Overview

overview

10

Static

static

1

URLScan

urlscan

1

https://gofile.io/d/...

windows10-2004-x64

Analysis

  • max time kernel
    38s
  • max time network
    48s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240802-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
  • submitted
    27-09-2024 23:31

Sharing

Copy URL
Twitter E-mail

Errors

Reason
Machine shutdown
Report Analysis Logs

General

  • Target

    https://gofile.io/d/3afKKE

Score
10/10
discordratdiscoverypersistenceratrootkitstealer

Malware Config

Extracted

Family

discordrat

Attributes
  • discord_token

    MTI4NDMxMjk3MTkzNzMyMDk2MQ.GBYoca.hoKFnyzW9DIVpJXURCf1RW8HENxIyj1QELEuMw

  • server_id

    1284311619307966505

Signatures

  • Discord RAT

    A RAT written in C# using Discord as a C2.

    stealerrootkitratpersistencediscordrat
  • Downloads MZ/PE file
  • Executes dropped EXE 1 IoCs
  • Legitimate hosting services abused for malware hosting/C2 1 TTPs 5 IoCs
  • Browser Information Discovery 1 TTPs

    Enumerate browser information.

    discovery
  • Enumerates system info in registry 2 TTPs 3 IoCs
  • NTFS ADS 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 8 IoCs
  • Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 9 IoCs
  • Suspicious use of AdjustPrivilegeToken 2 IoCs
  • Suspicious use of FindShellTrayWindow 35 IoCs
  • Suspicious use of SendNotifyMessage 24 IoCs
  • Suspicious use of WriteProcessMemory 64 IoCs

Processes

  • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://gofile.io/d/3afKKE
    1⤵
    • Enumerates system info in registry
    • NTFS ADS
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
    • Suspicious use of FindShellTrayWindow
    • Suspicious use of SendNotifyMessage
    • Suspicious use of WriteProcessMemory
    PID:2228
    • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ff8ef2a46f8,0x7ff8ef2a4708,0x7ff8ef2a4718
      2⤵
        PID:5020
      • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2028,15914695773407259779,8571039516819307153,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2044 /prefetch:2
        2⤵
          PID:1248
        • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
          "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2028,15914695773407259779,8571039516819307153,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2444 /prefetch:3
          2⤵
          • Suspicious behavior: EnumeratesProcesses
          PID:440
        • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
          "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2028,15914695773407259779,8571039516819307153,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2764 /prefetch:8
          2⤵
            PID:2512
          • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
            "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2028,15914695773407259779,8571039516819307153,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3296 /prefetch:1
            2⤵
              PID:452
            • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
              "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2028,15914695773407259779,8571039516819307153,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3304 /prefetch:1
              2⤵
                PID:2476
              • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2028,15914695773407259779,8571039516819307153,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4624 /prefetch:1
                2⤵
                  PID:2028
                • C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
                  "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2028,15914695773407259779,8571039516819307153,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4948 /prefetch:8
                  2⤵
                    PID:4776
                  • C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
                    "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2028,15914695773407259779,8571039516819307153,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4948 /prefetch:8
                    2⤵
                    • Suspicious behavior: EnumeratesProcesses
                    PID:3968
                  • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2028,15914695773407259779,8571039516819307153,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5044 /prefetch:1
                    2⤵
                      PID:2912
                    • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2028,15914695773407259779,8571039516819307153,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5504 /prefetch:1
                      2⤵
                        PID:1488
                      • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2028,15914695773407259779,8571039516819307153,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5564 /prefetch:1
                        2⤵
                          PID:4576
                        • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                          "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2028,15914695773407259779,8571039516819307153,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5296 /prefetch:1
                          2⤵
                            PID:2196
                          • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                            "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2028,15914695773407259779,8571039516819307153,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=13 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5568 /prefetch:1
                            2⤵
                              PID:2888
                            • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                              "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=edge_collections.mojom.CollectionsDataManager --field-trial-handle=2028,15914695773407259779,8571039516819307153,131072 --lang=en-US --service-sandbox-type=collections --mojo-platform-channel-handle=5968 /prefetch:8
                              2⤵
                                PID:4348
                              • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                                "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2028,15914695773407259779,8571039516819307153,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=16 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5916 /prefetch:1
                                2⤵
                                  PID:5024
                                • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                                  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --field-trial-handle=2028,15914695773407259779,8571039516819307153,131072 --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=6448 /prefetch:8
                                  2⤵
                                    PID:4192
                                  • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                                    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=2028,15914695773407259779,8571039516819307153,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5280 /prefetch:8
                                    2⤵
                                    • Suspicious behavior: EnumeratesProcesses
                                    PID:3360
                                  • C:\Users\Admin\Downloads\Client-built.exe
                                    "C:\Users\Admin\Downloads\Client-built.exe"
                                    2⤵
                                    • Executes dropped EXE
                                    • Suspicious use of AdjustPrivilegeToken
                                    PID:4556
                                • C:\Windows\System32\CompPkgSrv.exe
                                  C:\Windows\System32\CompPkgSrv.exe -Embedding
                                  1⤵
                                    PID:448
                                  • C:\Windows\System32\CompPkgSrv.exe
                                    C:\Windows\System32\CompPkgSrv.exe -Embedding
                                    1⤵
                                      PID:4056

                                    Network

                                    MITRE ATT&CK Enterprise v15

                                    Replay Monitor

                                    Loading Replay Monitor...

