Overview

overview

10

Static

static

10

release/Builder.exe

windows10-2004-x64

8

release/Re...at.exe

windows10-2004-x64

10

release/dnlib.dll

windows10-2004-x64

1

Resubmissions

08-07-2024 14:42

240708-r28qlawfpe 10

18-06-2024 22:36

240618-2jdslsselj 10

18-06-2024 22:35

240618-2hrm3ssejm 10

Analysis

  • max time kernel
    193s
  • max time network
    197s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240704-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20240704-enlocale:en-usos:windows10-2004-x64system
  • submitted
    08-07-2024 14:42

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    release/Release/Discord rat.exe

  • Size

    79KB

  • MD5

    d13905e018eb965ded2e28ba0ab257b5

  • SHA1

    6d7fe69566fddc69b33d698591c9a2c70d834858

  • SHA256

    2bd631c6665656673a923c13359b0dc211debc05b2885127e26b0dce808e2dec

  • SHA512

    b95bfdebef33ac72b6c21cdf0abb4961222b7efd17267cd7236e731dd0b6105ece28e784a95455f1ffc8a6dd1d580a467b07b3bd8cb2fb19e2111f1a864c97cb

  • SSDEEP

    1536:YCH0jBD2BKkwbPNrfxCXhRoKV6+V+y9viwp:VUjBD2BPwbPNrmAE+MqU

Score
10/10
discordratpersistenceratrootkitstealer

Malware Config

Signatures

  • Discord RAT

    A RAT written in C# using Discord as a C2.

    stealerrootkitratpersistencediscordrat
  • Suspicious behavior: EnumeratesProcesses 2 IoCs
  • Suspicious behavior: RenamesItself 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 9 IoCs
  • Suspicious use of WriteProcessMemory 10 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\release\Release\Discord rat.exe
    "C:\Users\Admin\AppData\Local\Temp\release\Release\Discord rat.exe"
    1⤵
    • Suspicious use of AdjustPrivilegeToken
    PID:3784
  • C:\Windows\System32\rundll32.exe
    C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
    1⤵
      PID:3880
    • C:\Users\Admin\AppData\Local\Temp\release\Release\Discord rat.exe
      "C:\Users\Admin\AppData\Local\Temp\release\Release\Discord rat.exe"
      1⤵
      • Suspicious use of AdjustPrivilegeToken
      PID:4828
    • C:\Users\Admin\AppData\Local\Temp\release\Release\Discord rat.exe
      "C:\Users\Admin\AppData\Local\Temp\release\Release\Discord rat.exe"
      1⤵
      • Suspicious use of AdjustPrivilegeToken
      PID:3856
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
      1⤵
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious behavior: RenamesItself
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:2932
      • C:\Users\Admin\Desktop\Discord rat.exe
        "C:\Users\Admin\Desktop\Discord rat.exe" -h
        2⤵
        • Suspicious use of AdjustPrivilegeToken
        PID:212
      • C:\Users\Admin\Desktop\dr.exe
        "C:\Users\Admin\Desktop\dr.exe" -h
        2⤵
        • Suspicious use of AdjustPrivilegeToken
        PID:3588
      • C:\Users\Admin\Desktop\dr.exe
        "C:\Users\Admin\Desktop\dr.exe" --help
        2⤵
        • Suspicious use of AdjustPrivilegeToken
        PID:772
      • C:\Users\Admin\Desktop\dr.exe
        "C:\Users\Admin\Desktop\dr.exe" -help
        2⤵
        • Suspicious use of AdjustPrivilegeToken
        PID:2192
      • C:\Users\Admin\Desktop\dr.exe
        "C:\Users\Admin\Desktop\dr.exe"
        2⤵
        • Suspicious use of AdjustPrivilegeToken
        PID:3824

    Network

    MITRE ATT&CK Matrix

    Replay Monitor

    Loading Replay Monitor...

    Downloads

    • C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_d5fvyax3.g53.ps1
      Filesize

      60B

      MD5

      d17fe0a3f47be24a6453e9ef58c94641

      SHA1

      6ab83620379fc69f80c0242105ddffd7d98d5d9d

      SHA256

      96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

      SHA512

      5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

      Download Submit
    • memory/2932-13-0x000001504A670000-0x000001504A692000-memory.dmp
      Filesize

      136KB

      Download
    • memory/2932-25-0x0000015062FF0000-0x000001506300E000-memory.dmp
      Filesize

      120KB

      Download
    • memory/2932-24-0x0000015063030000-0x00000150630A6000-memory.dmp
      Filesize

      472KB

      Download
    • memory/2932-23-0x0000015062F60000-0x0000015062FA4000-memory.dmp
      Filesize

      272KB

      Download
    • memory/3784-4-0x0000019AED750000-0x0000019AEDC78000-memory.dmp
      Filesize

      5.2MB

      Download
    • memory/3784-6-0x00007FFCFCF00000-0x00007FFCFD9C1000-memory.dmp
      Filesize

      10.8MB

      Download
    • memory/3784-5-0x00007FFCFCF03000-0x00007FFCFCF05000-memory.dmp
      Filesize

      8KB

      Download
    • memory/3784-1-0x0000019AD2770000-0x0000019AD2788000-memory.dmp
      Filesize

      96KB

      Download
    • memory/3784-3-0x00007FFCFCF00000-0x00007FFCFD9C1000-memory.dmp
      Filesize

      10.8MB

      Download
    • memory/3784-2-0x0000019AECE70000-0x0000019AED032000-memory.dmp
      Filesize

      1.8MB

      Download
    • memory/3784-0-0x00007FFCFCF03000-0x00007FFCFCF05000-memory.dmp
      Filesize

      8KB

      Download
    • memory/4828-7-0x00007FFCFCF00000-0x00007FFCFD9C1000-memory.dmp
      Filesize

      10.8MB

      Download
    • memory/4828-8-0x00007FFCFCF00000-0x00007FFCFD9C1000-memory.dmp
      Filesize

      10.8MB

      Download
    • memory/4828-9-0x00007FFCFCF00000-0x00007FFCFD9C1000-memory.dmp
      Filesize

      10.8MB

      Download
    • memory/4828-10-0x00007FFCFCF00000-0x00007FFCFD9C1000-memory.dmp
      Filesize

      10.8MB

      Download