Analysis
-
max time kernel
149s -
max time network
151s -
platform
windows11-21h2_x64 -
resource
win11-20241023-en -
resource tags
arch:x64arch:x86image:win11-20241023-enlocale:en-usos:windows11-21h2-x64system -
submitted
20-11-2024 14:52
Behavioral task
behavioral1
Sample
Client-built.exe
Resource
win11-20241023-en
windows11-21h2-x64
9 signatures
150 seconds
General
-
Target
Client-built.exe
-
Size
78KB
-
MD5
5294e84c734fbf9f34110e233b094b98
-
SHA1
2a2dc9fa78e3c80f7c425dc2d70daad6e0e2f6c2
-
SHA256
4abd3eb46f7ea1d4f698e5e35f6ce12cffbc131c994f842733aa4a4a6fc1654a
-
SHA512
ac67c08d7e1eb2d0c8b5f8928541c423d249094bbb72bf920a365f2afe9e3a034923c14cc9a667a899dcc4691b79c45b7eb352acd7f2e08a75bcbabe4cef2bcd
-
SSDEEP
1536:52WjO8XeEXFh5P7v88wbjNrfxCXhRoKV6+V+pPIC:5Zv5PDwbjNrmAE+ZIC
Score
10/10
Malware Config
Extracted
Family
discordrat
Attributes
-
discord_token
MTMwODc5Nzk2NTYxNTQ5NzM1Nw.GBpC5A.89Z5f6lFNt0ykOCJ3xjQcB6vyTHT36DHCa_Du0
-
server_id
1308798365948969031
Signatures
-
Discord RAT
A RAT written in C# using Discord as a C2.
-
Discordrat family
-
Legitimate hosting services abused for malware hosting/C2 1 TTPs 3 IoCs
flow ioc 2 discord.com 4 discord.com 6 discord.com -
Checks SCSI registry key(s) 3 TTPs 3 IoCs
SCSI information is often read in order to detect sandboxing environments.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000 taskmgr.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A taskmgr.exe Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\FriendlyName taskmgr.exe -
Suspicious behavior: EnumeratesProcesses 64 IoCs
pid Process 2424 taskmgr.exe 2424 taskmgr.exe 2424 taskmgr.exe 2424 taskmgr.exe 2424 taskmgr.exe 2424 taskmgr.exe 2424 taskmgr.exe 2424 taskmgr.exe 2424 taskmgr.exe 2424 taskmgr.exe 2424 taskmgr.exe 2424 taskmgr.exe 2424 taskmgr.exe 2424 taskmgr.exe 2424 taskmgr.exe 2424 taskmgr.exe 2424 taskmgr.exe 2424 taskmgr.exe 2424 taskmgr.exe 2424 taskmgr.exe 2424 taskmgr.exe 2424 taskmgr.exe 2424 taskmgr.exe 2424 taskmgr.exe 2424 taskmgr.exe 2424 taskmgr.exe 2424 taskmgr.exe 2424 taskmgr.exe 2424 taskmgr.exe 2424 taskmgr.exe 2424 taskmgr.exe 2424 taskmgr.exe 2424 taskmgr.exe 2424 taskmgr.exe 2424 taskmgr.exe 2424 taskmgr.exe 2424 taskmgr.exe 2424 taskmgr.exe 2424 taskmgr.exe 2424 taskmgr.exe 2424 taskmgr.exe 2424 taskmgr.exe 2424 taskmgr.exe 2424 taskmgr.exe 2424 taskmgr.exe 2424 taskmgr.exe 2424 taskmgr.exe 2424 taskmgr.exe 2424 taskmgr.exe 2424 taskmgr.exe 2424 taskmgr.exe 2424 taskmgr.exe 2424 taskmgr.exe 2424 taskmgr.exe 2424 taskmgr.exe 2424 taskmgr.exe 2424 taskmgr.exe 2424 taskmgr.exe 2424 taskmgr.exe 2424 taskmgr.exe 2424 taskmgr.exe 2424 taskmgr.exe 2424 taskmgr.exe 2424 taskmgr.exe -
Suspicious behavior: GetForegroundWindowSpam 1 IoCs
pid Process 2424 taskmgr.exe -
Suspicious use of AdjustPrivilegeToken 4 IoCs
