Analysis Overview
SHA256
c13a0cd7c2c2fd577703bff026b72ed81b51266afa047328c8ff1c4a4d965c97
Threat Level: Known bad
The file release.zip was found to be: Known bad.
Malicious Activity Summary
Discord RAT
Discordrat family
Executes dropped EXE
Unsigned PE
System Location Discovery: System Language Discovery
Suspicious use of AdjustPrivilegeToken
Suspicious use of FindShellTrayWindow
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2024-09-06 15:10
Signatures
Discordrat family
Unsigned PE
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | N/A | N/A |
Analysis: behavioral1
Detonation Overview
Submitted
2024-09-06 15:10
Reported
2024-09-06 15:11
Platform
win10v2004-20240802-en
Max time kernel
45s
Max time network
55s
Command Line
Signatures
Discord RAT
Executes dropped EXE
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Users\Admin\Desktop\release\Client-built.exe | N/A |
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\Desktop\release\builder.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\Desktop\release\Client-built.exe | N/A |
Suspicious use of FindShellTrayWindow
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Users\Admin\Desktop\release\builder.exe | N/A |
Processes
C:\Windows\Explorer.exe
C:\Windows\Explorer.exe /idlist,,C:\Users\Admin\AppData\Local\Temp\release.zip
C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
C:\Users\Admin\Desktop\release\builder.exe
"C:\Users\Admin\Desktop\release\builder.exe"
C:\Users\Admin\Desktop\release\Client-built.exe
"C:\Users\Admin\Desktop\release\Client-built.exe"
Network
| Country | Destination | Domain | Proto |
| --- | --- | --- | --- |
| US | 8.8.8.8:53 | 228.249.119.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 133.32.126.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 209.205.72.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 104.219.191.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 183.59.114.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 171.39.242.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | gateway.discord.gg | udp |
| US | 162.159.135.234:443 | gateway.discord.gg | tcp |
| US | 8.8.8.8:53 | 234.135.159.162.in-addr.arpa | udp |
Files
C:\Users\Admin\Desktop\release\Client-built.exe
| Hash | Value |
| --- | --- |
| MD5 | 9bde8fc3432cda1e916c2ff439a0137e |
| SHA1 | 425624a8329f7433abbfacac824c39a7f5ef9d3e |
| SHA256 | 60fa65f2377ad6fc21a765d39cc5d433539ca98718129fbffb12b7da43099883 |
| SHA512 | cf944136987000b4a0b5102492abddf689c8e0fc8b84f66910ec6957ae0d4b60c3b8d23f9aae3bd0f0b10cbfccffbce1e5c8183f709f93fcc1b069d91e988e04 |