Overview

overview

10

Static

static

10

Client-built.exe

windows7-x64

10

Client-built.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    109s
  • max time network
    136s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240802-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
  • submitted
    06-10-2024 22:10

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    Client-built.exe

  • Size

    78KB

  • MD5

    551a04485f5caf25147b76f5a554bfc1

  • SHA1

    c4e5a9ede2c38a7381bd7ef796bb3996eeeef000

  • SHA256

    7dd4cf7bd50b349ac8a4d1439587f395e934b2642766d6eb73e2442b177f54e2

  • SHA512

    094a3e1eba6beea9fccad0979b0683f9bd569834b9b1b864ca493a232f756982deeaaabc04f09b9eafeb7811c922e2737f3d6bb53f246200bfb950c97d12c31a

  • SSDEEP

    1536:52WjO8XeEXFh5P7v88wbjNrfxCXhRoKV6+V+5QPIC:5Zv5PDwbjNrmAE+mIC

Score
10/10
discordratdiscoverypersistenceratrootkitstealer

Malware Config

Extracted

Family

discordrat

Attributes
  • discord_token

    MTI5MjYwNzk0MjkwNjA4NTQzNw.GVi9xR.xH5UnduU--gAZxv8yMJkUJoLgnsi3Qr10kCCec

  • server_id

    1286806950083825754

Signatures

  • Discord RAT

    A RAT written in C# using Discord as a C2.

    stealerrootkitratpersistencediscordrat
  • Legitimate hosting services abused for malware hosting/C2 1 TTPs 7 IoCs
  • Browser Information Discovery 1 TTPs

    Enumerate browser information.

    discovery
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Enumerates system info in registry 2 TTPs 3 IoCs
  • Suspicious behavior: EnumeratesProcesses 6 IoCs
  • Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 7 IoCs
  • Suspicious use of AdjustPrivilegeToken 1 IoCs
  • Suspicious use of FindShellTrayWindow 26 IoCs
  • Suspicious use of SendNotifyMessage 24 IoCs
  • Suspicious use of SetWindowsHookEx 2 IoCs
  • Suspicious use of WriteProcessMemory 64 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\Client-built.exe
    "C:\Users\Admin\AppData\Local\Temp\Client-built.exe"
    1⤵
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of SetWindowsHookEx
    • Suspicious use of WriteProcessMemory
    PID:4976
    • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument http://www.google.com/
      2⤵
      • Enumerates system info in registry
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
      • Suspicious use of FindShellTrayWindow
      • Suspicious use of SendNotifyMessage
      • Suspicious use of WriteProcessMemory
      PID:3100
      • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffc9ec646f8,0x7ffc9ec64708,0x7ffc9ec64718
        3⤵
          PID:2512
        • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
          "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2180,15945480931624998662,11119332267569056083,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2192 /prefetch:2
          3⤵
            PID:2668
          • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
            "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2180,15945480931624998662,11119332267569056083,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2244 /prefetch:3
            3⤵
            • Suspicious behavior: EnumeratesProcesses
            PID:2492
          • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
            "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2180,15945480931624998662,11119332267569056083,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2716 /prefetch:8
            3⤵
              PID:2896
            • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
              "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2180,15945480931624998662,11119332267569056083,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3316 /prefetch:1
              3⤵
                PID:3472
              • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2180,15945480931624998662,11119332267569056083,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3340 /prefetch:1
                3⤵
                  PID:5088
                • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2180,15945480931624998662,11119332267569056083,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4752 /prefetch:1
                  3⤵
                    PID:920
                  • C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
                    "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2180,15945480931624998662,11119332267569056083,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5148 /prefetch:8
                    3⤵
                      PID:3576
                    • C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
                      "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2180,15945480931624998662,11119332267569056083,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5148 /prefetch:8
                      3⤵
                      • Suspicious behavior: EnumeratesProcesses
                      PID:628
                    • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2180,15945480931624998662,11119332267569056083,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5236 /prefetch:1
                      3⤵
                        PID:720
                      • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2180,15945480931624998662,11119332267569056083,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5200 /prefetch:1
                        3⤵
                          PID:3092
                        • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                          "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2180,15945480931624998662,11119332267569056083,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4788 /prefetch:1
                          3⤵
                            PID:2200
                          • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                            "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2180,15945480931624998662,11119332267569056083,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4764 /prefetch:1
                            3⤵
                              PID:4708
                        • C:\Windows\System32\CompPkgSrv.exe
                          C:\Windows\System32\CompPkgSrv.exe -Embedding
                          1⤵
                            PID:3852
                          • C:\Windows\System32\CompPkgSrv.exe
                            C:\Windows\System32\CompPkgSrv.exe -Embedding
                            1⤵
                              PID:4728

