discordrat | d07fab9f9877d6292ad8cb4de9fde55f86e702bb622c0d10ebfa93f4f1cb8664

Analysis

max time kernel
157s
max time network
159s
platform
windows11-21h2_x64
resource
win11-20240802-en
resource tags

arch:x64arch:x86image:win11-20240802-enlocale:en-usos:windows11-21h2-x64system
submitted
09-09-2024 22:29

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

Client-built.exe
Size

78KB
MD5

46408fe27686b8558668eb2e4804f780
SHA1

8673f873dcd9107f4ba65599e48274e59e492c68
SHA256

d07fab9f9877d6292ad8cb4de9fde55f86e702bb622c0d10ebfa93f4f1cb8664
SHA512

0906a14110a7b804e76f74dccde960e65634ea00825b2d0da7aef6fb07e7452ecd39182f877e54b05c3fc802ac186737b8ea22595abb617c2957e6eacdc79517
SSDEEP

1536:52WjO8XeEXFh5P7v88wbjNrfxCXhRoKV6+V+fPIC:5Zv5PDwbjNrmAE+nIC

Score

10^/10

discordrat defense_evasion persistence rat rootkit stealer

Malware Config

Extracted

Family

discordrat

Attributes

discord_token
MTI4MjgyNzA4MTIyMjE5NzI1OA.GMjoP6.vacI2P1p61WUHpyhg8BHvjL8CxlOzPywWrwJVg
server_id
1282683459751510098

Signatures

Discord RAT
A RAT written in C# using Discord as a C2.
stealer rootkit rat persistence discordrat

Suspicious use of NtCreateUserProcessOtherParentProcess 1 IoCs

description	pid	Process	procid_target
PID 2356 created 644	2356	Client-built.exe	5

Indicator Removal: Clear Windows Event Logs 1 TTPs 2 IoCs

Clear Windows Event Logs to hide the activity of an intrusion.

defense_evasion

Clear Windows Event Logs

T1070.001

description	ioc	Process
File opened for modification	C:\Windows\System32\Winevt\Logs\Microsoft-Windows-Security-Mitigations%4KernelMode.evtx	svchost.exe
File opened for modification	C:\Windows\System32\Winevt\Logs\Microsoft-Windows-Security-Mitigations%4UserMode.evtx	svchost.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs 11 IoCs

Web Service

T1102

flow	ioc
10	discord.com
1	raw.githubusercontent.com
2	discord.com
4	discord.com
6	discord.com
9	discord.com
1	discord.com
7	discord.com
8	discord.com
11	raw.githubusercontent.com
13	discord.com

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 2356 set thread context of 764	2356	Client-built.exe	78

Suspicious behavior: EnumeratesProcesses 34 IoCs

pid	Process
2356	Client-built.exe
764	dllhost.exe
764	dllhost.exe
764	dllhost.exe
764	dllhost.exe
764	dllhost.exe
764	dllhost.exe
764	dllhost.exe
2356	Client-built.exe
764	dllhost.exe
764	dllhost.exe
764	dllhost.exe
2356	Client-built.exe
764	dllhost.exe
764	dllhost.exe
764	dllhost.exe
764	dllhost.exe
764	dllhost.exe
764	dllhost.exe
764	dllhost.exe
764	dllhost.exe
764	dllhost.exe
764	dllhost.exe
764	dllhost.exe
764	dllhost.exe
2356	Client-built.exe
764	dllhost.exe
764	dllhost.exe
764	dllhost.exe
764	dllhost.exe
764	dllhost.exe
764	dllhost.exe
764	dllhost.exe
764	dllhost.exe

