Analysis
max time kernel: 854s
max time network: 439s
platform: windows10-2004_x64
resource: win10v2004-20240802-en
resource tags: arch:x64 arch:x86 image:win10v2004-20240802-en locale:en-us os:windows10-2004-x64 system
submitted: 12-09-2024 15:08
Behavioral task: behavioral1
Sample: DiscordRAT_Build-main/Release/Discord rat.exe
Resource: win10v2004-20240802-en
Behavioral task: behavioral2
Sample: DiscordRAT_Build-main/builder.exe
Resource: win10v2004-20240802-en
Behavioral task: behavioral3
Sample: DiscordRAT_Build-main/dnlib.dll
Resource: win10v2004-20240802-en
Errors
General
Target: DiscordRAT_Build-main/builder.exe
Size: 10KB
MD5: 4f04f0e1ff050abf6f1696be1e8bb039
SHA1: bebf3088fff4595bfb53aea6af11741946bbd9ce
SHA256: ded51c306ee7e59fa15c42798c80f988f6310ea77ab77de3d12dc01233757cfa
SHA512: 94713824b81de323e368fde18679ef8b8f2883378bffd2b7bd2b4e4bd5d48b35c6e71c9f8e9b058ba497db1bd0781807e5b7cecfd540dad611da0986c72b9f12
SSDEEP: 96:IJXYAuB2glBLgyOk3LxdjP2rm549JSTuwUYXzP+B1izXTa/HFpff3LG+tzNt:IJXDk7LI4uwtDPC1ijCHffSs
Malware Config
Extracted: discordrat
discord_token: MTI5MzgwNTY0NjkyMzQ5NzUONA.Gxx1Ci.b-jbTKUeAkvIBEJVPYCm7XVxHNdTHef3iSs9Ho
server_id: 1274815772249555035
Signatures
Discord RAT
A RAT written in C# using Discord as a C2.
Executes dropped EXE (2 IoCs)
- PID 4084 Client-built.exe
- PID 1960 Client-built.exe
Loads dropped DLL (2 IoCs)
- PID 1368 taskmgr.exe (2 events from the same process)
System Location Discovery: System Language Discovery (1 TTPs, 1 IoCs)
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
- Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language (builder.exe)
Checks SCSI registry key(s) (3 TTPs, 3 IoCs)
SCSI information is often read in order to detect sandboxing environments.
- Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A (taskmgr.exe)
- Key value queried: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\FriendlyName (taskmgr.exe)
- Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000 (taskmgr.exe)
Suspicious behavior: EnumeratesProcesses (64 IoCs)
- PID 1368 taskmgr.exe (64 events, all from the same process)
Suspicious behavior: GetForegroundWindowSpam (1 IoCs)
- PID 1368 taskmgr.exe
Suspicious use of AdjustPrivilegeToken (5 IoCs)
- Token: SeDebugPrivilege, PID 4084 Client-built.exe
- Token: SeDebugPrivilege, PID 1368 taskmgr.exe
- Token: SeSystemProfilePrivilege, PID 1368 taskmgr.exe
- Token: SeCreateGlobalPrivilege, PID 1368 taskmgr.exe
- Token: SeDebugPrivilege, PID 1960 Client-built.exe
Suspicious use of FindShellTrayWindow (64 IoCs)
- PID 1368 taskmgr.exe (64 events, all from the same process)
Suspicious use of SendNotifyMessage (64 IoCs)
- PID 1368 taskmgr.exe (64 events, all from the same process)
Processes
- C:\Users\Admin\AppData\Local\Temp\DiscordRAT_Build-main\builder.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\DiscordRAT_Build-main\builder.exe"
  PID: 2564
  - System Location Discovery: System Language Discovery
- C:\Windows\System32\rundll32.exe
  Command line: C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
  PID: 4764
- C:\Users\Admin\AppData\Local\Temp\DiscordRAT_Build-main\Client-built.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\DiscordRAT_Build-main\Client-built.exe"
  PID: 4084
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken
- C:\Windows\system32\taskmgr.exe
  Command line: "C:\Windows\system32\taskmgr.exe" /0
  PID: 1368
  - Loads dropped DLL
  - Checks SCSI registry key(s)
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious behavior: GetForegroundWindowSpam
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
- C:\Users\Admin\AppData\Local\Temp\DiscordRAT_Build-main\Client-built.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\DiscordRAT_Build-main\Client-built.exe"
  PID: 1960
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken
Network
MITRE ATT&CK Enterprise v15
Downloads
- Filesize: 78KB
  MD5: 567610a6a1acebb0a89fd83c4687e5ee
  SHA1: ae75cd0f6f50d663b6c2036d60f9f99141b762fb
  SHA256: d1c0c0f3c8e3aff6cbb480c82900eddd01b9d38efc6a7487b21b3477b77cdd7f
  SHA512: b9cf5fb4a1cd66367489a189e1f789b019fed6b21bbbbad6cdeeb19c52125c2974a4414d64c633dccfd8efc44d81e808fd0b1f4b867ea70727264ecb7005562c
- Filesize: 78KB
  MD5: 32f85440eca2c3e7ad317c9edd07c84a
  SHA1: 830222c5c9f6532b8ddcde79c20078217769b002
  SHA256: eb931d1749d48b640983994c16421b1e6088d3704278db03b96136eb3b9f120b
  SHA512: c34a8ada284aacad3deb5d1fce9da96eecaa5d051e8d007c7842340321983c3f587067314325559fb0476e83fe4ac5339cc71cf2dcc66c94d0bc6c30a2f90b9b