Overview

overview

10

Static

static

10

Client-built.exe

windows11-21h2-x64

10

Resubmissions

03-02-2025 17:12

250203-vqyb9syqfp 10

01-02-2025 09:56

250201-lysx3sxjhz 10

01-02-2025 08:29

250201-kdnbesxlak 10

Analysis

  • max time kernel
    264s
  • max time network
    203s
  • platform
    windows11-21h2_x64
  • resource
    win11-20241007-en
  • resource tags

    arch:x64arch:x86image:win11-20241007-enlocale:en-usos:windows11-21h2-x64system
  • submitted
    03-02-2025 17:12

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    Client-built.exe

  • Size

    78KB

  • MD5

    c5fe943c63dffbd58b0f61b70ce570e3

  • SHA1

    1e0385df0eeb6078a04607866cdd0adf47646521

  • SHA256

    3fcfc7ed8a9fe616540b4e12926021b8ee515879f555a1e697961483bccb4fa5

  • SHA512

    b961ccb840443f5eb78fefa5417e22796f6e0b7272788b8fcdc6abd57262a1c2b4357050171a70af2b0e5d30a1849b081020f3498ab07e50aacbf9f60c32114b

  • SSDEEP

    1536:52WjO8XeEXFh5P7v88wbjNrfxCXhRoKV6+V+RPIC:5Zv5PDwbjNrmAE+BIC

Score
10/10
discordratpersistenceratrootkitstealer

Malware Config

Extracted

Family

discordrat

Attributes
  • discord_token

    MTMzNDg2ODQ0OTQ4MjI0ODI1NA.GmvrOG.IWZ9BB6ZJ0i5ytcVVC-P4pzKCiMdbTruowhj90

  • server_id

    1335159502953254943

Signatures

  • Discord RAT

    A RAT written in C# using Discord as a C2.

    stealerrootkitratpersistencediscordrat
  • Discordrat family
    discordrat
  • Enumerates connected drives 3 TTPs 48 IoCs

    Attempts to read the root path of hard drives other than the default C: drive.

  • Modifies data under HKEY_USERS 64 IoCs
  • Modifies registry class 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 4 IoCs
  • Suspicious use of SetWindowsHookEx 1 IoCs
  • Suspicious use of WriteProcessMemory 6 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\Client-built.exe
    "C:\Users\Admin\AppData\Local\Temp\Client-built.exe"
    1⤵
    • Suspicious use of AdjustPrivilegeToken
    PID:4860
  • C:\Windows\system32\SearchIndexer.exe
    C:\Windows\system32\SearchIndexer.exe /Embedding
    1⤵
    • Enumerates connected drives
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:4312
    • C:\Windows\System32\SearchProtocolHost.exe
      "C:\Windows\System32\SearchProtocolHost.exe" Global\UsGthrFltPipeMssGthrPipe1_ Global\UsGthrCtrlFltPipeMssGthrPipe1 1 -2147483646 "Software\Microsoft\Windows Search" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT; MS Search 4.0 Robot)" "C:\ProgramData\Microsoft\Search\Data\Temp\usgthrsvc" "DownLevelDaemon"
      2⤵
      • Modifies data under HKEY_USERS
      PID:244
    • C:\Windows\system32\SearchFilterHost.exe
      "C:\Windows\system32\SearchFilterHost.exe" 828 2820 2816 812 {0E5DCEC5-7795-4E38-9621-94DFD9F9A421}
      2⤵
      • Modifies data under HKEY_USERS
      PID:4896
    • C:\Windows\system32\SearchFilterHost.exe
      "C:\Windows\system32\SearchFilterHost.exe" 828 2852 2848 812 {85EE815A-7738-4808-A14A-3AD87E32A3BF}
      2⤵
      • Modifies data under HKEY_USERS
      PID:236
  • C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\MiniSearchHost.exe
    "C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\MiniSearchHost.exe" -ServerName:MiniSearchUI.AppXj3y73at8fy1htwztzxs68sxx1v7cksp7.mca
    1⤵
    • Modifies registry class
    • Suspicious use of SetWindowsHookEx
    PID:4624
  • C:\Windows\System32\rundll32.exe
    C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
    1⤵
      PID:1188

    Network

    MITRE ATT&CK Enterprise v15

    Replay Monitor

    Loading Replay Monitor...

    Downloads

    • C:\Users\Admin\AppData\Local\Packages\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\TempState\SearchHoverUnifiedTileModelCache.dat
      Filesize

      10KB

      MD5

      77a8b2c86dd26c214bc11c989789b62d

      SHA1

      8b0f2d9d0ded2d7f9bff8aed6aefd6b3fdd1a499

      SHA256

      e288c02cbba393c9703519e660bf8709331f11978c6d994ea2a1346eef462cb8

      SHA512

      c287e3ae580343c43a5354347ca5444f54840fba127a2b1edc897b1dfea286fa37b5808f6e89f535c4022db8b3f29448aa4cc2f41ab0f308eec525a99fac4e5e