description pid Process Token: SeDebugPrivilege 2480 Client-built.exe Token: SeDebugPrivilege 2424 taskmgr.exe Token: SeSystemProfilePrivilege 2424 taskmgr.exe Token: SeCreateGlobalPrivilege 2424 taskmgr.exe -
Suspicious use of FindShellTrayWindow 64 IoCs
pid Process 2424 taskmgr.exe 2424 taskmgr.exe 2424 taskmgr.exe 2424 taskmgr.exe 2424 taskmgr.exe 2424 taskmgr.exe 2424 taskmgr.exe 2424 taskmgr.exe 2424 taskmgr.exe 2424 taskmgr.exe 2424 taskmgr.exe 2424 taskmgr.exe 2424 taskmgr.exe 2424 taskmgr.exe 2424 taskmgr.exe 2424 taskmgr.exe 2424 taskmgr.exe 2424 taskmgr.exe 2424 taskmgr.exe 2424 taskmgr.exe 2424 taskmgr.exe 2424 taskmgr.exe 2424 taskmgr.exe 2424 taskmgr.exe 2424 taskmgr.exe 2424 taskmgr.exe 2424 taskmgr.exe 2424 taskmgr.exe 2424 taskmgr.exe 2424 taskmgr.exe 2424 taskmgr.exe 2424 taskmgr.exe 2424 taskmgr.exe 2424 taskmgr.exe 2424 taskmgr.exe 2424 taskmgr.exe 2424 taskmgr.exe 2424 taskmgr.exe 2424 taskmgr.exe 2424 taskmgr.exe 2424 taskmgr.exe 2424 taskmgr.exe 2424 taskmgr.exe 2424 taskmgr.exe 2424 taskmgr.exe 2424 taskmgr.exe 2424 taskmgr.exe 2424 taskmgr.exe 2424 taskmgr.exe 2424 taskmgr.exe 2424 taskmgr.exe 2424 taskmgr.exe 2424 taskmgr.exe 2424 taskmgr.exe 2424 taskmgr.exe 2424 taskmgr.exe 2424 taskmgr.exe 2424 taskmgr.exe 2424 taskmgr.exe 2424 taskmgr.exe 2424 taskmgr.exe 2424 taskmgr.exe 2424 taskmgr.exe 2424 taskmgr.exe -
Suspicious use of SendNotifyMessage 64 IoCs
pid Process 2424 taskmgr.exe 2424 taskmgr.exe 2424 taskmgr.exe 2424 taskmgr.exe 2424 taskmgr.exe 2424 taskmgr.exe 2424 taskmgr.exe 2424 taskmgr.exe 2424 taskmgr.exe 2424 taskmgr.exe 2424 taskmgr.exe 2424 taskmgr.exe 2424 taskmgr.exe 2424 taskmgr.exe 2424 taskmgr.exe 2424 taskmgr.exe 2424 taskmgr.exe 2424 taskmgr.exe 2424 taskmgr.exe 2424 taskmgr.exe 2424 taskmgr.exe 2424 taskmgr.exe 2424 taskmgr.exe 2424 taskmgr.exe 2424 taskmgr.exe 2424 taskmgr.exe 2424 taskmgr.exe 2424 taskmgr.exe 2424 taskmgr.exe 2424 taskmgr.exe 2424 taskmgr.exe 2424 taskmgr.exe 2424 taskmgr.exe 2424 taskmgr.exe 2424 taskmgr.exe 2424 taskmgr.exe 2424 taskmgr.exe 2424 taskmgr.exe 2424 taskmgr.exe 2424 taskmgr.exe 2424 taskmgr.exe 2424 taskmgr.exe 2424 taskmgr.exe 2424 taskmgr.exe 2424 taskmgr.exe 2424 taskmgr.exe 2424 taskmgr.exe 2424 taskmgr.exe 2424 taskmgr.exe 2424 taskmgr.exe 2424 taskmgr.exe 2424 taskmgr.exe 2424 taskmgr.exe 2424 taskmgr.exe 2424 taskmgr.exe 2424 taskmgr.exe 2424 taskmgr.exe 2424 taskmgr.exe 2424 taskmgr.exe 2424 taskmgr.exe 2424 taskmgr.exe 2424 taskmgr.exe 2424 taskmgr.exe 2424 taskmgr.exe
Processes
-
C:\Users\Admin\AppData\Local\Temp\Client-built.exe"C:\Users\Admin\AppData\Local\Temp\Client-built.exe"1⤵
- Suspicious use of AdjustPrivilegeToken
PID:2480
-
C:\Windows\system32\taskmgr.exe"C:\Windows\system32\taskmgr.exe" /01⤵
- Checks SCSI registry key(s)
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:2424