Overview

overview

10

Static

static

1

URLScan

urlscan

https://github.com/e...

windows10-2004-x64

10

Analysis

  • max time kernel
    31s
  • max time network
    32s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20241007-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
  • submitted
    18-01-2025 21:40

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    https://github.com/eduuvlcc1/discord-rat

Score
10/10
discordratdiscoverypersistenceratrootkitstealer

Malware Config

Extracted

Family

discordrat

Attributes
  • discord_token

    MTMxOTc4OTMwMjA2MTk5NDExMA.GMe7RX.0UnH4Yry5JdoThehz_UeXT_h2qz9Z5hew2qsQA

  • server_id

    1186811367248904252

Signatures

  • Discord RAT

    A RAT written in C# using Discord as a C2.

    stealerrootkitratpersistencediscordrat
  • Discordrat family
    discordrat
  • Downloads MZ/PE file
  • Executes dropped EXE 2 IoCs
  • Legitimate hosting services abused for malware hosting/C2 1 TTPs 2 IoCs
  • Browser Information Discovery 1 TTPs

    Enumerate browser information.

    discovery
  • Enumerates system info in registry 2 TTPs 3 IoCs
  • NTFS ADS 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 8 IoCs
  • Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 7 IoCs
  • Suspicious use of AdjustPrivilegeToken 2 IoCs
  • Suspicious use of FindShellTrayWindow 35 IoCs
  • Suspicious use of SendNotifyMessage 24 IoCs
  • Suspicious use of WriteProcessMemory 64 IoCs

Processes

  • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --start-maximized --single-argument https://github.com/eduuvlcc1/discord-rat
    1⤵
    • Enumerates system info in registry
    • NTFS ADS
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
    • Suspicious use of FindShellTrayWindow
    • Suspicious use of SendNotifyMessage
    • Suspicious use of WriteProcessMemory
    PID:3500
    • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ff86db546f8,0x7ff86db54708,0x7ff86db54718
      2⤵
        PID:4556
      • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2168,6245061308775607893,3944663331990980995,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2172 /prefetch:2
        2⤵
          PID:3212
        • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
          "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2168,6245061308775607893,3944663331990980995,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2256 /prefetch:3
          2⤵
          • Suspicious behavior: EnumeratesProcesses
          PID:2844
        • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
          "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2168,6245061308775607893,3944663331990980995,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2688 /prefetch:8
          2⤵
            PID:1580
          • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
            "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2168,6245061308775607893,3944663331990980995,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3364 /prefetch:1
            2⤵
              PID:2416
            • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
              "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2168,6245061308775607893,3944663331990980995,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3380 /prefetch:1
              2⤵
                PID:3768
              • C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
                "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2168,6245061308775607893,3944663331990980995,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5444 /prefetch:8
                2⤵
                  PID:1048
                • C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
                  "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2168,6245061308775607893,3944663331990980995,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5444 /prefetch:8
                  2⤵
                  • Suspicious behavior: EnumeratesProcesses
                  PID:936
                • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=edge_collections.mojom.CollectionsDataManager --field-trial-handle=2168,6245061308775607893,3944663331990980995,131072 --lang=en-US --service-sandbox-type=collections --mojo-platform-channel-handle=2308 /prefetch:8
                  2⤵
                    PID:1608
                  • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2168,6245061308775607893,3944663331990980995,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5008 /prefetch:1
                    2⤵
                      PID:1512
                    • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --field-trial-handle=2168,6245061308775607893,3944663331990980995,131072 --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=6060 /prefetch:8
                      2⤵
                        PID:1880
                      • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=2168,6245061308775607893,3944663331990980995,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5812 /prefetch:8
                        2⤵
                        • Suspicious behavior: EnumeratesProcesses
                        PID:2568
                      • C:\Users\Admin\Downloads\Client-built.exe
                        "C:\Users\Admin\Downloads\Client-built.exe"
                        2⤵
                        • Executes dropped EXE
                        • Suspicious use of AdjustPrivilegeToken
                        PID:4608
                      • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2168,6245061308775607893,3944663331990980995,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=13 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5928 /prefetch:1
                        2⤵
                          PID:4156
                        • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                          "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2168,6245061308775607893,3944663331990980995,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=14 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6344 /prefetch:1
                          2⤵
                            PID:2532
                          • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                            "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2168,6245061308775607893,3944663331990980995,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=15 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5676 /prefetch:1
                            2⤵
                              PID:1172
                            • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                              "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2168,6245061308775607893,3944663331990980995,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=16 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5760 /prefetch:1
                              2⤵
                                PID:3944
                              • C:\Users\Admin\Downloads\Client-built.exe
                                "C:\Users\Admin\Downloads\Client-built.exe"
                                2⤵
                                • Executes dropped EXE
                                • Suspicious use of AdjustPrivilegeToken
                                PID:5200
                            • C:\Windows\System32\CompPkgSrv.exe
                              C:\Windows\System32\CompPkgSrv.exe -Embedding
                              1⤵
                                PID:2020
                              • C:\Windows\System32\CompPkgSrv.exe
                                C:\Windows\System32\CompPkgSrv.exe -Embedding
                                1⤵
                                  PID:1524

