Overview

overview

10

Static

static

10

Client-built.exe

windows7-x64

10

Client-built.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    122s
  • max time network
    97s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240704-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20240704-enlocale:en-usos:windows10-2004-x64system
  • submitted
    06-07-2024 06:40

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    Client-built.exe

  • Size

    78KB

  • MD5

    c2efae565750c5e4840301c5cec67460

  • SHA1

    ea1499fac62658c92b770423e934063d4a2a9f78

  • SHA256

    9756ee53e23f0d4b0b99395167020ee817d255c686b5643aee5540a274e7d6e6

  • SHA512

    236b0273e0c7310d8a88068559a074793b7a3f1e7497b69a78674030cb4a021d22e2a02147a5f678a440a16f98c96bd2bc57ce69284f1e37ae05b530805f16ee

  • SSDEEP

    1536:52WjO8XeEXFh5P7v88wbjNrfxCXhRoKV6+V+5PIC:5Zv5PDwbjNrmAE+JIC

Score
10/10
discordratpersistenceratrootkitstealer

Malware Config

Extracted

Family

discordrat

Attributes
  • discord_token

    MTIzODk5NzI3ODYzMTM5NTM3OQ.Gn6NJ3.UNQS-_aC6k865Ijqu9IYLq9yL7LUhlTZGAmiu8

  • server_id

    1259016982901293077

Signatures

  • Discord RAT

    A RAT written in C# using Discord as a C2.

    stealerrootkitratpersistencediscordrat
  • Checks SCSI registry key(s) 3 TTPs 3 IoCs

    SCSI information is often read in order to detect sandboxing environments.

  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious use of AdjustPrivilegeToken 4 IoCs
  • Suspicious use of FindShellTrayWindow 64 IoCs
  • Suspicious use of SendNotifyMessage 64 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\Client-built.exe
    "C:\Users\Admin\AppData\Local\Temp\Client-built.exe"
    1⤵
    • Suspicious use of AdjustPrivilegeToken
    PID:1940
  • C:\Windows\system32\taskmgr.exe
    "C:\Windows\system32\taskmgr.exe" /4
    1⤵
    • Checks SCSI registry key(s)
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of FindShellTrayWindow
    • Suspicious use of SendNotifyMessage
    PID:1996

Network

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

1
T1012

Peripheral Device Discovery

1
T1120

System Information Discovery

1
T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

  • memory/1940-0-0x0000020099F60000-0x0000020099F78000-memory.dmp
    Filesize

    96KB

    Download
  • memory/1940-1-0x00000200B4510000-0x00000200B46D2000-memory.dmp
    Filesize

    1.8MB

    Download
  • memory/1940-2-0x00007FFE550B0000-0x00007FFE55379000-memory.dmp
    Filesize

    2.8MB

    Download
  • memory/1940-3-0x00007FFE550B0000-0x00007FFE55379000-memory.dmp
    Filesize

    2.8MB

    Download
  • memory/1940-4-0x00000200B4E50000-0x00000200B5378000-memory.dmp
    Filesize

    5.2MB

    Download
  • memory/1940-5-0x00007FFE550B0000-0x00007FFE55379000-memory.dmp
    Filesize

    2.8MB

    Download
  • memory/1996-6-0x000001F965930000-0x000001F965931000-memory.dmp
    Filesize

    4KB

    Download
  • memory/1996-7-0x000001F965930000-0x000001F965931000-memory.dmp
    Filesize

    4KB

    Download
  • memory/1996-8-0x000001F965930000-0x000001F965931000-memory.dmp
    Filesize

    4KB

    Download
  • memory/1996-13-0x000001F965930000-0x000001F965931000-memory.dmp
    Filesize

    4KB

    Download
  • memory/1996-18-0x000001F965930000-0x000001F965931000-memory.dmp
    Filesize

    4KB

    Download
  • memory/1996-17-0x000001F965930000-0x000001F965931000-memory.dmp
    Filesize

    4KB

    Download
  • memory/1996-16-0x000001F965930000-0x000001F965931000-memory.dmp
    Filesize

    4KB

    Download
  • memory/1996-15-0x000001F965930000-0x000001F965931000-memory.dmp
    Filesize

    4KB

    Download
  • memory/1996-14-0x000001F965930000-0x000001F965931000-memory.dmp
    Filesize

    4KB

    Download
  • memory/1996-12-0x000001F965930000-0x000001F965931000-memory.dmp
    Filesize

    4KB

    Download