Analysis Overview
SHA256: c13a0cd7c2c2fd577703bff026b72ed81b51266afa047328c8ff1c4a4d965c97
Threat Level: Known bad
The file release.zip was found to be: Known bad.
Malicious Activity Summary
Discordrat family
Discord RAT
Loads dropped DLL
Executes dropped EXE
System Location Discovery: System Language Discovery
Unsigned PE
Suspicious behavior: GetForegroundWindowSpam
Suspicious use of AdjustPrivilegeToken
Suspicious use of FindShellTrayWindow
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported: 2025-01-03 22:15
Signatures
Discordrat family
Unsigned PE
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Analysis: behavioral1
Detonation Overview
Submitted: 2025-01-03 22:15
Reported: 2025-01-03 22:18
Platform: win7-20240903-en
Max time kernel: 120s
Max time network: 121s
Command Line
Signatures
Discord RAT
Discordrat family
Loads dropped DLL
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | N/A | N/A |
Suspicious behavior: GetForegroundWindowSpam
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | C:\Program Files\7-Zip\7zFM.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
|---|---|---|---|
| Token: SeRestorePrivilege | N/A | C:\Program Files\7-Zip\7zFM.exe | N/A |
| Token: 35 | N/A | C:\Program Files\7-Zip\7zFM.exe | N/A |
| Token: SeSecurityPrivilege | N/A | C:\Program Files\7-Zip\7zFM.exe | N/A |
Suspicious use of FindShellTrayWindow
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | C:\Program Files\7-Zip\7zFM.exe | N/A |
| N/A | N/A | C:\Program Files\7-Zip\7zFM.exe | N/A |
Processes
C:\Program Files\7-Zip\7zFM.exe
"C:\Program Files\7-Zip\7zFM.exe" "C:\Users\Admin\AppData\Local\Temp\release.zip"
Network
Files
\Users\Admin\Desktop\Release\Discord rat.exe
| Hash | Value |
|---|---|
| MD5 | d13905e018eb965ded2e28ba0ab257b5 |
| SHA1 | 6d7fe69566fddc69b33d698591c9a2c70d834858 |
| SHA256 | 2bd631c6665656673a923c13359b0dc211debc05b2885127e26b0dce808e2dec |
| SHA512 | b95bfdebef33ac72b6c21cdf0abb4961222b7efd17267cd7236e731dd0b6105ece28e784a95455f1ffc8a6dd1d580a467b07b3bd8cb2fb19e2111f1a864c97cb |
Analysis: behavioral2
Detonation Overview
Submitted: 2025-01-03 22:15
Reported: 2025-01-03 22:16
Platform: win10v2004-20241007-en
Max time kernel: 23s
Max time network: 19s
Command Line
Signatures
Discord RAT
Discordrat family
Executes dropped EXE
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | C:\Users\Admin\Desktop\builder.exe | N/A |
Loads dropped DLL
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | C:\Users\Admin\Desktop\builder.exe | N/A |
| N/A | N/A | C:\Users\Admin\Desktop\builder.exe | N/A |
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
|---|---|---|---|
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\Desktop\builder.exe | N/A |
Suspicious behavior: GetForegroundWindowSpam
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | C:\Program Files\7-Zip\7zFM.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
|---|---|---|---|
| Token: SeRestorePrivilege | N/A | C:\Program Files\7-Zip\7zFM.exe | N/A |
| Token: 35 | N/A | C:\Program Files\7-Zip\7zFM.exe | N/A |
| Token: SeSecurityPrivilege | N/A | C:\Program Files\7-Zip\7zFM.exe | N/A |
Suspicious use of FindShellTrayWindow
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | C:\Program Files\7-Zip\7zFM.exe | N/A |
| N/A | N/A | C:\Program Files\7-Zip\7zFM.exe | N/A |
| N/A | N/A | C:\Users\Admin\Desktop\builder.exe | N/A |
Processes
C:\Program Files\7-Zip\7zFM.exe
"C:\Program Files\7-Zip\7zFM.exe" "C:\Users\Admin\AppData\Local\Temp\release.zip"
C:\Users\Admin\Desktop\builder.exe
"C:\Users\Admin\Desktop\builder.exe"
Network
| Country | Destination | Domain | Proto |
|---|---|---|---|
| US | 8.8.8.8:53 | 58.55.71.13.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 60.153.16.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 69.31.126.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 13.86.106.20.in-addr.arpa | udp |
Files
C:\Users\Admin\Desktop\builder.exe
| Hash | Value |
|---|---|
| MD5 | 4f04f0e1ff050abf6f1696be1e8bb039 |
| SHA1 | bebf3088fff4595bfb53aea6af11741946bbd9ce |
| SHA256 | ded51c306ee7e59fa15c42798c80f988f6310ea77ab77de3d12dc01233757cfa |
| SHA512 | 94713824b81de323e368fde18679ef8b8f2883378bffd2b7bd2b4e4bd5d48b35c6e71c9f8e9b058ba497db1bd0781807e5b7cecfd540dad611da0986c72b9f12 |
memory/4072-8-0x0000000074DBE000-0x0000000074DBF000-memory.dmp
memory/4072-9-0x0000000000010000-0x0000000000018000-memory.dmp
memory/4072-10-0x00000000050A0000-0x0000000005644000-memory.dmp
memory/4072-11-0x00000000049B0000-0x0000000004A42000-memory.dmp
memory/4072-12-0x0000000074DB0000-0x0000000075560000-memory.dmp
memory/4072-13-0x0000000004A70000-0x0000000004A7A000-memory.dmp
C:\Users\Admin\Desktop\dnlib.dll
| Hash | Value |
|---|---|
| MD5 | 508ccde8bc7003696f32af7054ca3d97 |
| SHA1 | 1f6a0303c5ae5dc95853ec92fd8b979683c3f356 |
| SHA256 | 4758c7c39522e17bf93b3993ada4a1f7dd42bb63331bac0dcd729885e1ba062a |
| SHA512 | 92a59a2e1f6bf0ce512d21cf4148fe027b3a98ed6da46925169a4d0d9835a7a4b1374ba0be84e576d9a8d4e45cb9c2336e1f5bd1ea53e39f0d8553db264e746d |
memory/4072-17-0x0000000007DE0000-0x0000000007F02000-memory.dmp
C:\Users\Admin\Desktop\Release\Discord rat.exe
| Hash | Value |
|---|---|
| MD5 | d13905e018eb965ded2e28ba0ab257b5 |
| SHA1 | 6d7fe69566fddc69b33d698591c9a2c70d834858 |
| SHA256 | 2bd631c6665656673a923c13359b0dc211debc05b2885127e26b0dce808e2dec |
| SHA512 | b95bfdebef33ac72b6c21cdf0abb4961222b7efd17267cd7236e731dd0b6105ece28e784a95455f1ffc8a6dd1d580a467b07b3bd8cb2fb19e2111f1a864c97cb |
memory/4072-20-0x0000000074DBE000-0x0000000074DBF000-memory.dmp
memory/4072-21-0x0000000074DB0000-0x0000000075560000-memory.dmp