Suspicious use of AdjustPrivilegeToken 3 IoCs

description	pid	Process
Token: SeDebugPrivilege	2356	Client-built.exe
Token: SeDebugPrivilege	2356	Client-built.exe
Token: SeDebugPrivilege	764	dllhost.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2356 wrote to memory of 764	2356	Client-built.exe	78
PID 2356 wrote to memory of 764	2356	Client-built.exe	78
PID 2356 wrote to memory of 764	2356	Client-built.exe	78
PID 2356 wrote to memory of 764	2356	Client-built.exe	78
PID 2356 wrote to memory of 764	2356	Client-built.exe	78
PID 2356 wrote to memory of 764	2356	Client-built.exe	78
PID 2356 wrote to memory of 764	2356	Client-built.exe	78
PID 2356 wrote to memory of 764	2356	Client-built.exe	78
PID 2356 wrote to memory of 764	2356	Client-built.exe	78
PID 2356 wrote to memory of 764	2356	Client-built.exe	78
PID 2356 wrote to memory of 764	2356	Client-built.exe	78
PID 764 wrote to memory of 644	764	dllhost.exe	5
PID 764 wrote to memory of 692	764	dllhost.exe	7
PID 764 wrote to memory of 988	764	dllhost.exe	12
PID 764 wrote to memory of 468	764	dllhost.exe	13
PID 764 wrote to memory of 540	764	dllhost.exe	14
PID 764 wrote to memory of 1072	764	dllhost.exe	16
PID 764 wrote to memory of 1080	764	dllhost.exe	17
PID 764 wrote to memory of 1132	764	dllhost.exe	18
PID 764 wrote to memory of 1144	764	dllhost.exe	19
PID 764 wrote to memory of 1232	764	dllhost.exe	21
PID 764 wrote to memory of 1288	764	dllhost.exe	22
PID 764 wrote to memory of 1392	764	dllhost.exe	23
PID 764 wrote to memory of 1512	764	dllhost.exe	24
PID 764 wrote to memory of 1520	764	dllhost.exe	25
PID 764 wrote to memory of 1624	764	dllhost.exe	26
PID 764 wrote to memory of 1632	764	dllhost.exe	27
PID 764 wrote to memory of 1644	764	dllhost.exe	28
PID 764 wrote to memory of 1760	764	dllhost.exe	29
PID 764 wrote to memory of 1792	764	dllhost.exe	30
PID 764 wrote to memory of 1844	764	dllhost.exe	31
PID 764 wrote to memory of 1912	764	dllhost.exe	32
PID 764 wrote to memory of 2024	764	dllhost.exe	33
PID 764 wrote to memory of 2040	764	dllhost.exe	34
PID 764 wrote to memory of 1956	764	dllhost.exe	35
PID 764 wrote to memory of 1996	764	dllhost.exe	36
PID 764 wrote to memory of 2132	764	dllhost.exe	37
PID 764 wrote to memory of 2252	764	dllhost.exe	39
PID 764 wrote to memory of 2388	764	dllhost.exe	40
PID 764 wrote to memory of 2396	764	dllhost.exe	41
PID 764 wrote to memory of 2444	764	dllhost.exe	42
PID 764 wrote to memory of 2496	764	dllhost.exe	43
PID 764 wrote to memory of 2504	764	dllhost.exe	44
PID 764 wrote to memory of 2536	764	dllhost.exe	45
PID 764 wrote to memory of 2564	764	dllhost.exe	46
PID 764 wrote to memory of 2592	764	dllhost.exe	47
PID 764 wrote to memory of 2608	764	dllhost.exe	48
PID 764 wrote to memory of 3016	764	dllhost.exe	49
PID 764 wrote to memory of 3028	764	dllhost.exe	50
PID 764 wrote to memory of 3112	764	dllhost.exe	51
PID 764 wrote to memory of 3280	764	dllhost.exe	52
PID 764 wrote to memory of 3432	764	dllhost.exe	53
PID 764 wrote to memory of 3452	764	dllhost.exe	54
PID 764 wrote to memory of 3812	764	dllhost.exe	57
PID 764 wrote to memory of 3868	764	dllhost.exe	58
PID 764 wrote to memory of 3944	764	dllhost.exe	59
PID 764 wrote to memory of 3984	764	dllhost.exe	60
PID 764 wrote to memory of 4176	764	dllhost.exe	61
PID 764 wrote to memory of 4372	764	dllhost.exe	62
PID 764 wrote to memory of 5112	764	dllhost.exe	65
PID 764 wrote to memory of 4760	764	dllhost.exe	66
PID 764 wrote to memory of 3328	764	dllhost.exe	67
PID 764 wrote to memory of 2272	764	dllhost.exe	69
PID 764 wrote to memory of 4348	764	dllhost.exe	70

C:\Windows\system32\winlogon.exe
winlogon.exe
1⤵
PID:644
- C:\Windows\system32\dwm.exe
  "dwm.exe"
  2⤵
  PID:468
- C:\Windows\System32\dllhost.exe
  C:\Windows\System32\dllhost.exe /Processid:{55ae77dd-42e1-4148-b350-b5c22a706f89}
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:764

