Overview

overview

10

Static

static

10

Client-built.exe

windows7-x64

10

Client-built.exe

windows10-2004-x64

10

Resubmissions

Analysis

  • max time kernel
    17s
  • max time network
    23s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20250217-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20250217-enlocale:en-usos:windows10-2004-x64system
  • submitted
    22-02-2025 17:01

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    Client-built.exe

  • Size

    78KB

  • MD5

    b7d931632ff3d8290ea3c8f3b25e5e38

  • SHA1

    b7a0a8c5f44566b5b40715b86fbc96f2ff76cc16

  • SHA256

    ce28faa42ddd232b9eaaa74f541973210c43556831a8b6242bba90581db75675

  • SHA512

    a32e85fff24697c35ed0afd05b47fce0a6bada22fab651e3bfb33087335866815ae26f922bfbfb9e3ef6fb2be6e99d6f7a29de619922334127e703b592110d57

  • SSDEEP

    1536:52WjO8XeEXFh5P7v88wbjNrfxCXhRoKV6+V+wPIC:5Zv5PDwbjNrmAE+0IC

Score
10/10
discordratdiscoverypersistenceratrootkitstealer

Malware Config

Extracted

Family

discordrat

Attributes
  • discord_token

    MTM0Mjg2NTI4Mjg4NDE3MzkzNQ.GO--qR.B-Xy2KTyXU4BF-yf93wQlD_kexcbEVrhnYBv_o

  • server_id

    1342834826075570286

Signatures

  • Discord RAT

    A RAT written in C# using Discord as a C2.

    stealerrootkitratpersistencediscordrat
  • Discordrat family
    discordrat
  • Browser Information Discovery 1 TTPs

    Enumerate browser information.

    discovery
  • Checks SCSI registry key(s) 3 TTPs 3 IoCs

    SCSI information is often read in order to detect sandboxing environments.

  • Enumerates system info in registry 2 TTPs 3 IoCs
  • Suspicious behavior: EnumeratesProcesses 26 IoCs
  • Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 7 IoCs
  • Suspicious use of AdjustPrivilegeToken 4 IoCs
  • Suspicious use of FindShellTrayWindow 53 IoCs
  • Suspicious use of SendNotifyMessage 52 IoCs
  • Suspicious use of WriteProcessMemory 64 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\Client-built.exe
    "C:\Users\Admin\AppData\Local\Temp\Client-built.exe"
    1⤵
    • Suspicious use of AdjustPrivilegeToken
    PID:1084
  • C:\Windows\system32\taskmgr.exe
    "C:\Windows\system32\taskmgr.exe" /4
    1⤵
    • Checks SCSI registry key(s)
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of FindShellTrayWindow
    • Suspicious use of SendNotifyMessage
    PID:3024
  • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --profile-directory=Default
    1⤵
    • Enumerates system info in registry
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
    • Suspicious use of FindShellTrayWindow
    • Suspicious use of SendNotifyMessage
    • Suspicious use of WriteProcessMemory
    PID:4992
    • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x120,0x124,0x128,0xf8,0x12c,0x7ffeada546f8,0x7ffeada54708,0x7ffeada54718
      2⤵
        PID:2948
      • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2080,4398433184765346645,473293813668440780,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2104 /prefetch:2
        2⤵
          PID:1936
        • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
          "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2080,4398433184765346645,473293813668440780,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2224 /prefetch:3
          2⤵
          • Suspicious behavior: EnumeratesProcesses
          PID:3052
        • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
          "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2080,4398433184765346645,473293813668440780,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2724 /prefetch:8
          2⤵
            PID:2220
          • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
            "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2080,4398433184765346645,473293813668440780,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3360 /prefetch:1
            2⤵
              PID:1200
            • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
              "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2080,4398433184765346645,473293813668440780,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3384 /prefetch:1
              2⤵
                PID:1520
              • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2080,4398433184765346645,473293813668440780,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5016 /prefetch:1
                2⤵
                  PID:4688
                • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2080,4398433184765346645,473293813668440780,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3848 /prefetch:1
                  2⤵
                    PID:1660
                  • C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
                    "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2080,4398433184765346645,473293813668440780,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5476 /prefetch:8
                    2⤵
                      PID:3416
                    • C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
                      "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2080,4398433184765346645,473293813668440780,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5476 /prefetch:8
                      2⤵
                      • Suspicious behavior: EnumeratesProcesses
                      PID:4128
                    • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2080,4398433184765346645,473293813668440780,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5512 /prefetch:1
                      2⤵
                        PID:4136
                      • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2080,4398433184765346645,473293813668440780,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5560 /prefetch:1
                        2⤵
                          PID:4444
                        • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                          "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2080,4398433184765346645,473293813668440780,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4292 /prefetch:1
                          2⤵
                            PID:1248
                        • C:\Windows\System32\CompPkgSrv.exe
                          C:\Windows\System32\CompPkgSrv.exe -Embedding
                          1⤵
                            PID:2248
                          • C:\Windows\System32\CompPkgSrv.exe
                            C:\Windows\System32\CompPkgSrv.exe -Embedding
                            1⤵
                              PID:1464

                            Network

                            MITRE ATT&CK Enterprise v15

                            Replay Monitor

                            Loading Replay Monitor...

