Analysis Overview
SHA256: 37f79ef934775e7dbcd006be8c438435ffdd059ef4674cee8b988835f5ad2ae9
Threat Level: Known bad
The file Client-built.exe was found to be: Known bad.
Malicious Activity Summary
Discordrat family
Discord RAT
Unsigned PE
Suspicious use of AdjustPrivilegeToken
MITRE ATT&CK
Analysis: static1
Detonation Overview
Reported: 2024-09-05 11:33
Signatures
Discordrat family
Unsigned PE
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | N/A | N/A |
Analysis: behavioral1
Detonation Overview
Submitted: 2024-09-05 11:33
Reported: 2024-09-05 11:35
Platform: win11-20240802-en
Max time kernel: 123s
Max time network: 142s
Command Line
Signatures
Discord RAT
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
|---|---|---|---|
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\Client-built.exe | N/A |
Processes
C:\Users\Admin\AppData\Local\Temp\Client-built.exe
"C:\Users\Admin\AppData\Local\Temp\Client-built.exe"
C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
Network
| Country | Destination | Domain | Proto |
|---|---|---|---|
| US | 8.8.8.8:53 | gateway.discord.gg | udp |
| US | 162.159.136.234:443 | gateway.discord.gg | tcp |
| US | 8.8.8.8:53 | 234.136.159.162.in-addr.arpa | udp |
| GB | 104.86.110.96:443 | | tcp |
| GB | 88.221.134.2:443 | r.bing.com | tcp |
| GB | 88.221.134.2:443 | r.bing.com | tcp |
| GB | 88.221.134.2:443 | r.bing.com | tcp |
| GB | 88.221.134.2:443 | r.bing.com | tcp |
| GB | 88.221.134.2:443 | r.bing.com | tcp |
| GB | 88.221.134.2:443 | r.bing.com | tcp |
Files
memory/3532-0-0x00007FF905F93000-0x00007FF905F95000-memory.dmp
memory/3532-1-0x000001BD31C60000-0x000001BD31C78000-memory.dmp
memory/3532-2-0x000001BD4C2E0000-0x000001BD4C4A2000-memory.dmp
memory/3532-3-0x00007FF905F90000-0x00007FF906A52000-memory.dmp
memory/3532-4-0x000001BD4D5B0000-0x000001BD4DAD8000-memory.dmp
memory/3532-5-0x00007FF905F93000-0x00007FF905F95000-memory.dmp
memory/3532-6-0x00007FF905F90000-0x00007FF906A52000-memory.dmp
Analysis: behavioral2
Detonation Overview
Submitted: 2024-09-05 11:33
Reported: 2024-09-05 11:35
Platform: macos-20240711.1-en
Max time kernel: 92s
Max time network: 125s
Command Line
Signatures
Processes
/bin/sh
[sh -c sudo /bin/zsh -c "/Users/run/Client-built.exe"]
/bin/bash
[sh -c sudo /bin/zsh -c "/Users/run/Client-built.exe"]
/usr/bin/sudo
[sudo /bin/zsh -c /Users/run/Client-built.exe]
/bin/zsh
[/bin/zsh -c /Users/run/Client-built.exe]
/Users/run/Client-built.exe
[/Users/run/Client-built.exe]
/bin/launchctl
[/bin/launchctl kill SIGTERM system/com.microsoft.OneDriveUpdaterDaemon]
/bin/launchctl
[/bin/launchctl kill SIGTERM system/com.microsoft.OneDriveStandaloneUpdaterDaemon]
/usr/libexec/xpcproxy
[xpcproxy com.apple.corespotlightservice.725FD30A-6064-6C02-CC51-5DDB8891B57E]
/System/Library/Frameworks/CoreSpotlight.framework/CoreSpotlightService
[/System/Library/Frameworks/CoreSpotlight.framework/CoreSpotlightService]
Network
| Country | Destination | Domain | Proto |
|---|---|---|---|
| US | 8.8.8.8:53 | 35-courier.push.apple.com | udp |
| GB | 17.250.81.67:443 | | tcp |
| GB | 17.253.77.201:80 | valid.apple.com | tcp |
| US | 8.8.8.8:53 | cds.apple.com | udp |
| GB | 104.103.245.125:443 | cds.apple.com | tcp |
| GB | 17.253.77.201:80 | valid.apple.com | tcp |
| US | 8.8.8.8:53 | help.apple.com | udp |
| GB | 2.18.109.84:443 | help.apple.com | tcp |
| GB | 2.18.109.84:443 | help.apple.com | tcp |
| N/A | 224.0.0.251:5353 | | udp |