C:\Windows\system32\lsass.exe
C:\Windows\system32\lsass.exe
1⤵
PID:692

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k DcomLaunch -p -s LSM
1⤵
PID:988

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -p -s lmhosts
1⤵
PID:540

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s NcbService
1⤵
PID:1072

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalServiceNetworkRestricted -p -s TimeBrokerSvc
1⤵
PID:1080

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalService -p -s nsi
1⤵
PID:1132

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s Schedule
1⤵
PID:1144

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k netprofm -p -s netprofm
1⤵
PID:1232

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s ProfSvc
1⤵
PID:1288

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s UserManager
1⤵
PID:1392
- C:\Windows\system32\sihost.exe
  sihost.exe
  2⤵
  PID:3016

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalService -p -s DispBrokerDesktopSvc
1⤵
PID:1512

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -p -s EventLog
1⤵
- Indicator Removal: Clear Windows Event Logs
PID:1520

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalService -p -s EventSystem
1⤵
PID:1624

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k netsvcs -p -s Themes
1⤵
PID:1632

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k NetworkService -p
1⤵
PID:1644

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s SENS
1⤵
PID:1760

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s AudioEndpointBuilder
1⤵
PID:1792

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalServiceNetworkRestricted -p -s Dhcp
1⤵
PID:1844

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -p
1⤵
PID:1912

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -p
1⤵
PID:2024

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalServiceNetworkRestricted -p
1⤵
PID:2040

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k appmodel -p -s StateRepository
1⤵
PID:1956

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k netsvcs -p -s ShellHWDetection
1⤵
PID:1996

C:\Windows\System32\spoolsv.exe
C:\Windows\System32\spoolsv.exe
1⤵
PID:2132

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k NetworkService -p -s LanmanWorkstation
1⤵
PID:2252

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k NetworkService -p
1⤵
PID:2388

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s IKEEXT
1⤵
PID:2396

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k NetworkServiceNetworkRestricted -p -s PolicyAgent
1⤵
PID:2444

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -s RmSvc
1⤵
PID:2496

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s LanmanServer
1⤵
PID:2504

C:\Windows\sysmon.exe
C:\Windows\sysmon.exe
1⤵
PID:2536

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s TrkWks
1⤵
PID:2564

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s Winmgmt
1⤵
PID:2592

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s WpnService
1⤵
PID:2608

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k UnistackSvcGroup -s CDPUserSvc
1⤵
PID:3028

C:\Windows\system32\wbem\unsecapp.exe
C:\Windows\system32\wbem\unsecapp.exe -Embedding
1⤵
PID:3112

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
PID:3280
- C:\Users\Admin\AppData\Local\Temp\Client-built.exe
  "C:\Users\Admin\AppData\Local\Temp\Client-built.exe"
  2⤵
  - Suspicious use of NtCreateUserProcessOtherParentProcess
  - Suspicious use of SetThreadContext
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:2356

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k ClipboardSvcGroup -p -s cbdhsvc
1⤵
PID:3432

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s Appinfo
1⤵
PID:3452

C:\Windows\System32\RuntimeBroker.exe
C:\Windows\System32\RuntimeBroker.exe -Embedding
1⤵
PID:3812

C:\Windows\System32\RuntimeBroker.exe
C:\Windows\System32\RuntimeBroker.exe -Embedding
1⤵
PID:3868

C:\Windows\system32\DllHost.exe
C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}
1⤵
PID:3944

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k UdkSvcGroup -s UdkUserSvc
1⤵
PID:3984

C:\Windows\system32\DllHost.exe
C:\Windows\system32\DllHost.exe /Processid:{973D20D7-562D-44B9-B70B-5A0F49CCDF3F}
1⤵
PID:4176

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k osprivacy -p -s camsvc
1⤵
PID:4372

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalServiceAndNoImpersonation -p -s SSDPSRV
1⤵
PID:5112

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalService -p -s CDPSvc
1⤵
PID:4760

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s StorSvc
1⤵
PID:3328

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalServiceNetworkRestricted -p -s WinHttpAutoProxySvc
1⤵
PID:2272

C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe
"C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe" /service
1⤵
PID:4348

C:\Windows\system32\SppExtComObj.exe
C:\Windows\system32\SppExtComObj.exe -Embedding
1⤵
PID:1592

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalService -p -s LicenseManager
1⤵
PID:3428

