discordrat | ddbdfe227d8394d50c28c4b02c39033c4d5d1962fbd1342a5ca5f236e9671619

Analysis

max time kernel
67s
max time network
70s
platform
windows11-21h2_x64
resource
win11-20240802-en
resource tags

arch:x64arch:x86image:win11-20240802-enlocale:en-usos:windows11-21h2-x64system
submitted
15-08-2024 01:49

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

Client-built.exe
Size

78KB
MD5

7d921a8a96e652d5264847bf6645f61c
SHA1

0ef41f617e00919d102098a7c82750f6e90d9b80
SHA256

ddbdfe227d8394d50c28c4b02c39033c4d5d1962fbd1342a5ca5f236e9671619
SHA512

ac86edaf87b61f0f5b6bf3dc2a70150b43a3e5a758ee4e45162c27491b0ba02f01203446af87666d7c2346169e5445e88027cffd8fcfa64543730078d8c7aed0
SSDEEP

1536:52WjO8XeEXFh5P7v88wbjNrfxCXhRoKV6+V+FPIC:5Zv5PDwbjNrmAE+VIC

Score

10^/10

discordrat discovery persistence rat rootkit stealer

Malware Config

Extracted

Family

discordrat

Attributes

discord_token
MTI3MzA1MTEwNzEyMzI2OTczNQ.G7UQQo.CWRWd5HJJ8bVumSGiyWc2pDdjavw4VinikkJMg
server_id
1273454211354464348

Signatures

Discord RAT
A RAT written in C# using Discord as a C2.
stealer rootkit rat persistence discordrat

Legitimate hosting services abused for malware hosting/C2 1 TTPs 2 IoCs

Web Service

T1102

flow	ioc
1	discord.com
8	discord.com

Drops file in Windows directory 1 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SystemTemp	chrome.exe

Browser Information Discovery 1 TTPs
Enumerate browser information.
discovery

Browser Information Discovery
T1217

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	chrome.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	chrome.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
1080	chrome.exe
1080	chrome.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 4 IoCs

pid	Process
1080	chrome.exe
1080	chrome.exe
1080	chrome.exe
1080	chrome.exe

Suspicious use of AdjustPrivilegeToken 19 IoCs

description	pid	Process
Token: SeDebugPrivilege	4360	Client-built.exe
Token: SeShutdownPrivilege	1080	chrome.exe
Token: SeCreatePagefilePrivilege	1080	chrome.exe
Token: SeShutdownPrivilege	1080	chrome.exe
Token: SeCreatePagefilePrivilege	1080	chrome.exe
Token: SeShutdownPrivilege	1080	chrome.exe
Token: SeCreatePagefilePrivilege	1080	chrome.exe
Token: SeShutdownPrivilege	1080	chrome.exe
Token: SeCreatePagefilePrivilege	1080	chrome.exe
Token: SeShutdownPrivilege	1080	chrome.exe
Token: SeCreatePagefilePrivilege	1080	chrome.exe
Token: SeShutdownPrivilege	1080	chrome.exe
Token: SeCreatePagefilePrivilege	1080	chrome.exe
Token: SeShutdownPrivilege	1080	chrome.exe
Token: SeCreatePagefilePrivilege	1080	chrome.exe
Token: SeShutdownPrivilege	1080	chrome.exe
Token: SeCreatePagefilePrivilege	1080	chrome.exe
Token: SeShutdownPrivilege	1080	chrome.exe
Token: SeCreatePagefilePrivilege	1080	chrome.exe

Suspicious use of FindShellTrayWindow 54 IoCs

pid	Process
1080	chrome.exe
1080	chrome.exe
1080	chrome.exe
1080	chrome.exe
1080	chrome.exe
1080	chrome.exe
1080	chrome.exe
1080	chrome.exe
1080	chrome.exe
1080	chrome.exe
1080	chrome.exe
1080	chrome.exe
1080	chrome.exe
1080	chrome.exe
1080	chrome.exe
1080	chrome.exe
1080	chrome.exe
1080	chrome.exe
1080	chrome.exe
1080	chrome.exe
1080	chrome.exe
1080	chrome.exe
1080	chrome.exe
1080	chrome.exe
1080	chrome.exe
1080	chrome.exe
1080	chrome.exe
1080	chrome.exe
1080	chrome.exe
1080	chrome.exe
1080	chrome.exe
1080	chrome.exe
1080	chrome.exe
1080	chrome.exe
1080	chrome.exe
1080	chrome.exe
1080	chrome.exe
1080	chrome.exe
1080	chrome.exe
1080	chrome.exe
1080	chrome.exe
1080	chrome.exe
1080	chrome.exe
1080	chrome.exe
1080	chrome.exe
1080	chrome.exe
1080	chrome.exe
1080	chrome.exe
1080	chrome.exe
1080	chrome.exe
1080	chrome.exe
1080	chrome.exe
1080	chrome.exe
1080	chrome.exe

