discordrat | 9d985d9555743e7ca289b9193266c9d099c0e75587f6f41ff9da555cb8085f68

Analysis

max time kernel
186s
max time network
187s
platform
windows11-21h2_x64
resource
win11-20240802-en
resource tags

arch:x64arch:x86image:win11-20240802-enlocale:en-usos:windows11-21h2-x64system
submitted
11-09-2024 19:40

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

Client-built.exe
Size

78KB
MD5

791b2cab4b4643d28d528193739d2cd1
SHA1

8b2286ba1d43de974ce7b9ca57fc0979cdbe688b
SHA256

9d985d9555743e7ca289b9193266c9d099c0e75587f6f41ff9da555cb8085f68
SHA512

83b3236d9fe7472e4d869a256ab5b7a3fdce5acd860a448defac68d1d1cbe88785c5e8e4032bc12150612bea99f213c06c8b18c7b33421570e7d91743ede5953
SSDEEP

1536:52WjO8XeEXFh5P7v88wbjNrfxCXhRoKV6+V+2PIC:5Zv5PDwbjNrmAE+yIC

Score

10^/10

discordrat credential_access discovery persistence rat rootkit spyware stealer

Malware Config

Extracted

Family

discordrat

Attributes

discord_token
MTI4MzUwNzcyNTg1ODI0NjY3Ng.GOztkV.IXwu1tIJAlLnYNQ5FQbJom3nDJVi7NCeKG6gtk
server_id
1283509349821710416

Signatures

Discord RAT
A RAT written in C# using Discord as a C2.
stealer rootkit rat persistence discordrat
Credentials from Password Stores: Credentials from Web Browsers 1 TTPs
Malicious Access or copy of Web Browser Credential store.
credential_access stealer

Credentials from Web Browsers
T1555.003
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Legitimate hosting services abused for malware hosting/C2 1 TTPs 20 IoCs

Web Service

T1102

flow	ioc
4	discord.com
6	discord.com
18	discord.com
30	discord.com
33	discord.com
47	discord.com
1	raw.githubusercontent.com
9	raw.githubusercontent.com
29	discord.com
44	discord.com
1	discord.com
11	discord.com
12	discord.com
32	discord.com
34	discord.com
48	discord.com
8	discord.com
10	discord.com
43	discord.com
7	discord.com

Drops file in Windows directory 1 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SystemTemp	chrome.exe

Browser Information Discovery 1 TTPs
Enumerate browser information.
discovery

Browser Information Discovery
T1217

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	chrome.exe

Modifies data under HKEY_USERS 2 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry	chrome.exe
Set value (int)	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry\TraceTimeLast = "133705574073174629"	chrome.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
5052	chrome.exe
5052	chrome.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 3 IoCs

pid	Process
5052	chrome.exe
5052	chrome.exe
5052	chrome.exe

Suspicious use of AdjustPrivilegeToken 42 IoCs

description	pid	Process
Token: SeDebugPrivilege	3908	Client-built.exe
Token: SeShutdownPrivilege	5052	chrome.exe
Token: SeCreatePagefilePrivilege	5052	chrome.exe
Token: SeShutdownPrivilege	5052	chrome.exe
Token: SeCreatePagefilePrivilege	5052	chrome.exe
Token: SeShutdownPrivilege	5052	chrome.exe
Token: SeCreatePagefilePrivilege	5052	chrome.exe
Token: SeShutdownPrivilege	5052	chrome.exe
Token: SeCreatePagefilePrivilege	5052	chrome.exe
Token: SeShutdownPrivilege	5052	chrome.exe
Token: SeCreatePagefilePrivilege	5052	chrome.exe
Token: SeShutdownPrivilege	5052	chrome.exe
Token: SeCreatePagefilePrivilege	5052	chrome.exe
Token: SeShutdownPrivilege	5052	chrome.exe
Token: SeCreatePagefilePrivilege	5052	chrome.exe
Token: SeShutdownPrivilege	5052	chrome.exe
Token: SeCreatePagefilePrivilege	5052	chrome.exe
Token: SeShutdownPrivilege	5052	chrome.exe
Token: SeCreatePagefilePrivilege	5052	chrome.exe
Token: SeShutdownPrivilege	5052	chrome.exe
Token: SeCreatePagefilePrivilege	5052	chrome.exe
Token: SeShutdownPrivilege	5052	chrome.exe
Token: SeCreatePagefilePrivilege	5052	chrome.exe
Token: SeShutdownPrivilege	5052	chrome.exe
Token: SeCreatePagefilePrivilege	5052	chrome.exe
Token: SeShutdownPrivilege	5052	chrome.exe
Token: SeCreatePagefilePrivilege	5052	chrome.exe
Token: SeShutdownPrivilege	5052	chrome.exe
Token: SeCreatePagefilePrivilege	5052	chrome.exe
Token: SeShutdownPrivilege	5052	chrome.exe
Token: SeCreatePagefilePrivilege	5052	chrome.exe
Token: SeShutdownPrivilege	5052	chrome.exe
Token: SeCreatePagefilePrivilege	5052	chrome.exe
Token: SeShutdownPrivilege	5052	chrome.exe
Token: SeCreatePagefilePrivilege	5052	chrome.exe
Token: SeShutdownPrivilege	5052	chrome.exe
Token: SeCreatePagefilePrivilege	5052	chrome.exe
Token: SeShutdownPrivilege	5052	chrome.exe
Token: SeCreatePagefilePrivilege	5052	chrome.exe
Token: SeShutdownPrivilege	3908	Client-built.exe
Token: SeShutdownPrivilege	5052	chrome.exe
Token: SeCreatePagefilePrivilege	5052	chrome.exe