C:\Windows\system32\DllHost.exe
C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}
1⤵
PID:404

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalServiceNetworkRestricted -p -s NgcCtnrSvc
1⤵
PID:5068

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Indicator Removal

T1070

Clear Windows Event Logs

T1070.001

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/468-27-0x00000210C9610000-0x00000210C963A000-memory.dmp

Filesize
168KB

Download
memory/468-251-0x00000210C9610000-0x00000210C963A000-memory.dmp

Filesize
168KB

Download
memory/468-28-0x00007FFBB5350000-0x00007FFBB5360000-memory.dmp

Filesize
64KB

Download
memory/644-19-0x00007FFBB5350000-0x00007FFBB5360000-memory.dmp

Filesize
64KB

Download
memory/644-248-0x000002B295480000-0x000002B2954AA000-memory.dmp

Filesize
168KB

Download
memory/644-18-0x000002B295480000-0x000002B2954AA000-memory.dmp

Filesize
168KB

Download
memory/644-17-0x000002B295450000-0x000002B295473000-memory.dmp

Filesize
140KB

Download
memory/644-249-0x00007FFBF5364000-0x00007FFBF5365000-memory.dmp

Filesize
4KB

Download
memory/692-22-0x00000241F6CB0000-0x00000241F6CDA000-memory.dmp

Filesize
168KB

Download
memory/692-23-0x00007FFBB5350000-0x00007FFBB5360000-memory.dmp

Filesize
64KB

Download
memory/692-250-0x00000241F6CB0000-0x00000241F6CDA000-memory.dmp

Filesize
168KB

Download
memory/764-209-0x00007FFBF52C1000-0x00007FFBF53EA000-memory.dmp

Filesize
1.2MB

Download
memory/764-13-0x00007FFBF52C0000-0x00007FFBF54C9000-memory.dmp

Filesize
2.0MB

Download
memory/764-12-0x0000000140000000-0x0000000140040000-memory.dmp

Filesize
256KB

Download
memory/764-15-0x0000000140000000-0x0000000140040000-memory.dmp

Filesize
256KB

Download
memory/764-14-0x00007FFBF46F0000-0x00007FFBF47AD000-memory.dmp

Filesize
756KB

Download
memory/764-10-0x0000000140000000-0x0000000140040000-memory.dmp

Filesize
256KB

Download
memory/764-225-0x00007FFBF52C0000-0x00007FFBF54C9000-memory.dmp

Filesize
2.0MB

Download
memory/764-11-0x0000000140000000-0x0000000140040000-memory.dmp

Filesize
256KB

Download
memory/2356-184-0x00007FFBD43A0000-0x00007FFBD4E62000-memory.dmp

Filesize
10.8MB

Download
memory/2356-7-0x000001F580DB0000-0x000001F580DEE000-memory.dmp

Filesize
248KB

Download
memory/2356-1-0x000001F5E5130000-0x000001F5E5148000-memory.dmp

Filesize
96KB

Download
memory/2356-2-0x000001F5FF780000-0x000001F5FF942000-memory.dmp

Filesize
1.8MB

Download
memory/2356-8-0x00007FFBF52C0000-0x00007FFBF54C9000-memory.dmp

Filesize
2.0MB

Download
memory/2356-0-0x00007FFBD43A3000-0x00007FFBD43A5000-memory.dmp

Filesize
8KB

Download
memory/2356-9-0x00007FFBF46F0000-0x00007FFBF47AD000-memory.dmp

Filesize
756KB

Download
memory/2356-252-0x00007FFBF46F1000-0x00007FFBF476E000-memory.dmp

Filesize
500KB

Download
memory/2356-6-0x00007FFBD43A0000-0x00007FFBD4E62000-memory.dmp

Filesize
10.8MB

Download
memory/2356-5-0x00007FFBD43A3000-0x00007FFBD43A5000-memory.dmp

Filesize
8KB

Download
memory/2356-4-0x000001F5812B0000-0x000001F5817D8000-memory.dmp

Filesize
5.2MB

Download
memory/2356-3-0x00007FFBD43A0000-0x00007FFBD4E62000-memory.dmp

Filesize
10.8MB

Download
memory/3280-67-0x00007FFBB5350000-0x00007FFBB5360000-memory.dmp

Filesize
64KB

Download
memory/3280-66-0x0000000002770000-0x000000000279A000-memory.dmp

Filesize
168KB

Download