                                    Downloads

                                    • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat
                                      Filesize

                                      152B

                                      MD5

                                      ecf7ca53c80b5245e35839009d12f866

                                      SHA1

                                      a7af77cf31d410708ebd35a232a80bddfb0615bb

                                      SHA256

                                      882a513b71b26210ff251769b82b2c5d59a932f96d9ce606ca2fab6530a13687

                                      SHA512

                                      706722bd22ce27d854036b1b16e6a3cdb36284b66edc76238a79c2e11cee7d1307b121c898ad832eb1af73e4f08d991d64dc0bff529896ffb4ebe9b3dc381696

                                      Download Submit

                                    • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat
                                      Filesize

                                      152B

                                      MD5

                                      4dd2754d1bea40445984d65abee82b21

                                      SHA1

                                      4b6a5658bae9a784a370a115fbb4a12e92bd3390

                                      SHA256

                                      183b8e82a0deaa83d04736553671cedb738adc909f483b3c5f822a0e6be7477d

                                      SHA512

                                      92d44ee372ad33f892b921efa6cabc78e91025e89f05a22830763217826fa98d51d55711f85c8970ac58abf9adc6c85cc40878032cd6d2589ab226cd099f99e1

                                      Download Submit

                                    • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index
                                      Filesize

                                      288B

                                      MD5

                                      85c07e8fe8ec270b3d1017eff8c3edd7

                                      SHA1

                                      bdfa0ae49d494fbbc4b6bbc965a53b3f83627491

                                      SHA256

                                      c7ca8513daff90adbeabd9325b3a120ccf5c5938ef7ffc0441af1738eeba76a3

                                      SHA512

                                      c7d0dffbc86a129189a3bb03f475c43bf71189220dd5eaa48f6917e566164ab12d9d5c34d1caf2d31a669bd36a27cd233e0ec6a316d033bc132012d9935d8456

                                      Download Submit

                                    • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences
                                      Filesize

                                      6KB

                                      MD5

                                      b98146ab358b0ae51db409285cf9b8fd

                                      SHA1

                                      7ab527c01b444c1a9c1d9a5abbfd673e846ef1fe

                                      SHA256

                                      3e9c9246003c1499c2118313a1ba2000f99617ee79a74a6e78825a5c22c8f2e8

                                      SHA512

                                      3ecb8c98424efe9e93d932c1db540f37bda91b519a6c03e5b510e66ca4cb77176ce784998de3a505a12d7ea6aa0c8d21d5a0b4eb9ec087b7f725ae686b2d107d

                                      Download Submit

                                    • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences
                                      Filesize

                                      5KB

                                      MD5

                                      b9f9d1ae34609a0995f54fc0b83aaa61

                                      SHA1

                                      90326d9bc36880d2cd49ab35dc0693c2e9360b23

                                      SHA256

                                      3afbc27db41a2e5a494191b733b32c41d821cb5d452d37a728f1c7c755b88fa8

                                      SHA512

                                      4da1dc2e2106e696c1c3856afc3fef0a1ce5019ec5cd97a3a94ea2c517f54d7ab2dbafac69cc8080f5f5e9fca32869ce3d6ec70a005a082a33a6762953eccac2

                                      Download Submit

                                    • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT
                                      Filesize

                                      16B

                                      MD5

                                      6752a1d65b201c13b62ea44016eb221f

                                      SHA1

                                      58ecf154d01a62233ed7fb494ace3c3d4ffce08b

                                      SHA256

                                      0861415cada612ea5834d56e2cf1055d3e63979b69eb71d32ae9ae394d8306cd

                                      SHA512

                                      9cfd838d3fb570b44fc3461623ab2296123404c6c8f576b0de0aabd9a6020840d4c9125eb679ed384170dbcaac2fa30dc7fa9ee5b77d6df7c344a0aa030e0389

                                      Download Submit

                                    • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State
                                      Filesize

                                      10KB

                                      MD5

                                      d11acf796f7857ec20d0dd0f8bc3d6d7

                                      SHA1

                                      f3b787c53582f1a2f5f56a7e1cd34b8dc9fbc989

                                      SHA256

                                      a773d656f300e651d7af7e88a204f6a0a93364c90ea5de487ccff770bc302e32

                                      SHA512

                                      32820312bb120186b370996463ce7317d96410c3ab88c89139e6b13c1099f1d798cf9b53baa050de7e6528f810ed0e93c4a24faf64af588d205b48f0c524efbb

                                      Download Submit

                                    • C:\Users\Admin\Downloads\Unconfirmed 507860.crdownload
                                      Filesize

                                      78KB

                                      MD5

                                      631648793be7550b47349120f85976d3

                                      SHA1

                                      024ce2d0f733bc8bdb4c949c636653d4e1f3171b

                                      SHA256

                                      6f8b6ad0cef8f999b0eb19287d4a2ad0a99a8dda1b8612c7923c211f6808561e

                                      SHA512

                                      9c34579fcfeaf0bcfc776ec07a8e82b72064b536db78ffb6dd996064befe64346e0eb2732e69420273979dbf193e0a20e2c102d50f29c553d5a7dbc0d4f182b2

                                      Download Submit

                                    • memory/4556-115-0x000001FFF67C0000-0x000001FFF67D8000-memory.dmp

                                      Filesize

                                      96KB

                                      Download

                                    • memory/4556-116-0x000001FFF8DB0000-0x000001FFF8F72000-memory.dmp

                                      Filesize

                                      1.8MB

                                      Download

                                    • memory/4556-117-0x000001FFF95B0000-0x000001FFF9AD8000-memory.dmp

                                      Filesize

                                      5.2MB

                                      Download