Overview

overview

10

Static

static

10

Client-built.exe

windows7-x64

10

Client-built.exe

windows10-2004-x64

10

Resubmissions

03-02-2025 17:08

250203-vny6saxlev 10

03-02-2025 17:07

250203-vm5beayqap 10

Analysis

  • max time kernel
    149s
  • max time network
    149s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20241007-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
  • submitted
    03-02-2025 17:08

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    Client-built.exe

  • Size

    78KB

  • MD5

    61cc66d0b245e378647cfe3a56a51814

  • SHA1

    b097cfda475efe6f4819b6c2db99caf744632f2f

  • SHA256

    7c52f297d8d829076e1607c1b7a7a5e584adef82a01e2520dabe6ca801fb55ed

  • SHA512

    422a99ce926f2793bff05837e9a226c937a89f59b221b0f9b346a1e7d32f423d2a3b6d8efe87111164884ef3983b6e50aace751531998c4574ea5b2e96da4b74

  • SSDEEP

    1536:52WjO8XeEXFh5P7v88wbjNrfxCXhRoKV6+V+fPIC:5Zv5PDwbjNrmAE+nIC

Score
10/10
discordratpersistenceratrootkitstealer

Malware Config

Extracted

Family

discordrat

Attributes
  • discord_token

    MTMwODUzODYxNDg0MTM0NDAyMQ.GZlTOB.ShLTCmYqgKpUZGmBxJbpfXARUmaxc_aOPfIYyU

  • server_id

    1336013454258995351

Signatures

  • Discord RAT

    A RAT written in C# using Discord as a C2.

    stealerrootkitratpersistencediscordrat
  • Discordrat family
    discordrat
  • Checks processor information in registry 2 TTPs 3 IoCs

    Processor information is often read in order to detect sandboxing environments.

  • Enumerates system info in registry 2 TTPs 3 IoCs
  • Suspicious behavior: AddClipboardFormatListener 2 IoCs
  • Suspicious behavior: GetForegroundWindowSpam 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 1 IoCs
  • Suspicious use of FindShellTrayWindow 21 IoCs
  • Suspicious use of SendNotifyMessage 20 IoCs
  • Suspicious use of SetWindowsHookEx 10 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\Client-built.exe
    "C:\Users\Admin\AppData\Local\Temp\Client-built.exe"
    1⤵
    • Suspicious use of AdjustPrivilegeToken
    PID:1240
  • C:\Windows\System32\rundll32.exe
    C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
    1⤵
      PID:3832
    • C:\Program Files\VideoLAN\VLC\vlc.exe
      "C:\Program Files\VideoLAN\VLC\vlc.exe" --started-from-file "C:\Users\Admin\Downloads\InitializeRepair.MTS"
      1⤵
      • Suspicious behavior: AddClipboardFormatListener
      • Suspicious behavior: GetForegroundWindowSpam
      • Suspicious use of FindShellTrayWindow
      • Suspicious use of SendNotifyMessage
      • Suspicious use of SetWindowsHookEx
      PID:4644
    • C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE
      "C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE" "C:\Users\Admin\Desktop\InvokeApprove.xlsb"
      1⤵
      • Checks processor information in registry
      • Enumerates system info in registry
      • Suspicious behavior: AddClipboardFormatListener
      • Suspicious use of SetWindowsHookEx
      PID:876

    Network

    MITRE ATT&CK Enterprise v15

    Replay Monitor

    Loading Replay Monitor...

    Downloads

    • C:\Users\Admin\AppData\Roaming\vlc\vlc-qt-interface.ini
      Filesize

      83B

      MD5

      366480bd727fd4904c29eebce4bd875a

      SHA1

      c1eb162f4461d160d276f56f00609977927ef081

      SHA256

      4f07847824097c98f99d5d732bbc2842c23e676fe2a64f39c5451a0b37b07c20

      SHA512

      06a6ff451ca1509087e386b0ffc206345648c6cd088217ed20074c56ae657e34e6de7be37a347dd70e84992f9cd5b033e327fa34dfab2ad4aaba2c7ab179563e

