Malware Analysis Report

2025-04-13 12:24

Sample ID 250102-z4e53awkhv
Target Client-built.exe
SHA256 07f0a68cf4af26e9355c1349bc5c60ae802630faff552081f2785a250ac6284d
Tags: discordrat persistence rat rootkit stealer
Score: 10/10

Analysis Overview

Score: 10/10

SHA256

07f0a68cf4af26e9355c1349bc5c60ae802630faff552081f2785a250ac6284d

Threat Level: Known bad

The file Client-built.exe was found to be: Known bad.

Malicious Activity Summary

discordrat persistence rat rootkit stealer

Discord RAT

Discordrat family

Unsigned PE

Modifies registry class

Suspicious use of AdjustPrivilegeToken

Suspicious use of SetWindowsHookEx

MITRE ATT&CK

N/A

Analysis: static1

Detonation Overview

Reported

2025-01-02 21:16

Signatures

Discordrat family

discordrat

Unsigned PE

Description | Indicator | Process | Target
N/A | N/A | N/A | N/A

Analysis: behavioral1

Detonation Overview

Submitted

2025-01-02 21:16

Reported

2025-01-02 21:18

Platform

win11-20241007-en

Max time kernel

147s

Max time network

150s

Command Line

"C:\Users\Admin\AppData\Local\Temp\Client-built.exe"

Signatures

Discord RAT

stealer rootkit rat persistence discordrat

Discordrat family

discordrat

Modifies registry class

Description | Indicator | Process | Target
Set value (str) | \REGISTRY\USER\S-1-5-21-2253712635-4068079004-3870069674-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoftwindows.client.cbs_cw5n1h2txyewy\Internet Settings\Cache\Content\CachePrefix | C:\Windows\system32\BackgroundTransferHost.exe | N/A
Set value (str) | \REGISTRY\USER\S-1-5-21-2253712635-4068079004-3870069674-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoftwindows.client.cbs_cw5n1h2txyewy\Internet Settings\Cache\Cookies\CachePrefix = "Cookie:" | C:\Windows\system32\BackgroundTransferHost.exe | N/A
Set value (str) | \REGISTRY\USER\S-1-5-21-2253712635-4068079004-3870069674-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoftwindows.client.cbs_cw5n1h2txyewy\Internet Settings\Cache\History\CachePrefix = "Visited:" | C:\Windows\system32\BackgroundTransferHost.exe | N/A
Key created | \REGISTRY\USER\S-1-5-21-2253712635-4068079004-3870069674-1000_Classes\Local Settings\MuiCache | C:\Windows\system32\BackgroundTransferHost.exe | N/A
Key created | \REGISTRY\USER\S-1-5-21-2253712635-4068079004-3870069674-1000_Classes\Local Settings\MuiCache | C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\MiniSearchHost.exe | N/A

Suspicious use of AdjustPrivilegeToken

Description | Indicator | Process | Target
Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\Client-built.exe | N/A

Suspicious use of SetWindowsHookEx

Description | Indicator | Process | Target
N/A | N/A | C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\MiniSearchHost.exe | N/A

Processes

C:\Users\Admin\AppData\Local\Temp\Client-built.exe

"C:\Users\Admin\AppData\Local\Temp\Client-built.exe"

C:\Windows\system32\BackgroundTransferHost.exe

"BackgroundTransferHost.exe" -ServerName:BackgroundTransferHost.13

C:\Windows\System32\rundll32.exe

C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding

C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\MiniSearchHost.exe

"C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\MiniSearchHost.exe" -ServerName:MiniSearchUI.AppXj3y73at8fy1htwztzxs68sxx1v7cksp7.mca

Network

Country | Destination | Domain | Proto
US | 8.8.8.8:53 | gateway.discord.gg | udp
US | 8.8.8.8:53 | 8.8.8.8.in-addr.arpa | udp
US | 162.159.135.234:443 | gateway.discord.gg | tcp
GB | 88.221.134.249:443 | | tcp
GB | 88.221.134.249:443 | | tcp
US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp
GB | 95.101.143.210:443 | r.bing.com | tcp
GB | 95.101.143.210:443 | r.bing.com | tcp
GB | 95.101.143.210:443 | r.bing.com | tcp
GB | 95.101.143.210:443 | r.bing.com | tcp
GB | 95.101.143.210:443 | r.bing.com | tcp
GB | 95.101.143.210:443 | r.bing.com | tcp
US | 52.168.117.168:443 | browser.pipe.aria.microsoft.com | tcp
GB | 95.101.143.203:443 | www.bing.com | tcp
US | 8.8.8.8:53 | 203.143.101.95.in-addr.arpa | udp

Files

memory/2948-0-0x00007FFA50573000-0x00007FFA50575000-memory.dmp

memory/2948-1-0x000001D0D9510000-0x000001D0D9528000-memory.dmp

memory/2948-2-0x000001D0F3EF0000-0x000001D0F40B2000-memory.dmp

memory/2948-3-0x00007FFA50570000-0x00007FFA51032000-memory.dmp

memory/2948-4-0x000001D0F5070000-0x000001D0F5598000-memory.dmp

memory/2948-5-0x00007FFA50573000-0x00007FFA50575000-memory.dmp

memory/2948-6-0x00007FFA50570000-0x00007FFA51032000-memory.dmp

C:\Users\Admin\AppData\Local\Packages\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\AC\BackgroundTransferApi\9369d663-2126-4e8c-919a-dac443ffe67b.down_data

MD5 5683c0028832cae4ef93ca39c8ac5029
SHA1 248755e4e1db552e0b6f8651b04ca6d1b31a86fb
SHA256 855abd360d8a8d6974eba92b70cbd09ce519bc8773439993f9ab37cb6847309e
SHA512 aba434bd29be191c823b02ea9b639beb10647bbe7759bbffdaa790dfb1ec2c58d74c525ef11aacda209e4effe322d1d3a07b115446c8914b07a3bce4d8a0e2c3

C:\Users\Admin\AppData\Local\Packages\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\TempState\SearchHoverUnifiedTileModelCache.dat

MD5 77a8b2c86dd26c214bc11c989789b62d
SHA1 8b0f2d9d0ded2d7f9bff8aed6aefd6b3fdd1a499
SHA256 e288c02cbba393c9703519e660bf8709331f11978c6d994ea2a1346eef462cb8
SHA512 c287e3ae580343c43a5354347ca5444f54840fba127a2b1edc897b1dfea286fa37b5808f6e89f535c4022db8b3f29448aa4cc2f41ab0f308eec525a99fac4e5e