discordrat | 85a287edb6eeb66eeada945ff71c946a76171be92244071c07d0ac5553d96cf2

Resubmissions

28-06-2024 20:12

240628-yzbfms1blg 10

28-06-2024 20:10

240628-yxrpvatenl 10

28-06-2024 20:02

240628-yr991atdlp 10

Analysis

max time kernel
103s
max time network
106s
platform
windows11-21h2_x64
resource
win11-20240508-en
resource tags

arch:x64arch:x86image:win11-20240508-enlocale:en-usos:windows11-21h2-x64system
submitted
28-06-2024 20:10

Sharing

Copy URL

Twitter E-mail

Reason

Machine shutdown

Report Analysis Logs

General

Target

Client-built.exe
Size

78KB
MD5

c053ebb3f0f90a7705729579d25dd194
SHA1

fe045f0584ee3656af1e89a6ca37ef68e7f252a3
SHA256

85a287edb6eeb66eeada945ff71c946a76171be92244071c07d0ac5553d96cf2
SHA512

a5beac0ec0b1ecad655f52555ff83d756169335be383bd2dd4310b4e9d2120fb939ed42116554ae1544ed9db56a3846d6ca0369d2af0430a8d7c3717e2223854
SSDEEP

1536:52WjO8XeEXFh5P7v88wbjNrfxCXhRoKV6+V+nPIC:5Zv5PDwbjNrmAE+PIC

Score

10^/10

discordrat evasion persistence privilege_escalation rat rootkit spyware stealer

Malware Config

Extracted

Family

discordrat

Attributes

discord_token
MTI0NzYzMjcxMjk1Nzk1NjE4Nw.G3MXNZ.B896PWyca43CGShZp7WvFVoaKLYOSP1no8IyaM
server_id
1247637478639271976

Signatures

Discord RAT
A RAT written in C# using Discord as a C2.
stealer rootkit rat persistence discordrat

Modifies Windows Firewall 2 TTPs 1 IoCs

evasion

Windows Service

T1543.003

Disable or Modify System Firewall

T1562.004

pid	Process
4588	NetSh.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Legitimate hosting services abused for malware hosting/C2 1 TTPs 13 IoCs

Web Service

T1102

flow	ioc
10	raw.githubusercontent.com
11	discord.com
12	discord.com
13	discord.com
1	discord.com
6	discord.com
7	raw.githubusercontent.com
8	discord.com
9	discord.com
14	discord.com
16	discord.com
1	raw.githubusercontent.com
4	discord.com

Event Triggered Execution: Netsh Helper DLL 1 TTPs 3 IoCs

Netsh.exe (also referred to as Netshell) is a command-line scripting utility used to interact with the network configuration of a system.

persistence privilege_escalation

Netsh Helper DLL

T1546.007

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	NetSh.exe
Key queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	NetSh.exe
Key value enumerated	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	NetSh.exe

Modifies registry class 1 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-3001105534-2705918504-2956618779-1000_Classes\Local Settings\MuiCache	MiniSearchHost.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	2544	Client-built.exe
Token: SeShutdownPrivilege	2544	Client-built.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
4676	MiniSearchHost.exe

Suspicious use of WriteProcessMemory 2 IoCs

description	pid	Process	procid_target
PID 2544 wrote to memory of 4588	2544	Client-built.exe	80
PID 2544 wrote to memory of 4588	2544	Client-built.exe	80

C:\Users\Admin\AppData\Local\Temp\Client-built.exe
"C:\Users\Admin\AppData\Local\Temp\Client-built.exe"
1⤵
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2544
- C:\Windows\SYSTEM32\NetSh.exe
  "NetSh.exe" Advfirewall set allprofiles state off
  2⤵
  - Modifies Windows Firewall
  - Event Triggered Execution: Netsh Helper DLL
  PID:4588

C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\MiniSearchHost.exe
"C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\MiniSearchHost.exe" -ServerName:MiniSearchUI.AppXj3y73at8fy1htwztzxs68sxx1v7cksp7.mca
1⤵
- Modifies registry class
- Suspicious use of SetWindowsHookEx
PID:4676

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Create or Modify System Process

T1543

Windows Service

T1543.003

Event Triggered Execution

T1546

Netsh Helper DLL

T1546.007

Privilege Escalation

Create or Modify System Process

T1543

Windows Service

T1543.003

Event Triggered Execution

T1546

Netsh Helper DLL

T1546.007

Defense Evasion

Impair Defenses

T1562

Disable or Modify System Firewall

T1562.004

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Packages\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\TempState\SearchHoverUnifiedTileModelCache.dat

Filesize
11KB

MD5
cd56e155edf53e5728c46b6c9eb9c413

SHA1
14b1b0f090803c9ee39797aed4af13dc7849566d

SHA256
70a6cf268c013fb4d907bedc12af3e5f802f179f0cc8353c7b8227dde840d31a

SHA512
a4ada455d44a89fd2baa505aa9266b70913967b839522ef5da8d7afd31af6662c3ad96ac3e3531d82a72be7d019c9d88f1ce391c5b5fa0e4422a634c51491165

Download Submit
memory/2544-0-0x00007FFD8D1F3000-0x00007FFD8D1F5000-memory.dmp

Filesize
8KB

Download
memory/2544-1-0x000001EA46310000-0x000001EA46328000-memory.dmp

Filesize
96KB

Download
memory/2544-2-0x000001EA60990000-0x000001EA60B52000-memory.dmp

Filesize
1.8MB

Download
memory/2544-3-0x00007FFD8D1F0000-0x00007FFD8DCB2000-memory.dmp

Filesize
10.8MB

Download
memory/2544-4-0x000001EA61D60000-0x000001EA62288000-memory.dmp

Filesize
5.2MB

Download
memory/2544-5-0x000001EA61830000-0x000001EA61AFA000-memory.dmp

Filesize
2.8MB

Download
memory/2544-6-0x00007FFD8D1F3000-0x00007FFD8D1F5000-memory.dmp

Filesize
8KB

Download
memory/2544-7-0x00007FFD8D1F0000-0x00007FFD8DCB2000-memory.dmp

Filesize
10.8MB

Download
memory/2544-15-0x000001EA607C0000-0x000001EA607CE000-memory.dmp

Filesize
56KB

Download

Resubmissions

Analysis

Sharing

Errors

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads