Overview

overview

10

Static

static

10

Client-built.exe

windows10-2004-x64

10

Resubmissions

03-09-2024 14:42

240903-r2zgxs1bpc 10

03-09-2024 14:38

240903-rzvqyszarr 10

Analysis

  • max time kernel
    299s
  • max time network
    193s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240802-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
  • submitted
    03-09-2024 14:42

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    Client-built.exe

  • Size

    78KB

  • MD5

    51fb0b8fd09f1011e3e049c86d08c94a

  • SHA1

    4fb4616ad94fccb2aa2991520d32f19b3b72a59f

  • SHA256

    408f0f6aeea0e955ae90664a025a53943c15387d7543c2071233c55837406dd5

  • SHA512

    1f71e4300c5afc50e2c859bde953da25ff3490680fee81c07a176aecadb0bb2a1cdf3840e77d78f75cf6195e089365789631783c5ab7dc6067d7bb470877c1bd

  • SSDEEP

    1536:52WjO8XeEXFh5P7v88wbjNrfxCXhRoKV6+V+5PIC:5Zv5PDwbjNrmAE+JIC

Score
10/10
discordratpersistenceratrootkitstealer

Malware Config

Extracted

Family

discordrat

Attributes
  • discord_token

    MTI4MDUzMjExMjIyMjU4ODk3OA.GY5-Aq.aEjcBIZFVoow9YiOolcbOLThpN78hMzm_mea_s

  • server_id

    1255189717742256160

Signatures

  • Discord RAT

    A RAT written in C# using Discord as a C2.

    stealerrootkitratpersistencediscordrat
  • Checks SCSI registry key(s) 3 TTPs 3 IoCs

    SCSI information is often read in order to detect sandboxing environments.

  • Modifies registry class 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious behavior: GetForegroundWindowSpam 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 6 IoCs
  • Suspicious use of FindShellTrayWindow 64 IoCs
  • Suspicious use of SendNotifyMessage 64 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\Client-built.exe
    "C:\Users\Admin\AppData\Local\Temp\Client-built.exe"
    1⤵
    • Suspicious use of AdjustPrivilegeToken
    PID:2388
  • C:\Windows\system32\taskmgr.exe
    "C:\Windows\system32\taskmgr.exe" /4
    1⤵
    • Checks SCSI registry key(s)
    • Modifies registry class
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious behavior: GetForegroundWindowSpam
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of FindShellTrayWindow
    • Suspicious use of SendNotifyMessage
    PID:1932
  • C:\Windows\System32\rundll32.exe
    C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
    1⤵
      PID:4904
    • C:\Users\Admin\AppData\Local\Temp\Client-built.exe
      "C:\Users\Admin\AppData\Local\Temp\Client-built.exe"
      1⤵
      • Suspicious use of AdjustPrivilegeToken
      PID:532
    • C:\Users\Admin\AppData\Local\Temp\Client-built.exe
      "C:\Users\Admin\AppData\Local\Temp\Client-built.exe"
      1⤵
      • Suspicious use of AdjustPrivilegeToken
      PID:4368

    Network

    MITRE ATT&CK Enterprise v15

    Replay Monitor

    Loading Replay Monitor...

    Downloads

    • memory/1932-17-0x0000027B5EA00000-0x0000027B5EA01000-memory.dmp

      Filesize

      4KB

      Download

    • memory/1932-18-0x0000027B5EA00000-0x0000027B5EA01000-memory.dmp

      Filesize

      4KB

      Download

    • memory/1932-9-0x0000027B5EA00000-0x0000027B5EA01000-memory.dmp

      Filesize

      4KB

      Download

    • memory/1932-19-0x0000027B5EA00000-0x0000027B5EA01000-memory.dmp

      Filesize

      4KB

      Download

    • memory/1932-8-0x0000027B5EA00000-0x0000027B5EA01000-memory.dmp

      Filesize

      4KB

      Download

    • memory/1932-13-0x0000027B5EA00000-0x0000027B5EA01000-memory.dmp

      Filesize

      4KB

      Download

    • memory/1932-14-0x0000027B5EA00000-0x0000027B5EA01000-memory.dmp

      Filesize

      4KB

      Download

    • memory/1932-7-0x0000027B5EA00000-0x0000027B5EA01000-memory.dmp

      Filesize

      4KB

      Download

    • memory/1932-15-0x0000027B5EA00000-0x0000027B5EA01000-memory.dmp

      Filesize

      4KB

      Download

    • memory/1932-16-0x0000027B5EA00000-0x0000027B5EA01000-memory.dmp

      Filesize

      4KB

      Download

    • memory/2388-5-0x00007FF8A23E3000-0x00007FF8A23E5000-memory.dmp

      Filesize

      8KB

      Download

    • memory/2388-3-0x00007FF8A23E0000-0x00007FF8A2EA1000-memory.dmp

      Filesize

      10.8MB

      Download

    • memory/2388-0-0x00007FF8A23E3000-0x00007FF8A23E5000-memory.dmp

      Filesize

      8KB

      Download

    • memory/2388-2-0x0000018CDFB20000-0x0000018CDFCE2000-memory.dmp

      Filesize

      1.8MB

      Download

    • memory/2388-20-0x00007FF8A23E0000-0x00007FF8A2EA1000-memory.dmp

      Filesize

      10.8MB

      Download

    • memory/2388-6-0x00007FF8A23E0000-0x00007FF8A2EA1000-memory.dmp

      Filesize

      10.8MB

      Download

    • memory/2388-1-0x0000018CC5540000-0x0000018CC5558000-memory.dmp

      Filesize

      96KB

      Download

    • memory/2388-4-0x0000018CE0320000-0x0000018CE0848000-memory.dmp

      Filesize

      5.2MB

      Download