Resubmissions

22-07-2024 18:50

240722-xhabkssbmb 10

22-07-2024 18:44

240722-xdxlbasdnk 10

22-07-2024 18:41

240722-xbzb5a1gjg 10

22-07-2024 18:38

240722-xaew4asbll 10

Analysis

  • max time kernel
    97s
  • max time network
    127s
  • platform
    windows11-21h2_x64
  • resource
    win11-20240709-en
  • resource tags

    arch:x64 arch:x86 image:win11-20240709-en locale:en-us os:windows11-21h2-x64 system
  • submitted
    22-07-2024 18:41

General

  • Target

    Client-built.exe

  • Size

    78KB

  • MD5

    5d124e382b6e75350e290f2ca92dcd8f

  • SHA1

    1453d068d2d1a5c02696f82c148c91d749c99e68

  • SHA256

    0cdf3658260f5e4abb0cc840fb3038d189015d07d9e82f5301a4410fd739e4b9

  • SHA512

    41f012b71fa8543fb91a2f30c96defa0d614b917de5b9abed85eb3f11a6643b7c3038574887e399e609f0308b8442a77c07bfae1d442e0810e26a05d5c2c846f

  • SSDEEP

    1536:52WjO8XeEXFh5P7v88wbjNrfxCXhRoKV6+V+4PIC:5Zv5PDwbjNrmAE+cIC

Malware Config

Extracted

Family

discordrat

Attributes
  • discord_token

    MTI2NTAxMTgwMzUyMDI0MTgyNg.Gixgjj.XDPqCHG2EZuhXeegiOPwvU_Lk4mudkLkpJ6VOU

  • server_id

    1265010770744443021

Signatures

  • Discord RAT

    A RAT written in C# using Discord as a C2.

  • Legitimate hosting services abused for malware hosting/C2 (1 TTP, 2 IoCs)
  • Modifies registry class (1 IoC)
  • Suspicious use of AdjustPrivilegeToken (1 IoC)
  • Suspicious use of SetWindowsHookEx (1 IoC)
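
The discord_token and server_id extracted in the Malware Config section carry more than a C2 credential. A Discord bot token is three dot-separated segments, and the first segment is the base64-encoded snowflake ID of the bot user; every Discord snowflake embeds a millisecond creation timestamp counted from the Discord epoch (2015-01-01T00:00:00Z), followed by 5-bit worker and process IDs and a 12-bit increment. The Python below is an editor's example added to this page, not code from the sandbox report or from the discordrat family: it decodes the bot ID from the token, pulls the creation time out of both snowflakes, and orders them against the report's submission time. It assumes the report's "submitted 22-07-2024 18:41" is UTC (the report does not state a timezone) and decodes only the first token segment; the other two are treated as opaque. Do not "verify" the token against the Discord API: that is use of a stolen credential and tells the operator the sample is being analysed.

```python
"""Decode the Discord identifiers recovered from the discordrat config.

Editor's example, not code from the sandbox report or from the RAT. The token
and server_id are copied from the report's Malware Config section; the
snowflake layout and epoch are public Discord API facts. Nothing here talks
to Discord.
"""
import base64
import datetime as dt

DISCORD_EPOCH = dt.datetime(2015, 1, 1, tzinfo=dt.timezone.utc)

# Values copied from the report.
EXTRACTED_TOKEN = (
    "MTI2NTAxMTgwMzUyMDI0MTgyNg.Gixgjj.XDPqCHG2EZuhXeegiOPwvU_Lk4mudkLkpJ6VOU"
)
EXTRACTED_SERVER_ID = 1265010770744443021
# Assumption: the report's "submitted 22-07-2024 18:41" is UTC (timezone not stated).
SUBMITTED_AT = dt.datetime(2024, 7, 22, 18, 41, tzinfo=dt.timezone.utc)


def b64_decode_unpadded(segment: str) -> bytes:
    """Token segments are URL-safe base64 with the '=' padding stripped."""
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def snowflake_fields(snowflake: int) -> dict:
    """Split a snowflake: 42-bit ms timestamp | 5-bit worker | 5-bit process | 12-bit increment."""
    return {
        "created_at": DISCORD_EPOCH + dt.timedelta(milliseconds=snowflake >> 22),
        "worker_id": (snowflake >> 17) & 0x1F,
        "process_id": (snowflake >> 12) & 0x1F,
        "increment": snowflake & 0xFFF,
    }


def parse_bot_token(token: str) -> dict:
    """Return the bot user ID and its creation time from a Discord bot token.

    Only the first segment is decoded; the second and third segments are
    treated as opaque and are never sent anywhere.
    """
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("expected three dot-separated segments")
    raw_id = b64_decode_unpadded(parts[0])
    if not raw_id.isdigit():
        raise ValueError("first segment does not decode to a numeric snowflake")
    bot_user_id = int(raw_id)
    return {"bot_user_id": bot_user_id, **snowflake_fields(bot_user_id)}


def build_timeline(token: str, server_id: int, submitted_at: dt.datetime) -> list:
    """Order C2 server creation, bot creation and sample submission in time."""
    events = [
        ("C2 server (guild) created", snowflake_fields(server_id)["created_at"]),
        ("bot user created", parse_bot_token(token)["created_at"]),
        ("sample submitted", submitted_at),
    ]
    return sorted(events, key=lambda event: event[1])


def minutes_between(first: dt.datetime, second: dt.datetime) -> float:
    """Read the timeline as an infrastructure-setup-to-detonation gap."""
    return (second - first).total_seconds() / 60


if __name__ == "__main__":
    timeline = build_timeline(EXTRACTED_TOKEN, EXTRACTED_SERVER_ID, SUBMITTED_AT)
    for label, when in timeline:
        print(f"{when.isoformat(timespec='seconds')}  {label}")
    gap = minutes_between(timeline[0][1], timeline[-1][1])
    print(f"server-to-submission gap: {gap:.1f} min")
```

For this sample the server was created at 18:21:10 UTC and the bot user at 18:25:16 UTC on the day of submission, so the whole C2 setup is under twenty minutes old when the binary first hits the sandbox. That is a useful pivot in its own right: a freshly created guild plus a freshly created bot in a sample built the same day points at a kit user who generated the payload immediately after standing up the infrastructure, and the bot user ID is a stable indicator that survives a token rotation.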

Processes

  • C:\Users\Admin\AppData\Local\Temp\Client-built.exe
    "C:\Users\Admin\AppData\Local\Temp\Client-built.exe"
    1⤵
    • Suspicious use of AdjustPrivilegeToken
    PID:4616
  • C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\MiniSearchHost.exe
    "C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\MiniSearchHost.exe" -ServerName:MiniSearchUI.AppXj3y73at8fy1htwztzxs68sxx1v7cksp7.mca
    1⤵
    • Modifies registry class
    • Suspicious use of SetWindowsHookEx
    PID:1192

Network

MITRE ATT&CK Enterprise v15


Downloads

  • C:\Users\Admin\AppData\Local\Packages\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\TempState\SearchHoverUnifiedTileModelCache.dat

    Filesize

    10KB

    MD5

    6eb9e667030a3414a9dd177950bff298

    SHA1

    b8b9a6b672bf720efdebd893c1be6056231e87d3

    SHA256

    5ea4f46bf6ba39af1e5c39796acef76712d354fab1d190cb2424cd63331566da

    SHA512

    4ba41fbd6202554c12351ccd1acfdf1f49e0a546fc2677e91fa20be8998615d4c41c0b841bc97b7b03f9ec5ecd61a261136539ff5121f839030509a69228b779

  • C:\Users\Admin\AppData\Local\Packages\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\TempState\SearchHoverUnifiedTileModelCache.dat

    Filesize

    10KB

    MD5

    aa1db56ffcb4b44e29bae43c70e6f3c6

    SHA1

    f057d9514a4da16a42028bb1ab1da42000ac2059

    SHA256

    b4d4b3bde87559d205c05d5d8d3b79940972bc823a9e40464d7e76e38348b175

    SHA512

    9ade68a2e0c2184c7ba4d68fa1eef20f809119bf7ed46bb81ef6209c2d9ae874c5c3dd9533eeac43c6fd5ffcedd1d601dd5b91bef824f22fdd956b9cb96920c9

  • memory/4616-0-0x00000246876F0000-0x0000024687708000-memory.dmp

    Filesize

    96KB

  • memory/4616-1-0x00007FFCC4D13000-0x00007FFCC4D15000-memory.dmp

    Filesize

    8KB

  • memory/4616-2-0x00000246A1EC0000-0x00000246A2082000-memory.dmp

    Filesize

    1.8MB

  • memory/4616-3-0x00007FFCC4D10000-0x00007FFCC57D2000-memory.dmp

    Filesize

    10.8MB

  • memory/4616-4-0x00000246A3220000-0x00000246A3748000-memory.dmp

    Filesize

    5.2MB

  • memory/4616-5-0x00007FFCC4D10000-0x00007FFCC57D2000-memory.dmp

    Filesize

    10.8MB