Overview

overview

10

Static

static

3

built.sfx.exe

windows11-21h2-x64

10

Analysis

  • max time kernel
    34s
  • max time network
    36s
  • platform
    windows11-21h2_x64
  • resource
    win11-20241007-en
  • resource tags

    arch:x64arch:x86image:win11-20241007-enlocale:en-usos:windows11-21h2-x64system
  • submitted
    07-02-2025 01:31

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    built.sfx.exe

  • Size

    550KB

  • MD5

    9f845faa8d20bca0ad5b562c49984226

  • SHA1

    5d9b152c9687f8f8e6359e5f9b3da34dc4ae1448

  • SHA256

    0fc69c69c41de8a3a9b20b7387ebda3cd6948d25da1755c20404fdefdda53555

  • SHA512

    eabcbf804b7090ad2a31af90e6072bbe86bc2d9870306dae2c4262b3588f042d4248591cc665d5167626403a5f6ced92dde7161e933aaecea08bc3b8323a3adb

  • SSDEEP

    12288:NenOND3GsvSAQoReDhwAZbmajZk/f7SGqlJ6P:gnOlW8SnXFwAtmajGOGqiP

Score
10/10
discordratpersistenceratrootkitspywarestealer

Malware Config

Extracted

Family

discordrat

Attributes
  • discord_token

    MTMzNjE1MzM2MTU3MzIxNjM0Ng.G2Ga3O.6fY2Q_xGRBTkZD6yro26PYZ_j0hEJCFaIweb3k

  • server_id

    1335778556487139340

Signatures

  • Discord RAT

    A RAT written in C# using Discord as a C2.

    stealerrootkitratpersistencediscordrat
  • Discordrat family
    discordrat
  • Executes dropped EXE 1 IoCs
  • Reads user/profile data of web browsers 3 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

    spywarestealer
  • Legitimate hosting services abused for malware hosting/C2 1 TTPs 9 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Suspicious use of AdjustPrivilegeToken 1 IoCs
  • Suspicious use of WriteProcessMemory 2 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\built.sfx.exe
    "C:\Users\Admin\AppData\Local\Temp\built.sfx.exe"
    1⤵
    • Suspicious use of WriteProcessMemory
    PID:232
    • C:\Users\Admin\AppData\Local\Temp\RarSFX0\Client-built.exe
      "C:\Users\Admin\AppData\Local\Temp\RarSFX0\Client-built.exe"
      2⤵
      • Executes dropped EXE
      • Suspicious use of AdjustPrivilegeToken
      PID:3508

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\AppData\Local\Temp\RarSFX0\Client-built.exe
    Filesize

    78KB

    MD5

    6c0864d8ca1b0cf25ab4545840a9e339

    SHA1

    dea1ab83bc0df17e21c88f24b32fd6b0a9ce5875

    SHA256

    4091dd7fc28d7052fb2ca8c281d892a58ea4205216932ec743c3558f5ece7ef7

    SHA512

    75fab26a7b118bc2ded2d50edb521ffe28713d8b1284f59809244b40bf983727ab122c42dfdaf98c5592527f8ac6039c59d910afa2468e0024e978bbce18b783

    Download Submit

  • memory/3508-12-0x00007FFB5DE53000-0x00007FFB5DE55000-memory.dmp

    Filesize

    8KB

    Download

  • memory/3508-13-0x000001FFA2B10000-0x000001FFA2B28000-memory.dmp

    Filesize

    96KB

    Download

  • memory/3508-14-0x000001FFBD1F0000-0x000001FFBD3B2000-memory.dmp

    Filesize

    1.8MB

    Download

  • memory/3508-15-0x00007FFB5DE50000-0x00007FFB5E912000-memory.dmp

    Filesize

    10.8MB

    Download

  • memory/3508-16-0x000001FFBE5C0000-0x000001FFBEAE8000-memory.dmp

    Filesize

    5.2MB

    Download

  • memory/3508-17-0x00007FFB5DE53000-0x00007FFB5DE55000-memory.dmp

    Filesize

    8KB

    Download

  • memory/3508-18-0x00007FFB5DE50000-0x00007FFB5E912000-memory.dmp

    Filesize

    10.8MB

    Download

  • memory/3508-19-0x000001FFBD100000-0x000001FFBD176000-memory.dmp

    Filesize

    472KB

    Download

  • memory/3508-20-0x000001FFA4890000-0x000001FFA48A2000-memory.dmp

    Filesize

    72KB

    Download

  • memory/3508-21-0x000001FFA4920000-0x000001FFA493E000-memory.dmp

    Filesize

    120KB

    Download