Suspicious use of SendNotifyMessage 24 IoCs

pid	Process
1080	chrome.exe
1080	chrome.exe
1080	chrome.exe
1080	chrome.exe
1080	chrome.exe
1080	chrome.exe
1080	chrome.exe
1080	chrome.exe
1080	chrome.exe
1080	chrome.exe
1080	chrome.exe
1080	chrome.exe
1080	chrome.exe
1080	chrome.exe
1080	chrome.exe
1080	chrome.exe
1080	chrome.exe
1080	chrome.exe
1080	chrome.exe
1080	chrome.exe
1080	chrome.exe
1080	chrome.exe
1080	chrome.exe
1080	chrome.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1080 wrote to memory of 1240	1080	chrome.exe	86
PID 1080 wrote to memory of 1240	1080	chrome.exe	86
PID 3356 wrote to memory of 2740	3356	chrome.exe	88
PID 3356 wrote to memory of 2740	3356	chrome.exe	88
PID 1080 wrote to memory of 4404	1080	chrome.exe	89
PID 1080 wrote to memory of 4404	1080	chrome.exe	89
PID 1080 wrote to memory of 4404	1080	chrome.exe	89
PID 1080 wrote to memory of 4404	1080	chrome.exe	89
PID 1080 wrote to memory of 4404	1080	chrome.exe	89
PID 1080 wrote to memory of 4404	1080	chrome.exe	89
PID 1080 wrote to memory of 4404	1080	chrome.exe	89
PID 1080 wrote to memory of 4404	1080	chrome.exe	89
PID 1080 wrote to memory of 4404	1080	chrome.exe	89
PID 1080 wrote to memory of 4404	1080	chrome.exe	89
PID 1080 wrote to memory of 4404	1080	chrome.exe	89
PID 1080 wrote to memory of 4404	1080	chrome.exe	89
PID 1080 wrote to memory of 4404	1080	chrome.exe	89
PID 1080 wrote to memory of 4404	1080	chrome.exe	89
PID 1080 wrote to memory of 4404	1080	chrome.exe	89
PID 1080 wrote to memory of 4404	1080	chrome.exe	89
PID 1080 wrote to memory of 4404	1080	chrome.exe	89
PID 1080 wrote to memory of 4404	1080	chrome.exe	89
PID 1080 wrote to memory of 4404	1080	chrome.exe	89
PID 1080 wrote to memory of 4404	1080	chrome.exe	89
PID 1080 wrote to memory of 4404	1080	chrome.exe	89
PID 1080 wrote to memory of 4404	1080	chrome.exe	89
PID 1080 wrote to memory of 4404	1080	chrome.exe	89
PID 1080 wrote to memory of 4404	1080	chrome.exe	89
PID 1080 wrote to memory of 4404	1080	chrome.exe	89
PID 1080 wrote to memory of 4404	1080	chrome.exe	89
PID 1080 wrote to memory of 4404	1080	chrome.exe	89
PID 1080 wrote to memory of 4404	1080	chrome.exe	89
PID 1080 wrote to memory of 4404	1080	chrome.exe	89
PID 1080 wrote to memory of 4404	1080	chrome.exe	89
PID 1080 wrote to memory of 2464	1080	chrome.exe	90
PID 1080 wrote to memory of 2464	1080	chrome.exe	90
PID 1080 wrote to memory of 8	1080	chrome.exe	91
PID 1080 wrote to memory of 8	1080	chrome.exe	91
PID 1080 wrote to memory of 8	1080	chrome.exe	91
PID 1080 wrote to memory of 8	1080	chrome.exe	91
PID 1080 wrote to memory of 8	1080	chrome.exe	91
PID 1080 wrote to memory of 8	1080	chrome.exe	91
PID 1080 wrote to memory of 8	1080	chrome.exe	91
PID 1080 wrote to memory of 8	1080	chrome.exe	91
PID 1080 wrote to memory of 8	1080	chrome.exe	91
PID 1080 wrote to memory of 8	1080	chrome.exe	91
PID 1080 wrote to memory of 8	1080	chrome.exe	91
PID 1080 wrote to memory of 8	1080	chrome.exe	91
PID 1080 wrote to memory of 8	1080	chrome.exe	91
PID 1080 wrote to memory of 8	1080	chrome.exe	91
PID 1080 wrote to memory of 8	1080	chrome.exe	91
PID 1080 wrote to memory of 8	1080	chrome.exe	91
PID 1080 wrote to memory of 8	1080	chrome.exe	91
PID 1080 wrote to memory of 8	1080	chrome.exe	91
PID 1080 wrote to memory of 8	1080	chrome.exe	91
PID 1080 wrote to memory of 8	1080	chrome.exe	91
PID 1080 wrote to memory of 8	1080	chrome.exe	91
PID 1080 wrote to memory of 8	1080	chrome.exe	91
PID 1080 wrote to memory of 8	1080	chrome.exe	91
PID 1080 wrote to memory of 8	1080	chrome.exe	91
PID 1080 wrote to memory of 8	1080	chrome.exe	91
PID 1080 wrote to memory of 8	1080	chrome.exe	91
PID 1080 wrote to memory of 8	1080	chrome.exe	91
PID 1080 wrote to memory of 8	1080	chrome.exe	91