                                Network

                                MITRE ATT&CK Enterprise v15

                                Replay Monitor

                                Loading Replay Monitor...

                                Downloads

                                • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat
                                  Filesize

                                  152B

                                  MD5

                                  6960857d16aadfa79d36df8ebbf0e423

                                  SHA1

                                  e1db43bd478274366621a8c6497e270d46c6ed4f

                                  SHA256

                                  f40b812ce44e391423eb66602ac0af138a1e948aa8c4116045fef671ef21cd32

                                  SHA512

                                  6deb2a63055a643759dd0ae125fb2f68ec04a443dbf8b066a812b42352bbcfa4517382ed0910c190c986a864559c3453c772e153ee2e9432fb2de2e1e49ca7fe

                                  Download Submit

                                • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat
                                  Filesize

                                  152B

                                  MD5

                                  f426165d1e5f7df1b7a3758c306cd4ae

                                  SHA1

                                  59ef728fbbb5c4197600f61daec48556fec651c1

                                  SHA256

                                  b68dfc21866d0abe5c75d70acc54670421fa9b26baf98af852768676a901b841

                                  SHA512

                                  8d437fcb85acb0705bf080141e7a021740901248985a76299ea8c43e46ad78fb88c738322cf302f6a550caa5e79d85b36827e9b329b1094521b17cf638c015b6

                                  Download Submit

                                • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_000002
                                  Filesize

                                  20KB

                                  MD5

                                  7247e91eedf36d653790d6d0a1c8a4e7

                                  SHA1

                                  88281d63857f377a82426d9ab6963249c37443c7

                                  SHA256

                                  bd6e42e520f77a213daeee8749872b2ef6b220f7864e72c90f78fdb916861e5c

                                  SHA512

                                  7780717bfbb9661b6715f46c89b81e0241d2a7305893ffed317b0ad5ebf57548552b6ad11ce1518f6bf20aa5671bcacb77dbd86f9b484abe4b7dc2071c4c42a1

                                  Download Submit

                                • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index
                                  Filesize

                                  1KB

                                  MD5

                                  bee66def5f12ccbe162f8ab3c146296e

                                  SHA1

                                  5e44219b9563c4e13b8e88407466308d183ba020

                                  SHA256

                                  afccea038b2b06124b669ba59c093902d32462814dcf02b4a2c0f8531e4c012e

                                  SHA512

                                  089fcc82a142cfcd07210954638c473969564276d90d21b9c16b7561fdb5710831d07549f2e8c9d2ccf8bdda9013424003edabe6e4e527423236581e0c9c1ae6

                                  Download Submit

                                • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences
                                  Filesize