                            Network

                            MITRE ATT&CK Enterprise v15

                            Replay Monitor

                            Loading Replay Monitor...

                            Downloads

                            • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat
                              Filesize

                              152B

                              MD5

                              27304926d60324abe74d7a4b571c35ea

                              SHA1

                              78b8f92fcaf4a09eaa786bbe33fd1b0222ef29c1

                              SHA256

                              7039ad5c2b40f4d97c8c2269f4942be13436d739b2e1f8feb7a0c9f9fdb931de

                              SHA512

                              f5b6181d3f432238c7365f64fc8a373299e23ba8178bcc419471916ef8b23e909787c7c0617ab22e4eb90909c02bd7b84f1386fbc61e2bdb5a0eb474175da4bd

                              Download Submit

                            • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat
                              Filesize

                              152B

                              MD5

                              9e3fc58a8fb86c93d19e1500b873ef6f

                              SHA1

                              c6aae5f4e26f5570db5e14bba8d5061867a33b56

                              SHA256

                              828f4eacac1c40b790fd70dbb6fa6ba03dcc681171d9b2a6579626d27837b1c4

                              SHA512

                              e5e245b56fa82075e060f468a3224cf2ef43f1b6d87f0351a2102d85c7c897e559be4caeaecfdc4059af29fdc674681b61229319dda95cb2ee649b2eb98d313e

                              Download Submit

                            • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index
                              Filesize

                              216B

                              MD5

                              9cb630e892fe9331e976e4f7cb959c9f

                              SHA1

                              933e4c21029abbe49443f4bacc8a1a3e103a337b

                              SHA256

                              d3549377418f25e03023cc1180d527842d2296b5ebb4749d3b72fa465c5a8e43

                              SHA512

                              2c713e8adf7320cba9f5b873845b4839087fdbecf8e3d891a53512d116a042b91b5f4534dc51ebbb2444ed5460ec1b88f3ee01280d7d6c0d140f6e6c959b6fb5

                              Download Submit

                            • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State
                              Filesize

                              1KB

                              MD5

                              e841cff60bbff9886f3aa399f744c506

                              SHA1

                              4eccbc9f8468b9600e583dce9a59eca45fb5b147

                              SHA256

                              8a9392ef529cec74b44241e622f6b0924663e30c8e160df9df277f5c1db77c87

                              SHA512

                              8edade44a854d2a814e126d39e2cf385f3aa10c895ec70cfcdd2dde09069d5bc09691875890b3cb29e227d5815b5ef2bb2d5a19827acdb27d762163e68ece598

                              Download Submit

                            • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences
                              Filesize

                              5KB

                              MD5

                              6ed150672ec0c6eef4a41d0418cb1af2

                              SHA1

                              7ce55499d72d3fcbcef5418dcc64083dc7107bbe

                              SHA256

                              ffd5cf8f5ce696dba5f64cd2ef749c45c4b19425372772f4727e406928d25056

                              SHA512

                              aab626a295a42e001b7ca160a5a514c9bfea13e0dbfd4c60c3b5c1697c173342da76b82d1ffc9aea55d1c8fa3466afc076d0cba69722da718e7f89a1e551380c

                              Download Submit

                            • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences
                              Filesize