      Download Submit

    • memory/4312-6-0x00000201870F0000-0x0000020187100000-memory.dmp

      Filesize

      64KB

      Download

    • memory/4312-23-0x0000020187330000-0x0000020187340000-memory.dmp

      Filesize

      64KB

      Download

    • memory/4312-38-0x000002018B5E0000-0x000002018B5E8000-memory.dmp

      Filesize

      32KB

      Download

    • memory/4860-0-0x00007FFC15393000-0x00007FFC15395000-memory.dmp

      Filesize

      8KB

      Download

    • memory/4860-1-0x000001C34FA00000-0x000001C34FA18000-memory.dmp

      Filesize

      96KB

      Download

    • memory/4860-2-0x000001C36A060000-0x000001C36A222000-memory.dmp

      Filesize

      1.8MB

      Download

    • memory/4860-3-0x00007FFC15390000-0x00007FFC15E52000-memory.dmp

      Filesize

      10.8MB

      Download

    • memory/4860-4-0x000001C36B2E0000-0x000001C36B808000-memory.dmp

      Filesize

      5.2MB

      Download

    • memory/4860-5-0x00007FFC15390000-0x00007FFC15E52000-memory.dmp

      Filesize

      10.8MB

      Download

    • memory/4896-54-0x0000014BCCCB0000-0x0000014BCCCC0000-memory.dmp

      Filesize

      64KB

      Download

    • memory/4896-59-0x0000014BCCCB0000-0x0000014BCCCC0000-memory.dmp

      Filesize

      64KB

      Download

    • memory/4896-45-0x0000014BCCCB0000-0x0000014BCCCC0000-memory.dmp

      Filesize

      64KB

      Download

    • memory/4896-46-0x0000014BCCCB0000-0x0000014BCCCC0000-memory.dmp

      Filesize

      64KB

      Download

    • memory/4896-47-0x0000014BCCCB0000-0x0000014BCCCC0000-memory.dmp

      Filesize

      64KB

      Download

    • memory/4896-48-0x0000014BCCCB0000-0x0000014BCCCC0000-memory.dmp

      Filesize

      64KB

      Download

    • memory/4896-49-0x0000014BCCCB0000-0x0000014BCCCC0000-memory.dmp

      Filesize

      64KB

      Download

    • memory/4896-57-0x0000014BCCCB0000-0x0000014BCCCC0000-memory.dmp

      Filesize

      64KB

      Download

    • memory/4896-56-0x0000014BCCCB0000-0x0000014BCCCC0000-memory.dmp

      Filesize

      64KB

      Download

    • memory/4896-55-0x0000014BCCCB0000-0x0000014BCCCC0000-memory.dmp

      Filesize

      64KB

      Download

    • memory/4896-43-0x0000014BCCCB0000-0x0000014BCCCC0000-memory.dmp

      Filesize

      64KB

      Download

    • memory/4896-53-0x0000014BCCCB0000-0x0000014BCCCC0000-memory.dmp

      Filesize

      64KB

      Download

    • memory/4896-52-0x0000014BCCCB0000-0x0000014BCCCC0000-memory.dmp

      Filesize

      64KB

      Download

    • memory/4896-51-0x0000014BCCCB0000-0x0000014BCCCC0000-memory.dmp

      Filesize

      64KB

      Download

    • memory/4896-50-0x0000014BCCCB0000-0x0000014BCCCC0000-memory.dmp

      Filesize

      64KB

      Download

    • memory/4896-44-0x0000014BCCCB0000-0x0000014BCCCC0000-memory.dmp

      Filesize

      64KB

      Download

    • memory/4896-58-0x0000014BCCCB0000-0x0000014BCCCC0000-memory.dmp

      Filesize

      64KB

      Download

    • memory/4896-60-0x0000014BCCCB0000-0x0000014BCCCC0000-memory.dmp

      Filesize

      64KB

      Download

    • memory/4896-61-0x0000014BCCCB0000-0x0000014BCCCC0000-memory.dmp

      Filesize

      64KB

      Download

    • memory/4896-62-0x0000014BCCCB0000-0x0000014BCCCC0000-memory.dmp

      Filesize

      64KB

      Download

    • memory/4896-63-0x0000014BCCCB0000-0x0000014BCCCC0000-memory.dmp

      Filesize

      64KB

      Download

    • memory/4896-64-0x0000014BCCCB0000-0x0000014BCCCC0000-memory.dmp

      Filesize

      64KB

      Download

    • memory/4896-65-0x0000014BCCCB0000-0x0000014BCCCC0000-memory.dmp

      Filesize

      64KB

      Download

    • memory/4896-68-0x0000014BCCCB0000-0x0000014BCCCC0000-memory.dmp

      Filesize

      64KB

      Download

    • memory/4896-69-0x0000014BCCCB0000-0x0000014BCCCC0000-memory.dmp

      Filesize

      64KB

      Download

    • memory/4896-67-0x0000014BCCCB0000-0x0000014BCCCC0000-memory.dmp

      Filesize

      64KB

      Download

    • memory/4896-72-0x0000014BCCCB0000-0x0000014BCCCC0000-memory.dmp

      Filesize

      64KB

      Download

    • memory/4896-71-0x0000014BCCCB0000-0x0000014BCCCC0000-memory.dmp

      Filesize

      64KB

      Download

    • memory/4896-70-0x0000014BCCCB0000-0x0000014BCCCC0000-memory.dmp

      Filesize

      64KB

      Download

    • memory/4896-66-0x0000014BCCCB0000-0x0000014BCCCC0000-memory.dmp

      Filesize

      64KB

      Download

    • memory/4896-42-0x0000014BCCCB0000-0x0000014BCCCC0000-memory.dmp

      Filesize

      64KB

      Download