      Download Submit

    • memory/876-63-0x00007FFD138B0000-0x00007FFD138C0000-memory.dmp

      Filesize

      64KB

      Download

    • memory/876-57-0x00007FFD160B0000-0x00007FFD160C0000-memory.dmp

      Filesize

      64KB

      Download

    • memory/876-59-0x00007FFD160B0000-0x00007FFD160C0000-memory.dmp

      Filesize

      64KB

      Download

    • memory/876-58-0x00007FFD160B0000-0x00007FFD160C0000-memory.dmp

      Filesize

      64KB

      Download

    • memory/876-61-0x00007FFD160B0000-0x00007FFD160C0000-memory.dmp

      Filesize

      64KB

      Download

    • memory/876-60-0x00007FFD160B0000-0x00007FFD160C0000-memory.dmp

      Filesize

      64KB

      Download

    • memory/876-62-0x00007FFD138B0000-0x00007FFD138C0000-memory.dmp

      Filesize

      64KB

      Download

    • memory/1240-3-0x00007FFD37FB0000-0x00007FFD38A71000-memory.dmp

      Filesize

      10.8MB

      Download

    • memory/1240-6-0x00007FFD37FB0000-0x00007FFD38A71000-memory.dmp

      Filesize

      10.8MB

      Download

    • memory/1240-5-0x00007FFD37FB3000-0x00007FFD37FB5000-memory.dmp

      Filesize

      8KB

      Download

    • memory/1240-4-0x000001E599060000-0x000001E599588000-memory.dmp

      Filesize

      5.2MB

      Download

    • memory/1240-0-0x00007FFD37FB3000-0x00007FFD37FB5000-memory.dmp

      Filesize

      8KB

      Download

    • memory/1240-2-0x000001E6001D0000-0x000001E600392000-memory.dmp

      Filesize

      1.8MB

      Download

    • memory/1240-1-0x000001E5FE370000-0x000001E5FE388000-memory.dmp

      Filesize

      96KB

      Download

    • memory/4644-27-0x00007FFD4A170000-0x00007FFD4A188000-memory.dmp

      Filesize

      96KB

      Download

    • memory/4644-35-0x00007FFD2D4A0000-0x00007FFD2E550000-memory.dmp

      Filesize

      16.7MB

      Download

    • memory/4644-26-0x00007FFD2FB30000-0x00007FFD2FDE6000-memory.dmp

      Filesize

      2.7MB

      Download

    • memory/4644-30-0x00007FFD485C0000-0x00007FFD485D7000-memory.dmp

      Filesize

      92KB

      Download

    • memory/4644-42-0x00007FFD2F5A0000-0x00007FFD2F5B1000-memory.dmp

      Filesize

      68KB

      Download

    • memory/4644-41-0x00007FFD325A0000-0x00007FFD325B1000-memory.dmp

      Filesize

      68KB

      Download

    • memory/4644-40-0x00007FFD330C0000-0x00007FFD330D1000-memory.dmp

      Filesize

      68KB

      Download

    • memory/4644-39-0x00007FFD38F30000-0x00007FFD38F41000-memory.dmp

      Filesize

      68KB

      Download

    • memory/4644-38-0x00007FFD3E270000-0x00007FFD3E288000-memory.dmp

      Filesize

      96KB

      Download

    • memory/4644-37-0x00007FFD33460000-0x00007FFD33481000-memory.dmp

      Filesize

      132KB

      Download

    • memory/4644-36-0x00007FFD330E0000-0x00007FFD33121000-memory.dmp

      Filesize

      260KB

      Download

    • memory/4644-29-0x00007FFD48690000-0x00007FFD486A1000-memory.dmp

      Filesize

      68KB

      Download

    • memory/4644-53-0x00007FF644E10000-0x00007FF644F08000-memory.dmp

      Filesize

      992KB

      Download

    • memory/4644-55-0x00007FFD2FB30000-0x00007FFD2FDE6000-memory.dmp

      Filesize

      2.7MB

      Download

    • memory/4644-54-0x00007FFD47D10000-0x00007FFD47D44000-memory.dmp

      Filesize

      208KB

      Download

    • memory/4644-56-0x00007FFD2D4A0000-0x00007FFD2E550000-memory.dmp

      Filesize

      16.7MB

      Download

    • memory/4644-31-0x00007FFD482D0000-0x00007FFD482E1000-memory.dmp

      Filesize

      68KB

      Download

    • memory/4644-34-0x00007FFD2F920000-0x00007FFD2FB2B000-memory.dmp

      Filesize

      2.0MB

      Download

    • memory/4644-32-0x00007FFD479B0000-0x00007FFD479CD000-memory.dmp

      Filesize

      116KB

      Download

    • memory/4644-33-0x00007FFD47990000-0x00007FFD479A1000-memory.dmp

      Filesize

      68KB

      Download

    • memory/4644-28-0x00007FFD48980000-0x00007FFD48997000-memory.dmp

      Filesize

      92KB

      Download

    • memory/4644-24-0x00007FF644E10000-0x00007FF644F08000-memory.dmp

      Filesize

      992KB

      Download

    • memory/4644-25-0x00007FFD47D10000-0x00007FFD47D44000-memory.dmp

      Filesize

      208KB

      Download