                              6KB

                              MD5

                              65a9e072ae3eb7637c0f215e0aa41934

                              SHA1

                              63c51a670e34d18e6b37b52ae8b981849947487b

                              SHA256

                              dc208062268259d3db580da93cdbecb845a21a8ced48d5329468ce637851b766

                              SHA512

                              4a095b25f779aae9db9307446fbc372451dfe5155baca1ab4c9598504736c06f65f4dac0bf5fa70c8174a41a9db8c87e7598908a6992c33aa415ef788aae1811

                              Download Submit

                            • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences
                              Filesize

                              6KB

                              MD5

                              975a21609b0f6d54955753d4d241bf4b

                              SHA1

                              1f72f21590ad823635a0b13ca00d6d660ff1a1b3

                              SHA256

                              5537a92c57cf660b00f31c70fba393a55d3ddcbddf1646e278e5310815be61c7

                              SHA512

                              8d68b339278dea3c546980517f24435c771eb896f6a47542ec65e06e5d1455286e0b883e792ba3d8a54ec69a7b91c03080fd263ef8fd9f0d3752ce96a1fdfbd4

                              Download Submit

                            • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT
                              Filesize

                              16B

                              MD5

                              6752a1d65b201c13b62ea44016eb221f

                              SHA1

                              58ecf154d01a62233ed7fb494ace3c3d4ffce08b

                              SHA256

                              0861415cada612ea5834d56e2cf1055d3e63979b69eb71d32ae9ae394d8306cd

                              SHA512

                              9cfd838d3fb570b44fc3461623ab2296123404c6c8f576b0de0aabd9a6020840d4c9125eb679ed384170dbcaac2fa30dc7fa9ee5b77d6df7c344a0aa030e0389

                              Download Submit

                            • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State
                              Filesize

                              10KB

                              MD5

                              375131a206d3d4052f48189804310d6c

                              SHA1

                              eb379bd04c56c6138636cc52ef551f85f33a8dc4

                              SHA256

                              ac7231ef69fec9ac99e3e617e8804943c3a7eb5c17ff62d59e4b643e89aa33af

                              SHA512

                              f6e78058adf826f103dea516a5a08931b9ba3bae755f223794e97beda2bacaf2fcf068457df1b935fd0c10ea1e48689feaaca564545480b6d89cdd4d0827884b

                              Download Submit

                            • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State
                              Filesize

                              10KB

                              MD5

                              2b5ec6857a8eda97e651711bd3ca6042

                              SHA1

                              4f7b880c45e3ff24960e5368041fc6e88d569618

                              SHA256

                              25c3cfc1a3ebf4bce82d6497ef570a7ddf01e650f6cc7b8099d7496595fc5646

                              SHA512

                              8b6560d0766bb4293de9a15ff5e059759b3032406545123e8515d605a2c4e9cbc4bf1ebf01b945753f45165b4b884fc8639f5c6f0ce9a229c6eb63e843e6279a

                              Download Submit

                            • memory/4976-0-0x00007FFCA3793000-0x00007FFCA3795000-memory.dmp

                              Filesize

                              8KB

                              Download

                            • memory/4976-6-0x00007FFCA3790000-0x00007FFCA4251000-memory.dmp

                              Filesize

                              10.8MB

                              Download

                            • memory/4976-5-0x00007FFCA3793000-0x00007FFCA3795000-memory.dmp

                              Filesize

                              8KB

                              Download

                            • memory/4976-4-0x000001FA2D200000-0x000001FA2D728000-memory.dmp

                              Filesize

                              5.2MB

                              Download

                            • memory/4976-3-0x00007FFCA3790000-0x00007FFCA4251000-memory.dmp

                              Filesize

                              10.8MB

                              Download

                            • memory/4976-2-0x000001FA2CA00000-0x000001FA2CBC2000-memory.dmp

                              Filesize

                              1.8MB

                              Download

                            • memory/4976-1-0x000001FA12390000-0x000001FA123A8000-memory.dmp

                              Filesize

                              96KB

                              Download