Malware Analysis Report

2024-11-16 13:02

Sample ID 240905-nnxvdszhpa
Target Client-built.exe
SHA256 37f79ef934775e7dbcd006be8c438435ffdd059ef4674cee8b988835f5ad2ae9
Tags
discordrat persistence rat rootkit stealer
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

37f79ef934775e7dbcd006be8c438435ffdd059ef4674cee8b988835f5ad2ae9

Threat Level: Known bad

The file Client-built.exe was found to be: Known bad.

Malicious Activity Summary

discordrat persistence rat rootkit stealer

Discordrat family

Discord RAT

Unsigned PE

Suspicious use of AdjustPrivilegeToken

MITRE ATT&CK

N/A

Analysis: static1

Detonation Overview

Reported

2024-09-05 11:33

Signatures

Discordrat family

discordrat

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-09-05 11:33

Reported

2024-09-05 11:35

Platform

win11-20240802-en

Max time kernel

123s

Max time network

142s

Command Line

"C:\Users\Admin\AppData\Local\Temp\Client-built.exe"

Signatures

Discord RAT

stealer rootkit rat persistence discordrat

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\Client-built.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\Client-built.exe

"C:\Users\Admin\AppData\Local\Temp\Client-built.exe"

C:\Windows\System32\rundll32.exe

C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding

Network

Country Destination Domain Proto
US 8.8.8.8:53 gateway.discord.gg udp
US 162.159.136.234:443 gateway.discord.gg tcp
US 8.8.8.8:53 234.136.159.162.in-addr.arpa udp
GB 104.86.110.96:443 tcp
GB 88.221.134.2:443 r.bing.com tcp
GB 88.221.134.2:443 r.bing.com tcp
GB 88.221.134.2:443 r.bing.com tcp
GB 88.221.134.2:443 r.bing.com tcp
GB 88.221.134.2:443 r.bing.com tcp
GB 88.221.134.2:443 r.bing.com tcp

Files

memory/3532-0-0x00007FF905F93000-0x00007FF905F95000-memory.dmp

memory/3532-1-0x000001BD31C60000-0x000001BD31C78000-memory.dmp

memory/3532-2-0x000001BD4C2E0000-0x000001BD4C4A2000-memory.dmp

memory/3532-3-0x00007FF905F90000-0x00007FF906A52000-memory.dmp

memory/3532-4-0x000001BD4D5B0000-0x000001BD4DAD8000-memory.dmp

memory/3532-5-0x00007FF905F93000-0x00007FF905F95000-memory.dmp

memory/3532-6-0x00007FF905F90000-0x00007FF906A52000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted

2024-09-05 11:33

Reported

2024-09-05 11:35

Platform

macos-20240711.1-en

Max time kernel

92s

Max time network

125s

Command Line

[sh -c sudo /bin/zsh -c "/Users/run/Client-built.exe"]

Signatures

N/A

Processes

/bin/sh

[sh -c sudo /bin/zsh -c "/Users/run/Client-built.exe"]

/bin/bash

[sh -c sudo /bin/zsh -c "/Users/run/Client-built.exe"]

/usr/bin/sudo

[sudo /bin/zsh -c /Users/run/Client-built.exe]

/bin/zsh

[/bin/zsh -c /Users/run/Client-built.exe]

/Users/run/Client-built.exe

[/Users/run/Client-built.exe]

/bin/launchctl

[/bin/launchctl kill SIGTERM system/com.microsoft.OneDriveUpdaterDaemon]

/bin/launchctl

[/bin/launchctl kill SIGTERM system/com.microsoft.OneDriveStandaloneUpdaterDaemon]

/usr/libexec/xpcproxy

[xpcproxy com.apple.corespotlightservice.725FD30A-6064-6C02-CC51-5DDB8891B57E]

/System/Library/Frameworks/CoreSpotlight.framework/CoreSpotlightService

[/System/Library/Frameworks/CoreSpotlight.framework/CoreSpotlightService]

Network

Country Destination Domain Proto
US 8.8.8.8:53 35-courier.push.apple.com udp
GB 17.250.81.67:443 tcp
GB 17.253.77.201:80 valid.apple.com tcp
US 8.8.8.8:53 cds.apple.com udp
GB 104.103.245.125:443 cds.apple.com tcp
GB 17.253.77.201:80 valid.apple.com tcp
US 8.8.8.8:53 help.apple.com udp
GB 2.18.109.84:443 help.apple.com tcp
GB 2.18.109.84:443 help.apple.com tcp
N/A 224.0.0.251:5353 udp

Files

N/A