discordrat | ce864197af77c17580f8dcdc48c20d2ba53c1b9721f07664aebe33b9e7ce4fd3

Analysis

max time kernel
54s
max time network
55s
platform
windows11-21h2_x64
resource
win11-20241007-en
resource tags

arch:x64arch:x86image:win11-20241007-enlocale:en-usos:windows11-21h2-x64system
submitted
23-11-2024 17:01

Target

Client-built_Sugary.exe
Size

233KB
MD5

29fb910aca6fd630dfc79683b0ae2a85
SHA1

bc5cc2c7a290b5f85ed39bb042b8a8cd20946e59
SHA256

ce864197af77c17580f8dcdc48c20d2ba53c1b9721f07664aebe33b9e7ce4fd3
SHA512

9120a3815d1ce6c3abefc1472eee241ac9c7df382c80681cc477367e160aad4a51dbedd0e6be5e62638ccd2718c75d6c7af138721b12d5ef453475b3257516ca
SSDEEP

6144:hv5PDwbBrnIrXxMxl1TSZOiECd7LbkjrR:hv5RrBGlhiECd

Score

10^/10

Discord RAT
A RAT written in C# using Discord as a C2.
stealer rootkit rat persistence discordrat
Discordrat family
discordrat

Modifies registry class 4 IoCs

Processes:

BackgroundTransferHost.exe

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-1537126222-899333903-2037027349-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoftwindows.client.cbs_cw5n1h2txyewy\Internet Settings\Cache\Content\CachePrefix	BackgroundTransferHost.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1537126222-899333903-2037027349-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoftwindows.client.cbs_cw5n1h2txyewy\Internet Settings\Cache\Cookies\CachePrefix = "Cookie:"	BackgroundTransferHost.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1537126222-899333903-2037027349-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoftwindows.client.cbs_cw5n1h2txyewy\Internet Settings\Cache\History\CachePrefix = "Visited:"	BackgroundTransferHost.exe
Key created	\REGISTRY\USER\S-1-5-21-1537126222-899333903-2037027349-1000_Classes\Local Settings\MuiCache	BackgroundTransferHost.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes:

Client-built_Sugary.exe

description	pid	Process
Token: SeDebugPrivilege	1220	Client-built_Sugary.exe

C:\Users\Admin\AppData\Local\Temp\Client-built_Sugary.exe
"C:\Users\Admin\AppData\Local\Temp\Client-built_Sugary.exe"
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:1220

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:1200

C:\Windows\system32\BackgroundTransferHost.exe
"BackgroundTransferHost.exe" -ServerName:BackgroundTransferHost.13
1⤵
- Modifies registry class
PID:4720

C:\Users\Admin\AppData\Local\Packages\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\AC\BackgroundTransferApi\27fd14f3-6225-4b7f-ac7e-ae3659ce4ea4.down_data

Filesize
555KB

MD5
5683c0028832cae4ef93ca39c8ac5029

SHA1
248755e4e1db552e0b6f8651b04ca6d1b31a86fb

SHA256
855abd360d8a8d6974eba92b70cbd09ce519bc8773439993f9ab37cb6847309e

SHA512
aba434bd29be191c823b02ea9b639beb10647bbe7759bbffdaa790dfb1ec2c58d74c525ef11aacda209e4effe322d1d3a07b115446c8914b07a3bce4d8a0e2c3

Download Submit
memory/1220-0-0x00007FFF923D3000-0x00007FFF923D5000-memory.dmp

Filesize
8KB

Download
memory/1220-1-0x0000026D2F320000-0x0000026D2F360000-memory.dmp

Filesize
256KB

Download
memory/1220-2-0x0000026D49940000-0x0000026D49B02000-memory.dmp

Filesize
1.8MB

Download
memory/1220-3-0x00007FFF923D0000-0x00007FFF92E92000-memory.dmp

Filesize
10.8MB

Download
memory/1220-4-0x00007FFF923D0000-0x00007FFF92E92000-memory.dmp

Filesize
10.8MB

Download