Overview

overview

10

Static

static

10

Client-built.exe

windows7-x64

10

Client-built.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    149s
  • max time network
    131s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240802-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
  • submitted
    15-08-2024 12:04

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    Client-built.exe

  • Size

    78KB

  • MD5

    8156ccc10bc5c1f7ba69b450863f80b6

  • SHA1

    93d4dc689026e4ae3f90436b4761d3cf5e5e9ac8

  • SHA256

    3df56b170bc3939db11caf42589764b2fc4665378bf3167680a32ae09fc4928b

  • SHA512

    9ea925180774e406a6ef514e61950b1361fb917b47810f6b13c0330cb8167a62060b74dfc64206daeec8ac00dff3cdbdd55cebdc6ba14bb8e11d715e67665004

  • SSDEEP

    1536:52WjO8XeEXFh5P7v88wbjNrfxCXhRoKV6+V+yPIC:5Zv5PDwbjNrmAE++IC

Score
10/10
discordratpersistenceratrootkitstealer

Malware Config

Extracted

Family

discordrat

Attributes
  • discord_token

    MTI3MzYxMjMzOTIzMjM3NDgxNQ.GQcb7R.nEBZJ0-xqAtaQmaz1po2HsTsPCGl9hphGbXGvo

  • server_id

    1273612222693642371

Signatures

  • Discord RAT

    A RAT written in C# using Discord as a C2.

    stealerrootkitratpersistencediscordrat
  • Checks SCSI registry key(s) 3 TTPs 3 IoCs

    SCSI information is often read in order to detect sandboxing environments.

  • Modifies registry class 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious behavior: GetForegroundWindowSpam 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 5 IoCs
  • Suspicious use of FindShellTrayWindow 64 IoCs
  • Suspicious use of SendNotifyMessage 64 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\Client-built.exe
    "C:\Users\Admin\AppData\Local\Temp\Client-built.exe"
    1⤵
    • Suspicious use of AdjustPrivilegeToken
    PID:3516
  • C:\Windows\System32\svchost.exe
    C:\Windows\System32\svchost.exe -k UnistackSvcGroup
    1⤵
    • Suspicious use of AdjustPrivilegeToken
    PID:4612
  • C:\Windows\system32\taskmgr.exe
    "C:\Windows\system32\taskmgr.exe" /7
    1⤵
    • Checks SCSI registry key(s)
    • Modifies registry class
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious behavior: GetForegroundWindowSpam
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of FindShellTrayWindow
    • Suspicious use of SendNotifyMessage
    PID:3100
  • C:\Windows\System32\rundll32.exe
    C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
    1⤵
      PID:1776

    Network

    MITRE ATT&CK Enterprise v15

    Replay Monitor

    Loading Replay Monitor...

    Downloads

    • C:\Users\Admin\AppData\Local\Comms\UnistoreDB\store.jfm
      Filesize

      16KB

      MD5

      c712ca1d2f714b97b0c33fdd76da562c

      SHA1

      f6dae5e4ba9eef6ca5c778f596db611659d2d57c

      SHA256

      f13f73a7b65bc068cdfe35d222b782b8606b857dd6796216a0081141bc65dcf0

      SHA512

      f874f9bda5dbb481f9175c164bef34b4eb9575f604ba9b164ed25a14be982c19e487d535fb4495da70e7d5eb42ca118339fc69055cf8277ca7f6c13d15c4725d

