discordrat | 96b5be62a3f1c6550f243ce18051af2f6e105cb8e5869d1b685df3e6e382e4ca

Resubmissions

23-07-2024 14:26

240723-rscxkaxflf 10

23-07-2024 14:20

240723-rnv8cavbjk 10

23-07-2024 14:13

240723-rjwnbathkm 10

Analysis

max time kernel
114s
max time network
119s
platform
windows10-2004_x64
resource
win10v2004-20240709-en
resource tags

arch:x64arch:x86image:win10v2004-20240709-enlocale:en-usos:windows10-2004-x64system
submitted
23-07-2024 14:13

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

Client-built.exe
Size

78KB
MD5

5ccc8cb73a3e7f49f02309b8234150f7
SHA1

2e25a1e3c2dea17b8a55794ea410efc20a20ba89
SHA256

96b5be62a3f1c6550f243ce18051af2f6e105cb8e5869d1b685df3e6e382e4ca
SHA512

f5aad017d92ad6611aea1c9751e57a4847de36c8e0e40b461b01d3053b30fb563e6258993836f1d193393b95feee6da440352d073d2e1111c2b96186afaafe31
SSDEEP

1536:Z2WjO8XeEXFh5P7v88wbjNrfxCXhRoKV6+V+fBPIC:ZZv5PDwbjNrmAE+fRIC

Score

10^/10

discordrat persistence rat rootkit stealer

Malware Config

Extracted

Family

discordrat

Attributes

discord_token
MTI2NTI5NDU0NzA5MzU1MzIwMw.G4XHgH.w73SKG9eGEqZjt7cDrIl25uvvZMMECf3wWXHYA
server_id
1265294099100205107

Signatures

Discord RAT
A RAT written in C# using Discord as a C2.
stealer rootkit rat persistence discordrat

Suspicious behavior: AddClipboardFormatListener 1 IoCs

pid	Process
2388	vlc.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
1240	msedge.exe
1240	msedge.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
2388	vlc.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	3668	Client-built.exe

Suspicious use of FindShellTrayWindow 8 IoCs

pid	Process
2388	vlc.exe
2388	vlc.exe
2388	vlc.exe
2388	vlc.exe
2388	vlc.exe
2388	vlc.exe
2388	vlc.exe
2388	vlc.exe

