Malware Analysis Report

2024-09-11 09:07

Sample ID 240623-fjffjs1ajb
Target Wave.exe
SHA256 134bc640e8cc14d6c30f91407a8c812a63319072343bbf8a6bc2aaf3a902d44b
Tags
discordrat persistence rat rootkit stealer
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK Matrix

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

134bc640e8cc14d6c30f91407a8c812a63319072343bbf8a6bc2aaf3a902d44b

Threat Level: Known bad

The file Wave.exe was found to be: Known bad.

Malicious Activity Summary

discordrat persistence rat rootkit stealer

Discord RAT

Checks computer location settings

Executes dropped EXE

Legitimate hosting services abused for malware hosting/C2

Enumerates physical storage devices

Unsigned PE

Suspicious use of AdjustPrivilegeToken

Suspicious use of WriteProcessMemory

MITRE ATT&CK Matrix V13

Analysis: static1

Detonation Overview

Reported

2024-06-23 04:53

Signatures

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-06-23 04:53

Reported

2024-06-23 04:56

Platform

win10v2004-20240611-en

Max time kernel

38s

Max time network

49s

Command Line

"C:\Users\Admin\AppData\Local\Temp\Wave.exe"

Signatures

Discord RAT

stealer rootkit rat persistence discordrat

Checks computer location settings

Description | Indicator | Process | Target
Key value queried | \REGISTRY\USER\S-1-5-21-4204450073-1267028356-951339405-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\Wave.exe | N/A

Executes dropped EXE

Description | Indicator | Process | Target
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\RarSFX0\Client-built.exe | N/A

Legitimate hosting services abused for malware hosting/C2

Description | Indicator | Process | Target
N/A | discord.com | N/A | N/A
N/A | discord.com | N/A | N/A
N/A | discord.com | N/A | N/A

Enumerates physical storage devices

Suspicious use of AdjustPrivilegeToken

Description | Indicator | Process | Target
Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\RarSFX0\Client-built.exe | N/A
Token: SeShutdownPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\RarSFX0\Client-built.exe | N/A

Suspicious use of WriteProcessMemory

Description | Indicator | Process | Target
PID 4488 wrote to memory of 392 | N/A | C:\Users\Admin\AppData\Local\Temp\Wave.exe | C:\Users\Admin\AppData\Local\Temp\RarSFX0\Client-built.exe
PID 4488 wrote to memory of 392 | N/A | C:\Users\Admin\AppData\Local\Temp\Wave.exe | C:\Users\Admin\AppData\Local\Temp\RarSFX0\Client-built.exe

Processes

C:\Users\Admin\AppData\Local\Temp\Wave.exe

"C:\Users\Admin\AppData\Local\Temp\Wave.exe"

C:\Users\Admin\AppData\Local\Temp\RarSFX0\Client-built.exe

"C:\Users\Admin\AppData\Local\Temp\RarSFX0\Client-built.exe"

Network

Country | Destination | Domain | Proto
US | 8.8.8.8:53 | 8.8.8.8.in-addr.arpa | udp
US | 8.8.8.8:53 | 217.106.137.52.in-addr.arpa | udp
US | 8.8.8.8:53 | g.bing.com | udp
US | 204.79.197.237:443 | g.bing.com | tcp
US | 8.8.8.8:53 | 0.159.190.20.in-addr.arpa | udp
US | 8.8.8.8:53 | 237.197.79.204.in-addr.arpa | udp
US | 8.8.8.8:53 | 144.107.17.2.in-addr.arpa | udp
NL | 23.62.61.97:443 | www.bing.com | tcp
US | 8.8.8.8:53 | 97.61.62.23.in-addr.arpa | udp
US | 8.8.8.8:53 | gateway.discord.gg | udp
US | 162.159.136.234:443 | gateway.discord.gg | tcp
US | 8.8.8.8:53 | 234.136.159.162.in-addr.arpa | udp
US | 8.8.8.8:53 | discord.com | udp
US | 162.159.135.232:443 | discord.com | tcp
US | 8.8.8.8:53 | 232.135.159.162.in-addr.arpa | udp
US | 8.8.8.8:53 | geolocation-db.com | udp
DE | 159.89.102.253:443 | geolocation-db.com | tcp
US | 8.8.8.8:53 | 253.102.89.159.in-addr.arpa | udp
US | 162.159.135.232:443 | discord.com | tcp
US | 8.8.8.8:53 | 58.55.71.13.in-addr.arpa | udp
US | 8.8.8.8:53 | 157.123.68.40.in-addr.arpa | udp
US | 8.8.8.8:53 | 171.39.242.20.in-addr.arpa | udp
US | 8.8.8.8:53 | 172.214.232.199.in-addr.arpa | udp