Suspicious use of FindShellTrayWindow 26 IoCs

pid	Process
5052	chrome.exe
5052	chrome.exe
5052	chrome.exe
5052	chrome.exe
5052	chrome.exe
5052	chrome.exe
5052	chrome.exe
5052	chrome.exe
5052	chrome.exe
5052	chrome.exe
5052	chrome.exe
5052	chrome.exe
5052	chrome.exe
5052	chrome.exe
5052	chrome.exe
5052	chrome.exe
5052	chrome.exe
5052	chrome.exe
5052	chrome.exe
5052	chrome.exe
5052	chrome.exe
5052	chrome.exe
5052	chrome.exe
5052	chrome.exe
5052	chrome.exe
5052	chrome.exe

Suspicious use of SendNotifyMessage 12 IoCs

pid	Process
5052	chrome.exe
5052	chrome.exe
5052	chrome.exe
5052	chrome.exe
5052	chrome.exe
5052	chrome.exe
5052	chrome.exe
5052	chrome.exe
5052	chrome.exe
5052	chrome.exe
5052	chrome.exe
5052	chrome.exe

Suspicious use of SetWindowsHookEx 3 IoCs

pid	Process
3908	Client-built.exe
3908	Client-built.exe
3908	Client-built.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 5052 wrote to memory of 1516	5052	chrome.exe	81
PID 5052 wrote to memory of 1516	5052	chrome.exe	81
PID 5052 wrote to memory of 536	5052	chrome.exe	82
PID 5052 wrote to memory of 536	5052	chrome.exe	82
PID 5052 wrote to memory of 536	5052	chrome.exe	82
PID 5052 wrote to memory of 536	5052	chrome.exe	82
PID 5052 wrote to memory of 536	5052	chrome.exe	82
PID 5052 wrote to memory of 536	5052	chrome.exe	82
PID 5052 wrote to memory of 536	5052	chrome.exe	82
PID 5052 wrote to memory of 536	5052	chrome.exe	82
PID 5052 wrote to memory of 536	5052	chrome.exe	82
PID 5052 wrote to memory of 536	5052	chrome.exe	82
PID 5052 wrote to memory of 536	5052	chrome.exe	82
PID 5052 wrote to memory of 536	5052	chrome.exe	82
PID 5052 wrote to memory of 536	5052	chrome.exe	82
PID 5052 wrote to memory of 536	5052	chrome.exe	82
PID 5052 wrote to memory of 536	5052	chrome.exe	82
PID 5052 wrote to memory of 536	5052	chrome.exe	82
PID 5052 wrote to memory of 536	5052	chrome.exe	82
PID 5052 wrote to memory of 536	5052	chrome.exe	82
PID 5052 wrote to memory of 536	5052	chrome.exe	82
PID 5052 wrote to memory of 536	5052	chrome.exe	82
PID 5052 wrote to memory of 536	5052	chrome.exe	82
PID 5052 wrote to memory of 536	5052	chrome.exe	82
PID 5052 wrote to memory of 536	5052	chrome.exe	82
PID 5052 wrote to memory of 536	5052	chrome.exe	82
PID 5052 wrote to memory of 536	5052	chrome.exe	82
PID 5052 wrote to memory of 536	5052	chrome.exe	82
PID 5052 wrote to memory of 536	5052	chrome.exe	82
PID 5052 wrote to memory of 536	5052	chrome.exe	82
PID 5052 wrote to memory of 536	5052	chrome.exe	82
PID 5052 wrote to memory of 536	5052	chrome.exe	82
PID 5052 wrote to memory of 2288	5052	chrome.exe	83
PID 5052 wrote to memory of 2288	5052	chrome.exe	83
PID 5052 wrote to memory of 1092	5052	chrome.exe	84
PID 5052 wrote to memory of 1092	5052	chrome.exe	84
PID 5052 wrote to memory of 1092	5052	chrome.exe	84
PID 5052 wrote to memory of 1092	5052	chrome.exe	84
PID 5052 wrote to memory of 1092	5052	chrome.exe	84
PID 5052 wrote to memory of 1092	5052	chrome.exe	84
PID 5052 wrote to memory of 1092	5052	chrome.exe	84
PID 5052 wrote to memory of 1092	5052	chrome.exe	84
PID 5052 wrote to memory of 1092	5052	chrome.exe	84
PID 5052 wrote to memory of 1092	5052	chrome.exe	84
PID 5052 wrote to memory of 1092	5052	chrome.exe	84
PID 5052 wrote to memory of 1092	5052	chrome.exe	84
PID 5052 wrote to memory of 1092	5052	chrome.exe	84
PID 5052 wrote to memory of 1092	5052	chrome.exe	84
PID 5052 wrote to memory of 1092	5052	chrome.exe	84
PID 5052 wrote to memory of 1092	5052	chrome.exe	84
PID 5052 wrote to memory of 1092	5052	chrome.exe	84
PID 5052 wrote to memory of 1092	5052	chrome.exe	84
PID 5052 wrote to memory of 1092	5052	chrome.exe	84
PID 5052 wrote to memory of 1092	5052	chrome.exe	84
PID 5052 wrote to memory of 1092	5052	chrome.exe	84
PID 5052 wrote to memory of 1092	5052	chrome.exe	84
PID 5052 wrote to memory of 1092	5052	chrome.exe	84
PID 5052 wrote to memory of 1092	5052	chrome.exe	84
PID 5052 wrote to memory of 1092	5052	chrome.exe	84
PID 5052 wrote to memory of 1092	5052	chrome.exe	84
PID 5052 wrote to memory of 1092	5052	chrome.exe	84
PID 5052 wrote to memory of 1092	5052	chrome.exe	84
PID 5052 wrote to memory of 1092	5052	chrome.exe	84
PID 5052 wrote to memory of 1092	5052	chrome.exe	84