      Download Submit

    • memory/3100-77-0x0000025422750000-0x0000025422751000-memory.dmp

      Filesize

      4KB

      Download

    • memory/3100-84-0x0000025422750000-0x0000025422751000-memory.dmp

      Filesize

      4KB

      Download

    • memory/3100-75-0x0000025422750000-0x0000025422751000-memory.dmp

      Filesize

      4KB

      Download

    • memory/3100-76-0x0000025422750000-0x0000025422751000-memory.dmp

      Filesize

      4KB

      Download

    • memory/3100-86-0x0000025422750000-0x0000025422751000-memory.dmp

      Filesize

      4KB

      Download

    • memory/3100-83-0x0000025422750000-0x0000025422751000-memory.dmp

      Filesize

      4KB

      Download

    • memory/3100-81-0x0000025422750000-0x0000025422751000-memory.dmp

      Filesize

      4KB

      Download

    • memory/3100-85-0x0000025422750000-0x0000025422751000-memory.dmp

      Filesize

      4KB

      Download

    • memory/3100-82-0x0000025422750000-0x0000025422751000-memory.dmp

      Filesize

      4KB

      Download

    • memory/3100-87-0x0000025422750000-0x0000025422751000-memory.dmp

      Filesize

      4KB

      Download

    • memory/3516-2-0x0000023D3F830000-0x0000023D3F9F2000-memory.dmp

      Filesize

      1.8MB

      Download

    • memory/3516-1-0x0000023D251C0000-0x0000023D251D8000-memory.dmp

      Filesize

      96KB

      Download

    • memory/3516-4-0x0000023D40030000-0x0000023D40558000-memory.dmp

      Filesize

      5.2MB

      Download

    • memory/3516-3-0x00007FFCD1980000-0x00007FFCD2441000-memory.dmp

      Filesize

      10.8MB

      Download

    • memory/3516-74-0x00007FFCD1980000-0x00007FFCD2441000-memory.dmp

      Filesize

      10.8MB

      Download

    • memory/3516-0-0x00007FFCD1983000-0x00007FFCD1985000-memory.dmp

      Filesize

      8KB

      Download

    • memory/4612-48-0x0000025CD17A0000-0x0000025CD17A1000-memory.dmp

      Filesize

      4KB

      Download

    • memory/4612-45-0x0000025CD1B80000-0x0000025CD1B81000-memory.dmp

      Filesize

      4KB

      Download

    • memory/4612-49-0x0000025CD1790000-0x0000025CD1791000-memory.dmp

      Filesize

      4KB

      Download

    • memory/4612-51-0x0000025CD17A0000-0x0000025CD17A1000-memory.dmp

      Filesize

      4KB

      Download

    • memory/4612-54-0x0000025CD1790000-0x0000025CD1791000-memory.dmp

      Filesize

      4KB

      Download

    • memory/4612-57-0x0000025CD16D0000-0x0000025CD16D1000-memory.dmp

      Filesize

      4KB

      Download

    • memory/4612-46-0x0000025CD1B80000-0x0000025CD1B81000-memory.dmp

      Filesize

      4KB

      Download

    • memory/4612-69-0x0000025CD18D0000-0x0000025CD18D1000-memory.dmp

      Filesize

      4KB

      Download

    • memory/4612-71-0x0000025CD18E0000-0x0000025CD18E1000-memory.dmp

      Filesize

      4KB

      Download

    • memory/4612-72-0x0000025CD18E0000-0x0000025CD18E1000-memory.dmp

      Filesize

      4KB

      Download

    • memory/4612-73-0x0000025CD19F0000-0x0000025CD19F1000-memory.dmp

      Filesize

      4KB

      Download

    • memory/4612-47-0x0000025CD1B80000-0x0000025CD1B81000-memory.dmp

      Filesize

      4KB

      Download

    • memory/4612-44-0x0000025CD1B80000-0x0000025CD1B81000-memory.dmp

      Filesize

      4KB

      Download

    • memory/4612-43-0x0000025CD1B80000-0x0000025CD1B81000-memory.dmp

      Filesize

      4KB

      Download

    • memory/4612-42-0x0000025CD1B80000-0x0000025CD1B81000-memory.dmp

      Filesize

      4KB

      Download

    • memory/4612-41-0x0000025CD1B80000-0x0000025CD1B81000-memory.dmp

      Filesize

      4KB

      Download

    • memory/4612-40-0x0000025CD1B80000-0x0000025CD1B81000-memory.dmp

      Filesize

      4KB

      Download

    • memory/4612-39-0x0000025CD1B80000-0x0000025CD1B81000-memory.dmp

      Filesize

      4KB

      Download

    • memory/4612-38-0x0000025CD1B80000-0x0000025CD1B81000-memory.dmp

      Filesize

      4KB

      Download

    • memory/4612-37-0x0000025CD1B50000-0x0000025CD1B51000-memory.dmp

      Filesize

      4KB

      Download

    • memory/4612-5-0x0000025CC9460000-0x0000025CC9470000-memory.dmp

      Filesize

      64KB

      Download

    • memory/4612-21-0x0000025CC9560000-0x0000025CC9570000-memory.dmp

      Filesize

      64KB

      Download