C:\Users\Admin\AppData\Local\Temp\Client-built.exe
"C:\Users\Admin\AppData\Local\Temp\Client-built.exe"
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:4360

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe"
1⤵
- Drops file in Windows directory
- Enumerates system info in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:1080
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=123.0.6312.123 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7fff9b91cc40,0x7fff9b91cc4c,0x7fff9b91cc58
  2⤵
  PID:1240
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --no-appcompat-clear --gpu-preferences=WAAAAAAAAADgAAAMAAAAAAAAAAAAAAAAAABgAAEAAAA4AAAAAAAAAAAAAAAEAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAGAAAAAAAAAAYAAAAAAAAAAgAAAAAAAAACAAAAAAAAAAIAAAAAAAAAA== --field-trial-handle=1780,i,12230971965520645113,17081703286040229457,262144 --variations-seed-version=20240802-050153.822000 --mojo-platform-channel-handle=1772 /prefetch:2
  2⤵
  PID:4404
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=2028,i,12230971965520645113,17081703286040229457,262144 --variations-seed-version=20240802-050153.822000 --mojo-platform-channel-handle=2108 /prefetch:3
  2⤵
  PID:2464
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=2184,i,12230971965520645113,17081703286040229457,262144 --variations-seed-version=20240802-050153.822000 --mojo-platform-channel-handle=2160 /prefetch:8
  2⤵
  PID:8
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --field-trial-handle=3088,i,12230971965520645113,17081703286040229457,262144 --variations-seed-version=20240802-050153.822000 --mojo-platform-channel-handle=3236 /prefetch:1
  2⤵
  PID:2092
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --field-trial-handle=3140,i,12230971965520645113,17081703286040229457,262144 --variations-seed-version=20240802-050153.822000 --mojo-platform-channel-handle=3264 /prefetch:1
  2⤵
  PID:5000
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --field-trial-handle=4548,i,12230971965520645113,17081703286040229457,262144 --variations-seed-version=20240802-050153.822000 --mojo-platform-channel-handle=4512 /prefetch:1
  2⤵
  PID:104
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --field-trial-handle=4324,i,12230971965520645113,17081703286040229457,262144 --variations-seed-version=20240802-050153.822000 --mojo-platform-channel-handle=4348 /prefetch:1
  2⤵
  PID:1020

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:3356
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=123.0.6312.123 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7fff9b91cc40,0x7fff9b91cc4c,0x7fff9b91cc58
  2⤵
  PID:2740

C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe"
1⤵
PID:3828

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Browser Information Discovery

T1217

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad\settings.dat

Filesize
40B

MD5
f7ade43dd0f2b39855de94f079d712c8

SHA1
2b7078487d6103bccb92059c0613ffe0006e3fe9

SHA256
f235e48b4358d99b1561635b6ef09503efa3b6e3210786cb0d944652f12dccaf

SHA512
5e416b10ee785f2e378ecf1f1196328b56d70764e841a68119ea592d5205dddcf0be9cb9f52e80489bc8ac620ac32d479d07e2f7f234550f9ff7a43f0ce7d3ed

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Cache\Cache_Data\f_000001

Filesize
209KB

MD5
3e552d017d45f8fd93b94cfc86f842f2

SHA1
dbeebe83854328e2575ff67259e3fb6704b17a47

SHA256
27d9c4613df7a3c04da0b79c13217aa69992b441acb7e44bf2a7578ca87d97d6

SHA512
e616436f2f15615429c7c5c37de3990c3e86c5e1da7d75a0f524fc458b75d44a5be1a3648a628d63e1cf8aa062e08b538f2f2bc9c6a0b42157beb24f82c571d9