C:\Users\Admin\AppData\Local\Temp\Client-built.exe
"C:\Users\Admin\AppData\Local\Temp\Client-built.exe"
1⤵
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
PID:3908

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe"
1⤵
- Drops file in Windows directory
- Enumerates system info in registry
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:5052
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=123.0.6312.123 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7fffecc3cc40,0x7fffecc3cc4c,0x7fffecc3cc58
  2⤵
  PID:1516
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --no-appcompat-clear --gpu-preferences=WAAAAAAAAADgAAAMAAAAAAAAAAAAAAAAAABgAAEAAAA4AAAAAAAAAAAAAAAEAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAGAAAAAAAAAAYAAAAAAAAAAgAAAAAAAAACAAAAAAAAAAIAAAAAAAAAA== --field-trial-handle=1792,i,6575506593234510387,11963877764219918094,262144 --variations-seed-version=20240801-180145.014000 --mojo-platform-channel-handle=1776 /prefetch:2
  2⤵
  PID:536
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=2004,i,6575506593234510387,11963877764219918094,262144 --variations-seed-version=20240801-180145.014000 --mojo-platform-channel-handle=2120 /prefetch:3
  2⤵
  PID:2288
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=2184,i,6575506593234510387,11963877764219918094,262144 --variations-seed-version=20240801-180145.014000 --mojo-platform-channel-handle=2200 /prefetch:8
  2⤵
  PID:1092
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --field-trial-handle=3108,i,6575506593234510387,11963877764219918094,262144 --variations-seed-version=20240801-180145.014000 --mojo-platform-channel-handle=3132 /prefetch:1
  2⤵
  PID:3780
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --field-trial-handle=3184,i,6575506593234510387,11963877764219918094,262144 --variations-seed-version=20240801-180145.014000 --mojo-platform-channel-handle=3280 /prefetch:1
  2⤵
  PID:1228
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=4396,i,6575506593234510387,11963877764219918094,262144 --variations-seed-version=20240801-180145.014000 --mojo-platform-channel-handle=4416 /prefetch:8
  2⤵
  PID:4184
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --field-trial-handle=4404,i,6575506593234510387,11963877764219918094,262144 --variations-seed-version=20240801-180145.014000 --mojo-platform-channel-handle=4568 /prefetch:1
  2⤵
  PID:1948
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.ProcessorMetrics --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=4720,i,6575506593234510387,11963877764219918094,262144 --variations-seed-version=20240801-180145.014000 --mojo-platform-channel-handle=4708 /prefetch:8
  2⤵
  PID:2808

C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe"
1⤵
PID:3592

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -p -s NgcSvc
1⤵
PID:1240

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Credentials from Password Stores

T1555

Credentials from Web Browsers

T1555.003

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Browser Information Discovery