Suspicious use of SendNotifyMessage 7 IoCs

pid	Process
2388	vlc.exe
2388	vlc.exe
2388	vlc.exe
2388	vlc.exe
2388	vlc.exe
2388	vlc.exe
2388	vlc.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
2388	vlc.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 3704 wrote to memory of 3536	3704	msedge.exe	111
PID 3704 wrote to memory of 3536	3704	msedge.exe	111
PID 3704 wrote to memory of 4408	3704	msedge.exe	112
PID 3704 wrote to memory of 4408	3704	msedge.exe	112
PID 3704 wrote to memory of 4408	3704	msedge.exe	112
PID 3704 wrote to memory of 4408	3704	msedge.exe	112
PID 3704 wrote to memory of 4408	3704	msedge.exe	112
PID 3704 wrote to memory of 4408	3704	msedge.exe	112
PID 3704 wrote to memory of 4408	3704	msedge.exe	112
PID 3704 wrote to memory of 4408	3704	msedge.exe	112
PID 3704 wrote to memory of 4408	3704	msedge.exe	112
PID 3704 wrote to memory of 4408	3704	msedge.exe	112
PID 3704 wrote to memory of 4408	3704	msedge.exe	112
PID 3704 wrote to memory of 4408	3704	msedge.exe	112
PID 3704 wrote to memory of 4408	3704	msedge.exe	112
PID 3704 wrote to memory of 4408	3704	msedge.exe	112
PID 3704 wrote to memory of 4408	3704	msedge.exe	112
PID 3704 wrote to memory of 4408	3704	msedge.exe	112
PID 3704 wrote to memory of 4408	3704	msedge.exe	112
PID 3704 wrote to memory of 4408	3704	msedge.exe	112
PID 3704 wrote to memory of 4408	3704	msedge.exe	112
PID 3704 wrote to memory of 4408	3704	msedge.exe	112
PID 3704 wrote to memory of 4408	3704	msedge.exe	112
PID 3704 wrote to memory of 4408	3704	msedge.exe	112
PID 3704 wrote to memory of 4408	3704	msedge.exe	112
PID 3704 wrote to memory of 4408	3704	msedge.exe	112
PID 3704 wrote to memory of 4408	3704	msedge.exe	112
PID 3704 wrote to memory of 4408	3704	msedge.exe	112
PID 3704 wrote to memory of 4408	3704	msedge.exe	112
PID 3704 wrote to memory of 4408	3704	msedge.exe	112
PID 3704 wrote to memory of 4408	3704	msedge.exe	112
PID 3704 wrote to memory of 4408	3704	msedge.exe	112
PID 3704 wrote to memory of 4408	3704	msedge.exe	112
PID 3704 wrote to memory of 4408	3704	msedge.exe	112
PID 3704 wrote to memory of 4408	3704	msedge.exe	112
PID 3704 wrote to memory of 4408	3704	msedge.exe	112
PID 3704 wrote to memory of 4408	3704	msedge.exe	112
PID 3704 wrote to memory of 4408	3704	msedge.exe	112
PID 3704 wrote to memory of 4408	3704	msedge.exe	112
PID 3704 wrote to memory of 4408	3704	msedge.exe	112
PID 3704 wrote to memory of 4408	3704	msedge.exe	112
PID 3704 wrote to memory of 4408	3704	msedge.exe	112
PID 3704 wrote to memory of 1240	3704	msedge.exe	113
PID 3704 wrote to memory of 1240	3704	msedge.exe	113
PID 3704 wrote to memory of 112	3704	msedge.exe	114
PID 3704 wrote to memory of 112	3704	msedge.exe	114
PID 3704 wrote to memory of 112	3704	msedge.exe	114
PID 3704 wrote to memory of 112	3704	msedge.exe	114
PID 3704 wrote to memory of 112	3704	msedge.exe	114
PID 3704 wrote to memory of 112	3704	msedge.exe	114
PID 3704 wrote to memory of 112	3704	msedge.exe	114
PID 3704 wrote to memory of 112	3704	msedge.exe	114
PID 3704 wrote to memory of 112	3704	msedge.exe	114
PID 3704 wrote to memory of 112	3704	msedge.exe	114
PID 3704 wrote to memory of 112	3704	msedge.exe	114
PID 3704 wrote to memory of 112	3704	msedge.exe	114
PID 3704 wrote to memory of 112	3704	msedge.exe	114
PID 3704 wrote to memory of 112	3704	msedge.exe	114
PID 3704 wrote to memory of 112	3704	msedge.exe	114
PID 3704 wrote to memory of 112	3704	msedge.exe	114
PID 3704 wrote to memory of 112	3704	msedge.exe	114
PID 3704 wrote to memory of 112	3704	msedge.exe	114
PID 3704 wrote to memory of 112	3704	msedge.exe	114
PID 3704 wrote to memory of 112	3704	msedge.exe	114

C:\Users\Admin\AppData\Local\Temp\Client-built.exe
"C:\Users\Admin\AppData\Local\Temp\Client-built.exe"
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:3668

C:\Program Files\VideoLAN\VLC\vlc.exe
"C:\Program Files\VideoLAN\VLC\vlc.exe" --started-from-file "C:\Users\Admin\Desktop\SelectSplit.wma"
1⤵
- Suspicious behavior: AddClipboardFormatListener
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of SetWindowsHookEx
PID:2388

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --default-search-provider=? --out-pipe-name=MSEdgeDefaultfd705ccahf500h4e62h8530h7612c0b1f26a
1⤵
- Suspicious use of WriteProcessMemory
PID:3704
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x124,0x128,0x12c,0x100,0x130,0x7ffdef2446f8,0x7ffdef244708,0x7ffdef244718
  2⤵
  PID:3536
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=1984,2427336897548205597,16271932580030953418,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2088 /prefetch:2
  2⤵
  PID:4408
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=1984,2427336897548205597,16271932580030953418,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2168 /prefetch:3
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:1240
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=1984,2427336897548205597,16271932580030953418,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2640 /prefetch:8
  2⤵
  PID:112

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:5256

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:5296

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
7f37f119665df6beaa925337bbff0e84

SHA1
c2601d11f8aa77e12ab3508479cbf20c27cbd865

SHA256
1073dbff3ec315ac85361c35c8ba791cc4198149b097c7b287dda1d791925027

SHA512
8e180e41dd27c51e81788564b19b8ff411028890da506fbf767d394b1e73ec53e046c8d07235b2ec7c1c593c976bbf74ed9b7d442d68b526a0a77a9b5b0ab817

