Malware Analysis Report

2024-11-16 13:03

Sample ID 240909-145w6avdnb
Target dnlib.zip
SHA256 3b145171ad5c03f113a4d44eaae4406ef098c0436cc2b6df5523c0e1b2963de2
Tags
discordrat persistence rat rootkit stealer discovery
score
10/10

Analysis Overview

score
10/10

SHA256

3b145171ad5c03f113a4d44eaae4406ef098c0436cc2b6df5523c0e1b2963de2

Threat Level: Known bad

The file dnlib.zip was found to be: Known bad.

Malicious Activity Summary

discordrat persistence rat rootkit stealer discovery

Discordrat family

Discord RAT

Unsigned PE

System Location Discovery: System Language Discovery

Suspicious use of AdjustPrivilegeToken

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-09-09 22:13

Signatures

Discordrat family

discordrat

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-09-09 22:13

Reported

2024-09-09 22:13

Platform

win11-20240802-en

Max time kernel

10s

Max time network

6s

Command Line

"C:\Users\Admin\AppData\Local\Temp\Client-built.exe"

Signatures

Discord RAT

stealer rootkit rat persistence discordrat

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\Client-built.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\Client-built.exe

"C:\Users\Admin\AppData\Local\Temp\Client-built.exe"

Network

Country Destination Domain Proto
US 8.8.8.8:53 gateway.discord.gg udp
US 8.8.8.8:53 8.8.8.8.in-addr.arpa udp
US 162.159.133.234:443 gateway.discord.gg tcp
US 8.8.8.8:53 234.133.159.162.in-addr.arpa udp

Files

memory/3608-0-0x00007FFF2CCD3000-0x00007FFF2CCD5000-memory.dmp

memory/3608-1-0x0000020BAD6E0000-0x0000020BAD6F8000-memory.dmp

memory/3608-2-0x0000020BC7E10000-0x0000020BC7FD2000-memory.dmp

memory/3608-3-0x00007FFF2CCD0000-0x00007FFF2D792000-memory.dmp

memory/3608-4-0x0000020BC9090000-0x0000020BC95B8000-memory.dmp

memory/3608-5-0x00007FFF2CCD3000-0x00007FFF2CCD5000-memory.dmp

memory/3608-6-0x00007FFF2CCD0000-0x00007FFF2D792000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted

2024-09-09 22:13

Reported

2024-09-09 22:15

Platform

win11-20240802-en

Max time kernel

147s

Max time network

152s

Command Line

"C:\Users\Admin\AppData\Local\Temp\Release\Discord rat.exe"

Signatures

Discord RAT

stealer rootkit rat persistence discordrat

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\Release\Discord rat.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\Release\Discord rat.exe

"C:\Users\Admin\AppData\Local\Temp\Release\Discord rat.exe"

Network

Country Destination Domain Proto
US 8.8.8.8:53 gateway.discord.gg udp
US 8.8.8.8:53 8.8.8.8.in-addr.arpa udp
US 162.159.135.234:443 gateway.discord.gg tcp

Files

memory/1848-0-0x00007FFD38193000-0x00007FFD38195000-memory.dmp

memory/1848-1-0x000001BE4BCB0000-0x000001BE4BCC8000-memory.dmp

memory/1848-2-0x000001BE66410000-0x000001BE665D2000-memory.dmp

memory/1848-3-0x00007FFD38190000-0x00007FFD38C52000-memory.dmp

memory/1848-4-0x000001BE67690000-0x000001BE67BB8000-memory.dmp

memory/1848-5-0x00007FFD38193000-0x00007FFD38195000-memory.dmp

memory/1848-6-0x00007FFD38190000-0x00007FFD38C52000-memory.dmp

Analysis: behavioral3

Detonation Overview

Submitted

2024-09-09 22:13

Reported

2024-09-09 22:15

Platform

win11-20240802-en

Max time kernel

139s

Max time network

95s

Command Line

"C:\Users\Admin\AppData\Local\Temp\builder.exe"

Signatures

System Location Discovery: System Language Discovery

discovery

Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\builder.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\builder.exe

"C:\Users\Admin\AppData\Local\Temp\builder.exe"

Network

Country Destination Domain Proto
US 8.8.8.8:53 13.227.111.52.in-addr.arpa udp

Files

memory/3224-0-0x0000000074B9E000-0x0000000074B9F000-memory.dmp

memory/3224-1-0x00000000001B0000-0x00000000001B8000-memory.dmp

memory/3224-2-0x0000000005220000-0x00000000057C6000-memory.dmp

memory/3224-3-0x0000000004C70000-0x0000000004D02000-memory.dmp

memory/3224-4-0x0000000004E10000-0x0000000004E1A000-memory.dmp

memory/3224-5-0x0000000074B90000-0x0000000075341000-memory.dmp

memory/3224-6-0x0000000074B9E000-0x0000000074B9F000-memory.dmp

memory/3224-7-0x0000000074B90000-0x0000000075341000-memory.dmp

Analysis: behavioral4

Detonation Overview

Submitted

2024-09-09 22:13

Reported

2024-09-09 22:15

Platform

win11-20240802-en

Max time kernel

94s

Max time network

98s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\dnlib.dll,#1

Signatures

N/A

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\dnlib.dll,#1

Network

Country Destination Domain Proto
US 8.8.8.8:53 8.8.8.8.in-addr.arpa udp

Files

N/A