T1217

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\BrowsingTopicsState

Filesize
649B

MD5
562d3c9e4485ae9d926fd1e87f350b3a

SHA1
271390b0330681c99bd96d1747f1177902497a20

SHA256
7169ab600099cb423cbec2902e072a0b27c6270fab89db2557c152893c020bf0

SHA512
fb4793e5bc3e180727e132fbfde7123a710db4be33d8814bace9e7fe54bcc724c15a2e4c45f625ad9af6979d25ebf67f507c6a8f0b413872f1d676c9224f2875

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\SCT Auditing Pending Reports

Filesize
2B

MD5
d751713988987e9331980363e24189ce

SHA1
97d170e1550eee4afc0af065b78cda302a97674c

SHA256
4f53cda18c2baa0c0354bb5f9a3ecbe5ed12ab4d8e11ba873c2f11161202b945

SHA512
b25b294cb4deb69ea00a4c3cf3113904801b6015e5956bd019a8570b1fe1d6040e944ef3cdee16d0a46503ca6e659a25f21cf9ceddc13f352a3c98138c15d6af

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
356B

MD5
6f151831318361bc28b7db8caefa7cd1

SHA1
bd1e6841ac42d349c4ba499a0ba11959d42c36a6

SHA256
98e42b1f2b6a31f71ba5ba615095ab9756656fcef9a51f0f7f59d0cfdad931d4

SHA512
5b2d993cac6b586cb9bdcfd74a585897d0d64540a1c525ba3c9cd9def88b359496c85f9d1598f869b256682fefdecf43ade2823f59560641e9d9b9f905292e5c

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
a26307cc274c7c0c664a69db0516c6cd

SHA1
ff33577449ebf1fdda4e1ec4ce8d3171877f0627

SHA256
f84eb5617b58da3e0eca9d02c359de5bc396ad98f90ef1e3de7a8bd4baff2a16

SHA512
97360e502009013bb030cf32af5e08d186ea9541ae9627b421ef28a51d0253da694eff264ce5d23f70fd8beb957358669b35b5c7c33f62652312455873ecbf48

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Secure Preferences

Filesize
13KB

MD5
0be6ca2abea936c3de3653819d634a7b

SHA1
25ea75d2086497ddc6e9f3d8702ecc6ccd027e70

SHA256
c904b261947b5ff5591b06c83ba6336528e591b2a40df54e7e2e60e3f0990025

SHA512
88b1c45b7d88b2010f1cc35e95e6bda641f355863a859da3952b0f6d6266b51a0964ec07339862a87ccb61f79ae4d52a32d0382de5d9850d349d960cfa95810f

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
207KB

MD5
6916510b0bc42a57a629540fbf9f5cc6

SHA1
17be0da1ee43f1880c4ad7ebd36b5a6335abe2e9

SHA256
3584b0c9f6740cedf047877d8e2bdd3d12f1344f71492f518ced8bbc42d6f755

SHA512
6a49c3dcfad192f70bc809d30f06df19ad12937ae021dbcb5dc32d195550279541cd4ece890f84dc8ae82330f56608d744e7d195f4673fcc8f9ee67f52ca47f0

Download Submit
memory/3908-4-0x000001C9ECA10000-0x000001C9ECF38000-memory.dmp

Filesize
5.2MB

Download
memory/3908-8-0x000001C9EC050000-0x000001C9EC062000-memory.dmp

Filesize
72KB

Download
memory/3908-9-0x000001C9EC1A0000-0x000001C9EC1BE000-memory.dmp

Filesize
120KB

Download
memory/3908-10-0x00007FFFE6520000-0x00007FFFE6FE2000-memory.dmp

Filesize
10.8MB

Download
memory/3908-11-0x00007FFFE6520000-0x00007FFFE6FE2000-memory.dmp

Filesize
10.8MB

Download
memory/3908-7-0x000001C9EE9E0000-0x000001C9EEA56000-memory.dmp

Filesize
472KB

Download
memory/3908-6-0x00007FFFE6520000-0x00007FFFE6FE2000-memory.dmp

Filesize
10.8MB

Download
memory/3908-5-0x00007FFFE6523000-0x00007FFFE6525000-memory.dmp

Filesize
8KB

Download
memory/3908-0-0x00007FFFE6523000-0x00007FFFE6525000-memory.dmp

Filesize
8KB

Download
memory/3908-3-0x00007FFFE6520000-0x00007FFFE6FE2000-memory.dmp

Filesize
10.8MB

Download
memory/3908-2-0x000001C9EC1C0000-0x000001C9EC382000-memory.dmp

Filesize
1.8MB

Download
memory/3908-1-0x000001C9E9B20000-0x000001C9E9B38000-memory.dmp

Filesize
96KB

Download