    4KB

    Download
  • memory/4984-20-0x00000231BA600000-0x00000231BA601000-memory.dmp
    Filesize

    4KB

    Download
  • memory/4984-18-0x00000231BA600000-0x00000231BA601000-memory.dmp
    Filesize

    4KB

    Download
  • memory/4984-30-0x00000231BA600000-0x00000231BA601000-memory.dmp
    Filesize

    4KB

    Download
  • memory/4984-29-0x00000231BA600000-0x00000231BA601000-memory.dmp
    Filesize

    4KB

    Download
  • memory/4984-28-0x00000231BA600000-0x00000231BA601000-memory.dmp
    Filesize

    4KB

    Download
  • memory/4984-27-0x00000231BA600000-0x00000231BA601000-memory.dmp
    Filesize

    4KB

    Download
  • memory/4984-26-0x00000231BA600000-0x00000231BA601000-memory.dmp
    Filesize

    4KB

    Download
  • memory/4984-25-0x00000231BA600000-0x00000231BA601000-memory.dmp
    Filesize

    4KB

    Download