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
192B

MD5
d6e75cf01ca0c1074524520bdab1e72b

SHA1
f723fdfe048e6686f20dfce8d8208157012d3a4a

SHA256
34ca6f228f280fc56cbc4722f9a890c505d2fdd1128642f1b649b411eeb788c5

SHA512
447669ffe3df88971c77faa4e1158b845a0e990b9e0e4d85ce103c70b6dff2acdd791788d47841cd7ae7fb723b21478b01b9e5e627e2d8881aefcacaee8a2aef

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State

Filesize
2KB

MD5
8a7a537922fdafbf6690b1bf5368252c

SHA1
23e5d47c3adef0191691c468d55df0476c397e9e

SHA256
ace493863f841ef7036a755ed332a6da08002ab26ee1760de71e4126220f0133

SHA512
5da125490b0d229fcaa301b1bdd6a5d445f16a0383b1f76cd3c1f2ce089c6a13df2d9b29cc911e99bfd385902ad5658a2eb61b2d94d8f877ccbe83821d123bdd

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\SCT Auditing Pending Reports

Filesize
2B

MD5
d751713988987e9331980363e24189ce

SHA1
97d170e1550eee4afc0af065b78cda302a97674c

SHA256
4f53cda18c2baa0c0354bb5f9a3ecbe5ed12ab4d8e11ba873c2f11161202b945

SHA512
b25b294cb4deb69ea00a4c3cf3113904801b6015e5956bd019a8570b1fe1d6040e944ef3cdee16d0a46503ca6e659a25f21cf9ceddc13f352a3c98138c15d6af

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
356B

MD5
4e9f95971cafa4795de0fe3362813451

SHA1
8853a120a5df9d7cfe8e83d76c68b2fa624e31f0

SHA256
94c04ee2ab252f5ee08b92b1e51c3f0664d3dbf3849d875a80c79f5a2a8ac907

SHA512
e3f078d51e47e592dfef02a20e5615ff4a74f749da6833465270a7843ef20af7593f4627866e8c33c1a9939b1fb21fd14bff20deacfbd53376505a94b991e6fe

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
e2944a7a60939ec2a433557cf97b76a9

SHA1
00432c2da3c02c48f76875aa413a52d1b5cefa4d

SHA256
82c2f799768b004543e9f1a2105620aab9144ea756874f5f090d1ed65d36e0ec

SHA512
e9537a21129755be91fb61be147e4fc0565b8fd8781a9be5e8a5684fb4bc4723025df44d10c06abb7a1c154d0571695b2b589d5de7866395d658c868c0c174b7

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
100KB

MD5
a6e5886ac4e110cfea3aa4a7f8bde3f2

SHA1
0e0be414a79e0fd9a86be15fc09def46314f8139

SHA256
41d056560981a6509b57632c0d5604b6ef9f7159d4fd9a29a320250ee5199de7

SHA512
36ce0c280463f658bbb4a4bb91c06b24f10f45ab0a1901b49cb32f9b0b63ac0d7da7be485d934eddc5354af96650d36d611ca1eab47f1dce96df947fcff0f9e0

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\ShaderCache\data_1

Filesize
264KB

MD5
f50f89a0a91564d0b8a211f8921aa7de

SHA1
112403a17dd69d5b9018b8cede023cb3b54eab7d

SHA256
b1e963d702392fb7224786e7d56d43973e9b9efd1b89c17814d7c558ffc0cdec

SHA512
bf8cda48cf1ec4e73f0dd1d4fa5562af1836120214edb74957430cd3e4a2783e801fa3f4ed2afb375257caeed4abe958265237d6e0aacf35a9ede7a2e8898d58

Download Submit
memory/4360-5-0x00007FFF89A30000-0x00007FFF8A4F2000-memory.dmp

Filesize
10.8MB

Download
memory/4360-4-0x00000222B9A10000-0x00000222B9F38000-memory.dmp

Filesize
5.2MB

Download
memory/4360-3-0x00007FFF89A30000-0x00007FFF8A4F2000-memory.dmp

Filesize
10.8MB

Download
memory/4360-0-0x000002229DF70000-0x000002229DF88000-memory.dmp

Filesize
96KB

Download
memory/4360-2-0x00000222B8640000-0x00000222B8802000-memory.dmp

Filesize
1.8MB

Download
memory/4360-1-0x00007FFF89A33000-0x00007FFF89A35000-memory.dmp

Filesize
8KB

Download