Files

C:\Users\Admin\AppData\Local\Temp\RarSFX0\Client-built.exe

MD5 c2207566970ad0379a62da59e3c4caff
SHA1 59759d884744c5c025fe800a0b86b63555f7bfe9
SHA256 61247d55a049a1a16833a6be90b50ceef20340db7b31181b07d95cbc345dd1ba
SHA512 2b6a2684c1a5db78fc1080c26b7263bb5c04eb760d142369cd4d987b35ff9fd76092fe3ceae0633f26f98a12b4d1b5b4aca7071a7022d22d264237dbf1a488bc

memory/392-12-0x0000020634A70000-0x0000020634A88000-memory.dmp

memory/392-13-0x00007FFE36403000-0x00007FFE36405000-memory.dmp

memory/392-14-0x000002064F0E0000-0x000002064F2A2000-memory.dmp

memory/392-15-0x00007FFE36400000-0x00007FFE36EC1000-memory.dmp

memory/392-16-0x000002064F9D0000-0x000002064FEF8000-memory.dmp

memory/392-17-0x00007FFE36403000-0x00007FFE36405000-memory.dmp

memory/392-18-0x00007FFE36400000-0x00007FFE36EC1000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted

2024-06-23 04:53

Reported

2024-06-23 05:26

Platform

win11-20240508-en

Max time kernel

1778s

Max time network

1787s

Command Line

"C:\Users\Admin\AppData\Local\Temp\Wave.exe"

Signatures

Discord RAT

stealer rootkit rat persistence discordrat

Executes dropped EXE

Description | Indicator | Process | Target
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\RarSFX0\Client-built.exe | N/A

Enumerates physical storage devices

Suspicious use of AdjustPrivilegeToken

Description | Indicator | Process | Target
Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\RarSFX0\Client-built.exe | N/A

Suspicious use of WriteProcessMemory

Description | Indicator | Process | Target
PID 1784 wrote to memory of 4068 | N/A | C:\Users\Admin\AppData\Local\Temp\Wave.exe | C:\Users\Admin\AppData\Local\Temp\RarSFX0\Client-built.exe
PID 1784 wrote to memory of 4068 | N/A | C:\Users\Admin\AppData\Local\Temp\Wave.exe | C:\Users\Admin\AppData\Local\Temp\RarSFX0\Client-built.exe

Processes

C:\Users\Admin\AppData\Local\Temp\Wave.exe

"C:\Users\Admin\AppData\Local\Temp\Wave.exe"

C:\Users\Admin\AppData\Local\Temp\RarSFX0\Client-built.exe

"C:\Users\Admin\AppData\Local\Temp\RarSFX0\Client-built.exe"

Network

Country | Destination | Domain | Proto
US | 8.8.8.8:53 | gateway.discord.gg | udp
US | 52.111.229.19:443 | | tcp

Files

C:\Users\Admin\AppData\Local\Temp\RarSFX0\Client-built.exe

MD5 c2207566970ad0379a62da59e3c4caff
SHA1 59759d884744c5c025fe800a0b86b63555f7bfe9
SHA256 61247d55a049a1a16833a6be90b50ceef20340db7b31181b07d95cbc345dd1ba
SHA512 2b6a2684c1a5db78fc1080c26b7263bb5c04eb760d142369cd4d987b35ff9fd76092fe3ceae0633f26f98a12b4d1b5b4aca7071a7022d22d264237dbf1a488bc

memory/4068-12-0x00007FFD03473000-0x00007FFD03475000-memory.dmp

memory/4068-13-0x000002ACB2DE0000-0x000002ACB2DF8000-memory.dmp

memory/4068-14-0x000002ACCD560000-0x000002ACCD722000-memory.dmp

memory/4068-15-0x00007FFD03470000-0x00007FFD03F32000-memory.dmp

memory/4068-16-0x00007FFD03470000-0x00007FFD03F32000-memory.dmp