                                  5KB

                                  MD5

                                  54a3242b24dd346ae1e44acf1377d91b

                                  SHA1

                                  7e60bcef431848cddbb5e84a1ec4f55d6bb3ee7f

                                  SHA256

                                  3aa88c911a9155e9817862f2eaf6618b580b6d9308ec02ac59ea3c752a4c893e

                                  SHA512

                                  852f8da5fb1b29895149b3bff226c6287984a84440865ed0f46a3cfaf2d409414a7dabefc3121f9f9b1d700fb6b80212a87a9cbc494da5edc2bbeef32def5039

                                  Download Submit

                                • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences
                                  Filesize

                                  6KB

                                  MD5

                                  faa97f056219f9787bc2a6aa32a86652

                                  SHA1

                                  fe19311c14003e95df716fc121f852ae7457ce38

                                  SHA256

                                  a01364ed64c6911b9f42a96b5d92d3ae60325646a9c811aae7b281a0e8e06735

                                  SHA512

                                  1572db710f2b6a0e2ff73df39640a8baf06b8bd656b8faf515652dd1f5578d59af66a3d76ff197e6e498b345cdf1ff04dfdc54fd14e3468d20b84fba3cee9f55

                                  Download Submit

                                • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT
                                  Filesize

                                  16B

                                  MD5

                                  6752a1d65b201c13b62ea44016eb221f

                                  SHA1

                                  58ecf154d01a62233ed7fb494ace3c3d4ffce08b

                                  SHA256

                                  0861415cada612ea5834d56e2cf1055d3e63979b69eb71d32ae9ae394d8306cd

                                  SHA512

                                  9cfd838d3fb570b44fc3461623ab2296123404c6c8f576b0de0aabd9a6020840d4c9125eb679ed384170dbcaac2fa30dc7fa9ee5b77d6df7c344a0aa030e0389

                                  Download Submit

                                • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State
                                  Filesize

                                  10KB

                                  MD5

                                  bc587a956422f7523c837259c6e2a274

                                  SHA1

                                  89bc46835161a389d9851ed22f6a91a94a3e12e9

                                  SHA256

                                  1e290194d869cef91cb6429485cc1f197c61cc4a7efbd03a092b58faa34eef55

                                  SHA512

                                  d333d48ef15906f1e3afd776f17f38708fea73e1c26e6352e21190894b3c39f8e866792eea90284789abc38a1b09537d5fa00bdf650014f4783f9d5b0152df1c

                                  Download Submit

                                • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State
                                  Filesize

                                  10KB

                                  MD5

                                  9c33ab46591597b9b89613887f2d6255

                                  SHA1

                                  b53681f420a512e20c3e39f3c4b9cbf5effce40e

                                  SHA256

                                  fd5b695c6c38fc1517bb54de27d4bf9dd0134294a3a245a923c4c14cf53b07f9

                                  SHA512

                                  4f6ab8966782d23f0553ae388687ea8edc43cfd761805a92ecd9af0720fd6809d20f180f215b4d03f504193d90de27024fb447a32b28c9517614607228aac823

                                  Download Submit

                                • C:\Users\Admin\Downloads\Unconfirmed 62298.crdownload
                                  Filesize

                                  78KB

                                  MD5

                                  a6887e308544c044b0b037991058d477

                                  SHA1

                                  45bdf69eb0a27d68d829d17dec39288e22289fc3

                                  SHA256

                                  1eee1c2a00aa839249ae6d8e1c376027c66e9849c57180a5710567338abb145d

                                  SHA512

                                  84cd2eef59f867938980922ca49bb992e6cf2062c060a7e9d5fd6ed6f5b6d3520a03d58beffa57cb67029bbd744cbd5cd61f80abc273b015ebe3632651b52bfb

                                  Download Submit

                                • memory/4608-206-0x0000019D038C0000-0x0000019D038D8000-memory.dmp

                                  Filesize

                                  96KB

                                  Download

                                • memory/4608-207-0x0000019D1DEE0000-0x0000019D1E0A2000-memory.dmp

                                  Filesize

                                  1.8MB

                                  Download

                                • memory/4608-208-0x0000019D1E6E0000-0x0000019D1EC08000-memory.dmp

                                  Filesize

                                  5.2MB

                                  Download