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
5KB

MD5
a5827a50d235ee928cb810b504ee85c0

SHA1
38a3585baf94c53df6756962a656332d4764ba92

SHA256
57c8778429f4fa317e30045f574f045bf96f246e9a4a91025ce10e0fc49a31c4

SHA512
a212fd07aba49348760958a9a828005ea453df489fb85600d11d0a498de08df1ef38dbdca5ffd46c3137d746aa709f142d85d33b1091aba0976435b65946c1eb

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
8KB

MD5
ac27de3fc8de445045fcfb8dfe20063c

SHA1
8be369ad3300a4f35721e73825b3e49e9ab4aefc

SHA256
9322b9cc16cd932a1aebc1bd6e4be635e800df1261c9a76c5240471c7265357e

SHA512
bd3efbb64d6dca7357b1b9cb9e7495dd385374138fd871e372b5b6291b778c50f146c8647e81ea45732accf6c51224ee4332764020680be3de7c32e5789bc36a

Download Submit
memory/2388-15-0x00007FFDF6ED0000-0x00007FFDF7186000-memory.dmp

Filesize
2.7MB

Download
memory/2388-25-0x00007FFDF92C0000-0x00007FFDF9301000-memory.dmp

Filesize
260KB

Download
memory/2388-14-0x00007FFE04D20000-0x00007FFE04D54000-memory.dmp

Filesize
208KB

Download
memory/2388-13-0x00007FF73F0E0000-0x00007FF73F1D8000-memory.dmp

Filesize
992KB

Download
memory/2388-16-0x00007FFE11760000-0x00007FFE11778000-memory.dmp

Filesize
96KB

Download
memory/2388-22-0x00007FFDFACD0000-0x00007FFDFACE1000-memory.dmp

Filesize
68KB

Download
memory/2388-21-0x00007FFDFAEB0000-0x00007FFDFAECD000-memory.dmp

Filesize
116KB

Download
memory/2388-20-0x00007FFDFAED0000-0x00007FFDFAEE1000-memory.dmp

Filesize
68KB

Download
memory/2388-17-0x00007FFE0CDA0000-0x00007FFE0CDB7000-memory.dmp

Filesize
92KB

Download
memory/2388-18-0x00007FFDFFA50000-0x00007FFDFFA61000-memory.dmp

Filesize
68KB

Download
memory/2388-43-0x00007FFDF3AA0000-0x00007FFDF4B50000-memory.dmp

Filesize
16.7MB

Download
memory/2388-23-0x00007FFDF6CC0000-0x00007FFDF6ECB000-memory.dmp

Filesize
2.0MB

Download
memory/2388-19-0x00007FFDFFA30000-0x00007FFDFFA47000-memory.dmp

Filesize
92KB

Download
memory/2388-24-0x00007FFDF3AA0000-0x00007FFDF4B50000-memory.dmp

Filesize
16.7MB

Download
memory/2388-31-0x00007FFDF74C0000-0x00007FFDF74D1000-memory.dmp

Filesize
68KB

Download
memory/2388-30-0x00007FFDF81D0000-0x00007FFDF81E1000-memory.dmp

Filesize
68KB

Download
memory/2388-29-0x00007FFDF81F0000-0x00007FFDF8201000-memory.dmp

Filesize
68KB

Download
memory/2388-28-0x00007FFDF92A0000-0x00007FFDF92B1000-memory.dmp

Filesize
68KB

Download
memory/2388-27-0x00007FFDFA8D0000-0x00007FFDFA8E8000-memory.dmp

Filesize
96KB

Download
memory/2388-26-0x00007FFDFACA0000-0x00007FFDFACC1000-memory.dmp

Filesize
132KB

Download
memory/3668-5-0x00007FFDFE7C0000-0x00007FFDFF281000-memory.dmp

Filesize
10.8MB

Download
memory/3668-1-0x000001D269E40000-0x000001D269E58000-memory.dmp

Filesize
96KB

Download
memory/3668-4-0x000001D26CDF0000-0x000001D26D318000-memory.dmp

Filesize
5.2MB

Download
memory/3668-3-0x00007FFDFE7C0000-0x00007FFDFF281000-memory.dmp

Filesize
10.8MB

Download
memory/3668-2-0x000001D26C4F0000-0x000001D26C6B2000-memory.dmp

Filesize
1.8MB

Download
memory/3668-0-0x00007FFDFE7C3000-0x00007FFDFE7C5000-memory.dmp

Filesize
8KB

Download