                            Downloads

                            • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat
                              Filesize

                              152B

                              MD5

                              39e376ee2f541e6b1ed0bca701e8fb59

                              SHA1

                              bfe3cc2eed8721339d433533aef6e18e0a13a9a3

                              SHA256

                              80eda1e4d8c05e257ff17ef734d606e67d8ab70b3e351430b2b231631eed5e04

                              SHA512

                              a3f082c32857db0e3dec24394a259fff85e21b6a7b057ef55933504c23ec38cbb3237eb519d38385fc53cbc584c52aaf66291f44231245d9afee509a108a3350

                              Download Submit

                            • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat
                              Filesize

                              152B

                              MD5

                              39c51e5592e99966d676c729e840107b

                              SHA1

                              e2dd9be0ffe54508a904d314b3cf0782a9a508b7

                              SHA256

                              29f29a3495976b65de3df2d537628d260bc005da5956b262ff35e9f61d3d9ed3

                              SHA512

                              b20532d0131b12603410c3cb425cb5df0ddc740f34e688455eff757802ffc854be771b30c3ff196e56b396c6fe53928a1577c8330b00f3f7b849fcf625e51bf4

                              Download Submit

                            • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences
                              Filesize

                              6KB

                              MD5

                              72899ac61c6d30d5ca851e5c4bb3c7ad

                              SHA1

                              ecebcc5ef7e206381330d3b73f2d0eda86159b8a

                              SHA256

                              461af18532b143e5b3d1989663abe6375820ab482f7d492b41f958ced4160531

                              SHA512

                              baab456d02ccdb42913d864b09c088174b5f792c23afb387eb3f2d4c2c2b2dab922769c21187f36ac1845ed1d831d765fa4c6ea742f20420553ebb7cc3368c37

                              Download Submit

                            • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences
                              Filesize

                              6KB

                              MD5

                              381d7186edea2094461117998c8d030f

                              SHA1

                              506afedf8935ab73014cb264ad358c40a13e9618

                              SHA256

                              8a977460624231a523e26ceac519b8951a683638aeb2105ad7ad32dc19bd5246

                              SHA512

                              083fefd8bf0dfba712e92a12f8f6d095849150b326d3eba5713ba795a8c8cbbafa0b588a5861a41d72bbf5338acedc5c10b54723f5b3afe6878cda4dc3372020

                              Download Submit

                            • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT
                              Filesize

                              16B

                              MD5

                              6752a1d65b201c13b62ea44016eb221f

                              SHA1

                              58ecf154d01a62233ed7fb494ace3c3d4ffce08b

                              SHA256

                              0861415cada612ea5834d56e2cf1055d3e63979b69eb71d32ae9ae394d8306cd

                              SHA512

                              9cfd838d3fb570b44fc3461623ab2296123404c6c8f576b0de0aabd9a6020840d4c9125eb679ed384170dbcaac2fa30dc7fa9ee5b77d6df7c344a0aa030e0389

                              Download Submit

                            • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State
                              Filesize

                              11KB

                              MD5

                              c8b9c214dff28cf787770c23aa6cdadd

                              SHA1

                              5ce60023f49e65b221f34b9a49c0447f93f370eb

                              SHA256

                              a802b99b9f0f4f34452e172e7c04341b1786c8ddc02d33f781c135bdabe18150

                              SHA512

                              91cb5a8673d7e01dec95c0bcacf8869ed76b571e2553092981af79fd3a7037b60826fb7682467e62f3b1f1404304a299a59b1d4cf62efb2f5b08cbeb5ce259ce

                              Download Submit

                            • memory/1084-3-0x00007FFEB31B0000-0x00007FFEB3C71000-memory.dmp

                              Filesize

                              10.8MB

                              Download

                            • memory/1084-0-0x00007FFEB31B3000-0x00007FFEB31B5000-memory.dmp

                              Filesize

                              8KB

                              Download

                            • memory/1084-48-0x00007FFEB31B0000-0x00007FFEB3C71000-memory.dmp

                              Filesize

                              10.8MB

                              Download

                            • memory/1084-4-0x0000023D68950000-0x0000023D68E78000-memory.dmp

                              Filesize

                              5.2MB

                              Download

                            • memory/1084-2-0x0000023D68010000-0x0000023D681D2000-memory.dmp

                              Filesize

                              1.8MB

                              Download

                            • memory/1084-1-0x0000023D4D970000-0x0000023D4D988000-memory.dmp

                              Filesize

                              96KB

                              Download

                            • memory/3024-5-0x000001D908660000-0x000001D908661000-memory.dmp

                              Filesize

                              4KB

                              Download

                            • memory/3024-11-0x000001D908660000-0x000001D908661000-memory.dmp

                              Filesize

                              4KB

                              Download

                            • memory/3024-13-0x000001D908660000-0x000001D908661000-memory.dmp

                              Filesize

                              4KB

                              Download

                            • memory/3024-12-0x000001D908660000-0x000001D908661000-memory.dmp

                              Filesize

                              4KB

                              Download

                            • memory/3024-14-0x000001D908660000-0x000001D908661000-memory.dmp

                              Filesize

                              4KB

                              Download

                            • memory/3024-16-0x000001D908660000-0x000001D908661000-memory.dmp

                              Filesize

                              4KB

                              Download

                            • memory/3024-17-0x000001D908660000-0x000001D908661000-memory.dmp

                              Filesize

                              4KB

                              Download

                            • memory/3024-15-0x000001D908660000-0x000001D908661000-memory.dmp

                              Filesize

                              4KB

                              Download

                            • memory/3024-6-0x000001D908660000-0x000001D908661000-memory.dmp

                              Filesize

                              4KB

                              Download

                            • memory/3024-7-0x000001D908660000-0x000001D908661000-memory.dmp

                              Filesize

                              4KB

                              Download